Privilege Escalation via a service account impersonation chain

Story behind the most creative report from Google Cloud bugSWAT 2025

Jakub Domeracki

December 04, 2025

Transcript

  1. Privilege Escalation via a service account impersonation chain. Story behind the most creative report from Google Cloud bugSWAT 2025. Jakub Domeracki. OH MY HACK 2025.
  2. whoami: Sr. Security Engineer @ Coder. Started reporting bugs to Google in late 2023. Currently ranked top 100 all time on the Google VRP Leaderboard.
    Agenda: Live Hacking Event 101; Why Google SecOps SOAR?; Abusing non-human identities; Connecting the dots; Vertical Privilege Escalation; Full attack scenario; Remediation.
  3. Live Hacking Event 101: Invite only. Collaboration is encouraged. Bounty multipliers. Duplicate window. Predefined scope. Final couple of days onsite. https://x.com/GoogleVRP/status/1974546816772239699/photo/1
  4. Getting invited: Google typically considers the performance of individual researchers from the past year of Cloud VRP reports, as well as previous bugSWAT event performance, when deciding who to invite.
  5. Picking the target: Scope consisted of 9 Google Cloud Products. Due to limited time I decided to pick a single target and stay with it throughout the event.
  6. Why Google SecOps SOAR? Acquisition doesn't use Google's battle-tested frameworks. Enterprise license hard to access by individual hunters → untouched scope. Large attack surface; feature creep → tech debt aggregates over time.
  7. Reading the docs: First thing I recommend to do is go through the docs, and then do it again.
  8. Methodology: 1. Mapping the attack surface: Unauthenticated, Authenticated, External & Internal APIs. 2. Attack scenario ideation: Verifiable hypotheses based on current context; overarching aim is maximum impact (go big or go home). Repeat steps #1 and #2 in a loop.
  9. Python execution environment aka RCE-as-a-Service: One of the first features which stood out after documentation review was the
    Secure implementation of code sandboxing is notoriously hard. https://docs.cloud.google.com/chronicle/docs/soar/respond/ide/using-the-ide#custom-code-validation
  10. IDE custom code validation 🤨: The denylist approach seemed almost certainly insufficient. https://web.archive.org/web/20250419131143/https://cloud.google.com/chronicle/docs/soar/respond/ide/ide-custom-code-
  11. We are in, what next?
    Linux Privilege Escalation. Goal: go from user nonroot → root. Issue: no straightforward pathway (SUID/SGID binaries etc.).
    Pivot to other services within the Cluster. Goal: get access to privileged services. Issue: blocked by Cloud Service Mesh (managed Istio).
    Call the K8s apiserver. Goal: attempt to take advantage of the default bound KSA token. Issue: blocked by Network Policies.
  12. Workload Identity Federation for GKE: Elegant solution to grant per-Service permissions to call Google APIs. https://medium.com/google-cloud/whoami-the-quest-of-understanding-gke-workload-identity-federation-e951e5e4a03f
  13. Access token introspection: Service account access tokens are opaque (can't be decoded locally). One can introspect them using the https://oauth2.googleapis.com/tokeninfo API. https://docs.cloud.google.com/docs/authentication/token-types#sa-access-tokens
  14. What is gke-init-python used for? Yet again documentation came in handy. https://docs.cloud.google.com/docs/authentication/token-types#sa-access-tokens
  15. Service Account impersonation: When an authenticated principal, such as a user or another service account, authenticates as a service account to gain the service account's permissions, it's called impersonating the service account. https://docs.cloud.google.com/iam/docs/service-account-impersonation
  16. Prior art: The fact that the service account impersonation mechanism opens room for privilege escalation scenarios has been known since at least 2020. Some research examples: "Plundering GCP - Escalating Privileges, Moving Laterally, and Stealing Secrets in Google Cloud" by Chris Moberly from GitLab; "EP60 Impersonating Service Accounts in GCP and Beyond: Cloud Security Is About IAM?" with Dylan Ayrey, cofounder of Truffle Security; "Privilege Escalation in GCP: A Transitive Path" by Kat Traxler.
  17. What can gke-init-python do? Running the following gcloud CLI commands as gke-init-python yielded surprising results. https://docs.cloud.google.com/iam/docs/testing-permissions
  18. Malachite enters the scene: Malachite is the internal name of Chronicle, which is now called SecOps SIEM.
  19. Connecting the dots: 1. Attacker can perform API calls as the gke-init-python Service Account. 2. gke-init-python can impersonate the secops-auth Service Account. 3. The secops-auth Service Account is the issuer of Signed JWTs.
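One defender-side check that follows from the chain on this slide, as an added example (not the speaker's or Google's tooling): walk exported per-service-account IAM bindings and surface transitive impersonation paths from a workload identity. The service account names come from the slides; PROJECT_ID, the namespace/KSA name and the bindings themselves are constructed.

```python
"""Audit IAM bindings for transitive service-account impersonation chains.
Added illustration (not the speaker's tooling); input mirrors what
`gcloud iam service-accounts get-iam-policy` returns, data is constructed."""
from collections import deque

# Roles whose holder can obtain credentials for the bound service account.
# Project-level grants and basic roles (owner/editor) are outside this check.
IMPERSONATION_ROLES = {"roles/iam.serviceAccountTokenCreator", "roles/iam.workloadIdentityUser"}

GKE_SA = "gke-init-python@PROJECT_ID.iam.gserviceaccount.com"   # PROJECT_ID: placeholder
SECOPS_SA = "secops-auth@PROJECT_ID.iam.gserviceaccount.com"
START_PRINCIPAL = "PROJECT_ID.svc.id.goog[soar/python-runner]"  # constructed KSA

SA_POLICIES = {  # constructed sample: target SA -> its IAM bindings
    GKE_SA: [{"role": "roles/iam.workloadIdentityUser",
              "members": ["serviceAccount:" + START_PRINCIPAL]}],
    SECOPS_SA: [{"role": "roles/iam.serviceAccountTokenCreator",
                 "members": ["serviceAccount:" + GKE_SA]},
                {"role": "roles/iam.serviceAccountUser",  # actAs only; not a token edge
                 "members": ["user:alice@example.com"]}],
}

def build_graph(policies):
    """Map each principal to the set of service accounts it can act as."""
    graph = {}
    for target_sa, bindings in policies.items():
        for binding in bindings:
            if binding["role"] in IMPERSONATION_ROLES:
                for member in binding["members"]:
                    principal = member.split(":", 1)[-1]  # drop 'user:'/'serviceAccount:'
                    graph.setdefault(principal, set()).add(target_sa)
    return graph

def impersonation_chains(policies, start):
    """Every impersonation path reachable from `start`, shortest hops first."""
    graph, seen, chains = build_graph(policies), {start}, []
    queue = deque([[start]])
    while queue:
        path = queue.popleft()
        for nxt in sorted(graph.get(path[-1], ())):
            if nxt not in seen:          # one shortest path per account suffices
                seen.add(nxt)
                chains.append(path + [nxt])
                queue.append(path + [nxt])
    return chains

def transitive_chains(policies, start):
    """Chains of two or more hops: the escalation pattern the slides describe."""
    return [c for c in impersonation_chains(policies, start) if len(c) > 2]
```

Any chain reported by `transitive_chains` is a binding set to review: the workload's own permissions are not the ceiling of what it can reach.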
  20. Live demo 404 🚧: Google broke the chain by removing misconfigured IAM bindings soon after the event. I couldn't record a demo nor do it live (yeah, I know).
  21. Full-read SSRF via the predefined HTTPv2 integration: Trivial SSRF to get the OAuth access token of the Service Account bound to the Python execution environment. https://docs.cloud.google.com/chronicle/docs/soar/marketplace-integrations/http-v2#execute-request
  22. Code Execution via SSTI in TemplateEngine PowerUp: Classic Jinja2 Server Side Template Injection. subprocess.Popen was imported, making exploitation trivial. https://docs.cloud.google.com/chronicle/docs/soar/marketplace-and-integrations/power-ups/templateengine
  23. The aftermath: Reports which weren't considered impactful got paid out retroactively 💰. I showcased a live demo during show & tell. Ended up winning the most creative report award! 🎉
  24. Q&A

  25. Thank you for attending! Please rate the talk and provide feedback. Contact information: https://x.com/j_domeracki https://www.linkedin.com/in/jakub-domeracki/