Adam Gowdiak of Polish security consultancy and research outfit Security Explorations claims to have found myriad security holes in Google's App Engine.
Explained here, Gowdiak says he and his colleagues “discovered multiple security issues in Google App Engine that allow for a complete Java VM security sandbox escape.”
Here's how Gowdiak says this went down:
- we bypassed GAE whitelisting of JRE classes / achieved complete Java VM security sandbox escape (17 full sandbox bypass PoC codes exploiting 22 issues in total);
- we achieved native code execution (ability to issue arbitrary library / system calls);
- we gained access to the files (binary / classes) comprising the JRE sandbox, that includes the monster libjavaruntime.so binary (468416808 bytes in total);
- we extracted DWARF info from binary files (type information and such);
- we extracted PROTOBUF definitions from Java classes (description of 57 services in 542 .proto files);
- we extracted PROTOBUF definition from binary files (description of 8 services in 68 .proto files);
- we analyzed the above stuff and learned a lot about the GAE environment for Java sandbox (among others).
Gowdiak says “There are more issues pending verification - we estimate them to be in the range of 30+ in total.”
Gowdiaks' efforts to learn more are stalled for now because Google has shut down his account. There's no sign Google did so maliciously or to crimp the firm's efforts: Gowdiak says his research probably looked like an attack to Google.
"Taking into account an educational nature of the security issues found in Google Apps Engine Java security sandbox and what seems to be an appreciation Google has for arbitrary security research [and] all sorts of sandbox escapes, we hope the company makes it possible for us to complete our work," he says. ®