| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAAyEnSOJMdPPUtU=FVx4VPdpQn9JrmBbnmwRG=QmhSTtvTQ+ww@mail.gmail.com>
Date: Thu, 23 May 2019 23:34:30 -0400
From: Nightwatch Cybersecurity Research <research@...htwatchcybersecurity.com>
To: fulldisclosure@...lists.org
Subject: [FD] Exploring the File System via Jenkins Credentials Plugin Vulnerability – CVE-2019-10320
[Original blog post here:
https://wwws.nightwatchcybersecurity.com/2019/05/23/exploring-the-file-system-via-jenkins-credentials-plugin-vulnerability-cve-2019-10320/]
SUMMARY
The recently fixed vulnerability in the Jenkins Credentials plugin
(v2.1.19) allowed users with certain permissions to confirm existence
of a file on the server’s file system. While this doesn’t allow an
attacker to view the file content, the ability to obtain information
about the file system can be leveraged for other attacks. In this post
we will explain how to reproduce this vulnerability.
It is also possible to load credentials from a valid PKCS#12 files on
the Jenkins server, and obtain access to the contents of those
credentials via a job. That may be addressed in a future blog post.
PLEASE NOTE: This is only exploitable by users that have sufficient
access to the Jenkins server to add or update credentials. Usually
anonymous users do not have that level of access.
PREREQUISITES
You will need to download, install and initialize Jenkins following
these instructions ("https://jenkins.io/doc/book/installing/"). DO NOT
install any plugin during the installation process. When done, you
should be able to login to Jenkins via the following URL:
“http://localhost:8080/“.
INSTALLING THE VULNERABLE PLUGIN
1. Download the vulnerable plugin (v2.1.18) from the Jenkins update
site as an HPI file
("https://updates.jenkins.io/download/plugins/credentials/").
2. Go to the Jenkins plugin manager, and click the advanced tab
(“http://localhost:8080/pluginManager/advanced“) to get to the manual
plugin installation page. Select the HPI file downloaded in the
previous step and install it. Restart the Jenkins server
(“http://localhost:8080/restart“) after the plugin has been installed.
3. Login to the Jenkins management page
(“http://localhost:8080/manage“) and plugin manager
(“http://localhost:8080/pluginManager/“) to confirm that the
vulnerable plugin has been installed.
GETTING TO THE VULNERABLE PAGE
1. Login to Jenkins, then go to “Credentials”, “System”, “Global
Credentials”. Click the new option “Add Credentials” that appears on
the left side. The user that you are using MUST have sufficient
permissions to add or update credentials. You can also reach this page
by going directly to
“http://localhost:8080/credentials/store/system/domain/_/newCredentials“.
2. In the “Kind” drop down box select “Certificate”, and from the two
radio buttons select “From a PKCS#12 file on Jenkins master”.
EXPLOITATION
Put in a valid path in the “file” box and click anywhere in the page
to refresh. You will get an error message “The file xxxx doesn’t
exists” if the file is not present, OR “Could not load keystore” if
the file does exists. This would allow an attacker to explore the file
system and confirm whether specific files exist or not. While file
content cannot be viewed (unless they are PKCS#12 files), the attacker
can use this technique to help advance other attacks.
REFERENCES
CVE-ID: CVE-2019-10320
Vendor advisory: https://jenkins.io/security/advisory/2019-05-21/#SECURITY-1322
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists