
[SE-2014-02] Google App Engine Java security sandbox bypasses (status update)




Hello All,

We would like to provide a status update to the initial
announcement [1] made a week ago regarding our SE-2014-02
security research project targeting Google App Engine
for Java.

Information regarding vulnerabilities and associated PoC
codes (Issues 1-22 / unconfirmed Issues 23-35) was sent
to Google on Dec 07, 2014.

Google has been able to reproduce the issues locally, but
when tried in production some of them didn't seem to work
(27 unexploitable issues with barely 7 candidates to work).
The reason was that our custom local GAE environment didn't
properly emulate the Google App Engine production environment
(we did check availability of selected classes, but in this
particular class loader case, not all classpath JAR files
were immediately available to user code in production GAE).

At the same time, Google said that it would be OK for the
company that we continue the research as long as it is done
within the Java VM and not moved on to the next sandboxing
layer (OS sandbox).

We agreed and 5 days ago started playing with GAE again.

We used those extra days to discover new issues in the GAE Java
sandbox, rewrite old / develop new PoC codes and gather the
necessary data for a planned publication on the topic.

We ended up with 21 Issues "confirmed in production" (and
pending Google confirmation) with some quite interesting
findings among them (i.e. in core GAE Java security layer).

Being back on track, we can now refer you to the official
SE-2014-02 project pages that present a summary of our
communication process with the vendors and a project FAQ:

http://www.security-explorations.com/en/SE-2014-02-status.html
http://www.security-explorations.com/en/SE-2014-02-faq.html

We take this opportunity to thank Google for re-enabling our
GAE account and making it possible to complete our project.
We really appreciate it.

Thank you.

Best Regards,
Adam Gowdiak

---------------------------------------------
Security Explorations
http://www.security-explorations.com
"We bring security research to the new level"
---------------------------------------------

References:
[1] [SE-2014-02] Google App Engine Java security sandbox
    bypasses (project pending completion / action from Google)
    http://seclists.org/fulldisclosure/2014/Dec/26