Exetools


atom0s 11-05-2020 18:14

GitHub Source Code Leak
 
On Nov. 3, someone uploaded the full source code to GitHub to GitHub's own DMCA repo using a GitHub staff account. GitHub responded to the upload after taking it down within the hour of it being posted saying:

Quote:

GitHub hasn't been hacked. We accidentally shipped an un-stripped/obfuscated tarball of our GitHub Enterprise Server source code to some customers a couple of months ago. It shares code with github.com. As others have pointed out, much of GitHub is written in Ruby.

This response came from the same name of the account that posted the source code.

However, the commits log says otherwise, with the commit saying:
Quote:

felt cute, might put gh source code on dmca repo now idk

This appears to be similar to the previous leaks where an auth token was stolen that was used to access multiple private repos owned by Microsoft.

You can view the archive entry of the commit here:
Code:

https://web.archive.org/web/20201104050026if_/https://github.com/github/dmca/tree/565ece486c7c1652754d7b6d2b5ed9cb4097f9d5

You can find a full download of the commit here:
Code:

https://anonfiles.com/Jax980m9p6/dmca-565ece486c7c1652754d7b6d2b5ed9cb4097f9d5_zip

The current speculation as to why this happened is due to the recent RIAA takedowns of various repos on GitHub via DMCA'ing. Most notable is the 'youtube-dl' repo. That repo has been mirrored in several locations such as:

Code:

https://gitlab.com/ytdl-org/youtube-dl
https://git.rip/mirror/youtube-dl


atom0s 11-05-2020 18:41

Some additional info, someone has taken credit for the leak on Reddit saying the following:
Code:

I am the one who did this. You can find on my profile that I was the first one to post it on Reddit.

The commit author is a joke and can be easily done, there's even a CLI tool to do this: git-blame-someone-else

As for the code itself, I just ran a deobfuscator through the officially provided GitHub Enterprise image. Turns out they use the same codebase as GitHub (dotcom), you can even find the billing and subscriptions management in the repo.

As they claim, the leaked code is a copy of GitHub Enterprise deobfuscated. According to them, it matches the actual GitHub site setup (which makes sense since enterprise is for self-hosting etc.)

The push author was faked but access to the DMCA repo still required a leaked auth token or similar. (No info was provided for that part of the hack; but again I assume this is similar to the past hacks I mentioned above.)
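
[Added example, not part of the thread and not code from any poster or from GitHub.] The post above notes that a commit's author field can be set to anything, so an audit should rely on signature status rather than the displayed name. The function names and the identities in the throwaway repo are constructed for illustration, and treating only `G` as verified is an assumed strict policy.

```shell
#!/bin/sh
# Audit a repository for commits whose author field is not backed by a
# good signature. All identities below are constructed sample values.

# Build a throwaway repo holding one unsigned commit whose author and
# committer differ; both fields are free text supplied by the committer.
make_demo_repo() {
    repo=$(mktemp -d) || return 1
    git -C "$repo" init -q || return 1
    GIT_AUTHOR_NAME='Staff Example' GIT_AUTHOR_EMAIL='staff@example.invalid' \
    GIT_COMMITTER_NAME='Other Person' GIT_COMMITTER_EMAIL='other@example.invalid' \
    git -C "$repo" -c commit.gpgsign=false commit -q --allow-empty \
        -m 'constructed commit' || return 1
    printf '%s\n' "$repo"
}

# One tab-separated line per commit on any ref:
#   signature status, author, committer, short hash.
# %G? is git's own signature check: G = good signature, N = no signature,
# other letters = signature present but not fully trusted or not checkable.
audit_commits() {
    git -C "$1" log --all --format='%G?%x09%an <%ae>%x09%cn <%ce>%x09%h'
}

# Count commits without a good signature (author identity unverified).
count_unverified() {
    audit_commits "$1" | awk -F'\t' '$1 != "G" { n++ } END { print n + 0 }'
}

# Count commits whose author identity differs from the committer identity.
count_author_mismatch() {
    audit_commits "$1" | awk -F'\t' '$2 != $3 { n++ } END { print n + 0 }'
}

# Demo run on the constructed repo.
demo=$(make_demo_repo) && audit_commits "$demo" && rm -rf "$demo"
```

Neither field identifies the account that pushed; that is recorded by the hosting server against the authenticated credential, separately from the commit metadata.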

atom0s 11-08-2020 09:30

Here are links to all of GitHub Enterprise's images:
Code:

HyperV              : https://github-enterprise.s3.amazonaws.com/hyperv/releases/github-enterprise-2.22.0.vhd
OpenStack KVM       : https://github-enterprise.s3.amazonaws.com/kvm/releases/github-enterprise-2.22.0.qcow2
VMWare ESXi/VSphere : https://github-enterprise.s3.amazonaws.com/esx/releases/github-enterprise-2.22.0.ova
Xen                 : https://github-enterprise.s3.amazonaws.com/xen/releases/github-enterprise-2.22.0.vhd

After you deploy the images, you can use the following script to decrypt the Ruby files:
Code:

https://gist.githubusercontent.com/jacobbednarz/e2f08812664c6d689f9bafeff040aa5c/raw/e10d488571acf59da024e50b2af9a0c2d913ab5e/ghe-revealer.rb


All times are GMT +8.