Google recently patched a privilege escalation vulnerability in OS Config, a Google Cloud Platform service for Compute Engine that is designed for managing operating systems running on virtual machine instances.
Security researcher Imre Rad analyzed the service, which he says is still in beta. He noticed that the agent process associated with the service, google_osconfig_agent, runs by default with root privileges.
Google says the OS Config service API and agent allow users to perform various tasks across a group of VM instances, including applying patches, collecting and reviewing OS information, and installing, removing and updating software packages.
According to Rad, tasks executed via OS Config are called recipes, and one supported type of recipe executes a shell script. When the agent processed this type of recipe, it temporarily saved files in /tmp/osconfig_software_recipes before executing them. A low-privileged attacker with access to this folder could replace the files stored there with their own malicious files, which would then be executed with root privileges.
Exploitation of the vulnerability required access to the targeted system: either having a low-privileged shell on the affected VM or control over a compromised network service. However, one additional condition needed to be met for the attack to work: the hacker needed to have control over the folder storing recipes, which, Rad said, was only possible if no recipes were processed in the current session. This requirement made exploitation more difficult.
“A practical privilege escalation exploit is something you just execute and it elevates your privileges in a few seconds,” Rad told SecurityWeek via email. “This one depends on some external events — a new recipe to be deployed via osconfig — via a service that is not yet promoted to be production yet. I think it would be rare to see exploitable systems in the real world.”
Nevertheless, Google thought this was an interesting finding and while the likelihood of exploitation was low, the tech giant apparently agreed that using a predictable location to store recipes was not a good security practice.
Google was informed about the vulnerability, which the company described as a “nice catch,” on August 7 and a patch was rolled out on September 5. The issue was addressed by using a random temporary directory instead of a predictable one. Rad pointed out that users will need to upgrade their OS package in order to prevent potential attacks exploiting this vulnerability.
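
The fix described above, a random temporary directory instead of a predictable one, is sketched below in Go as an added example; it is not the OS Config agent's code or Rad's PoC. The function names, the `recipe_` prefix and the `step.sh` file name are hypothetical, and the ownership check assumes a Unix-like system.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// checkStagingDir (hypothetical helper) rejects a staging directory that another
// local user could have pre-created or can modify: symlinks, foreign owners,
// and group/other write permission.
func checkStagingDir(dir string) error {
	info, err := os.Lstat(dir) // Lstat does not follow a planted symlink
	if err != nil {
		return err
	}
	if !info.IsDir() {
		return fmt.Errorf("%s is not a real directory (mode %v)", dir, info.Mode())
	}
	st, ok := info.Sys().(*syscall.Stat_t)
	if !ok || int(st.Uid) != os.Geteuid() {
		return fmt.Errorf("%s is not owned by the current user", dir)
	}
	if info.Mode().Perm()&0o022 != 0 {
		return fmt.Errorf("%s is writable by group or others", dir)
	}
	return nil
}

// stageScript (hypothetical helper) writes a script into a fresh, randomly named
// directory. os.MkdirTemp creates it with mode 0700 and never reuses an
// existing name, so nobody else can own the directory beforehand.
func stageScript(script []byte) (string, error) {
	dir, err := os.MkdirTemp("", "recipe_") // illustrative prefix
	if err != nil {
		return "", err
	}
	path := filepath.Join(dir, "step.sh")
	if err := os.WriteFile(path, script, 0o700); err != nil {
		os.RemoveAll(dir)
		return "", err
	}
	return path, nil
}

func main() {
	// Constructed sample script, staged and then audited.
	path, err := stageScript([]byte("#!/bin/sh\necho constructed sample step\n"))
	fmt.Println(path, err, checkStagingDir(filepath.Dir(path)))
}
```

Running `checkStagingDir` against a fixed, shared path such as the one named in this article is a quick way to audit whether a staging folder on a given VM is owned or writable by someone other than the agent's user.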
Rad has made available technical details on how the vulnerability could have been exploited and a proof-of-concept (PoC) exploit. The researcher does not want to disclose the exact bug bounty he has received from Google for his findings, but he told SecurityWeek that it’s in the thousands of dollars range.
Rad noted that Microsoft is offering a much higher reward for similar elevation of privilege vulnerabilities, although, unlike Google, it does not have a research grant program.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
