A publicly exposed `.git` directory, a common oversight in modern development, served as the initial vulnerability: it contained sensitive information, including the source code and the full commit history.
By leveraging the exposed commit history, an attacker was able to identify a specific commit that included a vulnerable version of a dependency containing a known remote code execution (RCE) vulnerability.
The attacker was able to gain unauthorized access to the server and execute arbitrary commands by exploiting this RCE, ultimately leading to a full server takeover.
A significant number of websites inadvertently expose their .git directories to the public, which is a critical security vulnerability, as .git stores the entire version history of a project, including potentially sensitive configuration files.
By accessing the .git/config file, attackers can easily obtain credentials, allowing them to clone the entire repository and potentially exploit further vulnerabilities. This highlights the importance of protecting .git directories to prevent unauthorized access and potential data breaches.
Bitbucket Pipelines, a continuous integration and continuous delivery (CI/CD) tool integrated with Bitbucket, is being utilized by the repository’s developers for automated code execution.
It triggers specific actions, such as building, testing, and deploying the code, whenever changes are made to the repository through events like code pushes, issue creation, or pull request submissions. This streamlines the development and deployment process, ensuring consistent quality and reducing manual intervention.
The analyzed pipeline configuration file exposes a potential security concern: it uses the atlassian/ssh-run action to establish an SSH connection to the production server “damn.vulnerable.site” as the user “ubuntu” and then executes the command “cd /path/to/app && git pull” on the server, updating the deployed application’s source code in place. Storing sensitive details such as usernames within the pipeline configuration raises security risks.
The attacker modified the pipeline configuration to inject a malicious script through the “atlassian/ssh-run” step. The script connects to the specified server (“damn.vulnerable.site”) with the pipeline’s SSH credentials, adds a new SSH key to the authorized_keys file of the designated user (“ubuntu”), restricts the file permissions, and finally pulls code from the remote repository. Because the pipeline runs on every push, the attacker’s SSH key is added to the server during the next pipeline run, granting unauthorized access.
The attacker then pushed their changes to the repository, triggering a pipeline execution. Upon its completion, they were able to log into the server over SSH, confirming a successful compromise.
The server was now under their complete control, allowing them to execute any desired commands. Additionally, a privilege escalation vulnerability was identified, which could be exploited to gain root access, further exacerbating the security breach.
To mitigate SSH key-based attacks, regularly review and revoke unused SSH keys associated with production servers, and prevent unauthorized access to .git directories through server configurations that restrict access to these sensitive repositories.
According to Razz Security, by proactively managing SSH keys and securing .git directories, developers and sysadmins can significantly reduce the risk of exploitation and maintain the integrity of their systems.
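The two conditions this incident hinges on, a `.git` directory sitting inside a web document root (which is exactly what running `git pull` in the deployed app directory leaves behind) and a `.git/config` whose remote URL embeds credentials, can be audited on the server before anything is exposed. The script below is an added example, not code from the write-up or from Razz Security; the directory layout and the sample config contents it builds are constructed fixtures.

```shell
#!/bin/sh
# Added audit script (not from the original write-up). It checks for .git
# directories inside web document roots (what "cd /path/to/app && git pull"
# on the server creates) and for .git/config files whose remote URL embeds a
# user:password or user:token. All paths and sample config data are constructed.

# find_exposed_git_dirs DOCROOT... : print each .git directory found under
# the given roots; return 1 if any were found, 0 if none.
find_exposed_git_dirs() {
    hits=$(for root in "$@"; do
               if [ -d "$root" ]; then find "$root" -type d -name .git; fi
           done)
    [ -n "$hits" ] || return 0
    printf '%s\n' "$hits"
    return 1
}

# git_config_has_credentials FILE : return 0 if a remote URL in the given
# .git/config carries userinfo of the form user:secret@host (https://,
# ssh:// and similar); scp-style git@host:path URLs do not match.
git_config_has_credentials() {
    grep -Eq '^[[:space:]]*url[[:space:]]*=[[:space:]]*[A-Za-z][A-Za-z0-9+.-]*://[^/@[:space:]]+:[^/@[:space:]]+@' "$1"
}

# make_fixture : build a throwaway directory tree and print its path.
#   www/app/.git/config   -> deployed app with a credential-bearing remote
#   www-ok/               -> a document root with no repository inside
#   home/repo/.git/config -> a repository outside any docroot, no credentials
make_fixture() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/www/app/.git" "$tmp/www-ok" "$tmp/home/repo/.git"
    cat > "$tmp/www/app/.git/config" <<'EOF'
[remote "origin"]
    url = https://deploy:EXAMPLE_TOKEN@bitbucket.example.org/team/app.git
EOF
    cat > "$tmp/home/repo/.git/config" <<'EOF'
[remote "origin"]
    url = git@bitbucket.example.org:team/app.git
EOF
    printf '%s\n' "$tmp"
}
# Demo run against the constructed fixture.
fixture=$(make_fixture)
echo "== .git directories under document roots =="
find_exposed_git_dirs "$fixture/www" "$fixture/www-ok" || echo "-> move the checkout outside the docroot or deny /.git in the web server"
for cfg in "$fixture/www/app/.git/config" "$fixture/home/repo/.git/config"; do
    if git_config_has_credentials "$cfg"; then echo "credentials embedded in $cfg"; fi
done
rm -rf "$fixture"
```

On a real host, call `find_exposed_git_dirs` with the actual document roots (for example `/var/www`) and `git_config_has_credentials` on each `.git/config` it reports; a non-zero exit from the first function is the signal to fail the deploy.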