adamyordan / cve-2019-1003000-jenkins-rce-poc

Jenkins RCE Proof-of-Concept: SECURITY-1266 / CVE-2019-1003000 (Script Security), CVE-2019-1003001 (Pipeline: Groovy), CVE-2019-1003002 (Pipeline: Declarative)

Home Page: https://jenkins.io/security/advisory/2019-01-08/

License: MIT License

Python 0.01% Groovy 0.03% Roff 0.01% JavaScript 97.11% HTML 1.38% CSS 1.46% Shell 0.01%
jenkins information-security security cve cve-2019-1003000 poc exploit rce security-1266 groovy

cve-2019-1003000-jenkins-rce-poc's Issues

error

[+] connecting to jenkins...
[+] crafting payload...
Traceback (most recent call last):
  File "exploit.py", line 70, in <module>
    run_command(args.url, args.cmd, args.job, args.username, args.password)
  File "exploit.py", line 28, in run_command
    ori_job_config = server.get_job_config(job_name)
  File "/usr/local/lib/python2.7/dist-packages/jenkins/__init__.py", line 1210, in get_job_config
    return self.jenkins_open(request)
  File "/usr/local/lib/python2.7/dist-packages/jenkins/__init__.py", line 564, in jenkins_open
    return self.jenkins_request(req, add_crumb, resolve_auth).text
  File "/usr/local/lib/python2.7/dist-packages/jenkins/__init__.py", line 580, in jenkins_request
    self.maybe_add_crumb(req)
  File "/usr/local/lib/python2.7/dist-packages/jenkins/__init__.py", line 370, in maybe_add_crumb
    'GET', self._build_url(CRUMB_URL)), add_crumb=False)
  File "/usr/local/lib/python2.7/dist-packages/jenkins/__init__.py", line 564, in jenkins_open
    return self.jenkins_request(req, add_crumb, resolve_auth).text
  File "/usr/local/lib/python2.7/dist-packages/jenkins/__init__.py", line 594, in jenkins_request
    raise JenkinsException(msg)
jenkins.JenkinsException: <exception str() failed>

exploit doesn't work

I get this failure below. @adamyordan, can you please let me know what I'm doing wrong?

python exploit.py --url http://aws-jenkins:8080 --job my-pipeline --username user1 --password user1 --cmd "cat /etc/passwd"
[+] connecting to jenkins...
[+] get_jobs ...
[{u'url': u'http://localhost:8080/job/my-pipeline/', u'color': u'blue', u'fullname': u'my-pipeline', u'_class': u'org.jenkinsci.plugins.workflow.job.WorkflowJob', u'name': u'my-pipeline'}]
[+] crafting payload...
[+] modifying job with payload...
[+] putting job build to queue...
[+] waiting for job to build...
[+] restoring job...
[+] fetching output...
[+] OUTPUT:
Started by user User 1
Running in Durability level: MAX_SURVIVABILITY
org.codehaus.groovy.control.MultipleCompilationErrorsException: startup failed:
WorkflowScript: 7: unexpected token: @ line 7, column 1.
1 error

    at org.codehaus.groovy.control.ErrorCollector.failIfErrors(ErrorCollector.java:310)
    at org.codehaus.groovy.control.ErrorCollector.addFatalError(ErrorCollector.java:150)
    at org.codehaus.groovy.control.ErrorCollector.addError(ErrorCollector.java:120)
    at org.codehaus.groovy.control.ErrorCollector.addError(ErrorCollector.java:132)
    at org.codehaus.groovy.control.SourceUnit.addError(SourceUnit.java:350)
    at org.codehaus.groovy.antlr.AntlrParserPlugin.transformCSTIntoAST(AntlrParserPlugin.java:144)
    at org.codehaus.groovy.antlr.AntlrParserPlugin.parseCST(AntlrParserPlugin.java:110)
    at org.codehaus.groovy.control.SourceUnit.parse(SourceUnit.java:234)
    at org.codehaus.groovy.control.CompilationUnit$1.call(CompilationUnit.java:168)
    at org.codehaus.groovy.control.CompilationUnit.applyToSourceUnits(CompilationUnit.java:943)
    at org.codehaus.groovy.control.CompilationUnit.doPhaseOperation(CompilationUnit.java:605)
    at org.codehaus.groovy.control.CompilationUnit.processPhaseOperations(CompilationUnit.java:581)
    at org.codehaus.groovy.control.CompilationUnit.compile(CompilationUnit.java:558)
    at groovy.lang.GroovyClassLoader.doParseClass(GroovyClassLoader.java:298)
    at groovy.lang.GroovyClassLoader.parseClass(GroovyClassLoader.java:268)
    at groovy.lang.GroovyShell.parseClass(GroovyShell.java:688)
    at groovy.lang.GroovyShell.parse(GroovyShell.java:700)
    at org.jenkinsci.plugins.workflow.cps.CpsGroovyShell.doParse(CpsGroovyShell.java:131)
    at org.jenkinsci.plugins.workflow.cps.CpsGroovyShell.reparse(CpsGroovyShell.java:125)
    at org.jenkinsci.plugins.workflow.cps.CpsFlowExecution.parseScript(CpsFlowExecution.java:560)
    at org.jenkinsci.plugins.workflow.cps.CpsFlowExecution.start(CpsFlowExecution.java:521)
    at org.jenkinsci.plugins.workflow.job.WorkflowRun.run(WorkflowRun.java:320)
    at hudson.model.ResourceController.execute(ResourceController.java:97)
    at hudson.model.Executor.run(Executor.java:429)

Finished: FAILURE

This isn't a security problem

All you did was use Jenkins as intended! If you don't have rights to change the job, this fails. (I checked.)
I would have expected a bypass of creds...

Other than that all you have is a useful script to change a job programmatically. I like it and have modded it to inject a new static analysis tool into all my pipelines!!

can't exploit it

Hi, hello, I built the environment according to your file, but this error is reported every time the vulnerability is exploited. AttributeError: 'NoneType' object has no attribute 'text'

I tried to debug your script and found that the definition / script value in the ET value was not found in the environment I built, so I would like to consult you about how to deal with it.
