Google recently patched a privilege escalation vulnerability in OS Config, a Google Cloud Platform service for Compute Engine that is designed for managing operating systems running on virtual machine instances.
Security researcher Imre Rad analyzed the service, which he says is still in beta. He noticed that the agent process associated with the service, google_osconfig_agent, runs by default with root privileges.
Google says the OS Config service API and agent allow users to perform various tasks across a group of VM instances, including applying patches, collecting and reviewing OS information, and installing, removing and updating software packages.
According to Rad, tasks executed via OS Config are called recipes, and one supported type of recipe executes a shell script. When the agent processed this type of recipe, it temporarily saved files in /tmp/osconfig_software_recipes before executing them. A low-privileged attacker with access to this folder could replace the files stored there with their own malicious files, which would then be executed with root privileges.
Exploitation of the vulnerability required access to the targeted system: either a low-privileged shell on the affected VM or control over a compromised network service. One additional condition needed to be met for the attack to work: the attacker needed to have control over the folder storing recipes, which, Rad said, was only possible if no recipes had been processed in the current session. This requirement made exploitation more difficult.
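The condition above amounts to a privileged process trusting a predictably named directory under /tmp that another user may have created first. The following Go sketch is an added example, not code from Google's agent or its patch; the function names, the step.sh file name and the path in main are hypothetical, and it assumes a Unix system. It refuses a staging directory it does not exclusively own and writes each script into a fresh private subdirectory.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// prepareWorkDir creates path as a 0700 directory, or, if something already
// exists there, accepts it only when it is a real directory owned by the
// calling user with no group/other permission bits.
func prepareWorkDir(path string) error {
	if err := os.Mkdir(path, 0o700); err != nil && !errors.Is(err, os.ErrExist) {
		return err
	}
	fi, err := os.Lstat(path) // Lstat: a planted symlink is not followed
	if err != nil {
		return err
	}
	st, ok := fi.Sys().(*syscall.Stat_t)
	switch {
	case !fi.IsDir():
		return fmt.Errorf("%s: not a directory", path)
	case !ok || int(st.Uid) != os.Geteuid():
		return fmt.Errorf("%s: not owned by uid %d", path, os.Geteuid())
	case fi.Mode().Perm()&0o077 != 0:
		return fmt.Errorf("%s: mode %v allows group/other access", path, fi.Mode().Perm())
	}
	return nil
}

// stageScript writes script into a fresh, unpredictably named 0700
// subdirectory of base and returns the path of the file it created.
func stageScript(base string, script []byte) (string, error) {
	if err := prepareWorkDir(base); err != nil {
		return "", err
	}
	dir, err := os.MkdirTemp(base, "run-") // random suffix, mode 0700
	if err != nil {
		return "", err
	}
	name := filepath.Join(dir, "step.sh")
	return name, os.WriteFile(name, script, 0o700)
}

func main() { // hypothetical staging path, for illustration only
	fmt.Println(stageScript(filepath.Join(os.TempDir(), "example_recipes"), []byte("#!/bin/sh\n")))
}
```

A directory pre-created by another account fails the ownership check, so the agent stops instead of executing from a location someone else controls.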
“A practical privilege escalation exploit is something you just execute and it elevates your privileges in a few seconds,” Rad told SecurityWeek via email. “This one depends on some external events — a new recipe t ..