A security researcher exploited a 'pwn request' vulnerability in a public Stripe repository, allowing them to merge unauthorized commits into the main branch and exfiltrate the workflow’s GitHub token to a researcher-controlled endpoint. This breach underscores the severe risks that insecure GitHub Actions workflows pose to repositories, including unauthorized code changes and CI/CD credential leaks.
The Vulnerability Explained
Multiple workflows in the repository were vulnerable to a classic Pwn Request vulnerability. This is one of the vulnerable workflows.
1. The workflow ran on a risky trigger - pull_request_target
2. The vulnerable job checked out code using an explicit ref of the pull request
The pull_request_target event trigger is one of several risky triggers because it runs with higher privileges, including access to sensitive repository secrets like the GitHub token. When workflows check out code from an explicit ref that originates from an untrusted fork, the combination becomes exploitable. This is particularly dangerous when workflows fail to implement proper security controls, such as limiting token scope and using strict branch protection rules.
The Attack Breakdown
The attack unfolded in a few key steps. First, the researcher forked the Stripe repository and submitted a pull request (PR) containing malicious code. The repository’s GitHub Actions workflow, triggered by the pull_request_target event, allowed the researcher’s code to run in the context of the repository, giving access to the repository’s GitHub token. The researcher then exploited this access by exporting the GitHub token. With the token in hand, the researcher was able to automatically merge their PR into the main branch, bypassing typical review processes. In a subsequent PR, the researcher further demonstrated the exploit by exfiltrating the GitHub token to a remote server using wget.
1. This is the pull request from the researcher that was merged. https://github.com/stripe-samples/accept-a-payment/pull/2719
2. The exploit code exports the GITHUB_TOKEN from git config
3. And uses the token to merge the pull request into the main branch
Another pull request was created to exfiltrate the GitHub token to the researcher-controlled endpoint.
https://github.com/stripe-samples/accept-a-payment/pull/2723/files
1. This is exploit pull request that exfiltrates the GitHub token
2. It was exfiltrated using wget to researcher controlled endpoint
Also read: Analysis of Backdoored XZ Utils Build Process with Harden-Runner
Implications and Risks
This incident reveals several critical security risks that apply not only to Stripe's repository but to any repository using GitHub Actions:
1. Unauthorized Code Execution: Malicious actors can execute arbitrary code in the repository’s CI/CD pipeline, potentially injecting backdoors or altering the software being built.
2. CI/CD Credentials Theft: The exposure of GitHub tokens or other CI/CD secrets grants attackers access to package registries, cloud environments, and the code repository.
3. Unauthorized Merges: Automated merging of PRs using stolen tokens allows attackers to bypass manual review processes, leading to significant security risks and potential supply chain compromises.
Preventing Future Attacks
StepSecurity offers essential protection for GitHub Actions workflows with two key features:
1. Vulnerability Scanning: By scanning workflows across an organization, StepSecurity can identify workflows that are vulnerable to pwn request-style attacks and flag risky configurations like pull_request_target before they lead to compromise.
2. Credential Exfiltration Prevention: StepSecurity’s Harden-Runner adds network egress control and runtime security, preventing sensitive data like GitHub tokens from being exfiltrated by malicious code. This feature has proven effective, detecting exfiltration attempts in projects like Google’s open-source Flank - https://www.stepsecurity.io/case-studies/flank
Summary
This incident highlights the importance of adopting secure practices when configuring GitHub Actions workflows. These workflows are a critical part of modern development pipelines, but without proper safeguards, they can become an avenue for attacks like the pwn request vulnerability. Implementing strict workflow configurations, enhancing token security, and adhering to robust branch protection policies are vital steps in securing any CI/CD pipeline.