A group of security researchers have announced their findings after encountering more than 30 serious security issues in Google App Engine (GAE) for Java, including a bug that could allow for a complete “sandbox escape.”
As part of Google’s Cloud Platform – a platform-as-a-service (PaaS) for developing and hosting web applications, GAE is widely used by a variety of big name websites, including Best Buy, Feedly and Rovio.
Adam Gowdiak, CEO of Poland-based Security Explorations, announced the discovery in a blog post on Saturday, and outlined his team’s developments:
- We bypassed GAE whitelisting of JRE classes / achieved complete Java VM security sandbox escape (17 full sandbox bypass PoC codes exploiting 22 issues in total),
- We achieved native code execution (ability to issue arbitrary library / system calls),
- We gained access to the files (binary / classes) comprising the JRE sandbox, that includes the monster libjavaruntime.so binary (468416808 bytes in total),
- We extracted DWARF info from binary files (type information and such),
- We extracted PROTOBUF definitions from Java classes (description of 57 services in 542 .proto files),
- We extracted PROTOBUF definition from binary files (description of 8 services in 68 .proto files),
- We analyzed the above stuff and learned a lot about the GAE environment for Java sandbox (among others).
However, Gowdiak noted the firm’s research was left incomplete after the search engine company suspended their GAE account for testing purposes on Saturday.
“Without any doubt, this is an opsec failure on our end,” said Gowdiak, adding the team had aggressively tested the underlying OS sandbox, and issued various system calls in order to learn more about a 202 error code, as well as the sandbox itself.
Craig Young, Tripwire security researcher, said he was surprised by Google’s approach to disable the test account, rather than encouraging the research and working toward a coordinated disclosure.
“Java does not have the best reputation from a security perspective,” said Young. “It’s also surprising that Google – a company well-known for investing R&D money to find vulnerabilities in critical technology – failed to recognize handfuls of seemingly critical issues in their own platform as a service offering.”
Security Explorations provided the results of their findings to Google on Sunday. In response, the company informed the researchers it has begun analyzing the vulnerabilities they reported.
Gowdiak noted the team hopes to continue their analysis in an effort to verify the remaining vulnerabilities and share their research with the security community.