No bucket gets left behind
A new tool is helping security researchers discover misconfigured Google data storage, as more and more businesses move their workflow over to the cloud.
GCPBucketBrute, the open source tool recently released by Rhino Security Labs, allows pen testers to discover open buckets on the Google Cloud Platform (GCP). The tool also tests each bucket it finds for a permission misconfiguration that allows privilege escalation.
“There are countless AWS S3 bucket enumerators out there online, but none (that we could find, at least) that targeted other similar storage services, such as Google Storage,” said Rhino in a blog post on February 26.
“This tool is necessary because of the lack of multi-cloud research and as time goes on, more and more companies are expanding their environments across multiple cloud providers and companies that never have used the cloud are making the leap.”
Rhino highlighted a survey taken this year by network analytics company Kentik, which found that 97% of organizations were using Amazon Web Services (AWS) for their cloud deployments, followed by Microsoft Azure (35%) and GCP (24%).
The questions posed to 310 technology and business executives also reported that businesses were increasingly choosing a multi-cloud architecture, with AWS and Azure the most common combination.
“GCPBucketBrute is bringing something new to the idea of ‘bucket brute-forcing’ in that it is expanded to another cloud outside of AWS,” Rhino said.
The tool takes a user-supplied keyword, generates a list of candidate bucket names from it (the keyword alone plus common prefixes, suffixes and separators), and then checks whether each candidate exists on GCP.
“Then, it [GCPBucketBrute] will start brute-forcing buckets by sending HTTP requests to the Google APIs and it will determine the existence of a bucket based on the HTTP response code,” Rhino said.
“For any bucket that is discovered, the Google Storage TestIamPermissions API will be used to determine what level of access (if any) we have to the target bucket.”
Google Storage buckets can be vulnerable to privilege escalation in a similar way to AWS S3 buckets. If a low-privileged user (or an anonymous one) is granted the storage.buckets.setIamPolicy permission on a bucket, they can rewrite the bucket's IAM policy and grant themselves full control of it. The tool includes a test for this dangerous misconfiguration.
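The following is an added example written for this article, not GCPBucketBrute's own code, showing the two-stage technique described above in Python: guess bucket names from a keyword, decide whether each exists from the HTTP status of the Google Storage JSON API's bucket-metadata endpoint, then ask the same API's TestIamPermissions endpoint which permissions the caller holds and flag storage.buckets.setIamPolicy as a privilege-escalation finding. The endpoint URLs are the real ones; the affix wordlist, the access-level thresholds, and the fake API responses used to run it offline are constructed assumptions.

```python
import itertools
import json
import urllib.error, urllib.parse, urllib.request

# Permissions to ask TestIamPermissions about; setIamPolicy is the
# privilege-escalation indicator discussed in the article.
PERMISSIONS = [
    "storage.buckets.get", "storage.buckets.getIamPolicy",
    "storage.buckets.setIamPolicy", "storage.buckets.update",
    "storage.objects.list", "storage.objects.get",
    "storage.objects.create", "storage.objects.delete",
]
WRITE = {"storage.objects.create", "storage.objects.delete", "storage.buckets.update"}
READ = {"storage.objects.list", "storage.objects.get"}

# Constructed affix lists (an assumption); the real tool ships its own wordlist.
AFFIXES = ["dev", "prod", "backup", "static", "assets", "bucket"]
SEPARATORS = ["", "-", "_", "."]

def generate_candidates(keyword):
    """Bucket-name guesses: the keyword alone, then prefixed/suffixed with each affix."""
    kw = keyword.lower()
    names = {kw}
    for affix, sep in itertools.product(AFFIXES, SEPARATORS):
        names.add(affix + sep + kw)
        names.add(kw + sep + affix)
    # GCS names are 3-63 chars and must start and end with a letter or digit.
    return sorted(n for n in names if 3 <= len(n) <= 63 and n[0].isalnum() and n[-1].isalnum())

def bucket_url(name):
    return "https://www.googleapis.com/storage/v1/b/" + urllib.parse.quote(name, safe="")

def permissions_url(name):
    query = urllib.parse.urlencode([("permissions", p) for p in PERMISSIONS])
    return bucket_url(name) + "/iam/testPermissions?" + query

def http_get(url):
    """Unauthenticated GET returning (status, body); urllib raises on 4xx, so unwrap it."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

def classify_existence(status):
    """404: no such bucket. 200 or 403: it exists (403 just means we can't read metadata)."""
    if status == 404:
        return "missing"
    return "exists" if status in (200, 403) else "unknown"

def assess_permissions(granted):
    """Collapse the granted permission list into an access level."""
    granted = set(granted)
    if "storage.buckets.setIamPolicy" in granted:
        return "PRIVESC"  # can rewrite the bucket policy and grant itself everything
    if granted & WRITE:
        return "WRITE"
    return "READ" if granted & READ else "NONE"

def check_bucket(name, fetch=http_get):
    """Probe one bucket: (existence, access level or None, granted permissions)."""
    exists = classify_existence(fetch(bucket_url(name))[0])
    if exists != "exists":
        return exists, None, []
    status, body = fetch(permissions_url(name))
    granted = json.loads(body).get("permissions", []) if status == 200 else []
    return exists, assess_permissions(granted), granted

def brute(keyword, fetch=http_get):
    """Map every candidate bucket that exists to its (access level, permissions)."""
    found = {}
    for name in generate_candidates(keyword):
        exists, level, granted = check_bucket(name, fetch)
        if exists == "exists":
            found[name] = (level, granted)
    return found

# Constructed stand-in for the Google Storage JSON API so the example runs offline.
FAKE_BUCKETS = {
    "example-backup": (200, ["storage.buckets.get", "storage.objects.list", "storage.objects.get"]),
    "example-prod": (403, []),  # exists, but nothing is granted to anonymous callers
    "dev-example": (200, ["storage.buckets.get", "storage.buckets.setIamPolicy"]),
}

def fake_fetch(url):
    path = urllib.parse.urlparse(url).path
    name = urllib.parse.unquote(path.split("/b/", 1)[1].split("/", 1)[0])
    if name not in FAKE_BUCKETS:
        return 404, '{"error": {"code": 404, "message": "Not Found"}}'
    status, granted = FAKE_BUCKETS[name]
    if path.endswith("/iam/testPermissions"):
        return 200, json.dumps({"permissions": granted})
    return status, "{}"

if __name__ == "__main__":
    for name, (level, granted) in brute("example", fake_fetch).items():
        print(name, level, granted)
```

Passing `http_get` instead of `fake_fetch` runs the same logic against the live API as an anonymous caller; a 403 on the metadata endpoint still counts as "exists", which is the detail that makes unauthenticated enumeration work at all. The permissions a bucket reports back to an anonymous caller are exactly what an attacker on the internet holds, so a PRIVESC result means anyone can take the bucket over.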
GCPBucketBrute has already proven successful in practical tests. In a scan based on the Alexa.com top 10,000 sites, Rhino discovered 18,618 buckets, 13 of which were vulnerable to privilege escalation.
Other findings included:
- 18,618 total buckets were discovered
- 29 buckets of the total 18,618 (~0.16%) allowed read access to all authenticated GCP users, but not unauthenticated users (allAuthenticatedUsers)
- 715 buckets of the total 18,618 (~3.84%) allowed read access to any user on the web (allUsers)
- The remaining 17,874 (~96%) were locked down
Rhino added: “Even though buckets are created private-by-default, time and time again we see users misconfiguring the permissions on their assets and exposing them to malicious actors in the public and simple APIs like the Google Storage TestIamPermissions just make it easier.”
According to a 2017 report by cloud security firm RedLock, 53% of organizations using cloud storage services had inadvertently exposed at least one of them to the public.