Full Disclosure mailing list archives

By Date By Thread [SE-2014-02] Unconfirmed / unpatched vulnerabilities in Google App Engine From: Security Explorations <contact () security-explorations com>

Date: Fri, 15 May 2015 08:19:12 +0200

Hello All, Security Explorations decided to release technical details as well as accompanying Proof of Concept codes (three complete GAE Java sandbox escapes) for security issues identified in Google App Engine for Java after initial Issues 1-31 [1] have been addressed by the company. All relevant materials can be found at our SE-2014-02 project details page (original Google reports 3-6, POC codes for Issues 35-41): http://www.security-explorations.com/en/SE-2014-02-details.html The reasons for the disclosure of unconfirmed and unpatched issues are briefly outlined below: 1) We need to treat all vendors equal. In the past, unconfirmed, denied or silently fixed issues were the subject to an immediate release by us, 2) it's been 3 weeks and we haven't heard any official confirmation / denial from Google with respect to Issues 37-41 [2]. It should not take more than 1-2 business days for a major software vendor to run the received POC, read our report and / or consult the source code. This especially concerns the vendor that claims its "Security Team has hundreds of security engineers from all over the world" [3] and that expects other vendors to react promptly to the reports of its own security people [4], 3) we again found out that some of our Proof of Concept codes developed as part of SE-2014-02 project stopped working in a production GAE. Google has not communicated to us that Issues 35-36 would be / have been patched. This is the 3rd time we experience this "silent fix" approach from the company, 4) Google rewards cannot influence the way a vulnerability handling / disclosure of a security research is made. They cannot be a hostage of any vulnerability reward, bug bounty, etc. Please, note that a Proof of Concept code for the unpatched Issues 37-39 allows to gain access to the GAE Java environment only (it does not break the OS sandbox). We anticipate that its release is unlikely to raise any eyebrow at Google as: - GAE Java VM is the first layer of defense and Google "considers the remaining, lower sandboxing layers sufficiently robust", - 5 months after notifying Google, GAE JVM layer still contains 645 PROTOBUF definitions for 62 internal Google RPC services (including Borg [5]), - GAIA [6] Frontend configuration files describing configuration for 354 Google services have been finally removed from the environment, - libjavaruntime.so does not expose as much debugging information as it used to. Published reports again show the impact of a decision to allow custom Class Loaders in GAE. They also manifest inconsistency in the way security checks are implemented by GAE Reflection API interception layer. They prove again that "working as intended" issues are actually security bugs contrary to Google's claims. We have exceeded our initially suspected bug count of 30+ security issues and started to get closer to the level reached for Oracle Java SE [7]. The irony is that all of the bugs reported to Google so far were specific to the "extra security" layer implemented on top of JRE that aimed to protect GAE against...security vulnerabilities in Java. At the end, it's worth to note that we are completely aware that this publication may lead to the cancelling of additional VRP rewards from Google (including the $20k that were to be paid for Issues 32-34 and improperly patched Issue 2 #2). Thank you. Best Regards, Adam Gowdiak --------------------------------------------- Security Explorations http://www.security-explorations.com "We bring security research to the new level" --------------------------------------------- References: [1] "Google App Engine Java security sandbox bypasses", technical report http://www.security-explorations.com/materials/se-2014-02-report.pdf [2] SE-2014-02 Vendors status http://www.security-explorations.com/en/SE-2014-02-status.html [3] Use your native language - Bughunter University https://sites.google.com/site/bughunteruniversity/improve/use-your-native-language [4] Project Zero http://googleprojectzero.blogspot.com/ [5] Large-scale cluster management at Google with Borg https://research.google.com/pubs/pub43438.html [6] Hackers Attack Google's 'Gaia' Password System http://www.pcmag.com/article2/0,2817,2362858,00.asp [7] SE-2012-01 Security vulnerabilities in Java SE http://www.security-explorations.com/en/SE-2012-01.html _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/ By Date By Thread Current thread: [SE-2014-02] Unconfirmed / unpatched vulnerabilities in Google App Engine Security Explorations (May 14)