Exploring the File System via Jenkins Credentials Plugin Vulnerability – CVE-2019-10320

Summary

The recently fixed vulnerability in the Jenkins Credentials plugin (fixed in v2.1.19) allowed users with certain permissions to confirm the existence of a file on the server’s file system. While this doesn’t allow an attacker to view the file content, the ability to obtain information about the file system can be leveraged for other attacks. In this post we will explain how to reproduce this vulnerability.

It is also possible to load credentials from a valid PKCS#12 file on the Jenkins server, and obtain access to the contents of those credentials via a job. That may be addressed in a future blog post.

PLEASE NOTE: This is only exploitable by users that have sufficient access to the Jenkins server to add or update credentials. Usually anonymous users do not have that level of access.

Prerequisites

You will need to download, install and initialize Jenkins following these instructions. DO NOT install any plugin during the installation process. When done, you should be able to log in to Jenkins via the following URL: “http://localhost:8080/“.

Installing the Vulnerable Plugin

1. Download the vulnerable plugin (v2.1.18) from the Jenkins update site as an HPI file:

2. Go to the Jenkins plugin manager, and click the advanced tab (“http://localhost:8080/pluginManager/advanced“) to get to the manual plugin installation page. Select the HPI file downloaded in the previous step and install it. Restart the Jenkins server (“http://localhost:8080/restart“) after the plugin has been installed.

3. Log in to the Jenkins management page (“http://localhost:8080/manage“) and open the plugin manager (“http://localhost:8080/pluginManager/“) to confirm that the vulnerable plugin has been installed.

Getting to the Vulnerable Page

1. Log in to Jenkins, then go to “Credentials”, “System”, “Global Credentials”. Click the new option “Add Credentials” that appears on the left side. The user that you are using MUST have sufficient permissions to add or update credentials. You can also reach this page by going directly to “http://localhost:8080/credentials/store/system/domain/_/newCredentials“.

2. In the “Kind” drop-down box select “Certificate”, and from the two radio buttons select “From a PKCS#12 file on Jenkins master”.

Exploitation

Put a valid path in the “file” box and click anywhere in the page to refresh. You will get the error message “The file xxxx doesn’t exists” if the file is not present, OR “Could not load keystore” if the file does exist. The two distinct messages act as an oracle that lets an attacker explore the file system and confirm whether specific files exist. While file contents cannot be viewed (unless the file is a valid PKCS#12 keystore), the attacker can use this technique to help advance other attacks.
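To make the oracle concrete, here is an added Python model of the form validation described above; it is not the plugin’s own code, and the keystore loader, the error strings and the hardened variant (an allow-listed base directory, symlink resolution, and one uniform error for every failure) are assumptions about how such a check can be written, not the project’s actual fix.

```python
import os
import tempfile
from pathlib import Path

# Constructed stand-in for the plugin's keystore load: a PKCS#12 file is DER,
# so it starts with a SEQUENCE tag (0x30). Anything else is "not a keystore".
def load_keystore(path: str) -> None:
    with open(path, "rb") as fh:
        if fh.read(1) != b"\x30":
            raise ValueError("not a PKCS#12 keystore")

# Vulnerable validation, modelled on the behaviour described in the post:
# the two branches reveal whether the path exists on the server.
def check_keystore_file_vulnerable(path: str) -> str:
    if not os.path.exists(path):
        return f"The file {path} doesn't exist"
    try:
        load_keystore(path)
    except (OSError, ValueError):
        return "Could not load keystore"
    return "OK"

# Hardened variant (assumed, not the project's fix): paths are taken relative
# to an operator-chosen directory, resolved before the check so symlinks and
# ".." cannot escape it, and every failure yields the same message.
def check_keystore_file_hardened(path: str, allowed_dir: str) -> str:
    base = Path(allowed_dir).resolve()
    try:
        target = (base / path).resolve()
        if base not in target.parents:
            raise PermissionError("outside allowed directory")
        load_keystore(str(target))
    except (OSError, ValueError):  # PermissionError is an OSError
        return "Could not load keystore"
    return "OK"

def demo() -> dict:
    # Constructed sample files: one present but not a keystore, one absent.
    d = tempfile.mkdtemp()
    present = os.path.join(d, "notes.txt")
    Path(present).write_bytes(b"hello")
    absent = os.path.join(d, "missing.p12")
    return {
        "vuln_present": check_keystore_file_vulnerable(present),
        "vuln_absent": check_keystore_file_vulnerable(absent),
        "hard_present": check_keystore_file_hardened("notes.txt", d),
        "hard_absent": check_keystore_file_hardened("missing.p12", d),
        "hard_escape": check_keystore_file_hardened("../../etc/passwd", d),
    }
```

Running `demo()` shows the vulnerable check answering differently for the present and absent files, while the hardened check returns the same string for a present file, an absent file and a path that tries to leave the allowed directory.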

References

CVE-ID: CVE-2019-10320
Vendor advisory: see here