fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Here’s How A Researcher Broke Into Microsoft VS Code’s GitHub

Here’s How A Researcher Broke Into Microsoft VS Code’s GitHub

This month a researcher has disclosed how he broke into the official GitHub repository of Microsoft Visual Studio Code.

A vulnerability in VS Code’s issue management function and a lack of authentication checks enabled the researcher to obtain push access, and write to the repository.

For responsibly reporting the vulnerability, the researcher was awarded a bug bounty award of an undisclosed amount.

Flawed regex, no authentication, code injection in CI scripts

While riding a train, researcher RyotaK discovered a vulnerability in the VS Code’s Continuous Integration (CI) script that let him break into Microsoft VS Code’s official GitHub repository and commit files.

“I was too bored while I was on the train, so I decided to read the VS Code code. After a while, I noticed that VS Code has a separate repository for CI scripts named vscode-github-triage-actionsSo I decided to read it,” RyotaK told BleepingComputer.

Shortly, the researcher noticed an interesting line in the script that could be exploited in code injection attacks:

exec(`git -C ./repo merge-base –is-ancestor ${commit} ${release}`, (err) => {

Also Read: 10 Principles On How To Build A Good Governance Model


“Of course, there is command injection. But it requires control of the ‘commit’ variable or the ‘release’ variable,” continued RyotaK in an email interview.

The researcher soon realized the commit variable could be controlled by an attacker due to two reasons:

  1. missing authentication checks within theclosedWithcommand (i.e. not checking if the user had the authorization to associate commit hashes with an issue), and
  2. flawed regex expression used to validate the closedWith command specified in a closing comment.

The closedWith command is used to associate a commit hash with the issue before the commit is closed.

However, a flawed regex expression (shown below) used to validate the closing comments and no authentication checks in the CI script meant, any user could associate a commit with an issue, and inject code within the closedWith value.const closingHashComment = /(?:\\|\/)closedWith (\S*)/

Because VS Code’s vulnerable CI workflow ran once a day, around midnight, the researcher carefully planned a Proof-of-Concept (PoC) exploit in advance, so as to not make any dangerous mistakes during night hours.

To do so, the researcher browsed through the GitHub Actions code files for the project to get an understanding of the Continuous Integration and Continuous Delivery (CI/CD) workflow.

“Fortunately, the workflow files for GitHub Actions are published on GitHub, so I have some idea of what’s going on inside GitHub Actions.”

“Since actions/checkout was executed in the step before the vulnerable workflow file is used, there was a GitHub token with write permission to the repository. So I made a plan to use this token,” the researcher told BleepingComputer.

By injecting his basic PoC exploit into the VS Code’s CI script which ran around midnight, the researcher obtained a reverse shell.

Further, the researcher obtained the GitHub authorization token for VS Code repository that would give him write access to the repository.

Eventually, after obtaining the token, the researcher posted a PoC commit to the repository:

github vscode poc commit by RyotaK
RyotaK successfully committed to Microsoft VS Code’s GitHub repo by exploiting the flaws 

Although, the master branch of the repository had account-based branch protections that could not be bypassed with the GitHub Actions token, it was possible to push the file to the release branch using the token, states the researcher.

It is worth noting RyotaK performed this PoC exploit while adhering to Microsoft’s “safe harbor” guidelines when reporting vulnerabilities through their bug bounty programs.

“Microsoft permits the diagnosis of vulnerabilities through safe harbors. This article describes the vulnerabilities discovered / reported in compliance with the safe harbor, and is not intended to recommend unauthorized vulnerability diagnosis,” stated RyotaK in his blog post.

Also Read: The Importance Of DPIA And Its 3 Types Of Processing

For his discovery of the vulnerability and following responsible disclosure guidelines, the researcher told BleepingComputer, that he was awarded a cash bounty prize of an undisclosed amount by Microsoft. 

Code repo flaws may pave ways for software supply chain attacks

Flaws of this extent that enable adversaries to break into otherwise secure software codebases can lay the groundwork for sophisticated software supply chain attacks.

This astounding discovery comes to light when the SolarWinds supply chain attack incident has already been making headlines.

In this case, the ethical hacker RyotaK discovered and responsibly reported the flaw to Microsoft before advanced threat actors could exploit it, to push their malicious code upstream into the Visual Studio Code repository.

Corruption of source-code editors and IDEs in a targeted supply chain attack can have devastating consequences for its users, developers, and the clients that would then be receiving the applications built using a tainted IDE.

Recently, another group of security researchers reported finding exposed Git credentials due to improperly secured .git directories on UN domains.

This discovery enabled them to clone the entire Git repository of the United Nations Environment Programme (UNEP) and eventually access over 100,000 employee records.

Securing your CI/CD tools, and proactively auditing their scripts for security flaws before adversaries exploit any vulnerabilities are a few defenses towards preventing software supply-chain compromises.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us