irsl / gcp-dhcp-takeover-code-exec

Google Compute Engine (GCE) VM takeover via DHCP flood - gain root access by getting SSH keys added by google_guest_agent

Shell 0.46% Perl 37.05% Go 41.94% Python 16.35% C 4.20%

gcp-dhcp-takeover-code-exec's Issues

couldn't find takeover-at-reboot.pl

When testing the PoC in my environment I couldn't find takeover-at-reboot.pl. Is it the same as takeover.pl?
Do you have any reference numbers for min_ts and max_ts?

thanks

Query about network level firewalling

Apologies if I have misunderstood something here, but in my tests, if I have Google firewall rules in place denying ingress on UDP port 68 (or no rules explicitly allowing it), then the traffic does not get through. From reading the README, I was led to think this was not possible and it had to be achieved using host-based firewall rules.

Can you confirm if I am correct in my assessment that the GCP SDN network based firewall is capable of mitigating this attack?

Also, I checked some Google COS (container optimized OS) based images, and I don't see the DHCP hook google_set_hostname on the filesystem. Can you confirm what images/distros you tested in this exploit?

Hotfix in new GCE Debian image

Google changed the script "google_set_hostname":
GoogleCloudPlatform/guest-configs@fac404b#diff-5b7b2f3606d3cd6fc72670c3a7a34873df730bab794d3004382d34240fff1be8

This has been released with the new image version:
https://console.cloud.google.com/compute/imagesDetail/projects/debian-cloud/global/images/debian-10-buster-v20210701

To verify that the change is in the image follow these steps:

  • create a new instance with the Debian GNU/Linux 10 (buster) image
  • log in via ssh
  • cat /bin/google_set_hostname

I did not check if this stops the attack and if it is sufficient.
I just wanted to note that they addressed the issue somehow.

Bad math?

Attack #2: Targeting a VM on the same subnet (~same project), while it is refreshing the lease (so no reboot is needed). This takes place every half an hour (1800s), making 48 windows/attempts possible a day. Since an F class VM has ~170.000 pps (packet per second), and a day of unixtime + potential pids makes ~86420 potential XIDs, this is a feasible attack vector.

Where you have a day of unixtime + potential pids,
shouldn't you have a day of unixtime * potential pids,
thus 2,160,000 instead of ~86420?

And why a day and not a week or a month or a year?
