The GCP Jenga Tower: Hacking Millions of Google Servers With a Single Package (and More)
Liv Matan, Senior Security Researcher, Tenable (@terminatorLM)

Slide outline (recovered from the deck's extracted text; slide numbers dropped):

CloudImposer
GCP Cloud Functions
Who IAM?
  Liv Matan, Senior Security Researcher, Tenable
  A Microsoft "Most Valuable Researcher"
  Hunts across the major cloud providers
Notable Published Research
  Azure EmojiDeploy: Smile! Your Azure Web Service just got RCEd ._.
  Azure: Abusing Service Tags to Bypass Azure Firewall Rules
  AWS FlowFixation: AWS Apache Airflow Service Takeover
  Google ConfusedFunction: Privilege Escalation Vulnerability
  Google CloudImposer: RCE on GCP Composer
Supply Chain Attacks (in the Cloud)
  legit-package 0.3 / legit-package 0.2
CloudImposer: the Prequel
  PyPI / Private Registry: legit-package 0.1
  pip install --extra-index-url https://
  pip install --extra-index-url https://
Package Managers Are Dangerous
Google Cloud Function Misconfiguration
Just Dork It
Google Cloud App Engine Misconfiguration
GCP Composer Misconfiguration
The Question Arises: Why?
Misconfigurations Followed by... Misconfigurations (Source: GCP Artifact Registry Docs)
"pip, Should I Trust You?" PEP 708 (Python, work in progress)
CloudImposer: It All Started Here
What Are Pre-Installed Dependencies?
  Libraries, packages or modules that come bundled with an application or OS
  Users don't need to install them manually or separately
An Idea: Scan
An Idea: Exploit
Diving Into the GCP Composer File System
Confuse It Even More
  PyPI / Private Registry: google-cloud 0.1 / google-cloud 0.1
  pip install --extra-index-url https://
  pip install --extra-index-url https:// google-cloud==0.1
Emulating
Crafting the POC (three slides)
Speculations
  A defense mechanism I'm not aware of
  PyPI partnership with Google
What Just Happened?
  Confirmed and classified as RCE
  Google fixed the vulnerable script tha