Social engineering techniques were used to trick developers into exposing repositories.

Using the GitHub Pages build process, a security researcher discovered a way to launch code execution attacks.

According to a recent blog post, Joren Vrancken received a $4,000 reward for reporting a command injection bug through GitHub’s HackerOne bug bounty programme.

The vulnerability was discovered in GitHub Pages, a static hosting service that can pull data from repositories, run code through a build process, and then publish websites, according to Vrancken.

Path to code execution

GitHub Pages supports the Jekyll static site generator to make the process easier.

Jekyll settings are stored in a YAML configuration file, and GitHub automates some aspects of the service, such as themes, in which GitHub will issue a POST request. This automatically creates a new commit to issuing changes to the source.

These processes require administrator privileges, and only two directories can be specified: the root of a branch and /or docs. User-input directories, on the other hand, can be specified in the theme chooser URL.

You could use any directory as a GitHub Pages source and then run the GitHub job workflow. They include launching Jekyll, deploying static files, and uploading page artefacts. This process can eventually trigger a payload via a tar command, resulting in arbitrary code execution.

However, because the attacker already has admin privileges, this isn’t necessarily a major issue.

Vrancken discovered a way to make this workflow functionality more serious. An attacker only needs a URL and user interaction to gain access to code hosted in a private repository.

Attackers could use phishing or other social engineering tactics to trick an admin user into clicking the link and following the Select Theme process. This triggers a malicious payload and exposes the repository, by crafting a malicious URL that downloads and executes a script from a third-party source. Attackers only need to provide a URL; they do not need a GitHub account or any connection to the target repository.

‘Hack The Box-esque’

Vrancken received a response from GitHub on the same day he informed on July 27 and confirmed on August 2. The GitHub security team resolved the issue by removing the Theme Chooser functionality by August 23.

 Vrancken received a GitHub Pro subscription as well as a $4,000 bug bounty for his efforts.

 The researcher said it combines multiple GitHub-specific features with some more traditional Hack the Box-esque techniques. I heartily endorse the GitHub bug bounty programme.”

“Each submission to our bug bounty programme is a chance to make GitHub, our products, and our customers more secure,” Jill Moné-Corallo, GitHub’s director of product security engineering. Joren has an interest in security research, and because of these researchers continued value in our bug bounty programme.”