
Example Analysis of arbitrary File Reading vulnerability in Jenkins

2025-02-22 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article presents an example analysis of the Jenkins arbitrary file reading vulnerability. It has some reference value, and interested readers can follow along; I hope you learn a good deal from it.

I. Vulnerability background

Vulnerability ID: CVE-2018-1999002

Severity: high risk

The Jenkins security advisory of July 18 fixed several vulnerabilities, among them SECURITY-914, an unauthorized arbitrary file read in Jenkins discovered by Orange.

Security researchers at Tencent Security Yunding Lab analyzed the vulnerability and found that an attacker can use it to read arbitrary files on a Windows server, and on Linux can also read files under certain conditions. Through the file read, an attacker can obtain Jenkins credential information, resulting in the disclosure of sensitive data. In addition, in many cases some Jenkins credentials are the same as the accounts and passwords of the users in that Jenkins instance, so once the credential information is obtained it is also possible to log in to Jenkins directly and execute commands.

II. Vulnerability analysis

Jenkins handles requests through Stapler, a Java web framework. Looking at web.xml, you can see that Stapler intercepts all requests:

Stepping into hudson.util.PluginServletFilter, we eventually arrive at the doDynamic method in jenkins/core/src/main/java/hudson/Plugin.java:

Here you can see that when Jenkins serves a URL of the form /plugin/SHORTNAME, it calls the serveLocalizedFile method of StaplerResponse to handle the static file, so we continue into that method:

request.getLocale() is found in jetty-server-9.4.5.v20170502-sources.jar!/org/eclipse/jetty/server/Request.java, and its implementation is:

Clearly, when Jetty obtains the Locale it takes the Accept-Language value straight from the HTTP headers, splits it on '-' and returns a Locale object. In other words, when I pass in Accept-Language: ../aaaa-bbbbbb, I get a Locale("../aaaa", "BBBBBB") object.

Finally, follow stapler-1.254-sources.jar!/org/kohsuke/stapler/Stapler.java:

We can see that Stapler first separates out the file extension, then concatenates the Jenkins directory with the language of the incoming locale and the extension, and opens the resulting path. An attacker therefore only needs to construct the following HTTP request to trigger the file read:

Finally, the resulting path concatenation is:

Under Windows, non-existent directories can be traversed through with ../, but not under Linux. This vulnerability therefore allows arbitrary file reads under Windows, whereas under Linux there must be a directory named _ in the Jenkins plugins directory.
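As an added illustration (not code from the article, nor from Jenkins, Jetty or Stapler), the following Python models the Locale construction and file-name concatenation described above and sets a validating variant beside it, the kind of check a defender would want at the locale boundary or in a WAF rule. PLUGIN_BASE, the resource name and the exact candidate-name layout are assumptions.

```python
import posixpath
import re

# Constructed sample (assumption): the plugin directory backing /plugin/SHORTNAME.
PLUGIN_BASE = "/var/lib/jenkins/plugins/SHORTNAME"

def locale_from_accept_language(header):
    """Jetty-style Locale construction as the article describes it: take the
    first Accept-Language tag, split it on the first '-' and return
    (language, country). java.util.Locale upper-cases the country; nothing
    is validated, so '../aaaa-bbbbbb' yields ('../aaaa', 'BBBBBB')."""
    tag = header.split(",", 1)[0].split(";", 1)[0].strip()
    language, _, country = tag.partition("-")
    return language, country.upper()

def stapler_candidate_paths(resource, locale):
    """Stapler-style localized candidates: the locale parts are spliced into
    the file name between the stem, '_' and the extension (layout assumed
    from the article's description, not copied from Stapler)."""
    stem, ext = posixpath.splitext(resource)
    language, country = locale
    names = [f"{stem}_{language}_{country}{ext}"] if country else []
    names.append(f"{stem}_{language}{ext}")
    return [posixpath.join(PLUGIN_BASE, n) for n in names]

# Language subtags are 2-8 ASCII letters; region subtags 2 letters or 3 digits.
_LANG = re.compile(r"^[A-Za-z]{2,8}$")
_REGION = re.compile(r"^([A-Za-z]{2}|[0-9]{3})$")

def safe_locale(header):
    """Defensive variant: accept a locale only when both parts are plain
    subtags, so no path separator or '..' ever reaches the concatenation.
    Returns None, meaning 'serve the un-localized file', when rejected."""
    language, country = locale_from_accept_language(header)
    if not _LANG.match(language):
        return None
    if country and not _REGION.match(country):
        return None
    return language, country

def has_traversal_locale(header):
    """Log- or WAF-side check: flag Accept-Language values whose first tag
    would produce locale parts containing '..' or a path separator."""
    parts = locale_from_accept_language(header)
    return any(tok in p for p in parts for tok in ("..", "/", "\\"))
```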

III. Exploitation

In general, file read vulnerabilities are hard to turn into command execution, and the same holds for Jenkins. However, Jenkins has a Credentials module that stores some of Jenkins's credential information, and in many cases the account password in those credentials is the same as that of Jenkins itself. In any event, after a successful file read, the credential information can be read and decrypted to gather more information.

If we want to obtain the credential information of Jenkins, we need the following files:

credentials.xml

secrets/hudson.util.Secret

secrets/master.key

Fortunately, the file read vulnerability can be used to read exactly these files. We tried obtaining the account password of a real-world Jenkins instance abroad found on Shodan:

Of course, having the account password does not mean you can log in directly, but with a slight change to the user name the login succeeds:

IV. Remediation

Although this vulnerability is serious, there is no need to panic: by default a Jenkins installation does not grant anonymous users read permission, and the vulnerability is less likely to be exploitable on Linux. The recommended fixes are:

➢ Tencent Cloud WAF's AI engine can detect and block this high-risk exploit; if needed, see Tencent Cloud's official website for details.

➢ Remove anonymous users' read permission in the global security configuration.

➢ Upgrade to the latest version of Jenkins (2.121.2).

➢ Use Linux.

Thank you for reading this article carefully. I hope the article "Example Analysis of Jenkins Arbitrary File Reading Vulnerabilities" shared here will be helpful to you, and I also hope you will support and follow the industry information channel. More related knowledge is waiting for you to learn!
