irsl / gcp-dhcp-takeover-code-exec Goto Github PK

Google changed the script "google_set_hostname":
GoogleCloudPlatform/guest-configs@fac404b#diff-5b7b2f3606d3cd6fc72670c3a7a34873df730bab794d3004382d34240fff1be8

This has been release with the new image version:
https://console.cloud.google.com/compute/imagesDetail/projects/debian-cloud/global/images/debian-10-buster-v20210701

To verify that the change is in the image follow these steps:

• create a new instance with the Debian GNU/Linux 10 (buster) image
• log in via ssh
• cat /bin/google_set_hostname

I did not check if this stops the attack and if it is sufficient.
I just wanted to note that they addressed the issue somehow.

Attack #2: Targeting a VM on the same subnet (~same project), while it is refreshing the lease (so no reboot is needed). This takes place every half an hour (1800s), making 48 windows/attempts possible a day. Since an F class VM has ~170.000 pps (packet per second), and a day of unixtime + potential pids makes ~86420 potential XIDs, this is a feasible attack vector.

Where you have a day of unixtime + potential pids,
shouldn't you have a day of unixtime * potential pids,
thus 2,160,000 instead of ~86420?

And why a day and not a week or a month or a year?

Apologies if I have misunderstood something here, but in my tests, if I have Google firewall rules in place denying ingress on UDP port 68 (or no rules explicilty allowing it) then the traffic does not get through. From reading the README, I was led to think this was not possible and it had to be achieved using host based firewall rules.

Can you confirm if I am correct in my assessment that the GCP SDN network based firewall is capable of mitigating this attack?

Also, I checked some Google COS (container optimized OS) based images, and I don't see the DHCP hook google_set_hostname on the filesystem. Can you confirm what images/distros you tested in this exploit?

have you tried ovh ?

when testing the POC on my environment i couldn't find takeover-at-reboot.pl. Is it the same as takeover.pl?
do you have any reference number for min_ts and max_ts?

thanks