Six payouts issued for bugs uncovered in Theia, Vertex AI, Compute Engine, and Cloud Workstations

Vulnerabilities in four Google Cloud Platform (GCP) projects have earned a pair of security researchers more than $22,000 in bug bounties.

The most lucrative project for hacker duo Sreeram KL and Sivanesh Ashok was machine learning training and deployment platform Vertex AI, which netted them a pair of $5,000 payouts for a server-side request forgery (SSRF) bug and subsequent patch bypass.

Documented in a blog post by Sreeram, the flaw resided in Vertex AI’s workbench feature, which enables the creation of Jupyter notebook-based development environments on the cloud.

By abusing the SSRF vulnerability and duping victims into clicking a malicious URL, attackers could potentially seize control of an authorization token and thereafter all of the victim’s GCP projects, as demonstrated in the video below.



SSRF bug

When the researchers found a URL that seemed to offer scope for SSRF, “requesting the original URL resulted in a response that looked like the output of an authenticated request sent to compute.googleapis.com,” said Sreeram. “From previous experience, I know these endpoints use the authorization header for credentials.”

Fuzzing surfaced a URL – https://{INSTANCE-ID}-dot-us-central1.notebooks.googleusercontent.com/aipn/v2/proxy/{attacker.com}/compute.googleapis.com/ – that bypassed this check, said Sreeram. “Furthermore, the vulnerable endpoint was a GET request with no CSRF protection (pretty common),” said Sreeram.


YOU MIGHT ALSO LIKE US government announces third Hack The Pentagon challenge


As for finding attack targets, a victim’s subdomain is readily ascertained because subdomains are leaked to several third-party domains, such as github.com, “via referer in the general application flow”.

Google addressed the issue by adding cross-site request forgery (CSRF) protection to the GET endpoints and improving verification of the domain.

Patch bypass

After the fix was rolled out, however, Sreeram and Ashok noticed that changing compute.googleapis.com to something.google.com failed to trigger an error as it had previously.

Circumventing the fix therefore needed an open redirection in *.google.com, they surmised.

With JavaScript-based redirections not an option – since the server didn’t parse the language – they turned to Google web feed management service FeedBurner. The researchers found that when the user deactivates the proxy, the service will redirect URLs to their domain rather than proxying their RSS feed.

The exploit concluded with a CSRF bypass that leveraged a technique developed in 2020 by ‘@s1r1us’ targeting Jupyter Lab.

The second fix involved ending support for *.google.com as a proxy URL.

“While finding this issue, we gained insight into the workings of managed GCP products, which helped us find other bugs in GCP,” Sreeram told The Daily Swig.



Theia, Compute Engine, Workstations bugs

This included exploiting the workbench feature again in Theia, the integrated development environment (IDE) Google uses in Cloud Shell, as disclosed in a separate blog post published by Sreeram.

Because user-managed instances used the project’s default compute engine service account, the research duo were able to compromise the entire project by exploiting a known XSS vulnerability (CVE-2021-41038) to fetch the service account token from the metadata server. This earned the pair a further $3133.70 bounty.


Catch up with the latest bug bounty news


The first security flaw they found in GCP, as documented by Ashok, was an SSH key injection issue in Google Cloud’s Compute Engine.

Generating a $5,000 windfall with a $1,000 bounty bonus, the vulnerability resided in the SSH-in-browser function and could lead to remote code execution (RCE) in a victim’s Compute Engine instance (as demonstrated in the proof-of-concept video above).

The researchers also earned a further $3,133.70 for an authorization bypass in Cloud Workstations, which provides fully managed development environments for security-sensitive enterprises. Ashok outlined this find in a fourth blog post.

The pair earned a total of $22,267 from six separate bug bounty payouts.

The Daily Swig has invited Google to comment on these vulnerabilities but no response yet. We’ll update the article should that change.


DON’T FORGET TO READ Squaring the CircleCI: DevOps platform publishes post-mortem on recent breach