Google Cloud Storage

Slack Group

Before we get started I have started a slack group dedicated to hacking. We welcome everyone from beginner to advanced to join. I will be on everyday answer questions, doing CTFs, and talking about cool hacks. If you enjoy hacking and are looking for like minded people join below:

NEW Hacking Group Slack Channel

Introduction

With this rise of the cloud it makes since that there is cloud storage. Basically cloud storage is a place to store files without having to store them locally on your system.

Googles S3

You have probably heard of S3 buckets and how every one seems to be hacking these things. Basically there is a permission on S3 buckets that will allow anonymous users to list all files in the bucket. You can also do other things such as upload files depending on the permissions set. Im not here to write another S3 bucket blog their are plenty of those, we are hear to learn about google cloud storage the S3 bucket alternative.

Google cloud storage like Amazons S3 buckets is a place to store files. Like S3 buckets Google cloud storage is also vulnerable to anonymous file listing. The url for Google cloud storage endpoints looks like:

www.googleapis.com/storage/v1/b/<BUCKET NAME>o/

Now you just need some potential bucket names of your target. If the bucket name doesn’t exists you will get a 404 code as shown in the below response:

{
  "error": {
    "code": 404,
    "message": "Not Found",
    "errors": [
      {
        "message": "Not Found",
        "domain": "global",
        "reason": "notFound"
      }
    ]
  }
}

If the bucket does exists you will a 401 code as shown in the below response:

{
  "error": {
    "code": 401,
    "message": "Anonymous caller does not have storage.buckets.get access to facebook.",
    "errors": [
      {
        "message": "Anonymous caller does not have storage.buckets.get access to facebook.",
        "domain": "global",
        "reason": "required",
        "locationType": "header",
        "location": "Authorization"
      }
    ]
  }
}

As you can see in the above response we get the following error message:

Anonymous caller does not have storage.buckets.get access

This means the endpoint isnt vulnerable because anonymous users cant access the bucket. By default buckets will be set to disallow anonymous users. This means that some one must make a mistake and change this setting for the vulnerability to be introduced.

If the bucket is vulnerable and has this misconfiguration you should see a list of files as shown in the below response:

{
  "kind": "storage#objects",
  "items": [
    {
      "kind": "storage#object",
      "id": "<BUCKET_NAME>/000a1d72-316c-4966-b1f0-232578fe18d6-executive-summary/1480372714305000",
      "selfLink": "https://www.googleapis.com/storage/v1/b/<BUCKET_NAME>/o/000a1d72-316c-4966-b1f0-232578fe18d6-executive-summary",
      "name": "000a1d72-316c-4966-b1f0-232578fe18d6-executive-summary",
      "bucket": "<BUCKET_NAME>",
      "generation": "1480372714305000",
      "metageneration": "1",
      "contentType": "application/pdf",
      "storageClass": "DURABLE_REDUCED_AVAILABILITY",
      "size": "5005843",
      "md5Hash": "7pqOAGvlnkEr2gfvVqvZKQ==",
      "mediaLink": "https://www.googleapis.com/download/storage/v1/b/<BUCKET_NAME>/o/000a1d72-316c-4966-b1f0-232578fe18d6-executive-summary?generation=1480372714305000&alt=media",
      "crc32c": "3wxk8w==",
      "etag": "COjrlY7CzNACEAE=",
      "timeCreated": "2016-11-28T22:38:34.290Z",
      "updated": "2016-11-28T22:38:34.290Z",
      "timeStorageClassUpdated": "2016-11-28T22:38:34.290Z"
    },
    {
      "kind": "storage#object",
      "id": "<BUCKET_NAME>/00462a01-e652-4781-8494-42c0379b3d44-comp-plan-progress-summary-april-2017/1493327003034000",
      "selfLink": "https://www.googleapis.com/storage/v1/b/<BUCKET_NAME>/o/00462a01-e652-4781-8494-42c0379b3d44-comp-plan-progress-summary-april-2017",
      "name": "00462a01-e652-4781-8494-42c0379b3d44-comp-plan-progress-summary-april-2017",
      "bucket": "<BUCKET_NAME>d",
      "generation": "1493327003034000",
      "metageneration": "1",
      "contentType": "application/pdf",
      "storageClass": "DURABLE_REDUCED_AVAILABILITY",
      "size": "1787830",
      "md5Hash": "ogMtmQAYlusgzS/LlQvq1Q==",
      "mediaLink": "https://www.googleapis.com/download/storage/v1/b/<BUCKET_NAME>/o/00462a01-e652-4781-8494-42c0379b3d44-comp-plan-progress-summary-april-2017?generation=1493327003034000&alt=media",
      "crc32c": "i85dTw==",
      "etag": "CJDDsszExdMCEAE=",
      "timeCreated": "2017-04-27T21:03:23.021Z",
      "updated": "2017-04-27T21:03:23.021Z",
      "timeStorageClassUpdated": "2017-04-27T21:03:23.021Z"
    },

Each file in the exposed bucket can easily be download by visiting the value contained in the “mediaLink” parameter. Now you only have to find some sensitive files that shouldn’t be exposed.

As you can see Google cloud storage shares the exact same vulnerabilities as S3 buckets they are just a little less talked about because Amazon completly owns the cloud services market, but that doesn’t mean you wont find people using other services.

Conclusion

Everyone knows about the vulnerabilities in S3 buckets but no one ever talks about the other cloud providers. Google cloud storage shares the same vulnerabilities as S3 buckets, its just a little less known.

1 thought on “Google Cloud Storage”

  1. Hi there I am so happy I found your weblog, I really found you by accident, while I was browsing on Bing for something else, Nonetheless I am here now and would just like to say cheers for a tremendous post and a all round entertaining blog (I also love the theme/design), I don’t have time to go through it all at the moment but I have bookmarked it and also added your RSS feeds, so when I have time I will be back to read more, Please do keep up the great work.

Leave a Reply

Your email address will not be published. Required fields are marked *