Google has awarded a young cybersecurity researcher $36,337 for disclosing a serious vulnerability in Google App Engine.
The 18-year-old student from Uruguay's University of the Republic found a severe remote code execution (RCE) bug in the system. Google App Engine is a framework and cloud platform used for hosting and developing web applications in Google data centers.
According to the report, in early 2018 the researcher gained access to a non-production Google App Engine deployment environment and was able to use internal APIs in that environment. Every Google App Engine (GAE) application replies to HTTP requests with an “X-Cloud-Trace-Context” header.
appengine.google.com itself runs on GAE. The researcher then studied how GAE apps perform internal actions, including writing logs and retrieving OAuth tokens.
In the Java 8 environment, internal actions were performed by sending Protocol Buffer (PB) messages to an internal HTTP endpoint. The response would be the corresponding PB message that represents the reply from the API, or an error message.
The bug hunter then went on to upload a statically linked version of Nmap to GAE. This led to the discovery that port four was open. By building a C++ client and running it on GAE, the researcher uncovered an RPC service that was running an “apphosting.APIHost” API.
Later, the researcher built a Java library in C++ that reads the arguments passed to launchers and returns them. This also led to the discovery of API names including “log service” and “stubby.”
With the help of these scripts, the researcher was able to gain access to the staging and test GAE deployment environments, which are usually restricted and cannot be accessed by standard users.
The researcher says, “After discovering this, I did some testing. But I was not able to find any stubby call that I considered dangerous. Nevertheless, I reported this to Google and it got a P1 priority.” The university student was then awarded the large bounty for what Google considers a severe RCE bug.
The researcher added, “I was not aware until then that this was regarded as Remote Code Execution (the highest tier of bugs); it was a very pleasant surprise. I asked one of the Googlers in the reward panel about it, and he told me it is RCE for the way Google works and also that the extra $5k (since they pay $31,337 for RCE bugs) was for a lesser bug.”