An undocumented AWS CodeBuild endpoint can be exploited to extract privileged GitHub App or Bitbucket JWT tokens from AWS CodeConnections, enabling lateral movement and privilege escalation within an organization's codebase. The attack vector involves hooking a CodeBuild job to monitor the requests it makes while bootstrapping, which reveals the internal endpoints used to retrieve these raw, highly privileged tokens. The article does not provide a CVSS score, specific affected AWS service versions, a fixed version, or a recommended workaround.
My write-up on a research project I've been doing in my spare time investigating the security of AWS CodeConnections. This post covers the techniques I used to hook a CodeBuild job to monitor the requests the CodeBuild bootstrapping makes before user code is run. Using this information, I then also show the endpoints I found that can be used to retrieve the raw GitHub App token or Bitbucket JWT App token CodeConnections uses, which tends to be very privileged in a lot of environments, granting far more access than just the single repository where the CodeBuild job is being run.

submitted by /u/thomaspreece