A group of security researchers in Poland say they have discovered a long list of vulnerabilities in the Google App Engine, some of which enable an attacker to escape the Java sandbox.
The researchers at Security Explorations say that they have found more than 30 vulnerabilities in the App Engine, some of which allow code execution and sandbox escapes. The Google App Engine is a platform that enables customers to run their own apps on Google’s massive cloud infrastructure. The platform allows users to run apps built in a variety of languages, including Python and Java, and frees customers from having to deal with server maintenance and other details.
In an advisory posted to Full Disclosure, Adam Gowdiak from Security Explorations listed several of the issues the company found in GAE:
– we bypassed GAE whitelisting of JRE classes / achieved complete Java VM security sandbox escape (17 full sandbox bypass PoC codes exploiting 22 issues in total),
– we achieved native code execution (ability to issue arbitrary library / system calls),
– we gained access to the files (binary / classes) comprising the JRE sandbox, that includes the monster libjavaruntime.so binary (468416808 bytes in total),
– we extracted DWARF info from binary files (type information and such),
– we extracted PROTOBUF definitions from Java classes (description of 57 services in 542 .proto files),
– we extracted PROTOBUF definition from binary files (description of 8 services in 68 .proto files),
– we analyzed the above stuff and learned a lot about the GAE environment for Java sandbox (among others).
However, while the researchers were performing their tests on the platform, Google suspended the test account that Security Explorations had set up.
“Without any doubt this is an opsec failure on our end (this week we did poke a little bit more aggressively around the underlying OS sandbox/issued various system calls in order to learn more about the nature of the error code 202, the sandbox itself, etc.),” Gowdiak said in the advisory.
The team at Security Explorations hasn’t completed all of the research into the App Engine and Gowdiak appealed to Google to restore the test account so they could finish the work.
“Taking into account an educational nature of the security issues found in GAE Java security sandbox and what seems to be an appreciation Google has for arbitrary security research / all sorts of sandbox escapes, we hope the company makes it possible for us to complete our work and reenables our GAE account,” he wrote.
In an email, Security Explorations representatives said that they’re hopeful the test account will be restored so they can finish the project.
“We were told that someone will look into it,” the company said, and added that it would like to issue a full advisory at some point. “We’d love to as this is the usual way we operate when it comes to our non-commercial security research projects. Unfortunately, the status of the project is unknown at this point of time. We would simply need to do more work in a real GAE environment in order to produce a quality technical advisory / writeup and release any codes.”