CVE Explained CVE-2024-23897
Explaining the jenkins arbitrary file read vulnerability
Last updated
References
Exploits: my Python exploit (linked here)
Vulnerability Type: Unauthenticated Remote Code Execution (RCE)
CVE ID: CVE-2024-23897
CVSS Severity Score: 9.8 (Critical)
Application: Jenkins
Impact: Allows unauthenticated attackers to execute arbitrary code and read arbitrary files by exploiting a critical remote code execution vulnerability.
Severity: Critical
Affected Versions: Jenkins 2.441 and earlier, LTS 2.426.2 and earlier (multiple versions are impacted; check here for the full list).
Patch Available: Yes
Mitigation: Organizations are strongly advised to apply the latest security updates and patches promptly.
Exploitation is possible over HTTP, the CLI, and WebSockets.
The flow
The attacker makes two different POST requests to the CLI endpoint.
Post Request 1
The first POST request is an upload request containing the command and its arguments.
Post Request 2
The second POST request is a download request: it triggers execution of the command sent in the first request and returns the output of that command to the client.
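Since a CLI invocation over plain HTTP produces the two-POST pattern described above, a defender can look for it in the access log of the reverse proxy in front of Jenkins. The following detection logic is an added example, not part of the original post or of Jenkins; it assumes common-log-format lines (constructed here) and that the CLI endpoint lives at /cli (the query string remoting=false is what the Jenkins CLI sends in HTTP mode).

```python
"""Flag clients that send paired POST requests to the Jenkins CLI endpoint.

Added example (not from the original post or from Jenkins). Assumptions:
the reverse proxy writes common log format, and the CLI endpoint path
starts with /cli.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common log format: ip ident user [timestamp] "METHOD path proto" status size
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines; the two requests from 10.0.0.5 are the
# upload/download pair, the single POST from 10.0.0.9 is not.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Jan/2024:10:00:01 +0000] "POST /cli?remoting=false HTTP/1.1" 200 512',
    '10.0.0.5 - - [24/Jan/2024:10:00:01 +0000] "POST /cli?remoting=false HTTP/1.1" 200 2048',
    '10.0.0.9 - - [24/Jan/2024:10:00:03 +0000] "GET /login HTTP/1.1" 200 7000',
    '10.0.0.9 - - [24/Jan/2024:10:05:00 +0000] "POST /cli?remoting=false HTTP/1.1" 403 120',
]


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = CLF.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def cli_pairs(lines, window=timedelta(seconds=5), path_prefix="/cli"):
    """Return {client_ip: number_of_pairs} for clients whose POSTs to the CLI
    endpoint arrive in pairs within `window` of each other."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith(path_prefix):
            hits[rec["ip"]].append(rec["ts"])
    alerts = {}
    for ip, times in hits.items():
        times.sort()
        pairs = sum(1 for a, b in zip(times, times[1:]) if b - a <= window)
        if pairs:
            alerts[ip] = pairs
    return alerts


if __name__ == "__main__":
    for ip, n in cli_pairs(SAMPLE_LOG).items():
        print(f"{ip}: {n} paired CLI request(s)")
```

This is a triage heuristic rather than proof of exploitation: legitimate jenkins-cli users produce the same pair, so correlate hits with whether the client was authenticated and with the Jenkins version in service before raising an incident.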
Why is it happening
The whole process involves these methods, which start a domino effect that eventually leads to catastrophe:
CliCrumbExclusion: validates the endpoint via its process function.
FullDuplexHttpService: handles the request and response via three methods:
generateResponse: calls one of the other two methods depending on the header called Side, after checking the uuid string (which the exploit generates randomly).
download
upload
PlainCLIProtocol: continuously reads frames from the input stream and handles each frame according to its length.
CLICommand: contains the vulnerable code, the CmdLineParser, which is part of the args4j library responsible for the vulnerability.
Looking at the args4j code, we find the parseArgument function, which eventually calls the expandAtFiles method, the actual vulnerable code:
What this function does: for each element, if it starts with the character '@', it is treated as a file reference. It then:
1. Removes the '@' character from the beginning to obtain the file path.
2. Checks whether the file exists. If not, it throws a CmdLineException with an appropriate error message.
3. Reads all lines from the file and adds them to the result list.
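To make the three steps concrete, here is a small model of expandAtFiles beside a hardened variant. It is an added example written for this page, not the args4j or Jenkins source: the vulnerable path reproduces the behaviour described above, and the hardened path keeps '@' arguments literal unless expansion is explicitly enabled, which is the shape of the Jenkins fix (expansion gated behind the system property hudson.cli.CLICommand.allowAtSyntax, off by default). The secret file and its contents are constructed inside the example.

```python
"""Model of args4j's '@file' expansion and its hardened counterpart.

Added example, not the args4j or Jenkins code. The file on disk is
constructed by demo() so the example runs offline.
"""
import tempfile
from pathlib import Path


class CmdLineException(Exception):
    """Stand-in for args4j's CmdLineException."""


def expand_at_files(args, allow_at_syntax=True):
    """Return `args` with every '@path' entry replaced by the lines of that file.

    allow_at_syntax=True models the pre-fix behaviour: any caller who can pass
    an argument can make the server read any file its process can open.
    allow_at_syntax=False models the hardened default: the argument is passed
    through untouched and the filesystem is never consulted.
    """
    result = []
    for arg in args:
        if allow_at_syntax and arg.startswith("@"):
            path = Path(arg[1:])                       # step 1: strip the '@'
            if not path.exists():                      # step 2: existence check
                raise CmdLineException(f"File not found: {path}")
            result.extend(                             # step 3: splice in the lines
                path.read_text(encoding="utf-8").splitlines()
            )
        else:
            result.append(arg)
    return result


def demo():
    """Constructed scenario: a file the server process can read, referenced
    by a caller-supplied '@' argument. Returns both outcomes for comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = Path(tmp) / "secret.txt"
        secret.write_text("line-one\nline-two\n", encoding="utf-8")
        args = ["help", "@" + str(secret)]

        vulnerable = expand_at_files(args, allow_at_syntax=True)
        hardened = expand_at_files(args, allow_at_syntax=False)

        missing = "@" + str(Path(tmp) / "missing.txt")
        try:
            expand_at_files([missing], allow_at_syntax=True)
            missing_error = None
        except CmdLineException as exc:
            missing_error = str(exc)

    return {
        "vulnerable": vulnerable,
        "hardened": hardened,
        "missing_error": missing_error,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The existence check in step 2 matters for defenders as well: the distinct error message for a missing file versus a readable one is exactly what lets a caller distinguish the two cases, which is why disabling the expansion outright, rather than filtering paths, is the sound fix.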
I'll use the Hack The Box machine called Builder to demonstrate this.
Jenkins documents that we can access Jenkins via jenkins-cli, which can be downloaded once Jenkins is set up. Since Jenkins is already set up here, we can download it from here. This is why I mentioned WebSocket and HTTP earlier:
We send the request:
Looking at Wireshark to see what it did in the background:
Reading Sensitive Files
Now what I can do here is read the file that contains the user's password hash:
I can leverage this information and recover the password by cracking the hash, assuming it is weak.
I also wrote a Python exploit for this; it can be accessed here.