Polish firm disclosed PoC code for security issues in Google App Engine

Security researchers at Security Explorations firm have published PoCs code for some of security issues in the Google App Engine.

The Polish firm Security Explorations has published online the technical details and a proof-of-concept code for security flaws affecting the Google App Engine (GAE) for Java.

“Security Explorations decided to release technical details as well as accompanying Proof of Concept codes (three complete GAE Java sandbox escapes) for security issues identified in Google App Engine for Java after initial Issues 1-31 [1] have been addressed by the company.” explained Adam Gowdiak, CEO of Security Explorations, in a post on the Full Disclosure mailing list.

In December 2014, the same team of researchers announced to have discovered a number of critical vulnerabilities in the Java environment of the Google App Engine (GAE) that could be exploited by hackers to bypass critical security sandbox defenses.

The Google App Engine is the company PaaS (Platform as a Service) Cloud computing Platform that allow customers to develop and run web applications in Google-managed data centers. The Google App Engine platform allows users to run apps built in a variety of languages and frameworks (i.e. Java and Python).

The researchers at Security Explorations have found more than 30 vulnerabilities in the Google App Engine that allow code execution and sandbox escapes.

The researchers posted an advisory on the Full Disclosure website signed by Adam Gowdiak,  founder and CEO of Security Explorations.
The company discovered over 30 vulnerabilities during their Google App Engine for Java security research project, and notified Google of them late previous year.

In response, Google first suspended the test account used by the Polish researchers, then enabled it again, thusly “blessing” further research, but also noting that Security Explorations should restrict their testing to the Java VM and not try to break into the sandboxing layer. Security Explorations then found additional flaws.

Since then, Google has fixed the majority of the issues, but some of them still affect the Google App Engine, and the Polish experts haven’t received updates from the company.

“It’s been 3 weeks and we haven’t heard any official confirmation/denial from Google with respect to Issues 37-41. It should not take more than 1-2 business days for a major software vendor to run the received POC, read our report and/or consult the source code,” added Adam Gowdiak. “This especially concerns the vendor that claims its “Security Team has hundreds of security engineers from all over the world” and that expects other vendors to react promptly to the reports of its own security people.”

The company published a detailed report on the “Google App Engine Java security sandbox bypasses”, it declared that PoCs code are provided purely for educational purposes only. “It is expressly forbidden to use them for any purposes that would violate any domestic or international laws.”

Below the list of PoCs:

• “Google App Engine Java security sandbox bypasses”, Proof of Concept codes, ZIP file, 299KB (download)
• “Google App Engine Java security sandbox bypasses”, Proof of Concept codes for Issues 32-34, ZIP file, 144KB (download)
• “Google App Engine Java security sandbox bypasses”, Proof of Concept codes for Issues 35-41, ZIP file, 97KB (download)

Pierluigi Paganini

(Security Affairs – Google App Engine, hacking)