Saturday, 18 May 2019

Finding leaks in Travis logs- an automated approach

First of all, I would like to give credits to original researchers who highlighted this issue into the public.
The original blog post can be accessed through this link
https://edoverflow.com/2019/ci-knew-there-would-be-bugs-here/

I used their concepts to write a tool which automates the entire process and finds out potential leaks.
The tool can be found here.
https://github.com/Shashank-In/TravisLeaks

What is Travis?
Travis CI is a hosted continuous integration service used to build and test software projects hosted at GitHub.

According to Travis for open source projects, they can be used for free, but the entire Travis log remains public. This opens a door for malicious hackers to harvest sensitive API keys, passwords, etc. of the organization having public Travis logs.

Travis, in 2015, acknowledged that their API is being misused to find sensitive keys. They also started hiding potentially sensitive data in Travis logs by replacing them with the [secure]. But the question was, it enough?

Now Ed in his research already listed common keywords in Travis logs which could potentially leak some sensitive data. But while looking for those keywords, I realized most of them got replaced with [secure] by Travis. It seems like Travis hides sensitive data based on some whitelisted keywords.



So the plan was to look for keywords based on Ed's list and additionally use the concept of entropy to find possible API keys. This seemed to be the right solution because it was not easy to figure out more potential keywords.

Example GITHUB_TOKEN is perhaps blacklisted as can be seen above. What if the variable is TSD_GITHUB_TOKEN? Difficult to guess, but if we use the concept of entropy, we can find the possible leak.











Tuesday, 12 March 2019

Taking Over Publicly Editable Github Wiki in Masses

Let's get familiar with a few things first!

What is Github?
GitHub is a web-based hosting service for version control using Git. Github is quite popular for its efficient service and hence all big companies like Google, Facebook, Microsoft, etc. use it for their open-source projects.

Any GitHub repository has a "wiki" page. The "wiki" page is generally used for documentation, installation instructions, etc.





With certain settings, an Organisation or a user can allow any other user (who is not a collaborator) to edit the "wiki" page. According to me, this is absolutely a bad option to be enabled.

If not appropriately observed a malicious user can edit or publish a "wiki" page on a company's official Github repository and mislead the community or user's following the repo. to download or install malware, vulnerable libraries, etc.

This vulnerability can be an excellent catalyst for malicious hackers who infect users through typosquatted malicious libraries hosted by them. An innocent user will apparently follow the wiki instructions blindly especially if the wiki is hosted on a popular organization's Github repo.

This is in general considered as a low priority security issue. But let's look at a bigger picture.

According to Github, there are around 96 Million repos. and 2.1 Million organization. Even with a success rate of 0.1%, an attacker can publish malicious content on 96,000 wiki pages on Github.


I wrote a simple tool in python using selenium which will take an organization's Github username as input, then iterate through all the repositories under that organization to find "publicly editable wiki" and then publish a sample wiki page on it as well as return the page URL.

Please find the codes on my Github
https://github.com/Shashank-In/VulEdiWi




I scanned popular organization's Github and following was the result:-

Google (https://github.com/google)

168 out of 1420 repositories had publicly editable wikis.









Facebook (https://github.com/facebook)

1 out of 162 repositories had publicly editable wikis.





Alibaba (https://github.com/alibaba)

38 out of 246 repositories had publicly editable wikis.





Microsoft (https://github.com/Microsoft)

364 out of 2251 had publicly editable wikis



Mozilla (https://github.com/mozilla)
792 out of 1960 had publicly editable wikis