Google Cloud Platform (GCP) Eventarc PE to Service Agent with Pipelines

Tenable Research has identified and responsibly disclosed a critical privilege escalation vulnerability in GCP Eventarc. This flaw allowed an attacker with restricted Eventarc permissions to exfiltrate access tokens for any service account in a project, including the highly privileged Eventarc Service Agent.

An attacker with only Eventarc access (roles/eventarc.messageBusUser, roles/eventarc.developer) can create a pipeline in Eventarc that authenticates using arbitrary service accounts in the project, even without iam.serviceAccounts.actAs permissions. Additionally, the user can manipulate the Eventarc service agent to authenticate with its own access token. The attacker can therefore create an Eventarc Pipeline that will authenticate to a public Cloud Run in the attacker’s control, exfiltrating the access tokens.

The Eventarc service agent has the following notable permissions, which allow the attacker to use a single exfiltration to escalate privileges to any service account:

iam.serviceAccounts.actAs

iam.serviceAccounts.getAccessToken

iam.serviceAccounts.getOpenIdToken

Since service agents use predictable naming schemes, the attacker does not even need permissions to list all service accounts to exploit this vulnerability.

Proof of Concept:

Setup:

  1. Create a public Cloud Run in the attacker’s project that logs the Authorization header
  2. Give the attacker the Eventarc roles mentioned above in the victim’s project
  3. Create an Eventarc Message Bus in the victim’s project

Attack:

  1. Go to https://console.cloud.google.com/eventarc/pipelines/create
  2. Choose a name and region for the pipeline
  3. Under ‘Enrollments’, add an enrollment for the Eventarc Advanced bus, with the expression ‘true’, then press ‘Continue’
  4. Press ‘Continue’ again
  5. Under ‘Destination type’, choose ‘Cloud Run service (via HTTP)’, and choose the Cloud Run from the attacker’s project
  6. Check ‘Enable authentication’, and choose ‘OAuth token’ for ‘Auth header’
  7. Under ‘Service account’, click ‘Enter manually’, and enter a unique name (it doesn’t need to exist)
  8. In your intercepting proxy, enable a ‘Match and Replace’ rule from <UNIQUE-NAME>@<VICTIM-PROJECT>.iam.gserviceaccount.com to service-<VICTIM-PROJECT-NUMBER>@gcp-sa-eventarc.iam.gserviceaccount.com
  9. Click ‘Create’ (the creation may take a few minutes)
  10. Once the pipeline is created, send a message to the Event Bus:

gcloud eventarc message-buses publish <VICTIM-MESSAGE-BUS> --location=<BUS-LOCATION> --json-message='{"specversion": "1.0", "type": "test.event", "source": "manual.test", "id": "abc-123", "data": {"hello": "world"}}'

  11. Wait a little while for the pipeline to trigger; the Authorization header will then appear in the logs of the Cloud Run service in the attacker’s project
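As a defensive counterpart to the steps above, here is an added example (my own code, not Tenable's or Google's) that scans Cloud Audit Log entries for pipeline creations whose authenticated HTTP destination uses the Eventarc service agent or points at an endpoint outside the project. The audit method names, the Pipeline.Destination field names and the assumption that deterministic Cloud Run URLs embed the project number are assumptions to verify against your own logs.

```python
import re

# Eventarc service agent naming scheme (predictable, as the advisory notes).
SERVICE_AGENT_RE = re.compile(r"^service-\d+@gcp-sa-eventarc\.iam\.gserviceaccount\.com$")
# Audit log method names for Eventarc Advanced pipelines (assumed; check your own logs).
PIPELINE_METHODS = {"google.cloud.eventarc.v1.Eventarc.CreatePipeline", "google.cloud.eventarc.v1.Eventarc.UpdatePipeline"}

def destination_service_account(dest):
    """Service account an authenticated HTTP destination uses, or None.
    Field names follow the Eventarc v1 Pipeline.Destination resource (assumed)."""
    auth = dest.get("authenticationConfig", {})
    for key in ("oauthToken", "googleOidc"):
        sa = auth.get(key, {}).get("serviceAccount")
        if sa:
            return sa
    return None

def audit_pipeline_entry(entry, project_number):
    """Findings for one Cloud Audit Log entry (a dict parsed from JSON)."""
    payload = entry.get("protoPayload", {})
    if payload.get("methodName") not in PIPELINE_METHODS:
        return []
    caller = payload.get("authenticationInfo", {}).get("principalEmail", "unknown")
    findings = []
    for dest in payload.get("request", {}).get("pipeline", {}).get("destinations", []):
        sa = destination_service_account(dest)
        uri = dest.get("httpEndpoint", {}).get("uri", "")
        if sa is None:
            continue
        if SERVICE_AGENT_RE.match(sa):
            findings.append(f"HIGH: {caller} bound service agent {sa} to {uri}")
        elif f"-{project_number}." not in uri:
            # Deterministic Cloud Run URLs embed the project number (assumed); anything else is foreign.
            findings.append(f"REVIEW: {caller} sends {sa} credentials to external endpoint {uri}")
    return findings

# Constructed sample entries, not real audit logs.
SAMPLE_ENTRIES = [
    {"protoPayload": {"methodName": "google.cloud.eventarc.v1.Eventarc.CreatePipeline",
        "authenticationInfo": {"principalEmail": "dev@example.com"},
        "request": {"pipeline": {"destinations": [{
            "httpEndpoint": {"uri": "https://collector-555555555555.us-central1.run.app"},
            "authenticationConfig": {"oauthToken": {"serviceAccount": "service-111111111111@gcp-sa-eventarc.iam.gserviceaccount.com"}}}]}}}},
    {"protoPayload": {"methodName": "google.cloud.eventarc.v1.Eventarc.CreatePipeline",
        "authenticationInfo": {"principalEmail": "ops@example.com"},
        "request": {"pipeline": {"destinations": [{
            "httpEndpoint": {"uri": "https://handler-111111111111.us-central1.run.app"},
            "authenticationConfig": {"googleOidc": {"serviceAccount": "handler@victim-project.iam.gserviceaccount.com"}}}]}}}},
]
```

Run `audit_pipeline_entry(entry, "<project-number>")` over an export of your Eventarc admin-activity logs; the first sample entry yields a HIGH finding, the second (in-project service account, in-project endpoint) yields nothing.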

Ben Smith