Exploit involved duping developers into exposing repositories with social engineering techniques

Command injection vulnerability in GitHub Pages nets bug hunter $4k

A security researcher has discovered a way to launch code execution attacks by exploiting the GitHub Pages build process.

Joren Vrancken netted a $4,000 reward for a command injection bug reported through GitHub’s HackerOne bug bounty program, as described in a recent blog post.

According to Vrancken, the security issue existed in GitHub Pages, a static hosting service able to pull data from repositories, run code through a build process, and then publish websites.

Path to code execution

To streamline the process, GitHub Pages supports the Jekyll static site generator.

Jekyll settings are stored in a YAML configuration file, and GitHub automates some aspects of the service, including theme selection: when a theme is chosen, GitHub issues a POST request and automatically creates a new commit that applies the change to the source.

These processes require administrator privileges, and only two directories – the root of a branch and /docs – can be specified as the Pages source. However, user-supplied directories can also be specified via the theme chooser URL.

You could select an arbitrary directory to use as a GitHub Pages source and then run the GitHub job workflow, which includes the launch of Jekyll, static file deployment, and uploading page artifacts. Eventually, this process can trigger a payload via a tar command, resulting in arbitrary code execution.

However, the attacker already has admin privileges, so this isn’t necessarily a huge problem.

Vrancken found the means to turn this workflow functionality into something more serious. If an attacker wants access to code hosted in a private repo, all they need is a URL and user interaction.

By crafting a malicious URL that downloads and executes a script from a third-party source, attackers could use phishing or other social engineering tactics to lure an admin user into clicking the link and following the Select Theme process – thereby triggering a malicious payload and exposing the repository.

Attackers need only supply a URL – they do not need a GitHub account nor any connection to the target repo.

‘Hack The Box-esque’

After notifying GitHub of his findings on July 27, Vrancken received a response on the same day, with confirmation arriving on August 2. By August 23, the GitHub security team had resolved the issue by removing the Theme Chooser functionality.

Vrancken was awarded a GitHub Pro subscription as well as a bug bounty of $4,000 for his efforts.

“This was definitely one of the more fun bug bounties I did, because it combines multiple GitHub-specific features with some more traditional Hack The Box-esque techniques,” the researcher commented. “I wholeheartedly recommend the GitHub bug bounty program.”

Jill Moné-Corallo, GitHub’s director of product security engineering response, told The Daily Swig: “Each submission to our bug bounty program is a chance to make GitHub, our products, and our customers more secure. Joren’s findings demonstrate their passion in security research and engaging researchers like them is the reason why we continue to see value in our bug bounty program.”
