Google Vulnerability Rewards Program

Vulnerability Details The following writeup describes a vulnerability that allows remote code execution on the Istio control plane. However, this vulnerability requires high privilege access to the Kubernetes cluster in which Istio is deployed. This would normally be a low / informational risk vulnerability, but in a managed Istio context, it becomes higher risk. To demonstrate, I focused on the Google-managed Anthos Service Mesh (ASM), which runs the Istio control plane in a Google-managed project using a per-product per-project service account (P4SA) that authenticates to the user’s GKE cluster....

Vulnerability Details GKE Autopilot provides many default security controls to protect the node, including protections against privileged pods and limitations on hostPath volume mounts. There is a race condition during provisioning of the Autopilot OPA policies that allows an attacker to bypass the intended controls by simply creating their malicious resource while the OPA policies are being provisioned. To demonstrate, use the following steps: Download the file deploy.yaml Create an Autopilot cluster While the cluster is being created, run the following commands (replacing $name): while true; do gcloud container clusters get-credentials $name && break; done while true; do timeout 1 kubectl apply -f deploy....

Vulnerability Details GKE Autopilot provides many default security controls to protect the node, including protections against privileged pods and limitations on hostPath volume mounts. The nodes are configured to pull from the compute metadata SSH keys list. As documented here, a user with compute.projects.setCommonInstanceMetadata can set project-wide SSH keys. To prevent users from simply logging in to the nodes directly, the nodes use an sshd configuration to set all user shells to /sbin/nologin....

Vulnerability Details GKE Autopilot provides many default security controls to protect the node, including protections against privileged pods and limitations on hostPath volume mounts. The Autopilot nodes do not have a startup-script defined in their instance metadata. As documented here, a user with compute.projects.setCommonInstanceMetadata can set a project-wide startup script. Since the nodes do not have this attribute set, they will use the project-wide attribute and allow arbitrary code execution from the startup-script....

Vulnerability Details GKE Autopilot provides many default security controls to protect the node, including protections against privileged pods and limitations on hostPath volume mounts. However, these security configurations did not prevent PersistentVolumes with the “local-storage” storage class. The “local-storage” class can be used to mount files from the node into a pod, similar to hostPath volume mounts. This can be abused to mount sensitive files/directories from the node into a pod and elevate permissions....

Vulnerability Details The formatter action is triggered on pull_request_target events, which run with the context of the base repository and is therefore allowed to mount secrets. However, the formatter action specifically checks out the reference from the Pull Request (which is attacker controlled code). This breaks the security benefits of pull_request_target and exposes secrets to the attack code. This might be acceptable when the action does not allow for code exec....

Vulnerability Details Google Cloud Functions accept code from users and build this code into a deployable container via Cloud Build. Before building, the code is uploaded to a cloud storage bucket whose name matches the format gcf-sources-<numeric-project-id>-<location> (e.g. gcf-sources-928967777810-us-central1). When uploading user provided code to the gcf-sources bucket, the backend does not verify that the bucket owner matches the current project. As the bucket name is not a domain, nor does it contain the word Google, an attacker can register these scratch buckets for any target accounts....

Vulnerability Details gcloud has subcommands for importing/exporting compute images. These commands create Cloud Build tasks which launch an instance in your project to perform the import/export task. They use the open source GoogleCloudPlatform/compute-image-tools repo to execute these workflows. Both workflows use a “scratch” storage bucket for storing logs, scratch data, and startup scripts. The bucket name formats are below: export: "<project-id>-daisy-bkt-us" import: "<project-id>-daisy-bkt" If this bucket does not exist, it creates it within the user’s project, otherwise, it simply attempts to write to the bucket....

Vulnerability Details This vulnerability assumes a compromise of the renderer process as described in this post: https://groups.google.com/a/chromium.org/forum/#!msg/chromium-extensions/0ei-UCHNm34/IDaXwQhzBAAJ From a compromised renderer process, we can send a message to the extension background script (chext_backgroundpage.js) and break site isolation by triggering a POST request with credentials to an arbitrary origin, with arbitrary headers, and the ability to read the response. Steps to reproduce: Install the Google Input Tools extension: https://chrome.google.com/webstore/detail/google-input-tools/mclfklkfljcocdinagocijmpgbhab Visit an “attacker” domain (e....

The Instance Metadata Service has protections against server-side request forgery. This vulnerability describes a bypass for these protections due to URL parsing issues.