GCP - Cloudfunctions Privesc
cloudfunctions
More information about Cloud Functions: GCP - Cloud Functions Enum
cloudfunctions.functions.create, cloudfunctions.functions.sourceCodeSet, iam.serviceAccounts.actAs
An attacker with these privileges can create a new Cloud Function with arbitrary (malicious) code and assign it a Service Account, then leak the Service Account token from the metadata server to escalate privileges to that account. Some privileges to trigger the function might be required.
Exploit scripts for this method can be found here and here and the prebuilt .zip file can be found here.
cloudfunctions.functions.update, cloudfunctions.functions.sourceCodeSet, iam.serviceAccounts.actAs
An attacker with these privileges can modify the code of a Function and even change the service account attached to it, with the goal of exfiltrating the token. Some privileges to trigger the function might be required.
The exploit script for this method can be found here.
cloudfunctions.functions.sourceCodeSet
With this permission you can get a signed URL to upload a file to a function's bucket (but the code of the function won't be changed; you still need to update it).
Not really sure how useful this permission alone is from an attacker's perspective, but good to know.
cloudfunctions.functions.setIamPolicy, iam.serviceAccounts.actAs
Give yourself any of the previous .update or .create privileges to escalate.
cloudfunctions.functions.update
Having only cloudfunctions permissions, without iam.serviceAccounts.actAs, you won't be able to update the function, SO THIS IS NOT A VALID PRIVESC.
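The permission combinations above are exactly what a defender should look for when reviewing a project's IAM policy. The following script is an added example (not HackTricks' code) that flags members holding any of the escalation combinations listed on this page, and records the two caveats (update without actAs, sourceCodeSet alone). It assumes the policy has the JSON shape printed by `gcloud projects get-iam-policy --format=json` and that the caller supplies a role-to-permissions map, for instance built from the `includedPermissions` field of `gcloud iam roles describe ROLE --format=json`; the custom role names, principals and policy below are constructed placeholders.

```python
"""Audit a GCP project IAM policy for the Cloud Functions permission
combinations described on this page. Added defender-side example, not
HackTricks' own tooling."""
from collections import defaultdict

CREATE = "cloudfunctions.functions.create"
UPDATE = "cloudfunctions.functions.update"
SOURCE_SET = "cloudfunctions.functions.sourceCodeSet"
SET_IAM = "cloudfunctions.functions.setIamPolicy"
ACT_AS = "iam.serviceAccounts.actAs"

# Each path: the full set of permissions it needs, and a short label.
ESCALATION_PATHS = (
    (frozenset({CREATE, SOURCE_SET, ACT_AS}),
     "create a function with arbitrary code and an attached service account"),
    (frozenset({UPDATE, SOURCE_SET, ACT_AS}),
     "update a function's code and/or attached service account"),
    (frozenset({SET_IAM, ACT_AS}),
     "grant oneself functions.create/update via setIamPolicy"),
)


def effective_permissions(policy, role_permissions):
    """Map each member to the union of the permissions of its bound roles.
    Roles absent from role_permissions contribute nothing."""
    perms = defaultdict(set)
    for binding in policy.get("bindings", []):
        granted = role_permissions.get(binding["role"], set())
        for member in binding.get("members", []):
            perms[member].update(granted)
    return dict(perms)


def assess(permissions):
    """Return the escalation paths and caveats that apply to one permission set."""
    perms = set(permissions)
    result = {"escalation": [], "notes": []}
    for required, label in ESCALATION_PATHS:
        if required <= perms:
            result["escalation"].append(label)
    # Caveats spelled out on the page.
    if UPDATE in perms and ACT_AS not in perms:
        result["notes"].append(
            "functions.update without iam.serviceAccounts.actAs: not a valid privesc")
    if SOURCE_SET in perms and not ({CREATE, UPDATE} & perms):
        result["notes"].append(
            "sourceCodeSet alone: signed upload URL only, function code unchanged")
    return result


def audit(policy, role_permissions):
    """Return {member: assessment} for every member with a finding or note."""
    report = {}
    for member, perms in effective_permissions(policy, role_permissions).items():
        a = assess(perms)
        if a["escalation"] or a["notes"]:
            report[member] = a
    return report


# Constructed sample input: placeholder custom roles and principals, not real data.
# roles/iam.serviceAccountUser is a real predefined role; only the permission
# relevant here is listed for it.
SAMPLE_ROLE_PERMISSIONS = {
    "projects/example-project/roles/fnDeployer": {CREATE, UPDATE, SOURCE_SET, ACT_AS},
    "projects/example-project/roles/fnUpdaterOnly": {UPDATE},
    "projects/example-project/roles/fnPolicyAdmin": {SET_IAM},
    "roles/iam.serviceAccountUser": {ACT_AS},
}
SAMPLE_POLICY = {
    "bindings": [
        {"role": "projects/example-project/roles/fnDeployer",
         "members": ["user:alice@example.com"]},
        {"role": "projects/example-project/roles/fnUpdaterOnly",
         "members": ["user:bob@example.com"]},
        {"role": "projects/example-project/roles/fnPolicyAdmin",
         "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/iam.serviceAccountUser",
         "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
    ]
}

if __name__ == "__main__":
    for member, finding in audit(SAMPLE_POLICY, SAMPLE_ROLE_PERMISSIONS).items():
        print(member, finding)
```

Note that the CI service account reaches an escalation path only through the union of two separate bindings, which is why the audit works on effective permissions per member rather than per role binding.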
Bucket Write Permissions
An attacker with write permissions over the bucket where the Cloud Functions code is stored can modify the code by overwriting function_code.zip, and will be able to execute arbitrary code once the function is executed.
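Both write paths on this page (overwriting the source archive in the bucket, and changing the function or its IAM policy) leave Cloud Audit Log entries, so a simple detector can flag them when the acting principal is not the expected deploy identity. The script below is an added example (not HackTricks' code) that scans audit log entries as JSON lines. The field names follow the Cloud Audit Log schema (`protoPayload.methodName`, `protoPayload.authenticationInfo.principalEmail`, `protoPayload.resourceName`); the Cloud Functions v1 method names, the `gcf-sources-` bucket prefix and the deploy identity are assumptions to confirm against your own logs and project, and the log lines are constructed samples.

```python
"""Flag unexpected writes to function source archives and unexpected
function mutations in Cloud Audit Log entries. Added detection example,
not HackTricks' code."""
import json
import re

# Principals expected to write source archives or change functions
# (placeholder, replace with your deploy identity).
EXPECTED_WRITERS = {"deploy-pipeline@example-project.iam.gserviceaccount.com"}
# Assumed naming prefix of the buckets holding function source.
SOURCE_BUCKET_PREFIX = "gcf-sources-"
# Assumed Cloud Functions v1 admin-activity method names.
FUNCTION_MUTATORS = {
    "google.cloud.functions.v1.CloudFunctionsService.CreateFunction",
    "google.cloud.functions.v1.CloudFunctionsService.UpdateFunction",
    "google.cloud.functions.v1.CloudFunctionsService.SetIamPolicy",
}
# GCS audit log resourceName layout: projects/_/buckets/<bucket>/objects/<object>
OBJECT_RE = re.compile(r"^projects/_/buckets/(?P<bucket>[^/]+)/objects/(?P<obj>.+)$")


def classify(entry):
    """Return (kind, principal, resource) for a suspicious entry, else None."""
    payload = entry.get("protoPayload", {})
    method = payload.get("methodName", "")
    principal = payload.get("authenticationInfo", {}).get("principalEmail", "")
    resource = payload.get("resourceName", "")
    if principal in EXPECTED_WRITERS:
        return None
    if method == "storage.objects.create":
        m = OBJECT_RE.match(resource)
        if (m and m.group("bucket").startswith(SOURCE_BUCKET_PREFIX)
                and m.group("obj").endswith(".zip")):
            return ("source_archive_overwrite", principal, resource)
    elif method in FUNCTION_MUTATORS:
        return ("function_mutation", principal, resource)
    return None


def scan(lines):
    """Parse JSON log lines and collect the suspicious ones."""
    findings = []
    for line in lines:
        line = line.strip()
        if line:
            finding = classify(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


def _entry(method, principal, resource):
    """Build a minimal constructed log line with only the fields classify() reads."""
    return json.dumps({"protoPayload": {
        "methodName": method,
        "authenticationInfo": {"principalEmail": principal},
        "resourceName": resource}})


SRC_ZIP = "projects/_/buckets/gcf-sources-000000000000-us-central1/objects/hello/function_code.zip"
# Constructed sample log: one legitimate deploy, one read, one unexpected
# overwrite, one unrelated bucket write, one unexpected function update.
SAMPLE_LOG_LINES = [
    _entry("storage.objects.create",
           "deploy-pipeline@example-project.iam.gserviceaccount.com", SRC_ZIP),
    _entry("storage.objects.get", "unexpected-user@example.com", SRC_ZIP),
    _entry("storage.objects.create", "unexpected-user@example.com", SRC_ZIP),
    _entry("storage.objects.create", "unexpected-user@example.com",
           "projects/_/buckets/app-logs/objects/2024/report.zip"),
    _entry("google.cloud.functions.v1.CloudFunctionsService.UpdateFunction",
           "unexpected-user@example.com",
           "projects/example-project/locations/us-central1/functions/hello"),
]

if __name__ == "__main__":
    for kind, principal, resource in scan(SAMPLE_LOG_LINES):
        print(f"{kind}: {principal} -> {resource}")
```

Object writes in Cloud Storage are Data Access logs, which are not enabled by default, so the `storage.objects.create` branch only fires if those logs are turned on for the source bucket; function create/update/setIamPolicy calls are Admin Activity logs and are always recorded.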