[Contribution] AWS CodeBuild (2023) - leak the access token used to connect AWS CodeBuild with GitHub or Bitbucket

Open ramimac opened this issue 10 months ago • 0 comments

Summary (give a brief description of the issue)

The vulnerability was a post-exploitation attack on AWS's CodeBuild service. It required high privileges to exploit, but with these privileges, an attacker could exfiltrate tokens to third-party applications stored within CodeBuild. This could potentially enable an attacker to pivot from AWS CodeBuild to other platforms, such as GitHub or Bitbucket. The leaked token could be used to access the platform and the token’s authorized repositories.

In addition to providing potentially unauthorized access to these repositories, the vulnerability also allowed an attacker to abuse the token’s potential write access. Since legitimate use of this token via CodeBuild does not allow this, the vulnerability broke the intended functionality of the CodeBuild platform and introduced potential supply chain security risks if an attacker used it to introduce vulnerabilities or malicious code into a company’s products.

References (provide links to blogposts, etc.)

https://www.halborn.com/blog/post/halborn-discovers-and-discloses-vulnerability-in-aws-code-build

ramimac • Apr 18 '24 17:04