GCP — Domain Wide Delegation Abuses

Clément CRUCHET
Oct 18, 2023


In today’s dynamic technological landscape, the shift to cloud environments has become a cornerstone of business innovation. As companies embrace the flexibility of the cloud — either solely or through hybrid models — a fresh array of security challenges emerges.

In this blog post, our focus narrows to the realm of offensive security within Google Cloud Platform (GCP). We shine a light on the obscure domain-wide delegation abuses in GCP.

Domain Wide Delegation 101

Within GCP, service accounts can be granted rights and permissions to programmatically access user data within Google Workspace, also known as G Suite (Gmail, Google Drive, Google Docs…). This works by impersonating legitimate Google Workspace users and is defined as domain-wide delegation.

Google Workspace has its own API, and its permission model is based on G Suite/Workspace API calls, in the same way that GCP API calls are made using a service account access token. All of the authorization and underlying permissions are managed by the OAuth2 authorization protocol and the assigned scopes.

Enabling Domain Wide Delegation

For this POC we first create a Google Compute Engine (GCE) instance within our project and assign the default Compute Engine service account to this instance with full access to all Cloud APIs (OAuth2 scopes).

Domain Wide Delegation abuse exploitation path

This type of configuration has been observed in a large number of customer engagements. Use of the default Compute Engine service account is predominant, and sometimes you will also find customers configuring the access scope with full Cloud APIs access (no scope limitation):

https://www.googleapis.com/auth/cloud-platform

The default access scope for Compute Engine Default Service Account is the following:

https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write
https://www.googleapis.com/auth/servicecontrol
https://www.googleapis.com/auth/service.management.readonly
https://www.googleapis.com/auth/trace.append
Usage of Compute Engine Default Service Account with full scope access

Although we use a wider access scope than the default for the purpose of this POC, it is not uncommon to identify or compromise customer-created service accounts, other than the default Compute Engine service account, that have full access to all Cloud APIs.
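To turn the scope comparison above into a check a defender can run, here is an added example that is not part of the original post: a small Python audit that reads an instance's access scopes from the GCE metadata server and grades them against the default Compute Engine scope set listed above. The metadata URL and the Metadata-Flavor header are the documented metadata server interface; the finding structure and the risk levels are this example's own, and the fallback scope list used when the script is not run on a VM is constructed.

```python
"""Audit the OAuth2 access scopes attached to a GCE instance's service account.

Added example, not code from the original post. Anything beyond the default
Compute Engine scope set is flagged, and the all-APIs 'cloud-platform' scope
(no scope limitation) is rated high: a token carrying it can reach the IAM API.
"""
import json
import urllib.request
from typing import Dict, List

# Default scope set of the Compute Engine default service account (from the post).
DEFAULT_COMPUTE_SCOPES = frozenset({
    "https://www.googleapis.com/auth/devstorage.read_only",
    "https://www.googleapis.com/auth/logging.write",
    "https://www.googleapis.com/auth/monitoring.write",
    "https://www.googleapis.com/auth/servicecontrol",
    "https://www.googleapis.com/auth/service.management.readonly",
    "https://www.googleapis.com/auth/trace.append",
})

# Scope that grants full access to all Cloud APIs.
FULL_ACCESS_SCOPE = "https://www.googleapis.com/auth/cloud-platform"

# Documented GCE metadata server endpoint listing the default SA's scopes.
METADATA_URL = ("http://metadata.google.internal/computeMetadata/v1/"
                "instance/service-accounts/default/scopes")


def fetch_instance_scopes(url: str = METADATA_URL) -> str:
    """Read the scope list from the metadata server (only works on a GCE VM)."""
    req = urllib.request.Request(url, headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=3) as resp:
        return resp.read().decode()


def parse_scopes(text: str) -> List[str]:
    """The metadata server returns one scope per line."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def assess_scopes(scopes: List[str]) -> Dict:
    """Classify the scope set against the default set and return a finding."""
    present = set(scopes)
    extra = sorted(present - DEFAULT_COMPUTE_SCOPES)
    full_access = FULL_ACCESS_SCOPE in present
    if full_access:
        risk = "high"      # every Cloud API reachable, IAM key creation included
    elif extra:
        risk = "medium"    # broader than the default set; review each scope
    else:
        risk = "low"       # default scope set only
    return {
        "risk": risk,
        "full_cloud_api": full_access,
        "extra_scopes": extra,
        "missing_defaults": sorted(DEFAULT_COMPUTE_SCOPES - present),
    }


if __name__ == "__main__":
    try:
        scope_text = fetch_instance_scopes()
    except (OSError, ValueError):
        # Not on a GCE VM: constructed fallback mirroring the post's full-access setup.
        scope_text = FULL_ACCESS_SCOPE + "\n"
    print(json.dumps(assess_scopes(parse_scopes(scope_text)), indent=2))
```

Run it from the instance itself, or feed `assess_scopes()` the scope lists pulled for each VM with `gcloud compute instances describe`; a `high` finding on an instance that also has a Workspace API client registered is exactly the combination this post exploits.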

The next step for the GCP administrator is to enable Domain Wide Delegation within the Google Workspace admin panel (admin.google.com).

Google Workspace admin panel — Manage Domain Wide Delegation

Then create a new API client using the client ID of the previously created GCE instance.

Create new API client with GCE client ID

Then the GCP administrator can grant the OAuth2 scopes for which the service account/API client is allowed to interact with and impersonate Google Workspace users.

In our case we grant the classic Drive and Gmail access scopes.

https://www.googleapis.com/auth/drive
https://mail.google.com/
Providing OAuth2 scopes to the client ID

Exploitation path

From an attacker's perspective, we assume we have compromised the GCE instance named instance-delegation.

Using the GCP metadata API we are able to retrieve the access token of the associated default Compute Engine service account and its scopes.

Retrieving access token and scope using Metadata API

Using the gcloud CLI we can create a new service account key for the default Compute Engine service account (691578440296-compute@developer.gserviceaccount.com).

Using this newly created service account key for the default Compute Engine service account (691578440296-compute@developer.gserviceaccount.com), we are able, through Domain Wide Delegation, to access the Gmail and Drive data of any existing Workspace user.
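The pivot point of this chain is the new key minted for the default Compute Engine service account with a token taken from the metadata server. That call is recorded in the IAM Admin Activity audit log under methodName google.iam.admin.v1.CreateServiceAccountKey, which gives a defender something concrete to alert on. The following added example, not code from the original post, scans Cloud Audit Log entries in JSON form for that pattern. The log lines are constructed to mirror the real entry shape; the admin principal, project name and IP addresses are placeholders, and resourceName is shown in its email form (entries may instead identify the service account by its numeric unique id, which you would resolve against your service account inventory).

```python
"""Flag service account key creation that matches the metadata-token abuse path.

Added example, not code from the original post. Input is Cloud Audit Log
entries exported as one JSON object per line; three rules prioritize the
pattern seen above: a key created for a default compute SA, a service account
creating a key for itself, and a caller that is itself a compute identity.
"""
import json
from typing import Dict, List

KEY_CREATE_METHOD = "google.iam.admin.v1.CreateServiceAccountKey"
DEFAULT_COMPUTE_SUFFIX = "-compute@developer.gserviceaccount.com"


def _entry(service: str, method: str, principal: str, resource: str,
           caller_ip: str, ts: str) -> str:
    """Build a constructed audit log line in the shape of a real entry."""
    return json.dumps({
        "protoPayload": {
            "serviceName": service,
            "methodName": method,
            "authenticationInfo": {"principalEmail": principal},
            "requestMetadata": {"callerIp": caller_ip},
            "resourceName": resource,
        },
        "timestamp": ts,
    })


# Constructed sample: a human admin rotating a CI key (benign), the VM's own
# identity minting a key for itself (the abuse), and an unrelated compute call.
SAMPLE_LOG_LINES = [
    _entry("iam.googleapis.com", KEY_CREATE_METHOD, "admin@example.com",
           "projects/-/serviceAccounts/ci-deployer@example-project.iam.gserviceaccount.com",
           "203.0.113.10", "2023-10-18T09:00:00Z"),
    _entry("iam.googleapis.com", KEY_CREATE_METHOD,
           "691578440296-compute@developer.gserviceaccount.com",
           "projects/-/serviceAccounts/691578440296-compute@developer.gserviceaccount.com",
           "10.128.0.7", "2023-10-18T09:05:00Z"),
    _entry("compute.googleapis.com", "v1.compute.instances.get",
           "691578440296-compute@developer.gserviceaccount.com",
           "projects/example-project/zones/us-central1-a/instances/instance-delegation",
           "10.128.0.7", "2023-10-18T09:06:00Z"),
    "this line is not JSON and must be skipped",
]


def analyze_entry(entry: Dict) -> List[str]:
    """Return the list of reasons an entry is suspicious (empty if none)."""
    payload = entry.get("protoPayload", {})
    if payload.get("serviceName") != "iam.googleapis.com":
        return []
    if payload.get("methodName") != KEY_CREATE_METHOD:
        return []
    principal = payload.get("authenticationInfo", {}).get("principalEmail", "")
    target = payload.get("resourceName", "").rsplit("/", 1)[-1]
    reasons = []
    if target.endswith(DEFAULT_COMPUTE_SUFFIX):
        reasons.append("key created for a default Compute Engine service account")
    if principal and principal == target:
        reasons.append("service account created a key for itself")
    if principal.endswith(DEFAULT_COMPUTE_SUFFIX):
        reasons.append("caller is a compute identity (possible metadata token misuse)")
    return reasons


def scan(lines: List[str]) -> List[Dict]:
    """Parse JSON log lines and collect findings for suspicious key creations."""
    findings = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed export line; skip rather than abort the scan
        reasons = analyze_entry(entry)
        if not reasons:
            continue
        payload = entry["protoPayload"]
        findings.append({
            "timestamp": entry.get("timestamp"),
            "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
            "target": payload.get("resourceName", "").rsplit("/", 1)[-1],
            "caller_ip": payload.get("requestMetadata", {}).get("callerIp"),
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG_LINES):
        print(json.dumps(finding, indent=2))
```

Every CreateServiceAccountKey event deserves review; these rules only rank the variant used here first. Where user-managed keys are not needed at all, the organization policy constraint constraints/iam.disableServiceAccountKeyCreation removes this step entirely, and keeping instances on the default scope set means a token read from the metadata server cannot reach the IAM API to begin with.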

Listing targeted.delegated@mackinsoncloud.com user Gmail email using gmailDumper module from Delegate

Targeted user Gmail/Drive

A brief look at the Workspace user in question (targeted.delegated@mackinsoncloud.com) confirms that the Gmail emails, as well as the Drive documents and folders associated with this user, match the dump and the email retrieved by the Delegate tool.

Targeted user Gmail Inbox
Targeted user Drive documents and folders

Introducing Delegate tool

Delegate is a Python script created to abuse Domain Wide Delegation with ease using Gmail and Drive available APIs.

Delegate tool

This Python tool allows an attacker to use a service account key (JSON format) to perform Domain Wide Delegation and abuse Gmail and Drive access, carrying out the following actions against a Google Workspace user.

GMAIL

  • List emails within the primary mail box
  • List folders (Labels in Gmail)
  • List Emails in folders
  • Read emails from the primary mail box or any folders (Labels) created by the user
  • Download all attachments from all emails
  • Send email as the impersonated user to perform further spear phishing attacks
Listing targeted.delegated@mackinsoncloud.com user Gmail email using gmailDumper module from Delegate

DRIVE

  • List files and folders within the user's Drive
  • Download files or entire folders locally
  • Upload files to the root folder or any other folder
  • Modify permissions on a file/folder
Sharing secrets.txt file from targeted.delegated@mackinsoncloud.com user Drive folder to an arbitrary external account

The tool and full details can be found in the following GitHub repository.


Clément CRUCHET

Team Lead Offensive Security @Bell STIRT AKA: lutzenfried