Overview
In just over a week from now, I’ll be speaking at Black Hat 2024 and DEF CON 32 along with my co-presenter John Stawinski. Our talks will focus on attacks against self-hosted runners on public repositories, illustrated by real-world case studies involving companies you’ve definitely heard of.
Our research campaign leading to these talks exceeded every expectation that I had when we started it. One of the bug bounties was for a whopping $100,000!
The Journey
This research has been quite a journey for me, personally and professionally. If you had asked me two years ago whether it was possible for an average guy that no one knew about to lead a two-man, nights-and-weekends research campaign that touched some of the largest companies in the world, I’d have said “I don’t know a world where that can happen, that’s the stuff of fantasy.”
The beauty of offensive security is that it can reward those who always ask “What if?” The chain of events that led to Black Hat 2024 and DEF CON 32 started with me revisiting previous research that had fizzled, and asking “What if I fixed a typo?” That led to One Supply Chain Attack to Rule Them All – Poisoning GitHub’s Runner Images. After that, I asked John if he wanted to collaborate outside of work to rake in some bounties - we signed a bounty-sharing contract and the rest was history.
Of course, there is far more to it than that, but that’s why we’ve lined up two information-packed talks where we will share it all!
The Talks
John and I will be presenting two distinct talks at Black Hat 2024 and DEF CON 32. Each will cover case studies against real companies. We have already blogged about some of them, but one case study will be a surprise. Its details are known only to the handful of people involved in the Coordinated Vulnerability Disclosure and approval process. Those who attend our Black Hat talk in person are in for a treat.
As the lead researcher for this effort, I want to emphasize and make the following clear:
The research we are about to present was conducted entirely in our capacity as independent security researchers.
The case studies that we are about to present along with views expressed in the presentations are our own.
Self-Hosted GitHub CI/CD Runners: Continuous Integration, Continuous Destruction
Our first presentation will serve as an overview of the risks of self-hosted runners and how impactful misconfigured self-hosted runners can be. We’ll drive this point home with case studies, and I’ll share a new case study that has not been discussed publicly outside of my disclosure process with the featured company. You’ll leave the talk with actionable changes that organizations using self-hosted runners can make, and plenty of evidence to convince stakeholders why it is critical to deploy self-hosted runners securely.
- When: Wednesday, August 7th, 1:30 PM-2:10 PM
- Where: South Seas AB, Level 3
Black Hat 2024 will also be the official version 1.0 launch of Gato-X. The tool is a fork of Gato under the Apache 2.0 license and improves on the original tool in every way. Gato-X automates the attacks we will showcase, and contains improvements to scanning speed, coverage, and user experience. As an added bonus, it also includes a scanner for GitHub Actions injection and Pwn Requests, something the original tool does not check for. In an Actions injection, attacker-controlled event data (a pull request title, an issue comment, a branch name) is expanded directly into a run step; in a Pwn Request, a privileged pull_request_target workflow checks out and executes code from the fork. Both belong to a vulnerability class that can sometimes be chained into self-hosted runner takeover for extreme impact.
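To make the three patterns concrete, here is an added example (my own illustration for this post, not Gato-X’s scanner or any project’s real workflow) that runs a small regex-based check over two constructed workflow files: one that expands untrusted event data inside run steps, checks out the pull request head under pull_request_target, and runs both jobs on a self-hosted runner; and a hardened version of the same jobs. The workflows, the list of untrusted github.event fields and the finding names are all assumptions made for the example; a real scanner would parse the YAML rather than match lines with regular expressions.

```python
import re

# Constructed sample workflows, written for this example only. They are not
# from the original post, from Gato-X, or from any real repository.
VULNERABLE_WORKFLOW = """\
name: ci
on:
  issue_comment:
    types: [created]
  pull_request_target:
jobs:
  triage:
    runs-on: self-hosted
    steps:
      - run: echo "Comment was ${{ github.event.comment.body }}"
  build:
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: |
          echo "Building ${{ github.event.pull_request.title }}"
          make test
        env:
          CI: "true"
"""

# Same jobs with the three problems removed: untrusted text reaches the shell
# only through an environment variable, the fork's code runs under the
# unprivileged pull_request event, and the jobs use ephemeral GitHub-hosted runners.
HARDENED_WORKFLOW = """\
name: ci
on:
  issue_comment:
    types: [created]
  pull_request:
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - env:
          COMMENT: ${{ github.event.comment.body }}
        run: echo "Comment was $COMMENT"
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - env:
          TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "Building $TITLE"
          make test
"""

# github.event fields that any GitHub user (or a fork) can set to arbitrary text.
# This list is an assumption for the example, not an exhaustive catalogue.
UNTRUSTED_FIELDS = {
    "comment.body", "issue.title", "issue.body",
    "pull_request.title", "pull_request.body",
    "pull_request.head.ref", "pull_request.head.label",
    "head_commit.message", "head_commit.author.name", "head_commit.author.email",
    "review.body", "review_comment.body", "discussion.title", "discussion.body",
    "workflow_run.head_branch", "workflow_run.head_commit.message",
}

EXPR_RE = re.compile(r"\$\{\{\s*github\.event\.([A-Za-z0-9_.]+)\s*\}\}")
RUN_KEY_RE = re.compile(r"^(\s*)(?:-\s+)?(run|script):\s*(.*)$")
FORK_TRIGGER_RE = re.compile(
    r"^\s*(?:-\s+)?(?:pull_request_target|pull_request|issue_comment)\s*:?\s*$"
    r"|^\s*on:.*\b(?:pull_request_target|pull_request|issue_comment)\b", re.M)
TARGET_TRIGGER_RE = re.compile(
    r"^\s*(?:-\s+)?pull_request_target\s*:?\s*$|^\s*on:.*\bpull_request_target\b", re.M)
PR_HEAD_REF_RE = re.compile(
    r"^\s*ref:\s*(?:\$\{\{\s*github\.event\.pull_request\.head\.(?:sha|ref)\s*\}\}|refs/pull/)", re.M)
SELF_HOSTED_RE = re.compile(r"^\s*runs-on:.*\bself-hosted\b", re.M)


def untrusted_fields_in(text):
    """Return the github.event.* fields in text that an outsider controls."""
    return [f for f in EXPR_RE.findall(text) if f in UNTRUSTED_FIELDS]


def find_injections(workflow):
    """Return (line_no, field) for untrusted expressions inside run:/script: values.

    Block scalars ("run: |") are tracked by indentation, so expressions on
    continuation lines are caught while sibling keys such as env: are not.
    """
    findings = []
    block_col = None  # column of the run:/script: key whose block scalar we are inside
    for no, line in enumerate(workflow.splitlines(), start=1):
        m = RUN_KEY_RE.match(line)
        if m:
            value = m.group(3)
            block_col = m.start(2) if value.strip() in ("|", ">", "|-", ">-") else None
            findings += [(no, f) for f in untrusted_fields_in(value)]
        elif block_col is not None:
            col = len(line) - len(line.lstrip())
            if line.strip() and col <= block_col:
                block_col = None  # dedented to the key's column: block scalar ended
            else:
                findings += [(no, f) for f in untrusted_fields_in(line)]
    return findings


def scan_workflow(workflow):
    """Return (kind, detail) findings for the three patterns; an empty list means clean."""
    findings = [("injection", f"line {no}: github.event.{field} expanded inside a run step")
                for no, field in find_injections(workflow)]
    if TARGET_TRIGGER_RE.search(workflow) and PR_HEAD_REF_RE.search(workflow):
        findings.append(("pwn-request",
                         "pull_request_target workflow checks out the pull request head"))
    if FORK_TRIGGER_RE.search(workflow) and SELF_HOSTED_RE.search(workflow):
        findings.append(("self-hosted",
                         "self-hosted runner reachable from a fork-triggered event"))
    return findings


if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{name}: {len(scan_workflow(text))} finding(s)")
        for kind, detail in scan_workflow(text):
            print(f"  [{kind}] {detail}")
```

The injection check deliberately ignores expressions that sit under env:, because passing event data through an environment variable (as the hardened workflow does) is the standard fix: the shell then sees a variable's value, not attacker-supplied shell syntax. The self-hosted finding is a signal, not proof of compromise; whether a fork's pull request actually lands on the runner depends on the repository's approval settings and the contributor's history, which is exactly the misconfiguration the talks examine.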
Grand Theft Actions
For Grand Theft Actions, we’re going to dive deep. We’ll present an in-depth walkthrough of one of our most impactful submissions, including never-before-seen video recorded as it happened during the original attack. After that, we’ll walk through an arsenal of post-exploitation techniques that you can use to obtain maximum impact after taking over a self-hosted runner.
- When: Saturday, August 10th, 12:00 PM
- Where: Las Vegas Convention Center - L1 - HW1-11-04
Hope to See You There!
If we’ve connected online, you’ve read our research, you’ve received a report from John or me, or you just have questions, feel free to say hi in person!