GCP - Cloud Functions Enum
Cloud Functions
Google Cloud Functions are designed to host your code, which gets executed in response to events, without necessitating the management of a host operating system. Additionally, these functions support the storage of environment variables, which the code can utilize.
Storage
The Cloud Functions code is stored in GCP Storage. Therefore, anyone with read access over buckets in GCP is going to be able to read the Cloud Functions code. The code is stored in a bucket like one of the following:
gcf-sources-<number>-<region>/<function-name>-<uuid>/version-<n>/function-source.zip
gcf-v2-sources-<number>-<region>/<function-name>/function-source.zip
For example:
gcf-sources-645468741258-us-central1/function-1-003dcbdf-32e1-430f-a5ff-785a6e238c76/version-4/function-source.zip
Any user with read privileges over the bucket storing the Cloud Function could read the executed code.
Artifact Registry
If the Cloud Function is configured so the executed Docker container is stored inside an Artifact Registry repo in the project, anyone with read access over the repo will be able to download the image and check the source code. For more info check:
GCP - Artifact Registry Enum
SA
If not specified, by default the App Engine Default Service Account with Editor permissions over the project will be attached to the Cloud Function.
Triggers, URL & Authentication
When a Cloud Function is created the trigger needs to be specified. One common one is HTTPS, which creates a URL where the function can be triggered via web browsing. Other triggers are Pub/Sub, Storage, Firestore...
The URL format is https://<region>-<project-gcp-name>.cloudfunctions.net/<func_name>
When the HTTPS trigger is used, it's also indicated whether the caller needs to have IAM authorization to call the Function or whether everyone can just call it.
Inside the Cloud Function
The code is downloaded inside the folder /workspace with the same file names as the ones the files have in the Cloud Function, and it is executed as the user www-data.
The disk isn't mounted as read-only.
Enumeration
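As an added example (not code from the original page), the checks described above applied to a constructed record shaped like the JSON output of `gcloud functions describe` and `gcloud functions get-iam-policy`: it extracts the source bucket from `sourceArchiveUrl`, flags the App Engine default service account, detects an HTTPS trigger that `allUsers` may invoke, and lists the environment variable names. The field names follow the v1 API shape but every value here is made up.

```python
import json
import re

# Constructed sample of a function record; values are invented for this example.
SAMPLE_FUNCTION = json.loads("""
{
  "name": "projects/example-project/locations/us-central1/functions/function-1",
  "httpsTrigger": {"url": "https://us-central1-example-project.cloudfunctions.net/function-1"},
  "serviceAccountEmail": "example-project@appspot.gserviceaccount.com",
  "sourceArchiveUrl": "gs://gcf-sources-645468741258-us-central1/function-1-003dcbdf-32e1-430f-a5ff-785a6e238c76/version-4/function-source.zip",
  "environmentVariables": {"API_KEY": "constructed-value"}
}
""")
# Constructed IAM policy granting the invoker role to everyone on the internet.
SAMPLE_POLICY = json.loads("""
{"bindings": [{"role": "roles/cloudfunctions.invoker", "members": ["allUsers"]}]}
""")

INVOKER_ROLES = {"roles/cloudfunctions.invoker", "roles/run.invoker"}  # gen1 and gen2
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
SOURCE_BUCKET_RE = re.compile(r"^gs://(gcf(?:-v2)?-sources-\d+-[a-z0-9-]+)/")


def audit_function(fn: dict, policy: dict) -> dict:
    """Return the security-relevant facts from a function record and its IAM policy."""
    findings = {}
    # 1. Where the code lives: anyone with read access on this bucket can read the source.
    m = SOURCE_BUCKET_RE.match(fn.get("sourceArchiveUrl") or "")
    findings["source_bucket"] = m.group(1) if m else None
    # 2. Which identity the code runs as; the App Engine default SA is Editor by default.
    sa = fn.get("serviceAccountEmail", "")
    findings["uses_default_sa"] = sa.endswith("@appspot.gserviceaccount.com")
    # 3. HTTPS trigger combined with a public invoker binding means no IAM auth is required.
    findings["unauthenticated_invoke"] = "httpsTrigger" in fn and any(
        b.get("role") in INVOKER_ROLES and PUBLIC_MEMBERS & set(b.get("members", []))
        for b in policy.get("bindings", [])
    )
    # 4. Environment variables are visible to anyone allowed to describe the function.
    findings["env_var_names"] = sorted(fn.get("environmentVariables", {}))
    return findings


if __name__ == "__main__":
    print(json.dumps(audit_function(SAMPLE_FUNCTION, SAMPLE_POLICY), indent=2))
```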
Privilege Escalation
In the following page, you can check how to abuse cloud function permissions to escalate privileges:
GCP - Cloudfunctions Privesc
Unauthenticated Access
GCP - Cloud Functions Unauthenticated Enum
Post Exploitation
GCP - Cloud Functions Post Exploitation
Persistence
GCP - Cloud Functions Persistence