
One Port to Serve Them All — Google GCP Cloud Shell Abuse

BSides Las Vegas 2024 · 16:42 · 60 views · Published 2024-09
About this talk
GCP Cloud Shell exposes an unexpected public-facing port that can be abused via Linux Netfilter NAT manipulation to serve internal services (HTTP, SOCKS, SSH) externally. This technique bypasses the Identity-Aware Proxy protecting Cloud Shell's Web Preview feature, enabling data exfiltration, malicious content delivery, and pivot attacks through Google's network.
Common Ground, Wed, Aug 7, 16:30 - Wed, Aug 7, 16:50 CDT

The Cloud Shell feature from cloud service providers offers a convenient way to access resources within the cloud, significantly improving the user experience for both administrators and developers. However, even though the spawned instance has a short lifespan, granting excessive permissions could still pose security risks to users. This talk reveals an abuse methodology that leverages an unexpected, public-facing port in GCP Cloud Shell discovered during recon. Through manipulation in Linux Netfilter's NAT table, it serves various internally running services such as HTTP, SOCKS, and SSH within the Cloud Shell container to the public. This configuration could be exploited by adversaries to bypass the Google authentication needed in its Web Preview feature to leak data, to deliver malicious content, or to pivot attack traffic through the Google network.

Speaker: Hubert Lin
Transcript

Good afternoon everyone, my name is Hubert from Netskope Threat Labs. Today we're going to talk about an abuse methodology regarding the Google GCP Cloud Shell, so let's get started. Today's agenda is like this: first we'll have a quick glimpse of what a Cloud Shell is; once we have the Cloud Shell initiated, we'll have a quick nmap scan and look at what we found during our discovery process; and finally we'll talk about how we abuse the findings, the open port we found, what the impact is, as well as the mitigations that could be countermeasures in the future.

So what is a Cloud Shell? Cloud Shell is basically a web-based command line interface that can be used by end users to manage their cloud resources or even develop their small apps from the command line interface in their web shell. The Cloud Shell is also preloaded with a lot of utilities, especially those cloud-specific utilities from the different cloud service providers; for Google we have gcloud or gsutil pre-installed, so you don't have to worry about installing those tools. They also have programming languages pre-installed, so you can have your preferred programming language ready to do some development and test things out. And one of the best things is that there are a few gigabytes of persistent disk in your home directory, so once you have some development or some stuff you need to keep there, it will be persistent forever. For GCP I think we have about 5 GB of storage, and maybe 1 GB for AWS.

Once we have the Cloud Shell instance initiated, we ran a quick scan against its public IP as well as its private IP, and we found that there are two open ports public to the internet, 22 and 6000, and the result is quite inconsistent compared to what we found against the private IP. From the private IP we found that the only thing consistent between public and private is the OpenSSH version 8.9; that's the only consistency we found. By observing netstat as well as the tcpdump of the same packets from our external nmap scanner, we can draw a flow diagram like this, with port 6000 exposed to the internet, which maps to our internal Cloud Shell container's port 982, which will further redirect to port 22 that the SSH daemon is listening on.

Before we move on, let's take a look at another feature called Web Preview. Web Preview is another feature of the Cloud Shell, which is actually an HTTPS front end that points to your HTTP back end, so without the hassle of applying for an SSL certificate, the developer can just focus on their own app development running on the internal HTTP back end. The other thing to notice is that the Web Preview is not publicly accessible, so if you share the link above with someone else, they're not able to access it, and the Google authentication prompt will be displayed. Basically it's only accessible to the user that runs the Cloud Shell, or yourself.

So by adding what we found to the Web Preview, the diagram now could look like this: on the left-hand side, the authenticated user can access the internal HTTP service running on the Cloud Shell container through the Identity-Aware Proxy, or IAP, over the HTTPS channel. Let's take a look at how we can abuse it. From the diagram, something we can control is the blue area that's in the container, so for the traffic that comes in from external port 6000 and then through port 499, we can further control the packet flow through the firewall rules to abuse this feature.

On the right-hand side is the diagram of the Linux Netfilter, and we can control how packets flow to the internal service through the PREROUTING chain in the nat table. With one thing in mind, that in iptables the priority of the rules is first match wins, we keep in mind that we will insert different rules with the narrowest one first and the widest one last. So we could define three different CIDR blocks here, with the first one being the narrowest block and the last one matching all the IPv4 address space. After inserting these three rules, we could have a different packet flow path like this. After applying the firewall rules, users connecting from different CIDR blocks could have different service access, but all through the external port 6000.

From the last path, the bottom-line path here, we can find that by going through this path we could bypass the IAP proxy, which is the impact that can be abused. So compared with the original official URL paths that require Google authentication, we could now use a different URL that's publicly accessible over port 6000, and if we have DNS managed we can also make the scheme HTTPS as well, if we can apply for a TLS certificate in the future. Also note that since the FQDN ends with googleusercontent.com, it somehow gives us extra immunity over some security controls.


Regarding the impacts and mitigations, the first impact is the Web Preview bypass we mentioned earlier. By doing so we can expose or deliver stuff we want; for example, we could deliver malicious stuff as well as confidential stuff that's accessible through the Cloud Shell instance, to further expose your organizational data to the public, both through the Cloud Shell instance. The second one is, by adding an extra SSH key to the folder here, we can gain control of the Cloud Shell again through port 6000 without access to the web user interface. And through the SOCKS server we created earlier, we can also pivot traffic through the Google Cloud network, either to bypass certain restrictions or to create an interactive C2 channel to some kind of C2 service.

To further mitigate those findings, the first thing is MFA hardening. From Google's best practice, time-based one-time password is phishable, and from my previous red teaming exercises I confirmed that TOTP is truly phishable, so the best practice will be using a hardware-based security key. Second, we could review our access control of the Cloud Shell to see if a certain group of users really needs that access or not, and from the Google Admin console, not the Cloud console, we can define or control this access; for example, we could configure certain OUs like this one and then further disable access to the Cloud Shell. The third one is the public port we discovered. From my standpoint it's pretty unusual to discover two open ports to the public; from my understanding, the Cloud Shells on AWS or Azure don't have open ports discovered, so Google's been working on that. And last but not least is the principle of least privilege. It's always a good practice to further review if the IAM roles are overly granted or not, and Google also provides several tools such as Policy Analyzer or the Recommender. The Recommender will analyze your permission usage in the past 90 days and give you insights about whether certain permissions haven't been used in the past 90 days, so you can revoke them or even use a lower-privileged IAM role.

This is the disclosure timeline. I disclosed this abuse method to Google around late April, and it should be around more than 100 days now, but the current status is that they will decide if a fix is needed or not, and regarding a financial award, not meeting the bar. Yeah, it's not my point; in the first place I disclosed this as a methodology to abuse the Cloud Shell, not a vulnerability, so I think it's pretty fair. It's not a vulnerability even if we can bypass some authentication, but I think since we have real privilege, it's also possible to bypass that through a third-party proxy as well. So that's all from me.

Questions.

Q: Did you discover any indicators of compromise in the Google Cloud audit logs that might indicate this type of either compromise or attack happening?

A: I couldn't find anything from the Logs Explorer by abusing this. Yeah, I couldn't find relevant logs by abusing the Cloud Shell.

Q: Well, I was thinking, presumably when you made those port changes, wouldn't those logs show up? Maybe not the access, but at least the changes you made to change the port or to set up the redirect from the other side?

A: I couldn't find relevant logs from the console interface.

Host: Right, any other questions? All right, well, thank you Hubert for your talk today.

A: Thank you.
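The first-match-wins ordering of the nat PREROUTING chain that the talk describes, as an added audit example that is not code from the talk or from Netskope: it parses constructed `iptables -t nat -S PREROUTING`-style output, reports which internal service a connection from a given source would be DNAT'd to on the exposed port, and flags rules that are shadowed by an earlier, wider source block (the misordering the speaker warns about). The source addresses are RFC 5737 documentation ranges and the internal ports are assumed, not taken from the talk.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in the style of `iptables -t nat -S PREROUTING`.
# Sources are RFC 5737 documentation ranges; internal ports are assumed.
SAMPLE_RULES = """\
-P PREROUTING ACCEPT
-A PREROUTING -s 203.0.113.10/32 -p tcp -m tcp --dport 6000 -j DNAT --to-destination 127.0.0.1:22
-A PREROUTING -s 203.0.113.0/24 -p tcp -m tcp --dport 6000 -j DNAT --to-destination 127.0.0.1:1080
-A PREROUTING -p tcp -m tcp --dport 6000 -j DNAT --to-destination 127.0.0.1:8080
"""

# `-s` is optional: iptables -S omits it for an any-source (0.0.0.0/0) rule.
RULE_RE = re.compile(
    r"^-A PREROUTING(?: -s (?P<src>\S+))?.*?--dport (?P<dport>\d+)"
    r" -j DNAT --to-destination (?P<dst>\S+)$"
)


@dataclass
class DnatRule:
    src: ipaddress.IPv4Network
    dport: int
    to: str


def parse_rules(text: str) -> list[DnatRule]:
    """Parse DNAT rules in chain order; policy and non-DNAT lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            src = ipaddress.ip_network(m.group("src") or "0.0.0.0/0", strict=False)
            rules.append(DnatRule(src, int(m.group("dport")), m.group("dst")))
    return rules


def resolve(rules: list[DnatRule], src_ip: str, dport: int):
    """First match wins: return the --to-destination of the first rule hit."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.dport == dport and ip in r.src:
            return r.to
    return None


def shadowed(rules: list[DnatRule]) -> list[int]:
    """Indexes of rules that can never match: an earlier rule on the same
    port already covers their whole source block (wide block before narrow)."""
    return [i for i, r in enumerate(rules)
            if any(p.dport == r.dport and r.src.subnet_of(p.src) for p in rules[:i])]
```

Run `shadowed()` over a live chain dump to catch a misordered ruleset, and `resolve()` to see which internal listener an arbitrary internet source would reach through the exposed port.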