Google Cloud Platform (GCP) RCE through Git Config Hooks Override and Path Traversal Abuse in Looker

Tenable Research has identified and responsibly disclosed a critical Remote Code Execution (RCE) vulnerability in Looker. This vulnerability allowed a malicious actor with developer-level access to the platform to execute arbitrary code on the underlying Looker instance.

This complex attack chained together multiple flaws to achieve RCE. The primary vulnerability stemmed from improper handling of remote dependencies in LookML project manifests (manifest.lkml).

Path Traversal: An attacker could inject a path traversal sequence (../) into the remote_dependency name, which was used to set the hooksPath in the Looker project's Git configuration file (.git/config). This allowed the attacker to point the Git hooks directory to an arbitrary location on the file system.

Arbitrary Directory Creation and Override: The remote_dependency configuration also allowed an attacker to create arbitrary directories. By manipulating the ref parameter, an attacker could create a custom git_hooks directory and override the project's .git/config file.

Race Condition: The attacker then exploited a race condition between a legitimate Git commit operation and the malicious file write. This allowed the attacker to trigger a Git hook from their controlled location before the system could overwrite the malicious configuration, leading to the execution of the malicious code.

By chaining these flaws, an attacker could force Looker to execute commands contained within a Git hook file. This granted them full control over the Looker instance, which could lead to data exfiltration, service disruption, and further compromise of the cloud environment