Full Disclosure mailing list archives
Google's osconfig agent - local privilege escalation
From: Imre Rad <radimre83 () gmail com>
Date: Sun, 20 Sep 2020 11:59:54 +0200
Osconfig is a beta service by Google, a poll-based "desired state configuration" solution:

"You can use the OS configuration management service to deploy, query, and maintain consistent configurations (desired state and software) for your VM instance (VM)."

VMs on the Compute Engine have a privileged agent process called "google_osconfig_agent" running by default. The agent was vulnerable to local privilege escalation due to relying on a predictable path inside the /tmp directory. An unprivileged malicious process could abuse this flaw to win a race condition and take over the files managed by the highly privileged agent process and thus execute arbitrary commands as the root user (full capabilities). Exploitation was possible only while an osconfig recipe was being deployed.

Google has fixed this issue recently (2020-09-05); remediation is to upgrade the process from the OS package repositories. (VMs that were created since the new version was published are not affected.)

More info and proof of concept code can be found here:
https://github.com/irsl/google-osconfig-privesc

More info about osconfig:
https://cloud.google.com/compute/docs/os-config-management

Imre
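A defensive counterpart to the predictable /tmp path problem described in the message above, added here as an example; it is not part of the original post and is not the agent's code. It assumes Linux, and the names checkPrivateDir and newWorkDir and the "recipe-" prefix are made up for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"syscall"
)

// checkPrivateDir reports whether path is safe for a privileged process to
// write into: a real directory (not a symlink), owned by the current user,
// and not writable by group or others.
func checkPrivateDir(path string) error {
	fi, err := os.Lstat(path) // Lstat: do not follow a planted symlink
	if err != nil {
		return err
	}
	if fi.Mode()&os.ModeSymlink != 0 || !fi.IsDir() {
		return errors.New("not a real directory")
	}
	if fi.Mode().Perm()&0o022 != 0 {
		return errors.New("writable by group or others")
	}
	st, ok := fi.Sys().(*syscall.Stat_t)
	if !ok || int(st.Uid) != os.Geteuid() {
		return errors.New("not owned by the current user")
	}
	return nil
}

// newWorkDir creates a fresh directory with an unpredictable name and mode
// 0700 under base, then verifies it before handing it to the caller.
func newWorkDir(base string) (string, error) {
	dir, err := os.MkdirTemp(base, "recipe-") // "recipe-" is a made-up prefix
	if err != nil {
		return "", err
	}
	return dir, checkPrivateDir(dir)
}

func main() {
	dir, err := newWorkDir(os.TempDir())
	if err != nil {
		fmt.Println("refusing to continue:", err)
		return
	}
	defer os.RemoveAll(dir)
	fmt.Println("private work dir:", dir)
}
```

A process that must keep using a fixed path can run checkPrivateDir on it at startup and refuse to continue when the check fails.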