GCP - Cloudscheduler Privesc
cloudscheduler
cloudscheduler.jobs.create, iam.serviceAccounts.actAs, (cloudscheduler.locations.list)
An attacker with these permissions could exploit Cloud Scheduler to authenticate cron jobs as a specific Service Account. By crafting an HTTP POST request, the attacker schedules actions, like creating a Storage bucket, to execute under the Service Account's identity. This method leverages the Scheduler's ability to target *.googleapis.com endpoints and authenticate requests, allowing the attacker to call Google API endpoints directly using a simple gcloud command.
For example, to create a new job that uses a specific Service Account to create a new Storage bucket on our behalf, we could run the following command:
To escalate privileges, an attacker merely crafts an HTTP request targeting the desired API, impersonating the specified Service Account.
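From the defender's side, the pattern above leaves a clear trace: a Cloud Scheduler CreateJob (or UpdateJob) whose HTTP target points at a *.googleapis.com host and carries an OAuth or OIDC token for a Service Account. The script below is an added example, not code from the original page or from any Google tooling; it scans constructed Cloud Audit Log lines for that pattern and ranks each hit. The log field layout it expects (protoPayload.serviceName, methodName, request.job.httpTarget with oauthToken/oidcToken.serviceAccountEmail) is my reading of the Cloud Scheduler v1 Job resource as it appears in audit logs, and every project, job and account name is made up.

```python
"""Flag Cloud Scheduler job writes that authenticate to a Google API as a
Service Account. Added example; sample data below is constructed and the
audit-log field layout is an assumption, not copied from a real project."""
import json
from typing import Optional, Tuple
from urllib.parse import urlparse

# Constructed Cloud Audit Log entries, one JSON object per line.
SAMPLE_LOG_LINES = [
    json.dumps({"protoPayload": {  # the page's scenario: POST to Storage API as an SA
        "serviceName": "cloudscheduler.googleapis.com",
        "methodName": "google.cloud.scheduler.v1.CloudScheduler.CreateJob",
        "authenticationInfo": {"principalEmail": "dev-user@example.com"},
        "request": {"job": {
            "name": "projects/example-proj/locations/us-central1/jobs/bucket-maker",
            "schedule": "* * * * *",
            "httpTarget": {
                "uri": "https://storage.googleapis.com/storage/v1/b?project=example-proj",
                "httpMethod": "POST",
                "oauthToken": {"serviceAccountEmail": "owner-sa@example-proj.iam.gserviceaccount.com"},
            }}}}}),
    json.dumps({"protoPayload": {  # ordinary job: OIDC token to the project's own Cloud Run service
        "serviceName": "cloudscheduler.googleapis.com",
        "methodName": "google.cloud.scheduler.v1.CloudScheduler.CreateJob",
        "authenticationInfo": {"principalEmail": "ci-sa@example-proj.iam.gserviceaccount.com"},
        "request": {"job": {
            "name": "projects/example-proj/locations/us-central1/jobs/nightly-report",
            "schedule": "0 2 * * *",
            "httpTarget": {
                "uri": "https://nightly-report-abc123-uc.a.run.app/run",
                "httpMethod": "POST",
                "oidcToken": {"serviceAccountEmail": "report-sa@example-proj.iam.gserviceaccount.com"},
            }}}}}),
    json.dumps({"protoPayload": {  # Pub/Sub target: no HTTP call, no token to inspect
        "serviceName": "cloudscheduler.googleapis.com",
        "methodName": "google.cloud.scheduler.v1.CloudScheduler.CreateJob",
        "authenticationInfo": {"principalEmail": "dev-user@example.com"},
        "request": {"job": {
            "name": "projects/example-proj/locations/us-central1/jobs/pubsub-tick",
            "pubsubTarget": {"topicName": "projects/example-proj/topics/tick"}}}}}),
    json.dumps({"protoPayload": {  # read-only call, not a job write
        "serviceName": "cloudscheduler.googleapis.com",
        "methodName": "google.cloud.scheduler.v1.CloudScheduler.ListJobs",
        "authenticationInfo": {"principalEmail": "auditor@example.com"},
        "request": {"parent": "projects/example-proj/locations/us-central1"}}}),
]

# Job writes are the events of interest; reads and deletes are not.
WRITE_METHODS = ("CloudScheduler.CreateJob", "CloudScheduler.UpdateJob")


def assess_job(job: dict) -> Optional[Tuple[str, dict]]:
    """Return (severity, details) when a job's HTTP target authenticates as a
    Service Account; None for non-HTTP targets or unauthenticated targets."""
    target = job.get("httpTarget")
    if not target:
        return None
    token = target.get("oauthToken") or target.get("oidcToken") or {}
    sa = token.get("serviceAccountEmail")
    if not sa:
        return None
    host = urlparse(target.get("uri", "")).hostname or ""
    details = {"uri": target.get("uri"),
               "method": target.get("httpMethod", "POST"),
               "service_account": sa}
    # An SA-authenticated call straight into a Google API is the pattern the
    # page describes: Scheduler mints the token, the SA's roles do the work.
    if host == "googleapis.com" or host.endswith(".googleapis.com"):
        return "high", details
    # SA tokens to other hosts are normal (Cloud Run, App Engine) but worth listing.
    return "low", details


def scan_audit_lines(lines) -> list:
    """Parse audit-log JSON lines and return findings, in log order."""
    findings = []
    for line in lines:
        payload = json.loads(line).get("protoPayload", {})
        if payload.get("serviceName") != "cloudscheduler.googleapis.com":
            continue
        if not payload.get("methodName", "").endswith(WRITE_METHODS):
            continue
        job = payload.get("request", {}).get("job", {})
        assessment = assess_job(job)
        if assessment is None:
            continue
        severity, details = assessment
        findings.append({"severity": severity, "job": job.get("name"),
                         "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
                         **details})
    return findings


if __name__ == "__main__":
    for f in scan_audit_lines(SAMPLE_LOG_LINES):
        print(f"[{f['severity'].upper()}] {f['principal']} wrote {f['job']} -> "
              f"{f['method']} {f['uri']} as {f['service_account']}")
```

In a real project the input would come from Cloud Logging rather than an inline list, for example with the filter `protoPayload.serviceName="cloudscheduler.googleapis.com"` exported as JSON. A high finding is worth correlating with the principal's IAM bindings: the combination that makes this possible is cloudscheduler.jobs.create plus iam.serviceAccounts.actAs on a Service Account that holds more privilege than the principal, so keeping actAs scoped to low-privilege, per-job Service Accounts removes the escalation path rather than just detecting it.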