Black Hat 2017 – GitPwnd tool could be used by attackers to communicate with compromised devices via Git repositories

Pierluigi Paganini August 04, 2017

Black Hat 2017 – Security experts develop GitPwnd, a tool that could be used by attackers to communicate with compromised devices via Git repositories.

Even if the Black Hat conference was ended a few days ago, here we are discussing interesting talks of cyber security experts that participated at the event.

Clint Gibler, a security researcher at NCC Group, and Noah Beddome, security researcher and Director of Infrastructure Security at Datadog, have illustrated how threat actors can abuse GitHub and similar services that host Git repositories for launching stealthy attacks against software development communities.

While the experts were testing the systems of organizations involved in software development, they noticed serious issues related to improper management of trust relationships.

These issues can be exploited in attacks to bypass the target’s defenses and gain persistent access to its systems.

“The lack of proper management or understanding of these various trust relationships is a leading cause of security exposure.” states the presentation for the talk.

Black Hat 2017  GitPwnd

Main components in the development environments are workstations, code repositories, continuous integration systems, staging and production systems, version control systems, and of course general users, and local and remote developers.

The security duo demonstrated that it is possible to exploit the trust relationships between the above components to target developers. The experts highlighted that the problem is very serious in software development environments that adopt the Agile methodology.

Sometimes operative choices could introduce unintended levels of trust relationships.

The two experts developed a penetration testing tool named GitPwnd that could be used by attackers to communicate with compromised devices via Git repositories. GitPwnd exploits GitHub to host the attacker’s Git repo, it is able to send commands to a compromised machine via the Git repository and the response is received over the same transport layer, the malicious traffic will be impossible to detect because it is disguised as traffic normally generated by developers.

“GitPwnd is a tool to aid in network penetration tests. GitPwnd allows an attacker to send commands to compromised machines and receive the results back using a git repo as the command and control transport layer. By using git as the communication mechanism, the compromised machines don’t need to communicate directly with your attack server that is likely at a host or IP that’s untrusted by the compromised machine.” states the description of the tool.

“Currently GitPwnd assumes that the command and control git repo is hosted on GitHub, but this is just an implementation detail for the current iteration. The same technique is equally applicable to any service that can host a git repo, whether it is BitBucket, Gitlab, etc.”

The experts pointed out that other services like BitBucket or GitLab are affected by the same issues and could be exploited by attackers in the same way.

The attackers can abuse Git hooks that scripts that run automatically when a developer runs Git commands in a repository, malicious changes to hooks are difficult to discover because their codes are not under version control.

The GitPwnd could be used to automate the attack once hackers gain access to the target systems, for example by compromising it via spear-phishing. The hackers can then run arbitrary Python commands to exfiltrate data or to perform other malicious activities.

In the past, threat actors exploited GitHub to power cyber attacks, in March security experts at Trend Micro while monitoring the hacking campaigns of the Chinese Winnti hacker group, noticed it was abusing the repository for command and control (C&C) communications.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – GitPwnd, hacking)

[adrotate banner=”13″]



you might also like

leave a comment