Wouter ter Maat received 100 thousand dollars, Google’s very first annual Cloud Platform bug-bounty prize, for finding a clever container escape and for his search for bugs.
Google also announced that it will be increasing the payouts for the annual Google Cloud Platform prizes in its Vulnerability Reward Program (VRP). It will offer prizes to the top six vulnerability reports in GCP products submitted in 2020, with a cash prize of up to 313,337 dollars. First place will win 313,337 dollars and sixth place will receive a thousand dollars. To be eligible, bug hunters will have to submit a public write-up with a word limit of 31,337 words.
Google Cloud Shell is an interactive shell environment for Google Cloud Platform. It is a Linux environment with a browser-based front end that lets administrators work with the various resources in Google Cloud Platform.
Ter Maat noticed several issues in Cloud Shell, both in the way it interacts with resources and in its authentication.
“When the Cloud Shell instance is done starting, a terminal window is presented to the user,” ter Maat wrote in his write-up published in December. “Noteworthy is the fact that the gcloud client is already authenticated. If an attacker is able to compromise your Cloud Shell, it can access all your GCP resources.”
After launching Cloud Shell, the researcher could connect to resources, and since very few processes were running, he examined the file system and was able to enter a container, escape it and access the full host. “I noticed that there were two Docker UNIX sockets available,” explained ter Maat. “One in ‘/run/docker.sock’, which is the default path for our Docker client running inside the Cloud Shell (Docker inside Docker); the second one in ‘/google/host/var/run/docker.sock.’”
“This second socket was revealed to be a host-based Docker socket, as indicated by its pathname. Anyone who can communicate with a host-based Docker socket can easily escape the container and gain root access on the host at the same time,” the researcher noted, adding that he could do so with just a quick script.
“After running it you will find that all containers inside the pod will automatically reboot. Now all containers run in privileged mode,” said ter Maat.
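A defender's check for the condition described above, added here as an example and not taken from ter Maat's write-up or from any Google tooling: it parses a container's /proc/self/mountinfo and reports Docker daemon sockets that were bind-mounted in from outside the container. The mount table below is constructed; the /google/host/var/run/docker.sock path is the one the article quotes.

```python
"""Audit a container's mount table for host Docker sockets bind-mounted in.
On a real system pass open("/proc/self/mountinfo").read() to parse_mountinfo()."""
import os
import stat

# Constructed mountinfo excerpt modelled on the two sockets in the write-up:
# /run/docker.sock belongs to the in-container daemon (a plain file on the
# container's own /run tmpfs, so it has no mount entry of its own), while the
# host socket arrives as a bind mount of the host's /var/run/docker.sock.
SAMPLE_MOUNTINFO = """\
490 470 0:120 / / rw,relatime - overlay overlay rw,lowerdir=/var/lib/docker/overlay2/l/EXAMPLE
513 490 0:45 / /run rw,nosuid,nodev - tmpfs tmpfs rw,size=65536k
512 490 8:1 /var/run/docker.sock /google/host/var/run/docker.sock rw,relatime - ext4 /dev/sda1 rw
514 490 0:46 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
"""


def parse_mountinfo(text):
    """Return (source_root, mount_point, fstype) tuples from mountinfo text.
    Format: <id> <parent> <maj:min> <root> <mount point> <opts> [optional...]
    - <fstype> <source> <super opts>. Spaces in paths are escaped as \\040."""
    entries = []
    for line in text.splitlines():
        pre, sep, post = line.partition(" - ")
        pre_fields, post_fields = pre.split(), post.split()
        if not sep or len(pre_fields) < 6 or len(post_fields) < 2:
            continue  # blank or malformed line
        root = pre_fields[3].replace("\\040", " ")
        mount_point = pre_fields[4].replace("\\040", " ")
        entries.append((root, mount_point, post_fields[0]))
    return entries


def find_exposed_docker_sockets(entries):
    """Mount points whose source or target is a docker.sock: a daemon reached
    through such a socket controls the containers on *its* side of the mount."""
    return [mp for root, mp, _ in entries
            if "docker.sock" in {os.path.basename(root), os.path.basename(mp)}]


def is_live_socket(path):
    """True only when path exists and is a UNIX socket (False for the sample)."""
    try:
        return stat.S_ISSOCK(os.stat(path).st_mode)
    except OSError:
        return False


if __name__ == "__main__":
    for sock in find_exposed_docker_sockets(parse_mountinfo(SAMPLE_MOUNTINFO)):
        print(f"host Docker socket exposed at {sock} (live: {is_live_socket(sock)})")
```

A bind mount of a whole directory such as /var/run would not match by name alone; extend the check by walking such mount points for socket files if your environment mounts directories rather than the socket itself.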
Researchers say that if malicious actors gain control of privileged containers, the possibilities for abuse are seemingly endless: they can inspect the software running there and exploit its vulnerabilities, rewrite code, run coin miners that are effectively hidden, and much more.