Google recently patched a privilege escalation vulnerability in OS Config, a Google Cloud Platform Compute Engine service designed for managing the operating systems running on virtual machine instances.
Security researcher Imre Rad analysed the service, which he says is still in beta, and noticed that its agent process, google_osconfig_agent, runs by default with root privileges.
Google says the OS Config service's API and agent enable users to perform various tasks across a group of VM instances, including applying patches, gathering and reviewing OS information, and installing, removing and updating software packages.
Tasks executed via OS Config, according to Rad, are called recipes, and one supported recipe type executes a shell script. When the agent processed this type of recipe, it temporarily saved the files under /tmp/osconfig_software_recipes before executing them. This made it possible for a low-privileged attacker with access to this folder to substitute their own malicious files for the ones stored there, resulting in those files being executed with root privileges.
To exploit the vulnerability, the attacker needed access to the targeted system: either a low-privileged shell on the affected VM or control of a compromised network service running on it. One additional condition also had to be met: the attacker needed control over the folder storing recipes, which, Rad said, was only possible if no recipes had yet been processed in the current session. This requirement made exploitation harder.
Rad said via email: “A practical privilege escalation exploit is something you just execute and it raises your privileges in a few seconds. This one relies on some external events through a service that is not yet advertised for production, a new recipe to be deployed via osconfig. In the real world, I think it would be rare for exploitable systems to be seen.”
Nevertheless, Google considered this an interesting finding and, while the probability of exploitation was low, the technology giant apparently agreed that storing recipes in a predictable location was not a good security practice.
Google was informed about the vulnerability on August 7, and a patch was rolled out on September 5; the company described the finding as a “nice catch.” The problem was addressed by using a random temporary directory instead of a predictable one. Rad pointed out that users will need to upgrade their OS package to avoid potential attacks exploiting this vulnerability.
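The contrast between the predictable staging directory described above and the random-directory fix, shown as an added example in Go (the language the agent is written in). This is illustrative code written for this article, not the OS Config agent's own source; the function names, the `osconfig-recipe-` prefix and the extra symlink/permission checks are my additions.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// Illustrative only; the agent's real code is not reproduced. The vulnerable
// pattern staged scripts at a fixed path (/tmp/osconfig_software_recipes),
// so whoever created that directory first decided what root later ran.

// stageRecipeSafe is the mitigation: a fresh random 0700 dir, checked before use.
func stageRecipeSafe(script []byte) (string, error) {
	dir, err := os.MkdirTemp("", "osconfig-recipe-")
	if err != nil {
		return "", err
	}
	if err := checkStageDir(dir); err != nil {
		os.RemoveAll(dir)
		return "", err
	}
	p := filepath.Join(dir, "recipe.sh")
	return p, os.WriteFile(p, script, 0o700)
}

// checkStageDir rejects a symlink, a non-directory, or a directory
// that anyone other than its owner can read or write.
func checkStageDir(dir string) error {
	fi, err := os.Lstat(dir)
	if err != nil {
		return err
	}
	if fi.Mode()&os.ModeSymlink != 0 || !fi.IsDir() {
		return errors.New("staging path is a symlink or not a directory")
	}
	if perm := fi.Mode().Perm(); perm&0o077 != 0 {
		return fmt.Errorf("staging dir %s is accessible by others (%#o)", dir, perm)
	}
	return nil
}

func main() {
	p, err := stageRecipeSafe([]byte("#!/bin/sh\necho staged\n"))
	if err == nil {
		defer os.RemoveAll(filepath.Dir(p))
	}
	fmt.Println(p, err)
}
```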
Rad has made available technical details on how the vulnerability could have been exploited, along with a proof-of-concept (PoC) exploit. The researcher does not want to reveal the exact bug bounty he received from Google for his findings, but he said it is in the range of thousands of dollars.
Rad noted that Microsoft, although it does not have a research grant programme as Google does, offers a much higher reward for similar privilege escalation vulnerabilities.