Flaw left Deployment Manager open to remote code execution attacks

更新The discovery of a critical vulnerability in a component of Google Cloud has earned a security researcher a bumper $31,337 bug bounty payout.

Ezequiel Pereira, who boasts aback catalogueof research in this area, uncovered a security flaw in Google’s Cloud Deployment Manager that posed aremote code execution(RCE) risk.

Google Cloud Json API中的安全漏洞允许乌拉圭计算机科学学生指定IssueTracker.Corp.Googleapis.com等内部服务,并使用GSLBtarget参数对这些API进行调用。

The security bug was paid out in full because potentially it could be used to get RCE on谷歌’s internal infrastructure.

Here’s the science bit

Deployment Manager is a Google Cloud service that offers a mechanism to handle resources’ creation, deletion, and modification through a given API. The vulnerability discovered by Pereira involves the interaction of this technology with Google’s Global Service Load Balancer (GSLB).

“By using an internal test (dogfood) version of Google Cloud Deployment Manager, I was able to issue some requests to some Google internal endpoints (through GSLB), which could have led to RCE,” Pereira explained in a summary added to his post in response to questions from每日SWbeplay2018官网IG.

“This could be achieved through an request to the Deployment Managerwith this format, which begins anasync operation。“

He continued: “The operation attempts to send a GET request to the specified endpoint'sdescriptor URL, and expects adescriptor documentas an answer.

“If it fails, it might still provide internal information in the error message, if it succeeds, it would allow more complex internal requests to be issued,” according to Pereira.

The issue was quickly fixed soon after Pereira reported the problem to Google on May 7. Pereira received a reward for his hack earlier this week, giving the green light to publish adetailed technical write-upof his research.

Google told每日SWbeplay2018官网IG.: "An external researcher through our Vulnerability Rewards Program recently reported a Remote Code Execution vulnerability in Cloud Deployment Manager. The issue has been fixed and our investigation found no evidence of abuse or active exploitation of the reported vulnerability.”


This story has been updated to add comment from Google.


有关的XSS vulnerability uncovered in Google Voice browser extension