Hello All,
Security Explorations decided to release technical details as well as
accompanying Proof of Concept codes (three complete GAE Java sandbox
escapes) for security issues identified in Google App Engine for Java
after initial Issues 1-31 [1] have been addressed by the company. All
relevant materials can be found at our SE-2014-02 project details page
(original Google reports 3-6, POC codes for Issues 35-41):
http://www.security-explorations.com/en/SE-2014-02-details.html
The reasons for the disclosure of unconfirmed and unpatched issues are
briefly outlined below:
1) We need to treat all vendors equal. In the past, unconfirmed, denied
or silently fixed issues were the subject to an immediate release
by us,
2) it's been 3 weeks and we haven't heard any official confirmation /
denial from Google with respect to Issues 37-41 [2]. It should not
take more than 1-2 business days for a major software vendor to run
the received POC, read our report and / or consult the source code.
This especially concerns the vendor that claims its "Security Team
has hundreds of security engineers from all over the world" [3] and
that expects other vendors to react promptly to the reports of its
own security people [4],
3) we again found out that some of our Proof of Concept codes developed
as part of SE-2014-02 project stopped working in a production GAE.
Google has not communicated to us that Issues 35-36 would be / have
been patched. This is the 3rd time we experience this "silent fix"
approach from the company,
4) Google rewards cannot influence the way a vulnerability handling /
disclosure of a security research is made. They cannot be a hostage
of any vulnerability reward, bug bounty, etc.
Please, note that a Proof of Concept code for the unpatched Issues 37-39
allows to gain access to the GAE Java environment only (it does not break
the OS sandbox). We anticipate that its release is unlikely to raise any
eyebrow at Google as:
- GAE Java VM is the first layer of defense and Google "considers the
remaining, lower sandboxing layers sufficiently robust",
- 5 months after notifying Google, GAE JVM layer still contains 645
PROTOBUF definitions for 62 internal Google RPC services (including
Borg [5]),
- GAIA [6] Frontend configuration files describing configuration for
354 Google services have been finally removed from the environment,
- libjavaruntime.so does not expose as much debugging information as
it used to.
Published reports again show the impact of a decision to allow custom
Class Loaders in GAE. They also manifest inconsistency in the way
security checks are implemented by GAE Reflection API interception
layer. They prove again that "working as intended" issues are actually
security bugs contrary to Google's claims.
We have exceeded our initially suspected bug count of 30+ security
issues and started to get closer to the level reached for Oracle Java
SE [7]. The irony is that all of the bugs reported to Google so far
were specific to the "extra security" layer implemented on top of JRE
that aimed to protect GAE against...security vulnerabilities in Java.
At the end, it's worth to note that we are completely aware that this
publication may lead to the cancelling of additional VRP rewards from
Google (including the $20k that were to be paid for Issues 32-34 and
improperly patched Issue 2 #2).
Thank you.
Best Regards,
Adam Gowdiak
---------------------------------------------
Security Explorations
http://www.security-explorations.com
"We bring security research to the new level"
---------------------------------------------
References:
[1] "Google App Engine Java security sandbox bypasses", technical report
http://www.security-explorations.com/materials/se-2014-02-report.pdf
[2] SE-2014-02 Vendors status
http://www.security-explorations.com/en/SE-2014-02-status.html
[3] Use your native language - Bughunter University
https://sites.google.com/site/bughunteruniversity/improve/use-your-native-language
[4] Project Zero
http://googleprojectzero.blogspot.com/
[5] Large-scale cluster management at Google with Borg
https://research.google.com/pubs/pub43438.html
[6] Hackers Attack Google's 'Gaia' Password System
http://www.pcmag.com/article2/0,2817,2362858,00.asp
[7] SE-2012-01 Security vulnerabilities in Java SE
http://www.security-explorations.com/en/SE-2012-01.html