GCP - IAM Privesc

IAM

Pata maelezo zaidi kuhusu IAM katika:

iam.roles.update (iam.roles.get)

Mshambuliaji mwenye ruhusa zilizoelezwa atakuwa na uwezo wa kuboresha jukumu lililotolewa kwako na kukupa ruhusa za ziada kwa rasilimali nyingine kama:

gcloud iam roles update <rol name> --project <project> --add-permissions <permission>

You can find a script to automate the creation, exploit and cleaning of a vuln environment here and a python script to abuse this privilege here. For more information check the original research.

iam.serviceAccounts.getAccessToken (iam.serviceAccounts.get)

Mshambuliaji mwenye ruhusa zilizoelezwa ataweza kuomba tokeni ya ufikiaji inayomilikiwa na Akaunti ya Huduma, hivyo inawezekana kuomba tokeni ya ufikiaji ya Akaunti ya Huduma yenye ruhusa zaidi kuliko zetu.

gcloud --impersonate-service-account="${victim}@${PROJECT_ID}.iam.gserviceaccount.com" \
auth print-access-token

You can find a script to automate the creation, exploit and cleaning of a vuln environment here and a python script to abuse this privilege here. For more information check the original research.

iam.serviceAccountKeys.create

Mshambuliaji mwenye ruhusa zilizotajwa ataweza kuunda ufunguo unaosimamiwa na mtumiaji kwa Akaunti ya Huduma, ambayo itaturuhusu kufikia GCP kama Akaunti hiyo ya Huduma.

gcloud iam service-accounts keys create --iam-account <name> /tmp/key.json

gcloud auth activate-service-account --key-file=sa_cred.json

You can find a script to automate the creation, exploit and cleaning of a vuln environment here and a python script to abuse this privilege here. For more information check the original research.

Note that iam.serviceAccountKeys.update haitafanya kazi kubadilisha funguo ya SA kwa sababu ili kufanya hivyo ruhusa iam.serviceAccountKeys.create inahitajika pia.

iam.serviceAccounts.implicitDelegation

If you have the iam.serviceAccounts.implicitDelegation permission on a Service Account that has the iam.serviceAccounts.getAccessToken permission on a third Service Account, then you can use implicitDelegation to create a token for that third Service Account. Here is a diagram to help explain.

Note that according to the documentation, the delegation of gcloud only works to generate a token using the generateAccessToken() method. So here you have how to get a token using the API directly:

curl -X POST \
'https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/'"${TARGET_SERVICE_ACCOUNT}"':generateAccessToken' \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer '"$(gcloud auth print-access-token)" \
-d '{
"delegates": ["projects/-/serviceAccounts/'"${DELEGATED_SERVICE_ACCOUNT}"'"],
"scope": ["https://www.googleapis.com/auth/cloud-platform"]
}'

You can find a script to automate the creation, exploit and cleaning of a vuln environment here and a python script to abuse this privilege here. For more information check the original research.

iam.serviceAccounts.signBlob

Mshambuliaji mwenye ruhusa zilizotajwa ataweza kusaini payloads za kiholela katika GCP. Hivyo itakuwa inawezekana kuunda JWT isiyo na saini ya SA na kisha kuisafirisha kama blob ili kupata JWT iliyosainiwa na SA tunayoelekeza. Kwa maelezo zaidi soma hii.

You can find a script to automate the creation, exploit and cleaning of a vuln environment here and a python script to abuse this privilege here and here. For more information check the original research.

iam.serviceAccounts.signJwt

Mshambuliaji mwenye ruhusa zilizotajwa ataweza kusaini JSON web tokens (JWTs) zilizo na muundo mzuri. Tofauti na njia ya awali ni kwamba badala ya kumfanya google asaini blob inayoshikilia JWT, tunatumia njia ya signJWT ambayo tayari inatarajia JWT. Hii inafanya iwe rahisi kutumia lakini unaweza kusaini JWT tu badala ya bytes zozote.

You can find a script to automate the creation, exploit and cleaning of a vuln environment here and a python script to abuse this privilege here. For more information check the original research.

iam.serviceAccounts.setIamPolicy

Mshambuliaji mwenye ruhusa zilizotajwa ataweza kuongeza sera za IAM kwa akaunti za huduma. Unaweza kuitumia ku jipatia ruhusa unazohitaji ili kujifanya kuwa akaunti ya huduma. Katika mfano ufuatao tunajipatia nafasi ya roles/iam.serviceAccountTokenCreator juu ya SA ya kuvutia:

gcloud iam service-accounts add-iam-policy-binding "${VICTIM_SA}@${PROJECT_ID}.iam.gserviceaccount.com" \
--member="user:username@domain.com" \
--role="roles/iam.serviceAccountTokenCreator"

# If you still have prblem grant yourself also this permission
gcloud iam service-accounts add-iam-policy-binding "${VICTIM_SA}@${PROJECT_ID}.iam.gserviceaccount.com" \ \
--member="user:username@domain.com" \
--role="roles/iam.serviceAccountUser"

You can find a script to automate the creation, exploit and cleaning of a vuln environment here.

iam.serviceAccounts.actAs

The iam.serviceAccounts.actAs permission is like the iam:PassRole permission from AWS. It's essential for executing tasks, like initiating a Compute Engine instance, as it grants the ability to "actAs" a Service Account, ensuring secure permission management. Without this, users might gain undue access. Additionally, exploiting the iam.serviceAccounts.actAs involves various methods, each requiring a set of permissions, contrasting with other methods that need just one.

Huduma akaunti uigaji

Impersonating a service account can be very useful to obtain new and better privileges. There are three ways in which you can impersonate another service account:

• Authentication using RSA private keys (covered above)

• Authorization using Cloud IAM policies (covered here)

• Deploying jobs on GCP services (more applicable to the compromise of a user account)

iam.serviceAccounts.getOpenIdToken

An attacker with the mentioned permissions will be able to generate an OpenID JWT. These are used to assert identity and do not necessarily carry any implicit authorization against a resource.

According to this interesting post, it's necessary to indicate the audience (service where you want to use the token to authenticate to) and you will receive a JWT signed by google indicating the service account and the audience of the JWT.

You can generate an OpenIDToken (if you have the access) with:

# First activate the SA with iam.serviceAccounts.getOpenIdToken over the other SA
gcloud auth activate-service-account --key-file=/path/to/svc_account.json
# Then, generate token
gcloud auth print-identity-token "${ATTACK_SA}@${PROJECT_ID}.iam.gserviceaccount.com" --audiences=https://example.com

Kisha unaweza tu kuitumia kufikia huduma na:

curl -v -H "Authorization: Bearer id_token" https://some-cloud-run-uc.a.run.app

Baadhi ya huduma zinazounga mkono uthibitishaji kupitia aina hii ya token ni:

• Google Cloud Run

• Google Cloud Functions

• Google Identity Aware Proxy

• Google Cloud Endpoints (ikiwa unatumia Google OIDC)

Unaweza kupata mfano wa jinsi ya kuunda token ya OpenID kwa niaba ya akaunti ya huduma hapa.

Marejeleo

• https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/