Pierluigi Paganini May 21, 2018

Google awarded the 18-year-old student Ezequiel Pereira a total of $36,337 for the discovery of a critical remote code execution vulnerability that affected the Google App Engine.

The Google App Engine is a framework that allows Google users to develop and host web applications on a fully managed serverless platform.

In February, Pereira gained access to a non-production Google App Engine development environment, then he discovered that it was possible to use some of Google’s internal APIs.

Pereira ethically reported the issue through the Google’s Vulnerability Reward Program (VRP). The experts at Google ranked the flaw as a P1 priority, a level that is assigned to vulnerabilities that could have a significant impact on a large number of users and that for this reason must be addressed as soon as possible.

Meantime Pereira continued his test and submitted a second report to Google after discovering further issues, then Google invited Pereira to stop his activities due to the risk to “easily break something using these internal APIs.”

Google security team discovered that the flaw reported by the youngster could led to remote code execution.

Pereira published a detailed analysis of its finding after Google has fixed them and awarded him.

“In early 2018 I got access to a non-production Google App Engine deployment environment, where I could use internal APIs and it was considered as Remote Code Execution due to the way Google works. Thanks to this I got a reward of $36,337 as part of Google Vulnerability Rewards Program.” reads the blog post published by the researcher.

“Some time ago, I noticed every Google App Engine (GAE) application replied to every HTTP request with a “X-Cloud-Trace-Context” header, so I assumed any website returning that header is probably running on GAE.
Thanks to that, I learned “appengine.google.com” itself runs on GAE, but it can perform some actions that cannot be done anywhere else and common user applications cannot perform, so I tried to discover how was it able to do those actions.
Obviously, it has to make use of some API, interface or something only available to applications ran by Google itself, but maybe there was a way to access them, and I looked for that.”

Below the timeline for the flaw:

• February 2018: Issue found
• February 25th, 2018: Initial report (Only the “stubby” API)
• March 4th and 5th, 2018: The “app_config_service” API discovered and reported
• March between 6th and 13th, 2018: The access to non-prod GAE environments was blocked with a 429 error page
• March 13th, 2018: Reward of $36,337 issued
• May 16th, 2018: Issue confirmed as fixed

Pierluigi Paganini

(Security Affairs – Google App Engine, remote code execution flaw)

[adrotate banner=”5″]

[adrotate banner=”13″]