
Impact Any user with a Juju account on a controller can upload a charm to the /charms endpoint. No specific permissions are required – it's just sufficient for the user to exist in the controller user database. A charm which exploits the zip slip vulnerability may be used to allow such a user to get access to a machine running a unit using the affected charm. Details A controller exposes three charm-related HTTP API endpoints, as follows: – PUT/GET https://:17070/model-/charms/- – POST/GET https://:17070/model-/charms – GET https://:17070/charms These endpoints require Basic HTTP authentication credentials and will accept any valid user within the context of the controller. A user that has no specific permission or access granted can call all of these APIs. To reproduce: juju bootstrap juju add-user testuser juju change-user-password testuser Download the ZIP file of an arbitrary charm eg https://github.com/juju/hello-juju-charm Download and install the following tool: https://github.com/usdAG/slipit Run the following command to generate a new SSH key pair: ssh-keygen Copy the contents of the newly created public key into a file called authorized_keys Run the following command to inject the malicious path into the ZIP file: slipit hello.zip authorized_keys –separator ../../../../../../home/ ubuntu/.ssh/ Send the PUT request below to a model on the target controller. Note the following: – the model UUID and controller IP address in the request must be updated – the…Read More
Juju zip slip vulnerability via authenticated endpoint

