high

Google Cloud Shell XSS to RCE Vulnerability

Published Thu, Oct 1st, 2020

Platforms

Summary

A vulnerability in Google Cloud Shell allowed escalation from XSS to full instance takeover as root. The attack exploited an XSS in the markdown preview functionality to read sensitive files, obtain the instance's private key and hostname, and gain SSH access as root. The issue affected the Eclipse Theia-based editor used in Cloud Shell.

Affected Services

Cloud Shell

Remediation

None required. The vulnerability was fixed by Google.

Tracked CVEs

No tracked CVEs

References

https://omespino.com/write-up-google-bug-bounty-xss-to-cloud-shell-instance-takeover-rce-as-root-5000-usd/

Contributed by https://github.com/korniko98

Entry Status

Stub (AI-Generated)

Disclosure Date

Thu, Feb 6th, 2020

Exploitablity Period

Until 2020/03/18

Known ITW Exploitation

Detection Methods

Monitor for unexpected SSH access to Cloud Shell instances, especially from external IP addresses. Review Cloud Shell access logs for anomalous activity.

Piercing Index Rating

Discovered by

Omar Espino

More vulnerabilities...

low

S3 bucket tagging not restricted

Lack of the privilege s3:PutBucketTagging did not restrict the ability to tag S3 buckets.

Ian Mckay

Mon, Sep 28th, 2020

low

Encryption SDK vulnerabilities

AWS KMS and all versions of AWS Encryption SDKs prior to version 2.0.0 were susceptible to information leakage (an attacker could create ciphertexts that would leak the user’s AWS account ID, encry...

Thai Duong (thaidn), Google

Mon, Sep 28th, 2020

low

CloudFormer review

An audit of an AWS open-source project identified a great deal of issues, and as a result AWS made the decision to take it down.

Karim El-Melhaoui, O3 Cyber

Fri, Sep 25th, 2020

View all