lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <55558FE0.70005@security-explorations.com>
Date: Fri, 15 May 2015 08:19:12 +0200
From: Security Explorations <contact@...urity-explorations.com>
To: bugtraq@...urityfocus.com, fulldisclosure@...lists.org
Subject: [SE-2014-02] Unconfirmed / unpatched vulnerabilities in Google App
 Engine


Hello All,

Security Explorations decided to release technical details as well as
accompanying Proof of Concept codes (three complete GAE Java sandbox
escapes) for security issues identified in Google App Engine for Java
after initial Issues 1-31 [1] have been addressed by the company. All
relevant materials can be found at our SE-2014-02 project details page
(original Google reports 3-6, POC codes for Issues 35-41):

http://www.security-explorations.com/en/SE-2014-02-details.html

The reasons for the disclosure of unconfirmed and unpatched issues are
briefly outlined below:
1) We need to treat all vendors equal. In the past, unconfirmed, denied
    or silently fixed issues were the subject to an immediate release
    by us,
2) it's been 3 weeks and we haven't heard any official confirmation /
    denial from Google with respect to Issues 37-41 [2]. It should not
    take more than 1-2 business days for a major software vendor to run
    the received POC, read our report and / or consult the source code.
    This especially concerns the vendor that claims its "Security Team
    has hundreds of security engineers from all over the world" [3] and
    that expects other vendors to react promptly to the reports of its
    own security people [4],
3) we again found out that some of our Proof of Concept codes developed
    as part of SE-2014-02 project stopped working in a production GAE.
    Google has not communicated to us that Issues 35-36 would be / have
    been patched. This is the 3rd time we experience this "silent fix"
    approach from the company,
4) Google rewards cannot influence the way a vulnerability handling /
    disclosure of a security research is made. They cannot be a hostage
    of any vulnerability reward, bug bounty, etc.

Please, note that a Proof of Concept code for the unpatched Issues 37-39
allows to gain access to the GAE Java environment only (it does not break
the OS sandbox). We anticipate that its release is unlikely to raise any
eyebrow at Google as:
- GAE Java VM is the first layer of defense and Google "considers the
   remaining, lower sandboxing layers sufficiently robust",
- 5 months after notifying Google, GAE JVM layer still contains 645
   PROTOBUF definitions for 62 internal Google RPC services (including
   Borg [5]),
- GAIA [6] Frontend configuration files describing configuration for
   354 Google services have been finally removed from the environment,
- libjavaruntime.so does not expose as much debugging information as
   it used to.

Published reports again show the impact of a decision to allow custom
Class Loaders in GAE. They also manifest inconsistency in the way
security checks are implemented by GAE Reflection API interception
layer. They prove again that "working as intended" issues are actually
security bugs contrary to Google's claims.

We have exceeded our initially suspected bug count of 30+ security
issues and started to get closer to the level reached for Oracle Java
SE [7]. The irony is that all of the bugs reported to Google so far
were specific to the "extra security" layer implemented on top of JRE
that aimed to protect GAE against...security vulnerabilities in Java.

At the end, it's worth to note that we are completely aware that this
publication may lead to the cancelling of additional VRP rewards from
Google (including the $20k that were to be paid for Issues 32-34 and
improperly patched Issue 2 #2).

Thank you.

Best Regards,
Adam Gowdiak

---------------------------------------------
Security Explorations
http://www.security-explorations.com
"We bring security research to the new level"
---------------------------------------------

References:
[1] "Google App Engine Java security sandbox bypasses", technical report
     http://www.security-explorations.com/materials/se-2014-02-report.pdf
[2] SE-2014-02 Vendors status
     http://www.security-explorations.com/en/SE-2014-02-status.html
[3] Use your native language - Bughunter University
 
https://sites.google.com/site/bughunteruniversity/improve/use-your-native-language
[4] Project Zero
     http://googleprojectzero.blogspot.com/
[5] Large-scale cluster management at Google with Borg
     https://research.google.com/pubs/pub43438.html
[6] Hackers Attack Google's 'Gaia' Password System
     http://www.pcmag.com/article2/0,2817,2362858,00.asp
[7] SE-2012-01 Security vulnerabilities in Java SE
     http://www.security-explorations.com/en/SE-2012-01.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ