CodeBuild - Security
We will discuss some interesting security implications of AWS CodeBuild.
You will often find secrets in the environment variables or the buildspec.yml of a CodeBuild project. To view them, you need to know the project name and then make the API call:
Here we assumed the project name to be securitylabs-article.
The API call outputs the buildspec.yml and the environment variables configured in the project.
A malicious buildspec.yml can be used to steal the STS tokens of the role attached to the CodeBuild project.
The commands below can be added to the buildspec to exfiltrate the CodeBuild STS credentials.
The first curl request to 169.254.170.2 returns the STS credentials. The environment variable $AWS_CONTAINER_CREDENTIALS_RELATIVE_URI holds the credentials path, in the format /v2/credentials/<build_id>; since the build ID is dynamic and not easy to guess, we use this global environment variable to obtain the credential path.
Once the STS tokens are saved in the aws_credentials.json file, we configure the AWS CLI with the extracted credentials; finally, ~/.aws/credentials can be base64 encoded and sent to our 18.189.180.144 server to exfiltrate the STS tokens.
The screenshot below shows the base64 encoded credentials that were exfiltrated out of CodeBuild.
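As an added defensive check (not part of this article), the following Python audits project definitions as returned by CodeBuild's BatchGetProjects API for the two exposures described above: secrets held as PLAINTEXT environment variables, and inline buildspecs that reach for the build's temporary credentials. The sample projects and the secret-name regex are constructed assumptions; fetch real definitions with boto3's batch_get_projects.

```python
import re
from typing import Dict, List

# Variable names that usually carry secrets; extend for your environment (assumption).
SECRET_NAME_RE = re.compile(r"secret|password|passwd|token|api[_-]?key|private[_-]?key", re.I)
# Strings a buildspec needs to read the build's temporary credentials (all named on this page).
CREDENTIAL_ENDPOINT_RE = re.compile(r"169\.254\.170\.2|AWS_CONTAINER_CREDENTIALS_RELATIVE_URI|~/\.aws/credentials")


def audit_project(project: Dict) -> List[str]:
    """Return findings for one project dict shaped like an entry of the CodeBuild
    BatchGetProjects response (environment.environmentVariables, source.buildspec)."""
    findings = []
    name = project.get("name", "<unnamed>")
    for var in project.get("environment", {}).get("environmentVariables", []):
        # PLAINTEXT values come back verbatim from the API; PARAMETER_STORE and
        # SECRETS_MANAGER values are only references, which is the fix.
        if var.get("type", "PLAINTEXT") == "PLAINTEXT" and SECRET_NAME_RE.search(var.get("name", "")):
            findings.append(f"{name}: env var {var['name']} is PLAINTEXT; use SECRETS_MANAGER or PARAMETER_STORE")
    # Only an inline buildspec is visible here; a buildspec.yml in the repo needs a repo-side scan.
    match = CREDENTIAL_ENDPOINT_RE.search(project.get("source", {}).get("buildspec") or "")
    if match:
        findings.append(f"{name}: inline buildspec references {match.group(0)}; review for credential harvesting")
    return findings


# Constructed sample (not real data): one risky project and one that uses secret references.
SAMPLE_PROJECTS = [
    {
        "name": "securitylabs-article",
        "environment": {"environmentVariables": [
            {"name": "DB_PASSWORD", "value": "hunter2", "type": "PLAINTEXT"},
            {"name": "REGION", "value": "us-east-1", "type": "PLAINTEXT"},
        ]},
        "source": {"buildspec": "version: 0.2\nphases:\n  build:\n    commands:\n"
                                "      - curl 169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\n"},
    },
    {
        "name": "clean-project",
        "environment": {"environmentVariables": [
            {"name": "DB_PASSWORD", "value": "/prod/db/password", "type": "SECRETS_MANAGER"},
        ]},
        "source": {"buildspec": "version: 0.2\nphases:\n  build:\n    commands:\n      - make test\n"},
    },
]

if __name__ == "__main__":
    for project in SAMPLE_PROJECTS:
        print("\n".join(audit_project(project)) or f"{project['name']}: no findings")
```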