
$36k Google App Engine RCE - louis-paul
https://sites.google.com/site/testsitehacking/-36k-google-app-engine-rce
======
gnl
Those skills at 18, the integrity to not sell something like this on the black
market (assuming here that an 18-year-old in Uruguay isn't exactly swimming in
money), and a bounty from Google under his belt - he won't have trouble
finding work. If I were considering hiring him, the creative bit of guerrilla
marketing for The Expanse he threw in there wouldn't hurt his chances either.

~~~
tptacek
Let's try a thought experiment. To make things easier, imagine you're 21 years
old, not 18, and have made up those 3 years working in the industry. You found
this vulnerability, and have decided not to submit it for a bounty, but rather
to the black market.

Who do you sell it to? I assume your answer will involve putting it up on some
darknet version of Craigslist. That's fine, but then tell me: who's paying for
it? What price do they assign to it? For instance: if you think you can sell
it for $50k, who's paying that, and for what purpose?

Finally, what are the steps you take to safely complete the transaction?

(This is intended only to clarify arguments about the market for
vulnerabilities like these, and not to suggest that the finding and the
writeup aren't excellent, which they sure appear to be.)

~~~
was_boring
You don't have to think about it too hard, there's companies that will help
you with the transaction.
[https://www.zerodium.com/](https://www.zerodium.com/)

~~~
tptacek
First, you can just go look at Zerodium's website and see what they'll buy.
Notice that one-off vulnerabilities aren't there at all: there are no
vulnerability types on their rate sheet that a single vendor can
instantaneously fix worldwide with a single patch.

Notice also that with just a couple exceptions, RCEs in _extremely widespread_
serverside web components are valued at $10k (if you believe their price list;
I'm skeptical of it). Those are vulnerabilities that all have half-lives after
patches are issued --- that's a _ceiling_ for what anything like this could be
worth.

Second, Zerodium isn't "the black market".

~~~
gnl
I was in fact thinking of exploit brokers as well, so my wording was unclear.
Let's call it the grey/black market.

In the scenario you described, without any other contacts and/or experience
with transactions like this, I would approach an exploit broker. As for the
payout - I assumed that any RCE vulnerability that qualifies for Google's
highest bounty is likely to fetch a higher price elsewhere.

My experience with the field is limited and considering yours, if you are
suggesting that this particular exploit would not fetch a significantly higher
price, I shall stand corrected.

~~~
blattimwind
It actually turns out to be not that simple to approach organized crime for a
one-off transaction. If that were simple for you, then it would be
exceedingly easy for LEO to get to these players as well.

~~~
gnl
Clearly. As pointed out/clarified in another comment I was mostly thinking of
the grey area companies who buy 0-days and sell them to governments, law
enforcement and god knows who.

------
guessmyname
> _I am 18-year-old student at the University of the Republic [Uruguay]
> interested in computer security_

Someone could say that he could have gotten even more money by selling his
findings on the black market, very difficult but doable. However, as someone
who understands what studying computer science in a 3rd-world country is like,
getting USD 36k+ in a legal way and from a company that is considered one of
the best in the industry, it must have felt very good to get that mail.

Congratulations, and keep up the good work.

~~~
foepys
That's pretty advanced stuff for an 18y/o, even for most senior developers. No
doubt Google will try to recruit him after he finishes university.

~~~
jcims
(Edit: I appear to be a broken record) I spent a spell on a bug bounty
program. There are some beasts out there in the 16-20yo age range, it's pretty
crazy.

~~~
toomanybeersies
Their minds probably haven't been numbed by years of fixing shoddy code and
writing CRUD apps yet.

------
Artemis2
This report showcases a ton of tenacity and thoroughness. Not his first time,
either: [https://sites.google.com/site/testsitehacking/10k-host-header](https://sites.google.com/site/testsitehacking/10k-host-header). Very
impressive.

“Please stop exploring this further, as it seems you could easily break
something” has got to be the best reply one can receive to a bug bounty
report.

~~~
ben_jones
That's what struck me. From the well-told story I feel like there were several
points of "welp, probably can't go further than this, better move on to
something else" but he kept going and going and sure enough he got somewhere.
Hope to see more work published by him over the next few years!

------
mabbo
"When issuing the reward, we'll take into account what you could have achieved
with this access" makes me laugh.

How scary must that be for the Google team? You know you've messed up so badly
and the person who is investigating is doing so blindly with no knowledge or
accountability if he breaks something. Yikes.

Kudos to everyone for doing the right things. And great bounty - the average
yearly income in Uruguay is $2000-$3000 USD per household. This guy just got
awarded more than ten times that.

~~~
gnl
Are you sure that's accurate? According to this [1] it's about 10 000 USD per
capita.

[1] [https://www.ceicdata.com/en/indicator/uruguay/annual-household-income-per-capita](https://www.ceicdata.com/en/indicator/uruguay/annual-household-income-per-capita)

~~~
mabbo
Ah, you may be right - I did a cursory Google search only. Still, multiple years
of income in one bug isn't bad at all.

------
funkjunky
I used to work support for GAE and recognize all of this. This is really
impressive, congrats on the great work and huge bounty. Keep it up!

~~~
haldean
Same; I worked on GAE in 2013 and it's so funny to read the story of someone
exploring, discovering, and being so close to breaking something you know
really well. There's a few moments in here where I thought "oh man, you could
have done XXXX and that would have been so bad!". Definitely understand why
they gave them the big bucks for this one.

~~~
eyeareque
XXXX == what types of things?

I’m curious why there was no auth required for his calls.

~~~
londons_explore
* Grab nearly all of Google's source code (no extra auth required for that, since so many libraries read config etc. from the source code repo)

* Make the right requests to one endpoint he found and retrieve company financials, number of hits to every Google service, the name of every application running in every datacenter, etc.

* With the above two things, you know the location of services and every RPC endpoint on them, and all access control configs. You can take your sweet time to audit the tens of millions of lines of code to find vulnerabilities and get to attack as an authenticated (albeit low privilege) user. A lot of stuff is open to all authenticated internal users.

* For example, you could take down any Google service by quitting all the application servers at the same time by calling the right debugging RPC. You'd be caught obviously, though.

~~~
eyeareque
Wow, that is quite significant.

36k is not a small bounty for an RCE, but I feel like this is more critical to
Google than the highest Android payout, for which they pay up to 200k:
[https://www.google.com/about/appsecurity/android-rewards/](https://www.google.com/about/appsecurity/android-rewards/)

~~~
londons_explore
Android is wormable, and potentially not repairable by google.

For example, with a decent remote android exploit, I could distribute a
patched Google Play Services to all vulnerable handsets which disables updates
and then listens to my own command and control infrastructure for further
actions.

I can now hold the phones hostage and extort google for money to regain
control of them.

~~~
eyeareque
That would be pretty brutal and cause people to quit trusting android phones.

But I think the same could be accomplished with the access he had, or worse,
but it would have taken a lot more work. He also would have needed to avoid
detection too. His access sounds more troubling than the Aurora attacks they
had years ago.

------
throwaway66666
Another thing that is very admirable and bold is that he had no actual idea
that he had discovered an RCE vuln but went ahead and confidently contacted Google.

How many would stop at "Eh I managed to fire requests to a hidden RPC service
in google, but couldn't figure out how to make it do anything useful to
qualify".

Put yourselves and your work/findings out there people!

~~~
puzzle
Yes, if he had known more about Google infrastructure, he could have done some
damage, both active and passive. He had access to a lot of internals. I was
surprised by them at first, too, but they all make sense. On the other hand,
he would have probably been caught fairly rapidly.

~~~
saalweachter
One thing to note is that Google, like any responsible organization should,
has layered security and threat models that include insiders as a potential
threat; _hopefully_, while he could make RPC calls to internal services
(which is itself a serious problem, hence the giant bounty) he _hopefully_
could not authenticate to do any serious damage or access any
sensitive information.

~~~
puzzle
I agree that there are multiple layers of security in place, which is why I
said he would have been caught fairly quickly. I'm not going to go into
details, but, at the very least, he had access to quite a bit of proprietary
information, i.e. private to Google, not necessarily user data. I talked to
another former Googler and we agreed that this is at least as bad as a
previous disclosure: [https://packetstormsecurity.com/files/129406/Google-App-Engine-Java-VM-Sandbox-Escape.html](https://packetstormsecurity.com/files/129406/Google-App-Engine-Java-VM-Sandbox-Escape.html)

------
londons_explore
He was about 2 API calls from being able to grab nearly all of Google's source
code from Google3 there...

~~~
tejasmanohar
Source? Is there really no authentication around it?

~~~
sulam
He had read access to G3. Exfiltrating it all would have been hard, but he
could have gotten a chunk of it for sure.

------
pcardoso
Cute base amount, $31337... :)

~~~
gitgud
For anyone not informed like me...

[https://www.urbandictionary.com/define.php?term=31337](https://www.urbandictionary.com/define.php?term=31337)

------
sailfast
This is not an inconsequential amount of cash, for sure. Especially at 18!
Congrats! And a great write-up to boot. Just awesome.

All that said an honest question: why would a company like Google not pay
insane amounts of money for these kinds of bug finds? What would they pay
their own people to find them? Seems like RCE on App Engine should be worth
100K+ and then some on top for giggles just because they can.

Obviously having a standard policy makes sense so that your community
understands what to expect but as Google, what's your operational impact if
you triple / quadruple vs. market value of the exploits?

~~~
dgacmu
They pay their own people a salary - having a dependable living (at a very,
very nice rate) is a pretty awesome thing. Sometimes there are bonuses
involved, but they're usually not on the order of magnitude of external bug
bounties.

My understanding of the pricing is that it's designed to make ethical behavior
profitable enough that fewer people are tempted to sell the exploits on the
black market, not necessarily to out-compete the black market entirely. I
think this person's find is a great example - it's a resume-booster, a great
experience, a very nice cash infusion, and _helps_ , instead of hindering,
their job prospects with future employers.

------
degenerate
Looks like the "Hall of Fame" link in the bounty confirmation email is broken
/ not rendering:

[https://www.google.com/about/appsecurity/hall-of-fame/](https://www.google.com/about/appsecurity/hall-of-fame/)

~~~
splonk
It appears to be hosted at
[https://bughunter.withgoogle.com/rank/hof](https://bughunter.withgoogle.com/rank/hof)

(From following this error: "Refused to display
'https://bughunter.withgoogle.com/0x0A?embed=1'
in a frame because it set 'X-Frame-Options' to 'deny'.")

------
neosavvy
Google should send this guy a request to be hired. Clearly he's as good as
their internal engineering team and his write up was great.

~~~
hinkley
As has been discussed to death here, Google’s hiring process doesn’t care what
you did last week, or last year (eg Max Howell).

This would not improve his odds.

~~~
nyxxie
Anecdotal, but I got my job at Google through participating in their bug
bounty program. The first set of interviews you have that ask general CS
questions might not care what you did last week or last year, but when you
talk with the team who wants to hire you they certainly do care.

~~~
GFischer
That's the thing, he might get rejected from the screening questions...

------
gigatexal
I sure as hell wasn't this competent at 18, let alone now. Kudos to him.

------
russum
Huh, so you can run binaries in GAE by downloading a statically linked app to
/tmp, chmod'ing & executing it? And there would be no limits on how it's run?
That's crazy & pretty cool!

~~~
thesandlord
GCP Developer Advocate here:

The Java 8, Node.js (just announced at I/O) and GCF environments use a new
sandbox that should allow you to run any binary. Of course there are limits,
and you have to pay to run things on App Engine past the free tier, but most
things should run just fine.

The older GAE sandboxes didn't let you do this (and had a ton of other
limitations as well)
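The question above (drop a binary into /tmp, chmod it, run it) is really a question about whether the runtime's writable directories are also executable. The probe below is an added example, not code from the original writeup or from Google; it copies a binary that already exists on the host (whatever `ls` resolves to, an assumption) rather than downloading a static one, so it runs offline, and the directory it probes (default /tmp) is an assumption too:

```shell
#!/bin/sh
# Added example, not from the original post or from Google: probe whether the
# current runtime lets you drop a binary into a writable directory and run it.
# Assumptions: the directory to probe (default /tmp) and the binary to copy
# (default: whatever `ls` resolves to on this host). A real probe would fetch a
# statically linked binary instead, as the writeup describes.

# Copy a binary into $1, mark it executable and try to run it.
# Returns 0 if it executed, 1 if the directory refused to run it
# (e.g. mounted noexec, or a syscall filter), 2 if the directory is not writable.
probe_exec_dir() {
    dir="${1:-/tmp}"
    src="${2:-$(command -v ls)}"
    dst="$dir/.exec_probe.$$"
    cp "$src" "$dst" 2>/dev/null || { echo "cannot write to $dir"; return 2; }
    chmod +x "$dst" 2>/dev/null
    if "$dst" / >/dev/null 2>&1; then
        rm -f "$dst"
        echo "exec allowed in $dir"
        return 0
    fi
    rm -f "$dst"
    echo "exec blocked in $dir (noexec mount or a syscall filter?)"
    return 1
}

# Print the mount options covering $1; a 'noexec' flag is the usual hard block.
mount_opts_for() {
    if command -v findmnt >/dev/null 2>&1; then
        findmnt -n -o OPTIONS --target "$1"
    elif [ -r /proc/mounts ]; then
        # fallback: options of the longest mount point that is a prefix of the path
        awk -v d="$1" 'index(d, $2) == 1 && length($2) > best { best = length($2); o = $4 } END { print o }' /proc/mounts
    else
        echo "unknown"
    fi
}

# Usage: probe the directory named in PROBE_DIR (default /tmp) and show its mount options.
probe_exec_dir "${PROBE_DIR:-/tmp}"
mount_opts_for "${PROBE_DIR:-/tmp}"
```

Run it inside the runtime you are assessing (an App Engine instance, a container, a CI runner): "exec allowed" plus writable means the step in the writeup works there, and comparing against the mount options tells you whether a `noexec` remount would be enough to close it or whether something else is doing the blocking.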

------
ggg9990
It would be no skin off Google's back to multiply these bug bounties by 10, and
they should.

~~~
jhall1468
But that would be counter to their interests. They want to hire this kid
when he graduates. If they paid 10x their current bounty rates they'd have
paid over $400,000 to him in the last couple of years of his _free time_.
That's a great way to never be able to hire him.

~~~
Reedx
> That's a great way to never be able to hire him.

Why's that? It's not retirement money. 400k (salary+stock) is one year of
compensation for some Google engineers.

~~~
jhall1468
Dude has cashed out a $10k and $30k bug bounty at the age of 18. Either he's
lucky or he's very good. If he's the latter that $400k turns into an annual
bounty.

And very, _very_ few Google engineers make that kind of money.

~~~
murderfs
> And very, very few Google engineers make that kind of money.

You'd be surprised. In Mountain View, everyone level 6 or above makes at least
that amount, and most level 5s probably do as well. I'd guess that probably
20% of engineers are T5 or above, which is a ton of people when you multiply
by tens of thousands of engineers.

~~~
jhall1468
Very few as a ratio. There aren't that many T6's and I'm not sold on the idea
that "most" T5's are making $400,000 when the average is around $350,000
according to levels.fyi.

------
jotadambalakiri
I don't think it's so easy to sell a vulnerability on the black market. If you
send the code first they will have no incentive to send the money, if you get
the money, you might not send the code.

~~~
dannyw
You don't have to send the code, you can demonstrate it, e.g. on a dummy
shared account where you bypass all quotas.

------
doesnt_know
I have almost 15 years on the OP and am not even half as talented. It looks
like they've received almost $60k from Google across five bug bounties, very
impressive.

------
Karishma1234
Any idea how such rewards get taxed?

~~~
q3k
On the receiving end if you're non-US-based? You're supposed to figure it out
yourself (i.e. pay local applicable income tax), they just want a W8BEN.

Source: got a Google VRP reward.

~~~
Karishma1234
So the US government does not take a cut?

~~~
dannyw
The US govt doesn't take a cut if you pay an overseas contractor X for Y.

