Original Post: Agent 007: Pre-Auth Takeover of Build Pipelines in GoCD
This vulnerability was analyzed during Episode 95 on 01 November 2021
An unauthenticated file read in GoCD's Business Continuity Addon (installed and enabled by default), caused by a configuration change that exposed the add-on's endpoints to unauthenticated users.
Prior to a 2018 patch, the /add-on/*/admin/** and /add-on/*/api/** endpoints required authentication, while any other add-on endpoints were expected to perform their own authentication. After this patch, every path under /add-on/** allowed unauthenticated access. This ultimately exposed endpoints that would otherwise have been privileged; three are of note:
- /plugin, as handled by PrimaryStatusProviderController.java, had a trivial directory traversal vulnerability. While the folderName parameter was checked against a whitelist, the pluginName parameter, which was appended to it, was not validated at all, allowing arbitrary files to be read.
- /cipher.aes exposed the AES key used to encrypt secrets such as tokens.
- /cruise_config exposed the primary application configuration, which includes secrets for agent registration, webhooks, and token generation.
Together these could be used by an unauthenticated attacker to gain access to further authenticated endpoints within the application.
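The /plugin traversal above comes down to whitelisting one path component and then appending a second, unvalidated one. The following is an added example, not GoCD's own code, that models that pattern in Python beside a hardened version of the same lookup; the whitelist contents, the root directory and the function names are assumptions chosen for illustration.

```python
import os

# Hypothetical whitelist standing in for the folderName check described above.
ALLOWED_FOLDERS = {"plugins", "config", "db"}


def vulnerable_resolve(root: str, folder_name: str, plugin_name: str) -> str:
    """Models the flawed pattern: folder_name is whitelisted, plugin_name is
    appended without validation. Returns the normalized path that would be opened."""
    if folder_name not in ALLOWED_FOLDERS:
        raise ValueError(f"folder not allowed: {folder_name!r}")
    # '..' segments in plugin_name walk out of the folder; an absolute
    # plugin_name makes os.path.join discard root and folder entirely.
    return os.path.normpath(os.path.join(root, folder_name, plugin_name))


def safe_plugin_name(plugin_name: str) -> bool:
    """A plugin name must be exactly one path component: no separators,
    no NUL bytes, and not '', '.' or '..'."""
    if plugin_name in ("", ".", ".."):
        return False
    if "\x00" in plugin_name:
        return False
    # basename() strips any directory part; if anything changed, a separator
    # (or an absolute path) was present. On Windows also check for '\\'.
    return os.path.basename(plugin_name) == plugin_name


def hardened_resolve(root: str, folder_name: str, plugin_name: str) -> str:
    """Same lookup with the filename validated and the result confined to the
    whitelisted folder. Raises ValueError on anything suspicious."""
    if folder_name not in ALLOWED_FOLDERS:
        raise ValueError(f"folder not allowed: {folder_name!r}")
    if not safe_plugin_name(plugin_name):
        raise ValueError(f"invalid plugin name: {plugin_name!r}")
    base = os.path.normpath(os.path.join(root, folder_name))
    target = os.path.normpath(os.path.join(base, plugin_name))
    # Defence in depth: confirm containment after normalization. On a live
    # system use os.path.realpath here as well so symlinks cannot escape.
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes {base}: {target}")
    return target


if __name__ == "__main__":
    # Constructed inputs: a plausible server root and the kind of pluginName
    # values an attacker would try against the unvalidated parameter.
    root = "/var/lib/go-server"
    for name in ("my-plugin.jar", "../../../../etc/passwd", "/etc/passwd"):
        print("vulnerable:", vulnerable_resolve(root, "plugins", name))
        try:
            print("hardened:  ", hardened_resolve(root, "plugins", name))
        except ValueError as exc:
            print("hardened:   rejected ->", exc)
```

Checking the folder name alone is the trap: the whitelist is satisfied, so the code looks validated, but the untrusted filename that follows still controls where the final path points. Validate the last component as a single name and verify containment of the fully normalized (and, on real files, realpath-resolved) result.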