Symposium sur la sécurité des technologies de l'information et des communications

A French-speaking conference on information security.
It will take place in Rennes from 5 to 7 June 2024.

Action Man VS Octocat: GitHub action exploitation
Hugo Vincent

Date: 06 June 2024 at 15:00 — 30 min.

GitHub Actions is GitHub's CI/CD environment: it lets users run a defined set of tasks in response to an event on a repository. These tasks sometimes run in privileged contexts (with access to repository secrets and a write-capable token) and may process untrusted data from external sources that an attacker can control, such as the title or body of a pull request or issue. When such data is interpolated into a script, the result can be arbitrary code execution in a privileged context, allowing the attacker to steal sensitive secrets or push arbitrary code to the targeted repository. Such scenarios can be exploited without being an internal contributor to the targeted project.
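As an added illustration (not part of the talk or its author's material), the following Python script shows the misconfiguration class described above from the defender's side: it scans workflow YAML as plain text for `run:` steps that interpolate attacker-controllable expression contexts directly into the shell script, and compares a constructed vulnerable workflow with its hardened form, where the same values are passed through environment variables so the shell never sees them as code. The list of untrusted contexts follows GitHub's security-hardening documentation; the two workflow snippets and all function names are constructed for this example.

```python
"""Flag GitHub Actions `run:` steps that embed untrusted event data.

Added example, not code from the talk. Workflow files are treated as text so
the check needs only the standard library (no PyYAML).
"""
import re

# Expression contexts whose values are chosen by whoever opens an issue, pull
# request, comment or discussion. GitHub's hardening guide lists these as
# untrusted; interpolating them into `run:` turns data into shell code.
UNTRUSTED_CONTEXTS = (
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.comment.body",
    "github.event.review.body",
    "github.event.review_comment.body",
    "github.event.pull_request.head.ref",
    "github.event.pull_request.head.label",
    "github.event.pull_request.head.repo.default_branch",
    "github.head_ref",
    "github.event.commits",          # commit messages, author names
    "github.event.head_commit",
    "github.event.pages",
    "github.event.discussion.title",
    "github.event.discussion.body",
)

EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")


def untrusted_contexts_in(expr):
    """Return the untrusted context names referenced inside one expression."""
    return [ctx for ctx in UNTRUSTED_CONTEXTS if ctx in expr]


def find_injections(workflow_text):
    """Return (line_no, context) for every `run:` line, including the lines of
    a `run: |` block scalar, that embeds an untrusted ${{ ... }} expression.
    Expressions elsewhere (e.g. under `env:`) are not flagged: there the value
    arrives in the shell as an environment variable, not as script text."""
    findings = []
    in_run, run_indent = False, 0
    for no, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        key = stripped.lstrip("- ")          # allow `- run:` list items
        if key.startswith("run:"):
            in_run, run_indent = True, indent
            candidate = key[len("run:"):]
        elif in_run and not stripped:
            continue                         # blank line inside the block
        elif in_run and indent > run_indent:
            candidate = line                 # continuation of `run: |`
        else:
            in_run = False
            continue
        for expr in EXPR_RE.findall(candidate):
            for ctx in untrusted_contexts_in(expr):
                findings.append((no, ctx))
    return findings


# Constructed sample: PR title/body interpolated straight into the shell.
VULNERABLE_WORKFLOW = """\
name: pr-check
on: pull_request_target
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: Inspect pull request
        run: |
          echo "Checking PR: ${{ github.event.pull_request.title }}"
          echo "${{ github.event.pull_request.body }}" | grep -q 'Fixes #'
"""

# Constructed hardened form: same values, delivered via `env:` and quoted.
HARDENED_WORKFLOW = """\
name: pr-check
on: pull_request_target
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: Inspect pull request
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
          PR_BODY: ${{ github.event.pull_request.body }}
        run: |
          echo "Checking PR: $PR_TITLE"
          printf '%s\\n' "$PR_BODY" | grep -q 'Fixes #'
"""

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_WORKFLOW),
                        ("hardened", HARDENED_WORKFLOW)):
        print(label, find_injections(text))
```

The scanner only looks at `run:` steps because that is where an expression becomes shell code; the `env:` indirection is the fix GitHub itself recommends. Note that the constructed workflow triggers on `pull_request_target`, which runs in the base repository's context with access to its secrets even for pull requests from forks, which is exactly the "privileged context" the abstract refers to.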

First, we will introduce the main concepts of CI/CD practices. We will then present the different elements of a GitHub workflow, some of which play a crucial role when it comes to exploitation. Finally, we will showcase several types of misconfigurations we observed in different open-source repositories, which could allow a remote attacker to steal sensitive secrets or gain arbitrary write access to those repositories.