From 4f1dba2a8a8fee44c3608cdda3b3a5d6f68c5e96 Mon Sep 17 00:00:00 2001
From: Rami McCarthy
Date: Sun, 24 Sep 2023 12:31:15 -0400
Subject: [PATCH 1/3] Closes #236: Open in Cloud Shell injection
---
 ...-cloudshell-open-in-command-injection.yaml | 34 +++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 vulnerabilities/gcp-cloudshell-open-in-command-injection.yaml
diff --git a/vulnerabilities/gcp-cloudshell-open-in-command-injection.yaml b/vulnerabilities/gcp-cloudshell-open-in-command-injection.yaml
new file mode 100644
index 0000000..495c896
--- /dev/null
+++ b/vulnerabilities/gcp-cloudshell-open-in-command-injection.yaml
@@ -0,0 +1,34 @@
+title: "Open In" Google Cloud Shell command injection
+slug: gcp-cloudshell-open-in-command-injection
+cves: null
+affectedPlatforms:
+- GCP
+affectedServices:
+- Google Cloud Shell
+image: https://raw.githubusercontent.com/wiz-sec/open-cvdb/main/images/gcp-cloudshell-command-injection.jpg
+severity: Medium
+discoveredBy:
+ name: Ademar Nowasky Junior
+ org: null
+ domain: null
+ twitter: nowaskyjr
+publishedAt: 2022/12
+disclosedAt: 2022/01
+exploitabilityPeriod: null
+knownITWExploitation: false
+summary: |
+ A vulnerability was discovered in Cloud Shell that enabled command injection and remote shell access.
+ The "Open in Cloud Shell" functionality allowed a user to provide both the "git_repo" and "go_get_repo" parameters.
+ In that case, an attacker could have supplied a "trusted" repository as "git_repo" and
+ an arbitrary command in the "go_get_repo" parameter. The command would then be executed in
+ a trusted environment where it is possible to access the user's home directory and
+ to perform API calls using the users credentials. However, the impact of this is unclear,
+ as an attacker would seemingly only be able to gain such a remote shell on their own instance. Phishing
+ could be used to try and coerce a user into running a command that exposed their credentials to the
+ attacker.
+manualRemediation: |
+ None required
+detectionMethods: null
+contributor: https://github.com/ramimac
+references:
+- https://docs.google.com/document/d/1-TTCS6fS6kvFUkoJmX4Udr-czQ79lSUVXiWsiAED_bs
From 2146b010523db4282eba05bbaa20e4617e3e97c1 Mon Sep 17 00:00:00 2001
From: Rami McCarthy
Date: Sun, 24 Sep 2023 12:32:37 -0400
Subject: [PATCH 2/3] fix image
---
 vulnerabilities/gcp-cloudshell-open-in-command-injection.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vulnerabilities/gcp-cloudshell-open-in-command-injection.yaml b/vulnerabilities/gcp-cloudshell-open-in-command-injection.yaml
index 495c896..6fe8d97 100644
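Review bot: The first added line, `title: "Open In" Google Cloud Shell command injection`, is not valid YAML as shown: a value that opens with `"` is read as a double-quoted scalar, so the parser takes `"Open In"` as the complete value and then fails on the trailing ` Google Cloud Shell command injection`, which means the whole record will not load. Wrap the value in single quotes so the inner double quotes are literal, `title: '"Open In" Google Cloud Shell command injection'`. The two later patches in this series change other fields and leave this line as is. If the rendering of this page dropped an outer pair of quotes this does not apply, but nothing on the line suggests that.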
--- a/vulnerabilities/gcp-cloudshell-open-in-command-injection.yaml
+++ b/vulnerabilities/gcp-cloudshell-open-in-command-injection.yaml
@@ -5,7 +5,7 @@ affectedPlatforms:
 - GCP
 affectedServices:
 - Google Cloud Shell
-image: https://raw.githubusercontent.com/wiz-sec/open-cvdb/main/images/gcp-cloudshell-command-injection.jpg
+image: https://images.unsplash.com/photo-1541427914209-ef891bee99fd?ixlib=rb-4.0.3&ixid=M3wxMjA3fDB8MHxwaG90by1wYWdlfHx8fGVufDB8fHx8fA%3D%3D&auto=format&fit=crop&w=3174&q=80
 severity: Medium
 discoveredBy:
 name: Ademar Nowasky Junior
From ba5b3ef02cbbc5f68e1cca7acd4af2468e5b89a5 Mon Sep 17 00:00:00 2001
From: Amitai Cohen <71866656+korniko98@users.noreply.github.com>
Date: Tue, 26 Dec 2023 13:57:11 +0200
Subject: [PATCH 3/3] Update gcp-cloudshell-open-in-command-injection.yaml
---
 ...-cloudshell-open-in-command-injection.yaml | 22 +++++++++----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/vulnerabilities/gcp-cloudshell-open-in-command-injection.yaml b/vulnerabilities/gcp-cloudshell-open-in-command-injection.yaml
index 6fe8d97..723ddb8 100644
--- a/vulnerabilities/gcp-cloudshell-open-in-command-injection.yaml
+++ b/vulnerabilities/gcp-cloudshell-open-in-command-injection.yaml
@@ -12,20 +12,20 @@ discoveredBy:
 org: null
 domain: null
 twitter: nowaskyjr
-publishedAt: 2022/12
-disclosedAt: 2022/01
-exploitabilityPeriod: null
+publishedAt: 2021/12/28
+disclosedAt: null
+exploitabilityPeriod: Until 2021/01/23
 knownITWExploitation: false
 summary: |
 A vulnerability was discovered in Cloud Shell that enabled command injection and remote shell access.
- The "Open in Cloud Shell" functionality allowed a user to provide both the "git_repo" and "go_get_repo" parameters.
- In that case, an attacker could have supplied a "trusted" repository as "git_repo" and
- an arbitrary command in the "go_get_repo" parameter. The command would then be executed in
- a trusted environment where it is possible to access the user's home directory and
- to perform API calls using the users credentials. However, the impact of this is unclear,
- as an attacker would seemingly only be able to gain such a remote shell on their own instance. Phishing
- could be used to try and coerce a user into running a command that exposed their credentials to the
- attacker.
+ The "Open in Cloud Shell" functionality allowed a user to provide values for both the "git_repo" and "go_get_repo" parameters,
+ which would clone the target repo in the user's environment. While "git_repo" was validated against a list of trusted repos,
+ "go_get_repo" was not. Therefore, an attacker could have supplied a trusted repository as "git_repo" and
+ an arbitrary command in the "go_get_repo" parameter. The command would then be executed in a trusted environment where it is
+ possible to access the user's home directory and to perform API calls using the user's credentials. However, the impact of this is unclear,
+ as an attacker would seemingly only be able to gain such a remote shell on their own instance. In theory, phishing
+ could be used to try and coerce a user into running a command that exposed their credentials to the attacker.
+ Google mitigated this issue by preventing users from being able to provide both parameters at once.
 manualRemediation: |
 None required
 detectionMethods: null
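Review bot: The new date lines are mutually inconsistent: `exploitabilityPeriod: Until 2021/01/23` ends eleven months before `publishedAt: 2021/12/28`, so the record now says the issue stopped being exploitable almost a year before the write-up appeared. The removed line `disclosedAt: 2022/01` suggests the fix landed in January 2022, in which case the year is a typo and the line should read `exploitabilityPeriod: Until 2022/01/23`; if the earlier date is genuinely correct, the summary should say the publication came long after the fix. Either way the three dates should be reconciled against the linked reference before merging, and `disclosedAt: null` should probably keep a value rather than drop the one the original record had.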