Liv Matan

Liv Matan is a Senior Security Researcher at Tenable, where he specializes in application and web security.
As a bug bounty hunter, Liv has found several vulnerabilities in popular software platforms, such as Azure, Google Cloud, AWS, Facebook, and GitLab. He was recognized as Microsoft's Most Valuable Researcher and has presented at conferences such as DEF CON Cloud Village and fwd:cloudsec. In his free time, he boxes, lifts weights and plays Capture the Flag (CTF).


Session

06-17
09:40
20min
One Click, Six Services: Abusing The Dangerous Multi-service Orchestration Pattern
Liv Matan

Cloud providers build their services a little like Jenga towers. They use their core services as the foundation of more popular customer-facing offerings. You may think you’re just creating a GCP cloud function in an empty account. In reality, with one click, you’re creating resources in six different services: a Cloud Build instance, a Storage Bucket, an Artifact Registry or a Container Registry, and possibly a Cloud Run instance and Eventarc triggers. The security of the entire stack is only as strong as the weakest link.
By looking at the entire stack, we can find privilege escalation techniques and even vulnerabilities that are hidden behind the stack. In my research, I was able to find a novel privilege escalation vulnerability and several privilege escalation techniques in GCP.

The talk will showcase a key concept, sometimes not discussed enough: cloud services are built on top of each other, and one click in the console can cause many things to happen behind the scenes. More services mean more risks and a larger attack surface.

The next part will dive deep into the vulnerable GCP Cloud Functions deployment flow. I will showcase the vulnerability I found in this flow, which enables an attacker to run code as the default Cloud Build service account by exploiting the deployment flow and the flawed trust between services, resulting in a large fix and change in GCP IAM and Cloud Functions. This would grant an attacker high privileges to key services such as Storage, Artifact Registry, and Cloud Build.

However, this talk is about more than just a vulnerability. By understanding cross-service dependency, we can reveal a broad attack surface for many possible privilege escalation vectors between services. I will demo a simple tool I wrote to find the hidden APIs that are called by the CSP when performing an action.

By the end of this talk, the audience will learn the dangers of treating cloud services like a black box. The talk explains the hidden deployment flow behind one important stack, and provides the tools to uncover the risks of many more.

A Long Train of Abuses and Usurpations
Breakout 2