Google App Engine affected by more than 30 vulnerabilities

Security researchers at Security Explorations have found more than 30 vulnerabilities in the Google App Engine that allow code execution and sandbox escapes

A team of security researchers in Poland announced to have discovered a number of critical vulnerabilities in the Java environment of the Google App Engine (GAE) that could be exploited by hackers to bypass critical security sandbox defenses.

The Google App Engine is the company PaaS (Platform as a Service) Cloud computing Platform that allow customers to develop and run web applications in Google-managed data centers. The Google App Engine platform allows users to run apps built in a variety of languages and frameworks (i.e. Java and Python).

The researchers at Security Explorations have found more than 30 vulnerabilities in the Google App Engine that allow code execution and sandbox escapes.

The researchers posted an advisory on Full Disclosure website signed by Adam Gowdiak,  founder and CEO of Security Explorations.

“We discovered multiple security issues in Google App Engine that allow for a complete Java VM security sandbox escape. There are more issues pending verification – we estimate them to be in the range of 30+ in total. ” states the advisory.

The advisory includes several of the issues the team at Security Explorations found in the Google App Engine:

– we bypassed GAE whitelisting of JRE classes / achieved complete Java VM security sandbox escape (17 full sandbox bypass PoC codes exploiting 22 issues in total),

– we achieved native code execution (ability to issue arbitrary library  / system calls),

– we gained access to the files (binary / classes) comprising the JRE sandbox, that includes the monster libjavaruntime.so binary (468416808 bytes in total),

– we extracted DWARF info from binary files (type information and such),

– we extracted PROTOBUF definitions from Java classes (description of 57 services in 542 .proto files),

– we extracted PROTOBUF definition from binary files (description of 8 services in 68 .proto files),

– we analyzed the above stuff and learned a lot about the GAE environment for Java sandbox (among others).

It’s curious to note that the experts haven’t completed their test because while they were performing them on the platform, Google suspended the test account that Security Explorations had set up.  Gowdiak requested Google to restore the test account so they could finish their tests.

“Without any doubt this is an opsec failure on our end (this week we did poke a little bit more aggressively around the underlying OS sandbox/issued various system calls in order to learn more about the nature of the error code 202, the sandbox itself, etc.),” said Gowdiak.

Let’s hope Google will restore the account.

“Taking into account an educational nature of the security issues found in GAE Java security sandbox and what seems to be an appreciation Google has for arbitrary security research / all sorts of sandbox escapes, we hope the company makes it possible for us to complete our work and reenables our GAE account,” Gowdiak added.

Pierluigi Paganini

(Security Affairs –  Google App Engine, hacking)