dxa4481 / gcploit

These are tools we released with our 2020 defcon/blackhat talk https://www.youtube.com/watch?v=Ml09R38jpok
GNU General Public License v3.0

BFS Search 403 permission error #8

Closed josh-ho closed 4 years ago

josh-ho commented 4 years ago

When trying to run python bfs.py --org_id <orgId> --source <serviceAccountEmail>, the service account that I am using has the cloudasset.assets.analyzeIamPolicy permission via the roles/cloudasset.viewer role. I receive an error:

Traceback (most recent call last):
  File "bfs.py", line 102, in <module>
    visited, info = bfs_search(org_id, base_id)
  File "bfs.py", line 61, in bfs_search
    if "analysisResults" in results["mainAnalysis"]:
KeyError: 'mainAnalysis'

After debugging I noticed that the google call to analyze the IAM Policy is returning a 403 error: Request denied by Cloud IAM

Are there any other permissions that are needed on the service account to get it to work? Thanks

dxa4481 commented 4 years ago

Hi @josh-ho, the BFS tool is a defensive tool, so that role is actually the role you should have, not the role the starting service account should have. So grant yourself that role, and then point it at any service account you want as the --source (the source does not need the analyze permission), and it will use your permissions to pull the permissions of the source and see if it's possible to move from the source to other identities through the permissions the source has.

dxa4481 commented 4 years ago

Also note that the role you give yourself needs to be applied at the org level, not the project level.
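The KeyError in the traceback above is the tool indexing "mainAnalysis" on a body that is actually a 403 error envelope. As an added example (not gcploit's own code), this is how a caller can interpret an analyzeIamPolicy REST response so that a denied call surfaces as a clear message about the caller's missing org-level role; the response shapes follow the Cloud Asset API v1 AnalyzeIamPolicyResponse, and the two sample bodies are constructed.

```python
# Added example, not gcploit's own code: interpret an analyzeIamPolicy REST body
# so a 403 becomes an explicit error naming the caller's missing org-level role,
# instead of the KeyError on "mainAnalysis" from the traceback above. Shapes
# follow the Cloud Asset API v1 AnalyzeIamPolicyResponse; samples are constructed.
from typing import Dict, List, Optional

REQUIRED_ROLE = "roles/cloudasset.viewer"  # must be bound on the organization

class AnalysisDenied(Exception):
    """The API rejected the call: the caller (not --source) lacks the permission."""

def denial_reason(results: Dict) -> Optional[str]:
    """Return the error message if the body is a REST error envelope, else None."""
    err = results.get("error")
    return err.get("message") if isinstance(err, dict) else None

def extract_bindings(results: Dict) -> List[Dict]:
    """Flatten mainAnalysis.analysisResults into [{resource, role, members, accesses}]."""
    reason = denial_reason(results)
    if reason is not None:  # what bfs.py hit: a 403 body has no "mainAnalysis"
        raise AnalysisDenied(f"analyzeIamPolicy denied ({reason}); grant the calling "
                             f"identity {REQUIRED_ROLE} at the org level")
    main = results.get("mainAnalysis")
    if main is None:
        raise ValueError(f"unexpected response keys: {sorted(results)}")
    bindings = []
    for item in main.get("analysisResults", []):
        binding = item["iamBinding"]
        accesses = [acc.get("permission") or acc.get("role")
                    for acl in item.get("accessControlLists", [])
                    for acc in acl.get("accesses", [])]
        bindings.append({"resource": item["attachedResourceFullName"],
                         "role": binding["role"],
                         "members": list(binding.get("members", [])),
                         "accesses": accesses})
    return bindings

# Constructed sample bodies: the thread's 403, and one successful analysis.
DENIED_SAMPLE = {"error": {"code": 403, "message": "Request denied by Cloud IAM.",
                           "status": "PERMISSION_DENIED"}}
OK_SAMPLE = {"mainAnalysis": {"fullyExplored": True, "analysisResults": [{
    "attachedResourceFullName": "//cloudresourcemanager.googleapis.com/organizations/123456789012",
    "iamBinding": {"role": REQUIRED_ROLE, "members": ["user:analyst@example.com"]},
    "accessControlLists": [{"accesses": [{"permission": "cloudasset.assets.analyzeIamPolicy"}]}],
}]}}
```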

josh-ho commented 4 years ago

Oh I see, OK, I'll try adding the role to myself first. Thanks.

josh-ho commented 4 years ago

Just getting back: applying the role on my user account on the org resolved the issue. Thanks 👍, closing issue.