Google Cloud Storage bucket takeover via an unclaimed bucket referenced in the GitHub repository github.com/wardviaene/kubernetes-course (wardviaene/kubernetes-course)
Reported on
May 8th 2022
Description
wardviaene maintains an open-source project, kubernetes-course. Its helm/README.md contains installation instructions for Helm that tell the reader to download the Helm binary from a Google Cloud Storage bucket (kubernetes-helm) which was not registered on GCP, so any Google account could create a bucket with that name. I was therefore able to take over the bucket as a proof of concept.
Proof of Concept
curl -s https://storage.googleapis.com/kubernetes-helm/takeover.html | base64 --decode
Impact
An attacker who claims the bucket can host malicious Helm binaries on it. Anyone following the project's instructions would then download and run the attacker's binary, which gives the attacker code execution on the host machine. Because the README's download step points at the bucket directly, nothing in the instructions would flag the substitution unless the user independently verified the archive against a checksum obtained from a trusted source.
Occurrences
README.md?plain=1 L5
Go to https://github.com/wardviaene/kubernetes-course/blob/master/helm/README.md#install-helm-helm-30
Search for kubernetes-helm
You will see storage.googleapis.com/kubernetes-helm
being used as the download location in the setup instructions
Try accessing the bucket using this URL: https://storage.googleapis.com/kubernetes-helm/takeover.html
You will see a base64 string; decode it and you will see the takeover message
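The steps above check one bucket by hand. The script below, an added example that is not part of this report and not the project's code, automates the same check: it extracts every Google Cloud Storage bucket referenced in a README (path-style, virtual-hosted and gs:// forms) and classifies each one from the HTTP response GCS gives for its root URL. GCS answers a request for a bucket nobody has created with HTTP 404 and an XML body whose Code is NoSuchBucket, which is exactly the condition that makes a takeover possible; an existing bucket answers 200, 403 AccessDenied, or 404 NoSuchKey. The README text, the bucket name example-course-assets, the Helm version in the URL, and the canned responses are all constructed so the script runs offline; the live_fetch function is what you would pass in to check a real repository.

```python
import re
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Set, Tuple

# Bucket names: 3-63 chars of lowercase letters, digits, dashes, underscores, dots.
_NAME = r"([a-z0-9][a-z0-9._-]{1,61}[a-z0-9])"
_PATTERNS = [
    re.compile(r"https?://storage\.googleapis\.com/" + _NAME),      # path style
    re.compile(r"https?://" + _NAME + r"\.storage\.googleapis\.com"),  # virtual-hosted
    re.compile(r"gs://" + _NAME),                                    # gsutil URI
]


def extract_gcs_buckets(text: str) -> Set[str]:
    """Return every GCS bucket name referenced anywhere in the text."""
    found: Set[str] = set()
    for pattern in _PATTERNS:
        found.update(pattern.findall(text))
    return found


def classify_gcs_response(status: int, body: str) -> str:
    """Map the response for a bucket root URL to 'unclaimed', 'exists' or 'unknown'."""
    code = None
    if body.lstrip().startswith("<"):
        try:
            el = ET.fromstring(body.encode("utf-8")).find("Code")
            code = el.text if el is not None else None
        except ET.ParseError:
            code = None
    if status == 404 and code == "NoSuchBucket":
        return "unclaimed"  # nobody owns this name: anyone can register it
    if status in (200, 403) or (status == 404 and code in ("NoSuchKey", "NotFound")):
        return "exists"
    return "unknown"


def audit_readme(text: str, fetch: Callable[[str], Tuple[int, str]]) -> Dict[str, str]:
    """Check each referenced bucket with the supplied fetch(url) -> (status, body)."""
    verdicts: Dict[str, str] = {}
    for bucket in sorted(extract_gcs_buckets(text)):
        status, body = fetch(f"https://storage.googleapis.com/{bucket}/")
        verdicts[bucket] = classify_gcs_response(status, body)
    return verdicts


def live_fetch(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Real HTTP GET, for use against an actual repository (not used offline)."""
    req = urllib.request.Request(url, headers={"User-Agent": "bucket-audit/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


# Constructed README snippet modelled on a Helm 2 install section (not the project's file).
SAMPLE_README = """\
# Install helm (helm 2.x)

wget https://storage.googleapis.com/kubernetes-helm/helm-v2.14.3-linux-amd64.tar.gz
tar -xzf helm-v2.14.3-linux-amd64.tar.gz

Or with gsutil:
gsutil cp gs://kubernetes-helm/helm-v2.14.3-linux-amd64.tar.gz .

Sample manifests: https://example-course-assets.storage.googleapis.com/manifests/
"""

# Constructed responses in the XML shape GCS returns for these two cases.
NO_SUCH_BUCKET = ("<?xml version='1.0' encoding='UTF-8'?><Error><Code>NoSuchBucket</Code>"
                  "<Message>The specified bucket does not exist.</Message></Error>")
ACCESS_DENIED = ("<?xml version='1.0' encoding='UTF-8'?><Error><Code>AccessDenied</Code>"
                 "<Message>Access denied.</Message></Error>")
CANNED = {
    "https://storage.googleapis.com/kubernetes-helm/": (404, NO_SUCH_BUCKET),
    "https://storage.googleapis.com/example-course-assets/": (403, ACCESS_DENIED),
}


def canned_fetch(url: str) -> Tuple[int, str]:
    """Offline stand-in for live_fetch using the constructed responses above."""
    return CANNED.get(url, (200, ""))


if __name__ == "__main__":
    for name, verdict in audit_readme(SAMPLE_README, canned_fetch).items():
        print(f"{name}: {verdict}")
```

Run it against a real checkout by passing live_fetch instead of canned_fetch; any bucket reported as unclaimed is one an attacker can register today, and the README should be changed to a download location the project controls (with a checksum the reader can verify).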
SECURITY.md
16 days ago
Hi,
I have verified the fix. The link has been updated.