Jenkins unauthorized code execution vulnerability analysis-vulnerability warning-the black bar safety net

ID MYHACK58:62201785814
Type myhack58
Reporter Anonymous
Modified 2017-05-04T00:00:00


I. Summary

CloudBees Jenkins version 2.32.1 contains a Java deserialization vulnerability that can ultimately lead to remote code execution. Jenkins is a continuous integration and continuous delivery system that automates the parts of the software development process that do not require human participation, improving efficiency. As a server-based system, Jenkins runs in a servlet container such as Apache Tomcat; it supports version control tools including AccuRev, CVS, Subversion, Git, Mercurial, Perforce, ClearCase and RTC, can build Apache Ant, Apache Maven and sbt projects, and also supports shell scripts and Windows batch commands.

II. Vulnerability details

To trigger the Jenkins Java deserialization vulnerability, we need to send two requests to Jenkins. The vulnerability lies in the code that implements the bidirectional communication channel over HTTP, which Jenkins uses to receive commands. With the first request we establish a session of the bidirectional channel that is used to download data from the server. The “Session” field in the HTTP header serves as the channel identifier, and the “Side” field indicates the transfer direction: download or upload.

[image]

With the second request we send data to the bidirectional channel. The server blocks the first request until we send the second one. The “Session” field in the HTTP header is a UUID, which the server uses to match the request to the specific bidirectional channel it serves.

[image]

Every command sent to the Jenkins CLI is preceded by a preamble in a fixed format, usually as follows:

rO0ABXNyABpodWRzb24ucmVtb3Rpbmcuq2fwywjpbgl0eqaaaaaaaaabagabsgaebwfza3hwaaaaaaaaah4=

The preamble contains a base64-encoded serialized object of type “Capability”, whose role is to tell the server which specific features the client supports, such as HTTP chunked encoding. After the preamble and a few extra bytes have been transmitted, the Jenkins server expects to receive a serialized object of type “Command”. Since Jenkins does not validate the serialized object, we can send any serialized object. The deserialization code is in the “readFrom” method of the “Command” class, shown below:

[image]

The readFrom method is called from the “read()” method of the “ClassicCommandTransport” class:

[image]

Data sent through the upload channel is read in the ReaderThread thread class as follows:

[image]

The thread's run is triggered by the “upload” method, and the “upload” method is called in the “CliEndpointResponse” class:

[image]

The “upload” method reads the HTTP body data and then calls the “notify” method to notify the thread to process it.

[image]

III. PoC

To exploit the vulnerability, an attacker needs to run the “payload.jar” script to create a serialized payload containing the command to execute. Next, the attacker needs to modify the jenkins_poc1.py script: 1. change the URL variable to point to the target URL; 2. in the line “FILE_SER = open("jenkins_poc1.ser", "rb").read()”, change the opened file to point to your own payload file. Once the modification is done, the following information can be seen in the Jenkins log output:

Jan 26, 2017 2:22:41 PM hudson.remoting.SynchronousCommandTransport$ReaderThread run
SEVERE: I/O error in channel HTTP full-duplex channel a403c455-3b83-4890-b304-ec799bffe582
hudson.remoting.DiagnosedStreamCorruptionException
Read back: 0xac 0xed 0x00 0x05 'sr' 0x00 '/org.apache.commons.collections.map.
ReferenceMap' 0x15 0x94 0xca 0x03 0x98 'I' 0x08 0xd7 0x03 0x00 0x00 'xpw' 0x11 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x01 0x00 '?@' 0x00 0x00 0x00 0x00 0x00 0x10 'sr' 0x00 '(java. util. concurrent. CopyOnWriteArraySetK' 0xbd 0xd0 0x92 0x90 0x15 'i' 0xd7 0x02 0x00 0x01 'L' 0x00 0x02 'alt' 0x00 '+Ljava/util/concurrent/CopyOnWriteArrayList;xpsr' 0x00 ')to java. util. concurrent. CopyOnWriteArrayListx]' 0x9f 0xd5 'F' 0xab 0x90 0xc3 0x03 0x00 0x00 'xpw' 0x04 0x00 0x00 0x00 0x02 'sr' 0x00 'java. util. concurrent. ConcurrentSkipListSet' 0xdd 0x98 'Py' 0xbd 0xcf 0xf1 '[' 0x02 0x00 0x01 'L' 0x00 0x01 'mt' 0x00 '-Ljava/util/concurrent/ConcurrentNavigableMap;xpsr' 0x00 'java. util. concurrent. ConcurrentSkipListMap' 0x88 'Fu' 0xae 0x06 0x11 'F' 0xa7 0x03 0x00 0x01 'L' 0x00 0x0a 'comparatort' 0x00 0x16 'Ljava/util/Comparator;xppsr' 0x00 0x1a 'java. security. SignedObject' 0x09 0xff 0xbd 'h*
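
As an added example (not code from the article or from the Jenkins project), the following Python script turns a log excerpt of the kind shown above into a detection signal: it rebuilds the raw bytes from the “Read back:” dump of DiagnosedStreamCorruptionException, checks for the Java serialization stream magic 0xACED0005, and lists the class names the stream asked the server to load, flagging any outside the hudson.remoting package that the Capability and Command types live in. The sample log text is constructed in the format of the excerpt above, and the allowed-package list is an assumption made for illustration.

```python
import re

JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"  # STREAM_MAGIC + STREAM_VERSION of Java serialization
# Capability and Command live in hudson.remoting; treating it as the only expected
# package is an assumption made for this example, not a Jenkins rule.
EXPECTED_PREFIXES = ("hudson.remoting.",)

_TOKEN = re.compile(r"0x([0-9a-fA-F]{2})|'([^']*)'")
_CHANNEL = re.compile(r"I/O error in channel HTTP full-duplex channel ([0-9a-f-]{36})")
_CLASS_NAME = re.compile(rb"^[A-Za-z_$\[][\w$.;\[/]*$")

def parse_read_back(dump: str) -> bytes:
    """Rebuild raw bytes from a 'Read back:' dump: 0xNN tokens plus quoted ASCII runs."""
    out = bytearray()
    for hex_byte, text in _TOKEN.findall(dump):
        out += bytes([int(hex_byte, 16)]) if hex_byte else text.encode("latin-1")
    return bytes(out)

def extract_class_names(data: bytes) -> list:
    """Heuristic scan, not a full stream parser: after 'sr' (TC_OBJECT, TC_CLASSDESC) or
    'xr' (TC_ENDBLOCKDATA, TC_CLASSDESC) comes a 2-byte big-endian length and the class
    name. Names cut off by a truncated dump are dropped."""
    names = []
    for m in re.finditer(rb"[sx]r", data):
        pos = m.end()
        length = int.from_bytes(data[pos:pos + 2], "big")
        name = data[pos + 2:pos + 2 + length]
        if length and len(name) == length and _CLASS_NAME.match(name):
            names.append(name.decode("latin-1"))
    return names

def analyze_log(log: str) -> list:
    """For each 'Read back:' record return (channel UUID, is_java_stream, classes,
    classes outside EXPECTED_PREFIXES)."""
    findings, channel = [], "unknown"
    for line in log.splitlines():
        if m := _CHANNEL.search(line):
            channel = m.group(1)
        elif line.startswith("Read back:"):
            data = parse_read_back(line[len("Read back:"):])
            classes = extract_class_names(data)
            unexpected = [c for c in classes if not c.startswith(EXPECTED_PREFIXES)]
            findings.append((channel, data.startswith(JAVA_STREAM_MAGIC), classes, unexpected))
    return findings

# Constructed sample in the format of the log excerpt above (not a real capture).
SAMPLE_LOG = """\
Jan 26, 2017 2:22:41 PM hudson.remoting.SynchronousCommandTransport$ReaderThread run
SEVERE: I/O error in channel HTTP full-duplex channel a403c455-3b83-4890-b304-ec799bffe582
hudson.remoting.DiagnosedStreamCorruptionException
Read back: 0xac 0xed 0x00 0x05 'sr' 0x00 '/org.apache.commons.collections.map.ReferenceMap' 0x15 0x94 0xca 0x03 0x98 'I' 0x08 0xd7 0x03 0x00 0x00 'xpw' 0x11 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x01 0x00 '?@' 0x00 0x00 0x00 0x00 0x00 0x10 'sr' 0x00 0x1a 'java.security.SignedObject' 0x09 0xff 0xbd 'h'
"""
```

A record whose bytes start with the serialization magic and reference classes outside the expected package is the signal to alert on; a plain non-serialized request that hit the channel shows up as a non-Java stream with no classes.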
