Google recently patched a privilege escalation vulnerability in OS Config, a Google Cloud Platform service for Compute Engine that is designed for managing operating systems running on virtual machine instances.
Security researcher Imre Rad analyzed the service, which he says is still in beta. He noticed that the agent process associated with the service, google_osconfig_agent, is running by default, with root privileges.
Google says the OS Config service API and agent allow users to perform various tasks across a group of VM instances, including applying patches, collecting and reviewing OS information, and installing, removing and updating software packages.
According to Rad, tasks executed via OS Config are called recipes, and one type of recipe that is supported executes a shell script. When the agent processed this type of recipe, it temporarily saved files in /tmp/osconfig_software_recipes before executing them. This enabled a low-privileged attacker with access to this folder to replace the files stored in this location with their own, malicious files, leading to those files getting executed with root privileges.
Exploitation of the vulnerability required access to the targeted system: either having a low-privileged shell on the affected VM or control over a compromised network service. However, one additional condition needed to be met for the attack to work: the hacker needed to have control over the folder storing recipes, which, Rad said, was only possible if no recipes were processed in the current session. This requirement made exploitation more difficult.
“A practical privilege escalation exploit is something you just execute and it elevates your privileges in a few seconds,” Rad told SecurityWeek via email. “This one depends on some external events — a new recipe to be deployed via osconfig — via a service that is not yet promoted to be production yet. I think it would be rare to see exploitable systems in the real world.”
Nevertheless, Google thought this was an interesting finding and while the likelihood of exploitation was low, the tech giant apparently agreed that using a predictable location to store recipes was not a good security practice.
Google was informed about the vulnerability, which the company described as a “nice catch,” on August 7 and a patch was rolled out on September 5. The issue was addressed by using a random temporary directory instead of a predictable one. Rad pointed out that users will need to upgrade their OS package in order to prevent potential attacks exploiting this vulnerability.
Rad has made available technical details on how the vulnerability could have been exploited and a proof-of-concept (PoC) exploit. The researcher does not want to disclose the exact bug bounty he has received from Google for his findings, but he told SecurityWeek that it’s in the thousands of dollars range.
Rad noted that Microsoft is offering a much higher reward for similar elevation of privilege vulnerabilities, although it does not have a research grant program, like Google does.