#BHAS BlackHatEvents

The Illusion of Isolation: How Isolation Failures in CI/CD Servers Lead to RCE and Privacy Risks
Speakers: Tian Zhou, YiWen Wang

About Us
- Tian Zhou (byc_404): CTFer, NeSE; Web Security Researcher
- YiWen Wang (rebirth): CTFer, NeSE; Web Security Researcher

Outline
1. Introduction
2. Exploit the Isolation in CI/CD
3. Real World Cases
4. Takeaways

1. Introduction

Basic Workflow of CI/CD
A typical CI/CD workflow looks like: [workflow diagram]

Key Components of CI
- Server
- Workers
- CI/CD Platform

Key Components of CI: Server
- Integrates with SCM
- Keeps an audit log of changes
- Lets you design your own pipelines
- Sends commands to Workers
- Maintains build records

Key Components of CI: Workers
- Workers / Agents / Runners: they are all the same!
- Run on any OS
- Could be a machine, a container or a pod
- Run the jobs in a pipeline

Isolation Mechanisms
By default, the Server configures jobs and lets the Workers finish them.
Workers and Server are isolated by physical machine boundaries or by container mechanisms.

Isolation Mechanisms: File Isolation
- Commands execute on different machines
- Code may be built in isolated containers
- Code should be separated at the filesystem level
[diagram: machine-a, machine-b]

Isolation Mechanisms: Data Isolation
- Server and Worker are isolated by physical boundaries
- Projects are built in isolated virtualized environments
- Projects implement access control through RBAC policies

Isolation Mechanisms
It looks like all CI/CD functionality follows these isolation mechanisms. But is that really the case?
Let's see whether flaws in the isolation mechanisms lead to security problems.

2. Exploit the Isolation in CI/CD

Attack the CI/CD
Attack Ways