attack compilation stage (1)

Posted by punzalan at 2020-04-13


Let's review again what security practitioners have done in the operation stage in order to do a good job in software security.

We will promote network security awareness education, business code of conduct requirements and human resource policies and processes from the top, and continue to improve the network security awareness and network security capacity of all staff through training and publicity.

We establish the definition of software security requirements, ensure that the requirements are assessed in the software security design stage, and meet the special security protection requirements through security functions. Developers document it.

We have drawn a lot of DFD diagrams with seaspogne, OWASP thread dragon and PTA to do the security analysis of architecture design. The R & D personnel iterate and modify the model.

We use code defect rate, vulnerability number and repair rate to pay attention to the data of security development, and conduct quarterly evaluation.

We use static analysis + review to evaluate the software deliverables and check whether they meet the security coding specifications. Developers fix security flaws.

We continue to use DAST to find security vulnerabilities and take pride in higher coverage, lower false positives and missed positives. The operators feedback the work orders to repair them in time.

And now there is a hot spot of supply chain security.

After xcodeghost event, developers are required to use genuine development software to ensure the safety of "firewood cutter".

Xshell and CCleaner events remind you to ensure the security of desktop office environment, upgrade to the latest version, and keep good habit of using some anti-virus products.

Event stream package events require the responsible developer to check the component dependencies referenced by the project. Use safecode, Cobot and blackduck to check the license and backdoor status of various open source components.

"Reflections on trusting trust" even requires checking the compiler!

Google's practice is to use the grafeas API to manage Unicom software supply chain security projects.

When I contacted security in the early stage, I used to obtain the class file of dispatcher servlet in jar package and add special instructions to the official release package of a CMS. Now I think I also contributed to the "insecurity" of supply chain. At that time, my thinking was too limited. Key code based will have a huge impact on performance. In addition, the expected security threats are tampering and elevation of privileges privilege promotion. The intention has not reached information disclosure. In the real and complex attack scenarios, it is necessary to continue to "fight guerrillas", and supply chain attacks need to have the "spoofing" disguise to hide and spread rapidly. When necessary, denial of service and repudiation are needed to actively clean up traces and eliminate residues.

So from the perspective of defense, how can we do such a test? How to ensure the consistency between the production end and the consumer end of the software supply chain? How to identify complex binary and open source components? How to follow up the introduction of iterative open source fragments in time? It's worth thinking about.

The author has participated in the assessment of UK CSEC. At present, a good practice is to set up strict version management through the whole process of IPD, carry out traceability management and defect management through structural identification of the third-party software package, integrate safety into the product development process, pay attention to safety in everyone's work at hand, and PMO organizes business empowerment. When using the third-party software and open source components, they must pass the legal affairs, technical review, use the components of the company's entity library and provide technical services. During the validation, the compiled image is provided to ensure that the code and binary attachment list are completely consistent with the final release product, and they are in line with the software security baseline and free of internal and external public vulnerabilities. In addition, suppliers are required to follow a consistent security mechanism. When purchasing, it is important to sign security agreements and guide suppliers to provide patches and solutions in a timely manner.

However, in the discussion of supply chain security, in addition to the malicious operation of various externally reported means to replace components, the author also thinks whether we have missed a key point -- the requirements for continuous integration personnel and code inspectors? Check the compile phase? How to ensure the security of compilation instructions? What if the attacker is aiming at compile time, not post compile breakthrough? The extended practical problem is how to ensure the internal security of ci| CD system. Here, I will write an article to demonstrate how to attack these systems and discuss solutions with you.


In this paper, we mainly discuss the compilation phase, and we will not discuss the direct attack of Jenkins, gitlab Ci and spinnaker with CVE and weak password.

In JPDA system, the format of interaction data between the front-end debugger process and the back-end debuggee process is jdwp To describe, it defines the request command, response data and error code in detail and completely, ensuring the smooth communication between the front-end and back-end JVMTI and JDI. Through the establishment of this tunnel, malicious debugging scripts directly connect to the back door for communication.

At compile time, you can specify commands.

“-Xdebug -Xrunjdwp:transport=dt_socket,address=port,server=y,suspend=y”

Of course, you can also look at the official documents of adaptation:

Use client mode:

"- Xdebug - xrunjdwp: Transport = dt_socket, address = IPv4 \ IPv6: port, server = n, suspend = y" connects the specified malicious jdpa server with TCP protocol.

Use the tool reference


Maven mainly serves project construction based on Java platform, dependency management and project information management. For example, there is a parent project Maven parent, which has a child project A. if JUnit is dependent on the parent project, JUnit can still be used in the child project even if JUnit is not introduced in the child project a, because the child project naturally inherits the JUnit dependency in the parent project. In pom.xml file, it is very convenient to hide malicious script and third-party components.

The first attack point of Maven platform is test case. When MVN test command is executed, the source code of test case will be run.

In addition, Maven defines three life cycles: clean, default and site. Each life cycle contains some phases. The core event of the most critical default phase is compile. The principle is that org.codehaus.plexus.compiler.javac.javaxtoolscompiler.compileinprocess calls javac. Javac is the compiler of Java language, which is located in the bin directory of JDK. You can Compile the source file with suffix. Java to bytecode that can run in Java virtual machine with suffix. Class. The core entry location is / library / Java / javavirtualmachines / jdk1.8.0_.jdk/contents/home/lib/tools.jar! / COM / sun / tools / javac / main.class. For detailed explanation of javac parameters, please refer to:

So for the direct compilation of javac commands, you can use @ < filename > read from file option and filename, @ can follow the absolute path to get the configuration information of parameters from the local file. The attack point here is to judge whether the local file exists. Of course, only one line before and after the space can be obtained according to the echo error, and it is limited by the file permission setting. However, the software and version installed as probe detection machine are enough.

Another way is to read large files as a way of running out of resources, which affects system availability.

We also note its support

-Proc: {none, only} controls whether annotation processing and / or compilation is performed.

- processor < Class1 > [, < class2 >, < class3 >...] the name of the comment handler to run; bypasses the default search process

- processorpath < Path > specifies where to find the comment handler

In short, when compiling the source code of annotation type, specify the custom class file. Take the demonstration project as an example,

We specify an annotation in the samples project, which we hope to be processed by the program under processor module in the compilation phase. Attackprocessor inherits from abstractprocessor and rewrites process.

Fill in our attack vectors and perform MVN clean compile - E - x to view the compilation process once.


From the console, we can see that -processorpath is added to the command line parameter of javac, and our custom code is executed to obtain the sensitive information of environment variables. That is to say, the implementation does not run the code and triggers the attack at compile time.

Note that our goal is to attack the compilation process of the code, and the goal will be the continuous integration platform or code scanning tool (of course, the continuous integration directly provides the function of the run shell..... In the code of concept verification, the execution test routine will rebound the shell, and the common compilation will print sensitive information).

The security of cloud compilation platform is different. Generally, it will run in docker for efficiency and isolation, and it will also be affected by vulnerabilities such as cve-2019-5736runc. The author found that the current commercial CI platform, running different user permissions, external network connectivity is also different, does not conform to the principle of minimum permissions, which needs to be included in the security vision of enterprises.


During the compilation phase, the shell is rebounded, and the user is Travis.

Alibaba cloud codepipeline and Jenkins users cannot bounce shells.

Huawei cloud cloudbuild, root does not support rebound shell.

Tencent hub

Supports shell bounce with root privileges.

In addition, there is a case in the software deployment phase, which is worth looking at:。


It is possible for the persistence platform to provide the application's Javadoc to automatically generate help documents. The function of replacing maven Javadoc plugin can be realized by modifying the URL node of plugin repository.

In addition, for Javadoc, the official Oracle document points out the insecurity of introducing JavaScript.

Malicious code can be injected into XSS with the following configuration.

HTML generated through MVN Javadoc: Javadoc has XSS risk.

In addition, cve-2013-1571 is available at The fix is to add the applyjavadocsecurityfix tag.

Another security risk of Javadoc is that maven Javadoc plugin supports custom doclet, that is to say, when parsing comments and annotations directly, it is allowed to refer to third-party jar packages to execute mojo methods.

For writing method, please refer to, as shown in the example code,

When generating annotation documents, main.xml will also be generated. The content includes the code results (in fact, command execution) in the start function.

If you configure in build in pom.xml, execute MVN Javadoc: Javadoc to trigger. If you configure in reporting node, execute MVN site command to trigger as well.

Warehouse safety

One of Maven's project level functions is that the repositories command in pom.xml supports the specified repository, so attackers can replace jar packages to destroy integrity and generate tamper threat. The ID of the self-contained central warehouse is central. If other warehouse declarations also use this ID, the configuration of the central warehouse will be overwritten. In this way, when the MVN compile command is executed, the plug-in version of stealing beams and changing posts will be used, which contains malicious code. Trigger security risks.

Set up your own hosting server, replace maven Javadoc plugin, version 3.11.2, modify malicious plug-ins.

If the POM file is configured with a higher version that does not exist in the local warehouse, we will go to the nexus server we built to download the jar package.

The above loopholes have been fed back to relevant manufacturers and fixed.

The jar file in the repository is a big problem. Using DNS to pollute settings.xml is also a good way,

CDN cache attack is also a way of thinking, the key is how to maintain in the later stage, and how to realize various scripts in malicious components.


For the above Javadoc, gradle can use


Ant uses < jvmargvalue = "${JVM. Arg}" / > for configuration. Of course, gradle and ant also support shell command writing.

At the end of the first section, I'd like to know what's going on, and listen to the next chapter.