irsl / gcp-dhcp-takeover-code-exec Goto Github PK
View Code? Open in Web Editor NEWGoogle Compute Engine (GCE) VM takeover via DHCP flood - gain root access by getting SSH keys added by google_guest_agent
Google Compute Engine (GCE) VM takeover via DHCP flood - gain root access by getting SSH keys added by google_guest_agent
Google changed the script "google_set_hostname":
GoogleCloudPlatform/guest-configs@fac404b#diff-5b7b2f3606d3cd6fc72670c3a7a34873df730bab794d3004382d34240fff1be8
This has been release with the new image version:
https://console.cloud.google.com/compute/imagesDetail/projects/debian-cloud/global/images/debian-10-buster-v20210701
To verify that the change is in the image follow these steps:
I did not check if this stops the attack and if it is sufficient.
I just wanted to note that they addressed the issue somehow.
Attack #2: Targeting a VM on the same subnet (~same project), while it is refreshing the lease (so no reboot is needed). This takes place every half an hour (1800s), making 48 windows/attempts possible a day. Since an F class VM has ~170.000 pps (packet per second), and a day of unixtime + potential pids makes ~86420 potential XIDs, this is a feasible attack vector.
Where you have a day of unixtime + potential pids
,
shouldn't you have a day of unixtime * potential pids
,
thus 2,160,000
instead of ~86420
?
And why a day
and not a week
or a month
or a year
?
Apologies if I have misunderstood something here, but in my tests, if I have Google firewall rules in place denying ingress on UDP port 68 (or no rules explicilty allowing it) then the traffic does not get through. From reading the README, I was led to think this was not possible and it had to be achieved using host based firewall rules.
Can you confirm if I am correct in my assessment that the GCP SDN network based firewall is capable of mitigating this attack?
Also, I checked some Google COS (container optimized OS) based images, and I don't see the DHCP hook google_set_hostname on the filesystem. Can you confirm what images/distros you tested in this exploit?
have you tried ovh ?
when testing the POC on my environment i couldn't find takeover-at-reboot.pl. Is it the same as takeover.pl?
do you have any reference number for min_ts and max_ts?
thanks
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.