Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closes #236: Open in Cloud Shell injection #240

Merged
merged 3 commits into from
Dec 26, 2023
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
34 changes: 34 additions & 0 deletions vulnerabilities/gcp-cloudshell-open-in-command-injection.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
title: "Open In" Google Cloud Shell command injection
slug: gcp-cloudshell-open-in-command-injection
cves: null
affectedPlatforms:
- GCP
affectedServices:
- Google Cloud Shell
image: https://images.unsplash.com/photo-1541427914209-ef891bee99fd?ixlib=rb-4.0.3&ixid=M3wxMjA3fDB8MHxwaG90by1wYWdlfHx8fGVufDB8fHx8fA%3D%3D&auto=format&fit=crop&w=3174&q=80
severity: Medium
discoveredBy:
name: Ademar Nowasky Junior
org: null
domain: null
twitter: nowaskyjr
publishedAt: 2021/12/28
disclosedAt: null
exploitabilityPeriod: Until 2021/01/23
knownITWExploitation: false
summary: |
A vulnerability was discovered in Cloud Shell that enabled command injection and remote shell access.
The "Open in Cloud Shell" functionality allowed a user to provide values for both the "git_repo" and "go_get_repo" parameters,
which would clone the target repo in the user's environment. While "git_repo" was validated against a list of trusted repos,
"go_get_repo" was not. Therefore, an attacker could have supplied a trusted repository as "git_repo" and
an arbitrary command in the "go_get_repo" parameter. The command would then be executed in a trusted environment where it is
possible to access the user's home directory and to perform API calls using the user's credentials. However, the impact of this is unclear,
as an attacker would seemingly only be able to gain such a remote shell on their own instance. In theory, phishing
could be used to try and coerce a user into running a command that exposed their credentials to the attacker.
Google mitigated this issue by preventing users from being able to provide both parameters at once.
manualRemediation: |
None required
detectionMethods: null
contributor: https://github.com/ramimac
references:
- https://docs.google.com/document/d/1-TTCS6fS6kvFUkoJmX4Udr-czQ79lSUVXiWsiAED_bs
Loading