April 3rd, 2023
A Halborn client expressed concerns regarding potential unauthorized access to a highly-privileged GitHub token configured in AWS CodeBuild. Based on this report, Carlos Polop, Halborn’s Pentesting Cloud, Web & Mobile Team Leader, conducted an extensive investigation into AWS CodeBuild to identify potential methods of exposing this token.
During this investigation, Polop identified a vulnerability that could allow a user with sufficient permissions to leak the access token used to connect AWS CodeBuild with GitHub or Bitbucket. Halborn reported this issue to AWS and supported efforts to remediate the issue, which is now fixed by AWS.
The vulnerability was a post-exploitation attack on AWS's CodeBuild service. It required high privileges to exploit, but with these privileges, an attacker could exfiltrate tokens to third-party applications stored within CodeBuild. This could potentially enable an attacker to pivot from AWS CodeBuild to other platforms, such as GitHub or Bitbucket. The leaked token could be used to access the platform and the token’s authorized repositories.
In addition to providing potentially unauthorized access to these repositories, the vulnerability also allowed an attacker to abuse the token’s potential write access. Since legitimate use of this token via CodeBuild does not allow this, the vulnerability broke the intended functionality of the CodeBuild platform and introduced potential supply chain security risks if an attacker used it to introduce vulnerabilities or malicious code into a company’s products.
January 18, 2023: The vulnerability was reported to email@example.com, which is the recommended email for reporting AWS vulnerabilities.
February 6, 2023: Halborn’s responsible disclosure team was included in the email loop to request a responsible disclosure of the vulnerability.
February 15-20, 2023: A draft of the disclosure blog post was sent and reviewed by AWS.
February 22, 2023: Halborn’s Carlos Polop had a meeting with the Bug Bounty team of AWS, who stated that it could be fixed in the following weeks. They also confirmed that it was possible to disclose the issue.
February 22-25, 2023: The vulnerability was fixed.
February 25, 2023: The vulnerability was disclosed at the h-c0n conference in Madrid.
AWS CodeBuild is a cloud-based build service that provides fully managed continuous integration capabilities, including source code compilation, test execution, and software package creation for deployment. This service eliminates the need for users to provision and manage their own build servers, enabling fast and automatic building and testing of code.
CodeBuild also offers integrations with third-party platforms such as GitHub, GitHub Enterprise, and Bitbucket. These integrations allow AWS access to the platforms via OAuth applications or access tokens, providing CodeBuild with the ability to access code repositories and perform operations on them.
While AWS REST APIs are available for creating, retrieving metadata, and deleting these accesses, there is no API to obtain the access token in clear text for, what is supposed, security reasons. CodeBuild is expected to be able to access the repositories of third-party platforms without the administrator being able to recover the token.
The vulnerability discovered by Carlos Polop, the Pentesting Cloud, Web & Mobile Team Leader at Halborn, involved exploiting CodeBuild to leak tokens in clear text. The vulnerability impacted both configurations that used OAuth applications or access tokens. Technical details on how the exploit was carried out are available on Polop's blog.
The vulnerability discovered by Polop allowed an attacker with sufficient permissions in AWS to modify a CodeBuild project to leak the access token used to connect to GitHub or Bitbucket. This vulnerability should be taken seriously, as it would enable the attacker to use the leaked token to access the platform, access all the token's authorized repositories, and even abuse the token's potential write access, something that is impossible through regular CodeBuild functionality.
The client who brought the issue to Halborn’s attention was advised about how to protect itself from this vulnerability — without disclosing the details about the vulnerability — from the moment it was discovered. This ensured that potential attackers couldn’t exploit the organization during the time while it was being fixed by AWS.
As AWS has already fixed the vulnerability, any company using this service is no longer vulnerable to this bug and does not need to take any further action.