#BHUSA BlackHatEvents

Self Hosted GitHub Runners: Continuous Integration, Continuous Destruction
Adnan Khan | John Stawinski

First, A Story

Two months ago, someone identified a GitHub Actions misconfiguration in a public repository owned by one of the largest domestic chip manufacturers in the United States. Anyone with a GitHub account could have exploited it by creating a pull request. The vulnerability allowed them to obtain Enterprise admin privileges over that company's GitHub Enterprise Cloud tenant. This provided access to some of that company's most sensitive intellectual property. They had the privileges to make every repository public or even delete their GitHub organizations, which would trigger an immediate loss of over 120,000 repositories.

Thankfully, this was not an APT. It was me, and I responsibly disclosed the vulnerability.
- Adnan Khan

Disclaimer
- All vulnerabilities mentioned during this talk have been remediated
- The views and opinions expressed in this presentation are solely our own
- The content presented is not endorsed by, nor does it represent the views of, our employers
- All materials and ideas shared are independently developed and should not be attributed to our employers

John Stawinski
- Red Team Security Engineer
- CI/CD Security Researcher
- Enjoys anything outside, especially activities that lead to injury
- Former Collegiate Athlete
- Nomadic (for now)
- Email:
- LinkedIn:

Adnan Khan
- Security Engineer for Day Job
- Security Researcher
- Bug Bounty Hunter
- Live in Baltimore, Maryland
- X: adnanthekhan
- Website:

And many more.

Ok, but is it really that bad?

Yes. There is a systemic lack of awareness around self