Exploring the File System via Jenkins Credentials Plugin Vulnerability – CVE-2019-10320

Related Vulnerabilities: CVE-2019-10320  

                <!--X-Body-Begin-->
<!--X-User-Header-->
<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a>
mailing list archives</h2>
<!--X-User-Header-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1 class="m-title">Exploring the File System via Jenkins Credentials Plugin Vulnerability – CVE-2019-10320</h1>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->


<em>From</em>: Nightwatch Cybersecurity Research &lt;research () nightwatchcybersecurity com&gt;


<em>Date</em>: Thu, 23 May 2019 23:34:30 -0400


<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;">[Original blog post here:
<a rel="nofollow" href="https://wwws.nightwatchcybersecurity.com/2019/05/23/exploring-the-file-system-via-jenkins-credentials-plugin-vulnerability-cve-2019-10320/">https://wwws.nightwatchcybersecurity.com/2019/05/23/exploring-the-file-system-via-jenkins-credentials-plugin-vulnerability-cve-2019-10320/</a>]

SUMMARY

The recently fixed vulnerability in the Jenkins Credentials plugin
(fixed in v2.1.19) allowed users with certain permissions to confirm
the existence of a file on the server’s file system. While this
doesn’t allow an attacker to view the file’s content, the ability to
obtain information about the file system can be leveraged for other
attacks. In this post we will explain how to reproduce this
vulnerability.

It is also possible to load credentials from a valid PKCS#12 file on
the Jenkins server and obtain access to the contents of those
credentials via a job. That may be addressed in a future blog post.

PLEASE NOTE: This is only exploitable by users who have sufficient
access to the Jenkins server to add or update credentials. Usually
anonymous users do not have that level of access.

PREREQUISITES

You will need to download, install and initialize Jenkins following
these instructions (<a rel="nofollow" href="https://jenkins.io/doc/book/installing/">https://jenkins.io/doc/book/installing/</a>). DO NOT
install any plugins during the installation process. When done, you
should be able to log in to Jenkins via the following URL:
<a rel="nofollow" href="http://localhost:8080/">http://localhost:8080/</a>.

INSTALLING THE VULNERABLE PLUGIN

1. Download the vulnerable plugin (v2.1.18) from the Jenkins update
site as an HPI file
(<a rel="nofollow" href="https://updates.jenkins.io/download/plugins/credentials/">https://updates.jenkins.io/download/plugins/credentials/</a>).

2. Go to the Jenkins plugin manager and click the “Advanced” tab
(<a rel="nofollow" href="http://localhost:8080/pluginManager/advanced">http://localhost:8080/pluginManager/advanced</a>) to get to the manual
plugin installation page. Select the HPI file downloaded in the
previous step and install it. Restart the Jenkins server
(<a rel="nofollow" href="http://localhost:8080/restart">http://localhost:8080/restart</a>) after the plugin has been installed.

3. Log in to the Jenkins management page
(<a rel="nofollow" href="http://localhost:8080/manage">http://localhost:8080/manage</a>) and plugin manager
(<a rel="nofollow" href="http://localhost:8080/pluginManager/">http://localhost:8080/pluginManager/</a>) to confirm that the
vulnerable plugin has been installed.

GETTING TO THE VULNERABLE PAGE

1. Log in to Jenkins, then go to “Credentials”, “System”, “Global
Credentials”. Click the “Add Credentials” option that appears on
the left side. The user that you are using MUST have sufficient
permissions to add or update credentials. You can also reach this page
by going directly to
<a rel="nofollow" href="http://localhost:8080/credentials/store/system/domain/_/newCredentials">http://localhost:8080/credentials/store/system/domain/_/newCredentials</a>.

2. In the “Kind” drop-down box select “Certificate”, and from the two
radio buttons select “From a PKCS#12 file on Jenkins master”.

EXPLOITATION

Enter a path in the “file” box and click anywhere in the page to
refresh the form. You will get the error message “The file xxxx doesn’t
exists” if the file is not present, OR “Could not load keystore” if
the file does exist. This allows an attacker to explore the file
system and confirm whether specific files exist or not. While file
contents cannot be viewed (unless the file is a valid PKCS#12 file),
the attacker can use this technique to help advance other attacks.
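The two distinct error messages are what turn the form validator into a
file-existence oracle. As an added illustration (this is not the
Credentials plugin's code, and it does not claim to be the vendor's actual
fix, which the advisory linked below describes), the hypothetical Java
validator below shows the leaky pattern next to a hardened variant that
returns one uniform message for both a missing file and a present but
unparseable one, and that refuses to touch the server file system at all
unless the caller is permitted to read server paths. The class, method and
message names are assumptions; the messages are modelled on the ones
quoted above.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;

/* Hypothetical form validator for a "PKCS#12 file on the server" field.
   Written to show the existence oracle and one way to close it; not the
   Credentials plugin's own code. */
public final class KeystorePathValidator {

    // Messages modelled on the ones quoted in the advisory (constructed).
    static final String MSG_MISSING    = "The file doesn't exist";
    static final String MSG_UNLOADABLE = "Could not load keystore";
    static final String MSG_UNIFORM    = "Could not load keystore from the given path";
    static final String MSG_DENIED     = "Insufficient permission to validate server paths";
    static final String MSG_OK         = "OK";

    /* Leaky variant: the message reveals whether the path exists, so any user
       who can reach the form can probe the server file system. */
    static String validateLeaky(Path p, char[] password) {
        if (!Files.exists(p)) {
            return MSG_MISSING;
        }
        return tryLoad(p, password) ? MSG_OK : MSG_UNLOADABLE;
    }

    /* Hardened variant: (1) check authorization before touching the file
       system at all; (2) collapse "missing" and "present but unparseable"
       into a single message so the response carries no existence signal. */
    static String validateSafe(Path p, char[] password, boolean callerMayReadServerFiles) {
        if (!callerMayReadServerFiles) {
            return MSG_DENIED;
        }
        // tryLoad treats a missing file and a malformed file identically.
        return tryLoad(p, password) ? MSG_OK : MSG_UNIFORM;
    }

    /* Attempt to open the path as a PKCS#12 keystore. A missing file raises
       an IOException from newInputStream; a junk file raises an IOException
       from KeyStore.load; both end up as "false" with no distinction. */
    private static boolean tryLoad(Path p, char[] password) {
        try (InputStream in = Files.newInputStream(p)) {
            KeyStore ks = KeyStore.getInstance("PKCS12");
            ks.load(in, password);
            return true;
        } catch (GeneralSecurityException | IOException e) {
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: a temp file holding junk (not a real keystore)
        // and a sibling path that does not exist.
        Path present = Files.createTempFile("not-a-keystore", ".p12");
        Files.write(present, "constructed junk, not PKCS#12".getBytes(StandardCharsets.UTF_8));
        Path missing = present.resolveSibling("does-not-exist.p12");
        char[] pw = new char[0];

        System.out.println("leaky,      missing: " + validateLeaky(missing, pw));
        System.out.println("leaky,      present: " + validateLeaky(present, pw));
        System.out.println("safe,       missing: " + validateSafe(missing, pw, false));
        System.out.println("safe,       present: " + validateSafe(present, pw, false));
        System.out.println("safe+admin, missing: " + validateSafe(missing, pw, true));
        System.out.println("safe+admin, present: " + validateSafe(present, pw, true));

        Files.deleteIfExists(present);
    }
}
```

Running main creates a temporary junk file and prints what each variant
returns for the existing and the missing path: the leaky variant answers
with two different messages, which is the oracle; the hardened variant
answers identically for both paths, and for an unprivileged caller it
answers before the file system is consulted. The authorization check is
the part that matters most, because a uniform message only closes the
existence channel; it does nothing about the ability to parse arbitrary
server PKCS#12 files that the post mentions earlier.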

REFERENCES

CVE-ID: CVE-2019-10320
Vendor advisory: <a rel="nofollow" href="https://jenkins.io/security/advisory/2019-05-21/#SECURITY-1322">https://jenkins.io/security/advisory/2019-05-21/#SECURITY-1322</a>

_______________________________________________
Sent through the Full Disclosure mailing list
<a rel="nofollow" href="https://nmap.org/mailman/listinfo/fulldisclosure">https://nmap.org/mailman/listinfo/fulldisclosure</a>
Web Archives &amp; RSS: <a rel="nofollow" href="http://seclists.org/fulldisclosure/">http://seclists.org/fulldisclosure/</a></pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->