Summary
A vulnerability was discovered in Cloud Shell that enabled command injection and remote shell access.
The "Open in Cloud Shell" functionality allowed a user to provide values for both the "git_repo" and "go_get_repo" parameters,
which would clone the target repo in the user's environment. While "git_repo" was validated against a list of trusted repos,
"go_get_repo" was not. Therefore, an attacker could have supplied a trusted repository as "git_repo" and
an arbitrary command in the "go_get_repo" parameter. The command would then be executed in a trusted environment where it is
possible to access the user's home directory and to perform API calls using the user's credentials. However, the impact of this is unclear,
as an attacker would seemingly only be able to gain such a remote shell on their own instance. In theory, phishing
could be used to try and coerce a user into running a command that exposed their credentials to the attacker.
Google mitigated this issue by preventing users from being able to provide both parameters at once.
Affected Services
Cloud Shell
Remediation
None required
Tracked CVEs
No tracked CVEs
References
Contributed by https://github.com/ramimac
Disclosure Date
-
Exploitablity Period
Until 2021/01/23
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
-
Discovered by
Ademar Nowasky Junior
