GCP - BigQuery Privesc
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
For more information about BigQuery check:
GCP - Bigquery EnumReading the information stored inside the a BigQuery table it might be possible to find sensitive information. To access the info the permission needed is bigquery.tables.get
, bigquery.jobs.create
and bigquery.tables.getData
:
This is another way to access the data. Export it to a cloud storage bucket and the download the files with the information.
To perform this action the following permissions are needed: bigquery.tables.export
, bigquery.jobs.create
and storage.objects.create
.
It might be possible to introduce certain trusted data in a Bigquery table to abuse a vulnerability in some other place. This can be easily done with the permissions bigquery.tables.get
, bigquery.tables.updateData
and bigquery.jobs.create
:
bigquery.datasets.setIamPolicy
An attacker could abuse this privilege to give himself further permissions over a BigQuery dataset:
bigquery.datasets.update
, (bigquery.datasets.get
)Just this permission allows to update your access over a BigQuery dataset by modifying the ACLs that indicate who can access it:
bigquery.tables.setIamPolicy
An attacker could abuse this privilege to give himself further permissions over a BigQuery table:
bigquery.rowAccessPolicies.update
, bigquery.rowAccessPolicies.setIamPolicy
, bigquery.tables.getData
, bigquery.jobs.create
According to the docs, with the mention permissions it's possible to update a row policy.
However, using the cli bq
you need some more: bigquery.rowAccessPolicies.create
, bigquery.tables.get
.
It's possible to find the filter ID in the output of the row policies enumeration. Example:
If you have bigquery.rowAccessPolicies.delete
instead of bigquery.rowAccessPolicies.update
you could also just delete the policy:
Another potential option to bypass row access policies would be to just change the value of the restricted data. If you can only see when term
is Cfba
, just modify all the records of the table to have term = "Cfba"
. However this is prevented by bigquery.
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)