LookOut Discovering RCE and Internal Access on Looker (Googl...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: http://www.tenable.com/blog/google-looker-vulnerabilities-rce-internal-access-lookout
• Blog Title: LookOut: Discovering RCE and Internal Access on Looker (Google Cloud & On-Prem)
• Suggested Section: Network Services Pentesting -> Pentesting Web -> Git (and/or Web Vulnerabilities -> Race Condition; plus SQL Injection -> Error-based SQLi / MySQL injection notes). Optionally a new subsection under Git for 'Git hooksPath/core.hooksPath injection to RCE in CI/CD or Git-integrated apps'.

🎯 Content Summary

Post: “LookOut: Discovering RCE and Internal Access on Looker (Google Cloud & On-Prem)” (Tenable Research, Feb 4, 2026).

Tenable describes two vulnerabilities in Google Looker (managed SaaS on Google Cloud and customer-hosted/on-prem). Together they can lead to complete Looker instance compromise: (1) an RCE chain using Git hook redirection in LookML “remote dependencies”, and (2) an authorization bypass enabling attachment to Looker’s internal MySQL connection and full inter...

🔧 Technical Details

Git hook RCE via hooksPath override + traversal: If an application writes Git’s core.hooksPath (or equivalent hooksPath config) using user-controlled input (e.g., project/dependency names) and doesn’t block ../ sequences, an attacker can redirect hook lookup to an attacker-controlled directory. If a native Git operation (e.g., git commit) is reachable, placing an executable hook file such as pre-commit in that directory yields code execution when the event triggers. To ensure executability survives clone/checkout, set the executable bit in the Git index with git update-index --chmod=+x <file> so the repo stores mode 100755 and clients check it out as executable.

Abusing clone behavior for directory creation: If a service clones “remote dependencies” and incorporates attacker-influenced path components (e.g., a ref or other input mistakenly treated as part of a destination path), an attacker may force creation of arbitrary directories as a side effect (useful ...

🤖 Agent Actions

Updated MySQL injection page with a new section on abusing client-side connection identifiers to attach projects to hidden/internal databases via request tampering, enabling privileged data access. Clarified that once bound, error-based payloads (e.g., updatexml() tricks) can exfiltrate internal config/secrets even when UIs suppress normal query results. References retained. No tests were run.

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: http://www.tenable.com/blog/google-looker-vulnerabilities-rce-internal-access-lookout

Content Categories: Based on the analysis, this content was categorized under "Network Services Pentesting -> Pentesting Web -> Git (and/or Web Vulnerabilities -> Race Condition; plus SQL Injection -> Error-based SQLi / MySQL injection notes). Optionally a new subsection under Git for 'Git hooksPath/core.hooksPath injection to RCE in CI/CD or Git-integrated apps'.".

Repository Maintenance:

• MD Files Formatting: 948 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0