Detailed Technical Analysis of "From SSRF to RCE: Pivoting Between Protocols to Pwn Google Cloud"

Overview:
In this video presentation from Black Hat USA 2020, Alex Birsan describes a sophisticated method of exploiting Server-Side Request Forgery (SSRF) vulnerabilities to achieve Remote Code Execution (RCE) on Google Cloud Services. The research showcases how SSRF can be leveraged to pivot between different protocols and reach internal services within a cloud environment.

Key Technical Details:

1. Understanding SSRF:
   SSRF allows an attacker to make requests from a server-side application, theoretically giving access to internal networks and services that are not directly exposed to the internet. This is particularly dangerous in cloud environments where internal metadata services can be accessed.

2. Google Cloud Metadata API:

3. Google Cloud, similar to AWS and Azure, has a metadata service accessible at a known internal IP (169.254.169.254). This service provides crucial information like authentication tokens and service accounts.

4. SSRF can be used to query this API and obtain sensitive information. For example, an attacker can fetch metadata about the instance, service accounts, and tokens.

5. Pivoting to RCE:

6. Initial Footing: Exploit the SSRF to query the metadata API. By doing this, the attacker can extract tokens that provide access to Google Cloud resources.
7. Gaining Access: Use the token obtained from the metadata service to interact with Google Cloud APIs. These tokens can provide significant access depending on the IAM permissions of the associated service account.

8. Protocol Pivoting: Utilize the SSRF payloads to force the application to interact with services over different protocols. For example, using gopher:// or file:// schemes to navigate through internal services or execute unintended actions.

9. Exploiting Google Cloud Functions:

10. Cloud Functions: Once the token is obtained, it can be used to interact with Google Cloud Functions.

11. Code Execution: By injecting payloads into the function’s HTTP handlers or leveraging misconfigurations in the function code, remote code execution can be achieved. For example, an attacker can craft API calls to deploy or overwrite functions with malicious code.

12. Mitigations:

13. SSR: Web applications should employ strict input validation to mitigate SSRF vulnerabilities. This includes whitelisting IP addresses and domains that can be accessed or filtering out internal IP ranges.
14. Metadata Service Access: Implement network policies to restrict access to the metadata services from application containers. Use instance metadata headers to validate incoming requests (for Google Cloud, set Metadata-Flavor: Google).
15. IAM Permissions: Follow the principle of least privilege for service accounts. Regularly audit IAM permissions to ensure that unnecessary permissions are not granted to service accounts.

Key Takeaways:

• SSRF Vulnerability Impact: SSRF can be used as an entry point to gain access to sensitive internal metadata, which can escalate to compromised tokens and other credentials.
• Protocol Pivoting: Pivoting between protocols (e.g., http, gopher, ftp) can widen the attack surface and lead to different types of exploits.
• Cloud Service Exploitation: Gaining access to cloud service tokens via SSRF can lead to severe consequences, especially if these tokens have broad permissions.
• Comprehensive Mitigation: Protect against SSRF by not relying only on traditional firewall rules but by implementing both input validation and robust access control mechanisms in cloud environments.

Conclusion:

Birsan’s research brings to light the critical vulnerabilities associated with SSRF in cloud environments, especially Google Cloud. By showing the path from SSRF to RCE, it underscores the importance of securing metadata services and maintaining stringent IAM policies. With the increasing reliance on cloud services, such research serves as an essential guide for securing cloud-native applications.

For full details, watch the original video presentation here.