
Controlling the Source: Abusing Source Code Management Systems

Conference: Black Hat USA 2022

2022-08-11

Summary

The presentation discusses attacking and defending source code management systems, specifically GitHub Enterprise, Bitbucket Server, and Azure DevOps. The main goal is to bring attention to securing these systems and to inspire future research on defending them.

  • Source code management systems manage source code repositories and integrate with other systems in the DevOps pipeline
  • Software supply chain attacks can target source code management systems and compromise the integrity of the source code
  • GitHub Enterprise has different roles for organizations, repositories, and access tokens
  • Attacks on GitHub Enterprise can lead to initial access points to other systems in the DevOps pipeline
  • Defensive measures include limiting access, requiring approvals for code commits, and increasing logging levels

The speaker mentions instances of developers leaving test code branches containing credentials and other sensitive information, which attackers can easily find. This highlights the importance of properly securing source code management systems.

Abstract

Source Code Management (SCM) systems play a vital role within organizations and have been an afterthought in terms of defenses compared to other critical enterprise systems such as Active Directory. SCM systems are used in the majority of organizations to manage source code and integrate with other systems within the enterprise as part of the DevOps pipeline, such as CI/CD systems like Jenkins. These SCM systems provide attackers with opportunities for software supply chain attacks and can facilitate lateral movement and privilege escalation throughout an organization.

This presentation will include a background on SCM systems, along with detailing ways to abuse some of the most popular SCM systems, such as GitHub Enterprise, GitLab Enterprise and Bitbucket, to perform various attack scenarios. These attack scenarios will include reconnaissance, manipulation of user roles, repository takeover, pivoting to other DevOps systems, user impersonation and maintaining persistent access. Additionally, there will be a public release of open-source tooling to perform and facilitate these attacks, along with defensive guidance for protecting these SCM systems.
