
[SE-2014-02] Unconfirmed / unpatched vulnerabilities in Google App Engine

Hello All,

Security Explorations decided to release technical details as well as
accompanying Proof of Concept codes (three complete GAE Java sandbox
escapes) for security issues identified in Google App Engine for Java
after initial Issues 1-31 [1] have been addressed by the company. All
relevant materials can be found at our SE-2014-02 project details page
(original Google reports 3-6, POC codes for Issues 35-41):


The reasons for the disclosure of unconfirmed and unpatched issues are
briefly outlined below:
1) We need to treat all vendors equally. In the past, unconfirmed, denied
   or silently fixed issues were subject to an immediate release
   by us,
2) it's been 3 weeks and we haven't heard any official confirmation /
   denial from Google with respect to Issues 37-41 [2]. It should not
   take more than 1-2 business days for a major software vendor to run
   the received POC, read our report and / or consult the source code.
   This especially concerns the vendor that claims its "Security Team
   has hundreds of security engineers from all over the world" [3] and
   that expects other vendors to react promptly to the reports of its
   own security people [4],
3) we again found out that some of our Proof of Concept codes developed
   as part of the SE-2014-02 project stopped working in production GAE.
   Google has not communicated to us that Issues 35-36 would be / have
   been patched. This is the 3rd time we have experienced this "silent
   fix" approach from the company,
4) Google rewards cannot influence the way vulnerability handling /
   disclosure of security research is done. They cannot be held hostage
   to any vulnerability reward, bug bounty, etc.

Please note that the Proof of Concept code for the unpatched Issues 37-39
only allows access to the GAE Java environment to be gained (it does not
break the OS sandbox). We anticipate that its release is unlikely to raise
any eyebrows at Google as:
- GAE Java VM is the first layer of defense and Google "considers the
  remaining, lower sandboxing layers sufficiently robust",
- 5 months after notifying Google, GAE JVM layer still contains 645
  PROTOBUF definitions for 62 internal Google RPC services (including
  Borg [5]),
- GAIA [6] Frontend configuration files describing configuration for
  354 Google services have been finally removed from the environment,
- libjavaruntime.so does not expose as much debugging information as
  it used to.

Published reports again show the impact of a decision to allow custom
Class Loaders in GAE. They also manifest inconsistency in the way
security checks are implemented by GAE Reflection API interception
layer. They prove again that "working as intended" issues are actually
security bugs contrary to Google's claims.

We have exceeded our initially suspected bug count of 30+ security
issues and started to get closer to the level reached for Oracle Java
SE [7]. The irony is that all of the bugs reported to Google so far
were specific to the "extra security" layer implemented on top of JRE
that aimed to protect GAE against...security vulnerabilities in Java.

In the end, it's worth noting that we are completely aware that this
publication may lead to the cancellation of additional VRP rewards from
Google (including the $20k that were to be paid for Issues 32-34 and
improperly patched Issue 2 #2).

Thank you.

Best Regards,
Adam Gowdiak

Security Explorations
"We bring security research to the new level"

[1] "Google App Engine Java security sandbox bypasses", technical report
[2] SE-2014-02 Vendors status
[3] Use your native language - Bughunter University
[4] Project Zero
[5] Large-scale cluster management at Google with Borg
[6] Hackers Attack Google's 'Gaia' Password System
[7] SE-2012-01 Security vulnerabilities in Java SE