Action Man VS Octocat: GitHub action exploitation — Hugo Vincent
Date: 06 June 2024 at 15:00 — 30 min.
GitHub Actions is the CI/CD environment of GitHub, allowing users to execute a specific set of tasks based on an event that happened on a repository. These tasks sometimes run in privileged contexts and may manipulate untrusted data coming from external sources that can be controlled by an attacker. This could lead to arbitrary code execution in privileged contexts, allowing the attacker to steal sensitive secrets or push arbitrary code to the targeted repository. Such scenarios can be exploited without being an internal contributor to the targeted project.
First, we will introduce the different concepts of CI/CD practices. We will then present the different elements that are present in a GitHub workflow; some of them play a crucial role when it comes to exploitation. We will then showcase multiple types of misconfigurations we observed on different open-source repositories. These could allow a remote attacker to steal sensitive secrets or gain arbitrary write access to the affected repositories.
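As an added illustration of the misconfiguration class the abstract describes (attacker-controlled event data expanded inside a privileged workflow), not code from the talk: a small audit script that flags `${{ }}` expressions reading untrusted context from inside `run:` scripts, next to a constructed hardened variant that passes the same value through an environment variable. The event names and context paths are assumptions taken from GitHub's public workflow documentation, not from the talk.

```python
import re

# Assumption: names below follow GitHub's public workflow docs, not the talk itself.
UNTRUSTED_PREFIXES = (
    "github.event.issue.title", "github.event.issue.body", "github.event.comment.body",
    "github.event.pull_request.title", "github.event.pull_request.body",
    "github.event.pull_request.head.ref", "github.event.pull_request.head.label", "github.head_ref",
)
EXPR = re.compile(r"\$\{\{\s*([^}]*?)\s*\}\}")
TRIGGER_RE = re.compile(r"\b(pull_request_target|issue_comment|discussion_comment|workflow_run)\b")
def find_injection_sinks(workflow_text):
    """(line_no, expression) for each ${{ }} expanded inside a `run:` script that reads attacker-controlled context."""
    findings, in_run, run_indent = [], False, 0
    for no, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        if not stripped or stripped.startswith("#"):
            continue  # blank and comment lines do not end a `run: |` block scalar
        indent = len(line) - len(stripped)
        m = re.match(r"(-\s+)?run:\s*(.*)", stripped)
        if m:  # the `run` key; remember its own indent to recognise continuation lines
            in_run, run_indent, text = True, indent + len(m.group(1) or ""), m.group(2)
        elif in_run and indent > run_indent:
            text = stripped  # continuation line of the block scalar script
        else:
            in_run, text = False, ""
        for expr in EXPR.findall(text):
            if expr.startswith(UNTRUSTED_PREFIXES):
                findings.append((no, expr))
    return findings

def external_triggers(workflow_text):
    """Coarse check for triggers an outside contributor can fire while secrets are in scope."""
    return sorted(set(TRIGGER_RE.findall(workflow_text)))
# Constructed samples (not from the talk): VULNERABLE splices the PR title into the shell script; HARDENED hands it over as data.
VULNERABLE = """\
on: pull_request_target
jobs:
  greet:
    steps:
      - run: |
          echo "New PR: ${{ github.event.pull_request.title }}"
"""
HARDENED = """\
on: pull_request_target
jobs:
  greet:
    steps:
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "New PR: $PR_TITLE"
"""
```

A finding is only reachable by an outsider when `external_triggers` also reports a trigger such as `pull_request_target`, so both checks belong together in a repository policy.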