Shulou(Shulou.com)05/31 Report--

This article mainly introduces the Jenkins arbitrary file read CVE-2018-1999002 vulnerability example analysis, has a certain reference value, interested friends can refer to, I hope you can learn a lot after reading this article, the following let the editor take you to understand it.

First, the background of loopholes

Jenkins officially issued the latest security notice, revealing multiple security vulnerabilities. Among them, SECURITY-914 is a vulnerability found by Orange that Jenkins does not authorize arbitrary file reading, which is at high risk.

Using this vulnerability, an attacker can read arbitrary files in the Windows system server and, under certain conditions, also read files in the Linux system server. By exploiting this file reading vulnerability, an attacker can obtain the credential information of the Jenkins system, resulting in the disclosure of sensitive information of the user. At the same time, some of the credentials of Jenkins may be the same as the accounts and passwords of its users, and the attacker can even log in to the Jenkins system directly to execute commands after obtaining the credential information.

Second, vulnerability summary who should read the impact of this vulnerability on developers and users using Jenkins there are arbitrary file reading vulnerabilities in Jenkins's Stapler Web framework. By sending a specially crafted HTTP request, a malicious attacker can obtain, without authorization, the contents of arbitrary files in the Jenkins file system that the Jenkin main process can access. It is recommended that you upgrade your Jenkins weekly to version 2.133. Upgrade your Jenkins LTS to version 2.121.2. Affected software Jenkins weekly 2.132 and all previous versions Jenkins LTS 2.121.1 and all previous versions CVE identifier CVE-2018-1999002

Third, build the environment

Jenkins version within the scope of the installation vulnerability: Jenkins weekly 2.132 and all previous versions of Jenkins LTS 2.121.1 and all previous versions, Jenkins LTS 2.121.1 is used here.

First of all, download the war package of jenkins and put it in the tomcat webapps directory. After startup, automatically extract the war package or install the msi version, or use git to download the war package from GitHub.

Start tomcat and access http://localhost:8080. If the 8080 default port is occupied, you can access it after modifying the port in the Jenkins.xml file under the Jenkins installation path. You need to unlock jenkins after opening the page. Find the initialAdminPassword file in the installation directory and enter the copy password into the password input box, and click continue to proceed to the next step.

After installing the plug-in, use the administrator to log in, and the environment is built.

IV. Trigger conditions

1. Configure global security, enable anonymity and have readable permissions.

V. loophole analysis

DoDynamic is used here to handle the included paths in the request, such as / plugin/xxxx.

Follow request.getLocale () and jump to Request.java

GetLocale () deals with Accept-Language in Http, which is divided into language and country,language according to-zh,country is cn, and then return Locale (language,country). If there is no -, language can use.. / traversal, and the returned result is Locale (language, "").

Let's take a look at the open method of the LocaleDrivenResourceSelector class in Stapler.java. From the annotation point of view, this code itself returns different files according to Accept-Language. For example, the request / plugin/credentials/.ini,payload is _.. / windows/win, which needs to exist under plugin under linux-the name directory is available, but it can be bypassed directly through path traversal under win. To achieve the effect of reading arbitrary files.

VI. Suggestions for restoration

1. Upgrade your Jenkins weekly to version 2.133 and your Jenkins LTS to version 2.121.2.

two。 If you do not want to resolve this vulnerability by upgrading the Jenkins version for the time being, it is recommended that you use the precise access control feature of Web application firewall to protect your business.

Through the precise access control function, set blocking rules for the HTTP request header Accept-Language to filter requests containing.. / in the request header to prevent attackers from taking advantage of this vulnerability to read arbitrary files through directory traversal.

Thank you for reading this article carefully. I hope the article "sample Analysis of CVE-2018-1999002 vulnerabilities in Jenkins arbitrary File Reading" shared by the editor will be helpful to you. At the same time, I also hope you will support us and pay attention to the industry information channel. More related knowledge is waiting for you to learn!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.