Six winning write-ups ranged from identity management issues and privilege escalation to ‘full blown RCE’

Google awards Uruguayan security researcher $133,337 top prize in cloud security competition

A security researcher who discovered and exploited a remote code execution (RCE) vulnerability in Google Cloud Deployment Manager has been crowned overall winner of Google’s GCP VRP Prize 2020.

Using an internal version of the Google Cloud Platform (GCP) service, Uruguayan researcher Ezequiel Pereira managed to issue requests to internal endpoints via Google’s global software load balancer, as set out in the technical write-up that clinched the top prize.

The discovery earned the bug hunter a Leet-inspired $133,337 in prize money, as well as a $31,337 bug bounty award under Google’s Vulnerability Reward Program (VRP).

This was a significant increase on the $100,000 prize handed out for the inaugural Google cloud security competition, launched in 2019 to bolster the security of the myriad GCP services used to build Google products.

Whereas 2019 had a single victor, Google also awarded cash prizes, on a sliding scale, for the next five most compelling submissions.

‘King of GCP bug hunting’

Pereira said he was “surprised” at the news.

“I think each one of the winning write-ups is an amazing showcase of Google Cloud security research, which other researchers may later base [their own research] on, and I hope to see more amazing write-ups come out in 2021,” he told The Daily Swig.

“I do not yet have any plans for probing GCP or any other platform in 2021, although I will focus on Facebook since I am going to work there as a security analyst for their Whitehat program.”

Pereira has always been “the true king of GCP bug hunting, and now he has been crowned by the Google VRP team,” Wouter ter Maat, the competition’s 2019 winner, told The Daily Swig. “Awesome and totally deserved!”

Popular infosec video channel LiveOverflow, meanwhile, has published an interview with the winner to coincide with the announcement:

Make it rain

Second place went to David Nechuta, who won $73,331 on top of a $31,000 bounty for a server-side request forgery (SSRF) bug in Google Cloud Monitoring.

In exploiting the flaw in the service’s uptime check, the researcher managed to expose “project-level” metadata including the public SSH key and project name, and “ instance-level” metadata like machine type and CPU platform.

The same cash prize was earned by third-placed research duo Dylan Ayrey and Allison Donovan for finding privilege escalation paths associated with default permissions in GCP services, and a write-up that – in contrast to their technically-focused Black Hat talk on the research – dissected the “political mechanics” and “trade-offs” involved in addressing vulnerabilities.

Read more of the latest cloud security news

In fourth place, Bastien Chatelard netted a $31,337 prize after capitalizing on shortcomings in Google Kubernetes Engine’s gVisor-based sandboxing feature to access the metadata API.

Finally, fifth and sixth place prizes of $1,001 and $1,000 were respectively won by Brad Geesaman for his ‘ContainerDrip’ research in which ctr/containerd was duped into leaking registry credentials, and Chris Moberly for achieving privilege escalation in GCP’s OS Login.

‘Wide variety of bug classes’

“2020 turned out to be an amazing year for the Google Vulnerability Reward Program,” said Google in a blog post published yesterday (March 17). “We received many high-quality vulnerability reports from our talented and prolific vulnerability researchers.”

Having read all of the winning write-ups, Wouter ter Maat noted an increase in standards and the number of submissions compared to 2019, when he claimed the sole prize courtesy of a quartet of Google Cloud Shell bugs.

“It is great to see that a wide variety of bug classes” among the winners, “ranging from IAM issues and privilege escalation to full blown RCE,” he said. “These winning articles could provide future GCP researchers with a great place to start their own research.”

Next year’s GCP prize will again see judges choose the six best write-ups of GCP vulnerabilities validated under the VRP, with prize monies also remaining the same.

The deadline for submissions is December 31.

DON’T FORGET TO READ H2C smuggling named top web hacking technique of 2020