GCP - AppEngine Privesc
App Engine
For more information about App Engine check:
pageGCP - App Engine Enumappengine.applications.get
, appengine.instances.get
, appengine.instances.list
, appengine.operations.get
, appengine.operations.list
, appengine.services.get
, appengine.services.list
, appengine.versions.create
, appengine.versions.get
, appengine.versions.list
, cloudbuild.builds.get
,iam.serviceAccounts.actAs
, resourcemanager.projects.get
, storage.objects.create
, storage.objects.list
appengine.applications.get
, appengine.instances.get
, appengine.instances.list
, appengine.operations.get
, appengine.operations.list
, appengine.services.get
, appengine.services.list
, appengine.versions.create
, appengine.versions.get
, appengine.versions.list
, cloudbuild.builds.get
,iam.serviceAccounts.actAs
, resourcemanager.projects.get
, storage.objects.create
, storage.objects.list
Those are the needed permissions to deploy an App using gcloud
cli. Maybe the get
and list
ones could be avoided.
You can find python code examples in https://github.com/GoogleCloudPlatform/python-docs-samples/tree/main/appengine
By default, the name of the App service is going to be default
, and there can be only 1 instance with the same name.
To change it and create a second App, in app.yaml
, change the value of the root key to something like service: my-second-app
Give it at least 10-15min, if it doesn't work call deploy another of times and wait some minutes.
It's possible to indicate the Service Account to use but by default, the App Engine default SA is used.
The URL of the application is something like https://<proj-name>.oa.r.appspot.com/
or https://<service_name>-dot-<proj-name>.oa.r.appspot.com
appengine.instances.enableDebug
, appengine.instances.get
, appengine.instances.list
, appengine.operations.get
, appengine.services.get
, appengine.services.list
, appengine.versions.get
, appengine.versions.list
, compute.projects.get
appengine.instances.enableDebug
, appengine.instances.get
, appengine.instances.list
, appengine.operations.get
, appengine.services.get
, appengine.services.list
, appengine.versions.get
, appengine.versions.list
, compute.projects.get
With these permissions, it's possible to login via ssh in App Engine instances of type flexible (not standard). Some of the list
and get
permissions could not be really needed.
appengine.applications.update
, appengine.operations.get
appengine.applications.update
, appengine.operations.get
I think this just change the background SA google will use to setup the applications, so I don't think you can abuse this to steal the service account.
appengine.versions.getFileContents
, appengine.versions.update
appengine.versions.getFileContents
, appengine.versions.update
Not sure how to use these permissions or if they are useful (note that when you change the code a new version is created so I don't know if you can just update the code or the IAM role of one, but I guess you should be able to, maybe changing the code inside the bucket??).
Write Access over the buckets
Even with write access over the buckets where the source code is located it WASN'T possible to execute arbitrary code by modifying the source code and the manifest.json
.
Maybe if you are monitoring the bucket and detect the moment where a new version is created and the source code and manifest is uploaded, it might be possible to change them so the new version uses the backdoored ones??
It also looks like container layers are stored in the bucket, maybe changing those?
Last updated