GCP - BigQuery Privesc
BigQuery
For more information about BigQuery check:
pageGCP - Bigquery EnumRead Table
Reading the information stored inside the a BigQuery table it might be possible to find sensitive information. To access the info the permission needed is bigquery.tables.get
, bigquery.jobs.create
and bigquery.tables.getData
:
Export data
This is another way to access the data. Export it to a cloud storage bucket and the download the files with the information.
To perform this action the following permissions are needed: bigquery.tables.export
, bigquery.jobs.create
and storage.objects.create
.
Insert data
It might be possible to introduce certain trusted data in a Bigquery table to abuse a vulnerability in some other place. This can be easily done with the permissions bigquery.tables.get
, bigquery.tables.updateData
and bigquery.jobs.create
:
bigquery.datasets.setIamPolicy
bigquery.datasets.setIamPolicy
An attacker could abuse this privilege to give himself further permissions over a BigQuery dataset:
bigquery.datasets.update
, (bigquery.datasets.get
)
bigquery.datasets.update
, (bigquery.datasets.get
)Just this permission allows to update your access over a BigQuery dataset by modifying the ACLs that indicate who can access it:
bigquery.tables.setIamPolicy
bigquery.tables.setIamPolicy
An attacker could abuse this privilege to give himself further permissions over a BigQuery table:
bigquery.rowAccessPolicies.update
, bigquery.rowAccessPolicies.setIamPolicy
, bigquery.tables.getData
, bigquery.jobs.create
bigquery.rowAccessPolicies.update
, bigquery.rowAccessPolicies.setIamPolicy
, bigquery.tables.getData
, bigquery.jobs.create
According to the docs, with the mention permissions it's possible to update a row policy.
However, using the cli bq
you need some more: bigquery.rowAccessPolicies.create
, bigquery.tables.get
.
It's possible to find the filter ID in the output of the row policies enumeration. Example:
Last updated