Juju Controller Charm Upload Vulnerability Allowing Zip Slip Exploitation

Vulnerability

A vulnerability exists in Juju controllers in versions prior to 2.9.52 and 3.6.8, where the /charms endpoint lacks proper authorization checks. This flaw enables any user with a Juju account to upload charms. An uploaded charm archive could carry a Zip Slip payload (an archive entry whose path escapes the extraction directory), potentially granting the uploader access to any machine that runs a unit of the compromised charm.

Impact

Exploitation of this vulnerability could lead to unauthorized access on any machine hosting a unit of the affected charm, by overwriting the SSH authorized_keys file with an attacker-controlled public key.

Reproduction

To reproduce this vulnerability, first bootstrap a Juju controller and add a user. After changing the user's password, download a charm ZIP file and install a tool called 'slipit' to exploit the Zip Slip vulnerability. Generate an SSH key pair, inject a malicious path into the charm ZIP file using 'slipit', and upload the modified charm to the Juju controller's /charms endpoint using a PUT request. Finally, attempt to SSH into the controller using the injected private key, which should grant access.

Remediation

Users can update to Juju versions 2.9.52 or 3.6.8, where this vulnerability has been patched.
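Upgrading closes the authorization gap on /charms; the extraction side of the bug is closed by refusing any archive entry that resolves outside the destination directory. The checker below is an added example written in Go (Juju's own language), not Juju's code: it resolves every entry of an uploaded charm against the target directory and reports the entries that would escape it, so the whole upload can be rejected before a single file is written. The tool name and the destination path are assumptions for illustration.

```go
package main

import (
	"archive/zip"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrZipSlip marks an archive entry that would resolve outside the destination.
var ErrZipSlip = errors.New("archive entry escapes destination directory")
// safeEntryPath joins an entry name onto dest and rejects it when the cleaned
// result lands outside dest. filepath.Join collapses "../" segments, so compare
// the resolved path with dest rather than scanning the raw name for "..".
func safeEntryPath(dest, name string) (string, error) {
	base := filepath.Clean(dest)
	target := filepath.Join(base, filepath.FromSlash(name))
	if target != base && !strings.HasPrefix(target, base+string(os.PathSeparator)) {
		return "", fmt.Errorf("%w: %q", ErrZipSlip, name)
	}
	return target, nil
}

// validateCharmArchive checks every entry before anything is written, so a
// charm with one hostile entry is refused whole. It returns the offending names.
func validateCharmArchive(zr *zip.Reader, dest string) []string {
	var bad []string
	for _, f := range zr.File {
		if _, err := safeEntryPath(dest, f.Name); err != nil {
			bad = append(bad, f.Name)
		}
	}
	return bad
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: zipslipcheck <charm.zip> <destination-dir>")
		os.Exit(1)
	}
	rc, err := zip.OpenReader(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer rc.Close()
	fmt.Println("rejected entries:", validateCharmArchive(&rc.Reader, os.Args[2]))
}
```

Go's archive/zip can also refuse such names itself when GODEBUG=zipinsecurepath=0 is set, but that check is not on by default, so an explicit server-side validation like this one remains worthwhile.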

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 2.5
exploitability: 6.6
remediation: 7.7
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.