One Port to Serve Them All - Google GCP Cloud Shell Abuse
0 likes165 views
The document discusses vulnerabilities associated with Google Cloud Shell, specifically its potential for unauthorized access and the associated risks like malware distribution and data exfiltration. It details the exploitation methods, impacts of abuse, and offers suggestions for mitigation such as multi-factor authentication and access controls. The timeline of the disclosure process to Google and references for further reading are also included.
One Port to Serve Them All - Google GCP Cloud Shell Abuse
- 1. 1 Netskope
- 2. Agenda 2 • Cloud Shell in a glimpse • Recon • The Abuse • Impact • Mitigation
- 3. What’s a Cloud Shell ? 3 • A web-based CLI terminal window • Preloaded with utilities such as gcloud, gsutil or other CSP-specific command-line tools • A developer-ready environment • Few Gigs of persistent disk storage (Session Life: 40 mins - 12 hrs)
- 4. Recon - Nmap (public IP v. private IP) 4 -------------- Public IP -------------- 22/tcp open ssh OpenSSH 9.6 (protocol 2.0) 6000/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0) -------------- Private IP ------------- 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0) 900/tcp open http BaseHTTPServer 0.6 (Python 3.9.2) 922/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0) 970/tcp open unknown 980/tcp open ssl/unknown 981/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API) 3000/tcp open ppp?
- 5. Path to Exposed Service 5
- 6. Web Preview in GCP Cloud Shell 6 • https://8080-cs-xxxxxx-default.cs-asia-east1-jnrc.cloudshell.dev ⎻ HTTPS frendend to the HTTP backend ⎻ Not public accessible (auth needed)
- 8. Simplified Path to Exposed Services 8
- 9. 9 The Abuse
- 10. Port Redirection 10 cidr_ssh="A.B.C.D/32" cidr_socks="A.B.C.0/28" cidr_web="0.0.0.0/0" iptables -t nat -I PREROUTING -p tcp -s $cidr_web --dport 922 -j REDIRECT --to-port 8080 iptables -t nat -I PREROUTING -p tcp -s $cidr_socks --dport 922 -j REDIRECT --to-port 1080 iptables -t nat -I PREROUTING -p tcp -s $cidr_ssh --dport 922 -j REDIRECT --to-port 22 • NAT table’s PREROUTING chain • First match wins ⎻ Insert to the top https://www.frozentux.net/iptables-tutorial/chunkyhtml/c962.html
- 13. IAP Auth Bypass (cont.) 13 • Official URL (auth required) ⎻ https://8080-cs-xxxxx-default.cs-asia-east1-vger.cloud shell.dev • New URL (public access, over port 6000) ⎻ http://x.x.x.x.bc.googleusercontent.com:6000 ⎻ https://your.dns.domain:6000
- 15. Impact 15 • Web Preview auth bypass ⎻ Public access without Google authentication ⎻ Malware distribution ⎻ Data exfiltration
- 16. Impact 16 • Web Preview auth bypass ⎻ Public access without Google authentication ⎻ Malware distribution ⎻ Data exfiltration • Direct cloud shell access ⎻ By appending extra ssh pubkey to /etc/ssh/keys/authorized_keys
- 17. Impact 17 • Web Preview auth bypass ⎻ Public access without Google authentication ⎻ Malware distribution ⎻ Data exfiltration • Direct cloud shell access ⎻ By appending extra ssh pubkey to /etc/ssh/keys/authorized_keys • (Malicious) traffic pivoting through the Google network ⎻ Access restriction bypass ⎻ Indirect access to C2 server infrastructure
- 18. Mitigation 18 1. MFA hardening: a. TOTP (phishable!) b. Hardware security keys (✔)
- 19. Mitigation 19 1. MFA hardening: a. TOTP (phishable!) b. Hardware security keys (✔) 2. Cloud Shell access control (at Org or OU levels)
- 20. Mitigation 20 1. MFA hardening: a. TOTP (phishable!) b. Hardware security keys (✔) 2. Cloud Shell access control (at Org or OU levels) 3. More restricted access to current exposed open ports 22/tcp open ssh OpenSSH 9.6 (protocol 2.0) 6000/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
- 21. Mitigation 21 1. MFA hardening: a. TOTP (phishable!) b. Hardware security keys (✔) 2. Cloud Shell access control (at Org or OU levels) 3. More restricted access to current exposed open ports 4. Principle of least privilege a. IAM Policy Analyzer b. IAM Recommender
- 22. Disclosure Timeline 22 • Apr. 23 - Disclosed abuse methodology to Google VRP ⎻ Possible disclosure date set to Aug 8 (~ 110 days) • June 21 - Ticket severity changed from S4 to S2 • July 19 - Bar of financial award not met. Will decide if a fix is required
- 24. References 24 • https://cloud.google.com/shell • https://cloud.google.com/shell/docs/how-cloud-shell-works • https://cloud.google.com/shell/docs/resetting-cloud-shell • https://cloud.google.com/storage/docs/gcsfuse-quickstart-mount-bucket • https://cloud.google.com/policy-intelligence/docs/role-recommendations-overview • http://www.faqs.org/docs/iptables/targets.html#REDIRECTTARGET • https://www.inet.no/dante/doc/1.4.x/config/server.html