GCP - Run Privesc
Cloud Run
For more information about Cloud Run check:
GCP - Cloud Run Enum

run.services.create, iam.serviceAccounts.actAs, run.routes.invoke
An attacker with these permissions can create a Cloud Run service running arbitrary code (an arbitrary Docker container), attach a Service Account to it, and make the code exfiltrate the Service Account token from the metadata server.
An exploit script for this method can be found here and the Docker image can be found here.
Note that when using gcloud run deploy instead of just creating the service, the update permission is also needed. Check an example here.
run.services.update, iam.serviceAccounts.actAs
Like the previous one but updating a service:
run.services.setIamPolicy
Give yourself the previous permissions over Cloud Run.
run.jobs.create, run.jobs.run, (run.jobs.get)

Launch a job with a reverse shell to steal the service account indicated in the command. You can find an exploit here.
run.jobs.update, run.jobs.run, iam.serviceAccounts.actAs, (run.jobs.get)

Similar to the previous one, it's possible to update a job, change its Service Account and command, and execute it:
run.jobs.setIamPolicy

Give yourself the previous permissions over Cloud Run jobs.
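Every section above boils down to a principal holding a specific combination of run.* and iam.serviceAccounts.actAs permissions, often spread across several roles. The following audit script is an added defender-side example, not part of the original page: it takes a project IAM policy and a role-to-permission map, computes each member's effective permission set, and flags members who hold any of the combinations listed on this page. The IAM policy and the role contents are constructed stand-ins (in a real audit you would obtain them from gcloud projects get-iam-policy and gcloud iam roles describe; the permission lists attached to the built-in roles here are assumptions for the demo, not authoritative).

```python
"""Flag IAM members holding the Cloud Run privesc permission combinations.

Added example, not part of the original page. Policy and role contents below
are constructed; fetch real ones with `gcloud projects get-iam-policy` and
`gcloud iam roles describe` before trusting any result.
"""
from collections import defaultdict

# Permission combinations taken from the sections above. Optional permissions
# such as run.jobs.get are deliberately left out of the requirement.
RISKY_COMBOS = {
    "create Cloud Run service with attached SA": {
        "run.services.create", "iam.serviceAccounts.actAs", "run.routes.invoke"},
    "update Cloud Run service with attached SA": {
        "run.services.update", "iam.serviceAccounts.actAs"},
    "grant self Cloud Run service permissions": {"run.services.setIamPolicy"},
    "create and run Cloud Run job": {"run.jobs.create", "run.jobs.run"},
    "update and run Cloud Run job with attached SA": {
        "run.jobs.update", "run.jobs.run", "iam.serviceAccounts.actAs"},
    "grant self Cloud Run job permissions": {"run.jobs.setIamPolicy"},
}

# Constructed role -> permissions map (stand-in for `gcloud iam roles describe`).
# The built-in role contents are assumptions for this demo.
ROLE_PERMISSIONS = {
    "roles/run.developer": {
        "run.services.create", "run.services.update", "run.routes.invoke",
        "run.jobs.create", "run.jobs.run", "run.jobs.update", "run.jobs.get"},
    "roles/iam.serviceAccountUser": {"iam.serviceAccounts.actAs"},
    "roles/run.viewer": {"run.services.get", "run.jobs.get"},
    # Custom role: note the lower-case spelling, which the audit must still match.
    "projects/demo/roles/customDeployer": {
        "run.services.update", "iam.serviceaccounts.actAs"},
}

# Constructed project policy in the shape of `gcloud projects get-iam-policy --format=json`.
IAM_POLICY = {
    "bindings": [
        {"role": "roles/run.developer",
         "members": ["user:dev@example.com",
                     "serviceAccount:ci@demo.iam.gserviceaccount.com"]},
        {"role": "roles/iam.serviceAccountUser",
         "members": ["user:dev@example.com"]},
        {"role": "roles/run.viewer", "members": ["user:auditor@example.com"]},
        {"role": "projects/demo/roles/customDeployer",
         "members": ["group:deployers@example.com"]},
    ]
}


def effective_permissions(policy, role_permissions):
    """Return {member: set of lower-cased permissions} across all bindings.

    A role missing from the map is reported rather than skipped silently, so an
    incomplete `roles describe` export cannot hide a finding.
    """
    perms = defaultdict(set)
    for binding in policy.get("bindings", []):
        role = binding["role"]
        granted = role_permissions.get(role)
        if granted is None:
            print(f"warning: no permission list for {role}; describe it and re-run")
            continue
        for member in binding.get("members", []):
            perms[member].update(p.lower() for p in granted)
    return dict(perms)


def find_risky_principals(policy, role_permissions):
    """Return {member: [combo names]} for members holding a complete risky set.

    Combinations are evaluated on the union of all the member's roles, which
    is what makes a run.developer + serviceAccountUser pair show up even though
    neither binding alone grants the chain.
    """
    findings = {}
    for member, held in effective_permissions(policy, role_permissions).items():
        hits = [name for name, needed in RISKY_COMBOS.items()
                if {p.lower() for p in needed} <= held]
        if hits:
            findings[member] = hits
    return findings


def report(policy, role_permissions):
    """Print one line per member plus the matched combinations."""
    for member, hits in sorted(find_risky_principals(policy, role_permissions).items()):
        print(member)
        for hit in hits:
            print("  -", hit)


if __name__ == "__main__":
    report(IAM_POLICY, ROLE_PERMISSIONS)
```

The script only looks at project-level bindings; roles inherited from folder or organization policies and conditional bindings are out of scope, so run it against each level (or merge the policies first) before concluding a principal is clean. The expected remediation for a hit is to split deployment rights from iam.serviceAccounts.actAs on the runtime Service Account, or to give the deployer a dedicated low-privilege Service Account to act as.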