How I got $6000 from #Google
Hey all,
A few months back I found a command injection bug in Google Cloud Shell.
Since the title says “command injection”, you might be expecting the usual server-side command injection that affects servers, but this vulnerability is quite different.
Put another way, it is a “client-side command injection”.
For background on Google Cloud Shell, see “Google Cloud Shell”.
Let's get into the finding.
While I was testing “console.cloud.google.com”, there was one URL with this pattern:
https://console.cloud.google.com/home/dashboard?project="name of the project”
Ok, that's cool :v
Tested for IDOR,
Crafted the URL as
https://console.cloud.google.com/home/dashboard?project="Random project name”
https://console.cloud.google.com/home/dashboard?project=project-1 (not vulnerable to IDOR)
But the project name was reflected in Cloud Shell.
So I tested for XSS,
Crafted the URL as
https://console.cloud.google.com/home/dashboard?project="XSS vector” (not vulnerable to XSS)
On activating Cloud Shell, “there was some syntax error”.
Now my creepy mind came up with the idea :P of using a delimiter,
Crafted the URL as,
There was no syntax error, and Cloud Shell was created successfully!
Now the exploit part,
In Linux we can chain commands in various ways; one way is the semicolon operator.
E.g.: apt-get update; apt-get upgrade
Once again ->
The above URL created Cloud Shell and pinged google.com.
That worked perfectly.
Ok, it's self-execution: it only got executed in my own Cloud Shell. Now I was clear: “I can inject commands which affect my own VM but not Google servers”.
To make this an exploitable issue, I came up with these ideas:
Crashing the victim's VM:
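As an added illustration (not code from the original post or from Google), here is the unsafe pattern this bug boils down to next to a hardened version: a URL parameter spliced verbatim into a shell command line, versus checking the project ID against its documented format and passing it as one argv element so no shell ever parses it. The `gcloud config set project` command is an assumption about how such a parameter might be consumed, not the real Cloud Shell implementation.

```python
import re
import shlex
from typing import List

# Google Cloud project IDs are 6-30 characters of lowercase letters, digits and
# hyphens, starting with a letter and not ending with a hyphen. The regex is our
# own encoding of that documented format.
PROJECT_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")


def naive_shell_line(project: str) -> str:
    """Unsafe pattern: the ?project= value is spliced verbatim into a shell
    command string. The command itself is assumed for illustration."""
    return f"gcloud config set project {project}"


def command_count(line: str) -> int:
    """Tokenise a shell line the way a POSIX shell would and count how many
    separate commands it contains; each separator (;, &&, ||, |) starts a new one."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    separators = {";", "&&", "||", "|"}
    return 1 + sum(1 for tok in lexer if tok in separators)


def is_valid_project_id(project: str) -> bool:
    """Allow-list check: anything outside the documented character set is
    rejected, so shell metacharacters never reach a command at all."""
    return PROJECT_ID_RE.fullmatch(project) is not None


def safe_argv(project: str) -> List[str]:
    """Hardened version: validate first, then build an argv list suitable for
    subprocess.run(argv) without shell=True, so the value is always one argument."""
    if not is_valid_project_id(project):
        raise ValueError(f"rejected project id: {project!r}")
    return ["gcloud", "config", "set", "project", project]


if __name__ == "__main__":
    # Constructed sample inputs: a normal project name and a delimiter-bearing one.
    for value in ["project-1", ";ping google.com"]:
        print(f"{value!r}: {command_count(naive_shell_line(value))} command(s) "
              f"in the naive form, valid id = {is_valid_project_id(value)}")
```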
https://console.cloud.google.com/home/dashboard?project=;sudo cp /dev/zero /dev/mem
Once the victim accesses the above URL and clicks “Activate Cloud Shell”, his/her VM crashes.
Deleting files (this one had more impact than the previous command):
This will delete the victim's root directory, which also deletes App Engine files!
According to my research, once the victim accesses the crafted URL, the victim must click “Activate Cloud Shell” in order to make the attack successful!
But the Google Security Team tested and found that no (click) user interaction is needed to make the attack successful.
Now the issue has been patched; I was rewarded $6000 for my finding,
and the Google Security Team also featured this vulnerability at #Nullcon.
Thanks to #Google Security Team :)
For the rest of Google's presentation slides, see “Secrets Of Google VRP”.