Jenkins – messing with exploits pt2 – CVE-2019-1003000
February 27, 2019
Jenkins – SECURITY-200 / CVE-2015-5323 PoC
February 27, 2019

Jenkins Master Post

A collection of posts on attacking Jenkins

http://www.labofapenetrationtester.com/2014/08/script-execution-and-privilege-esc-jenkins.html
Manipulating build steps to get RCE

https://medium.com/@uranium238/shodan-jenkins-to-get-rces-on-servers-6b6ec7c960e2

Using the terminal plugin to get RCE

https://sharadchhetri.com/2018/12/02/managing-jenkins-plugins/

Getting started with Jenkins Plugins

https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html

Vulns in

  • Pipeline: Declarative Plugin up to and including 1.3.4
  • Pipeline: Groovy Plugin up to and including 2.61
  • Script Security Plugin up to and including 1.49

Blog post says: This issue has been fixed in Jenkins version 2.121.1 LTS (2.132 weekly).

http://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html

CVE-2019-1003000 (https://jenkins.io/security/advisory/2019-01-08/#SECURITY-1266)

https://github.com/Coalfire-Research/java-deserialization-exploits/tree/master/Jenkins

https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstream
CVE-2015-8103 & CVE-2016-0792

https://github.com/nixawk/labs/tree/master/CVE-2017-1000353

https://github.com/vulhub/vulhub/tree/master/jenkins/CVE-2017-1000353
https://www.twistlock.com/2017/06/18/jenkins-java-deserialization/
CVE-2017-1000353 PoC

https://cloud.tencent.com/developer/article/1165414

https://github.com/anntsmart/CVE
CVE-2018-1999002 (windows) Arbitrary file read

A arbitrary file read vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework. Under Windows, directories that don’t exist can be traversed by ../, but not for Linux. Then this vulnerability can be read by any file under Windows. Under Linux, you need to have a directory with _ in the Jenkins plugins directory.


https://www.crowdstrike.com/blog/your-jenkins-belongs-to-us-now-abusing-continuous-integration-systems/

https://www.n00py.io/2017/01/compromising-jenkins-and-extracting-credentials/
Decrypting credentials.xml 

https://leonjza.github.io/blog/2015/05/27/jenkins-to-meterpreter—toying-with-powersploit/

Jenkins, windows, powershell

https://securitynews.sonicwall.com/xmlpost/jenkins-ci-server-at-risk-high-risk-vulnerbaility/

https://www.zdnet.com/article/thousands-of-jenkins-servers-will-let-anonymous-users-become-admins/
https://www.cyberark.com/threat-research-blog/tripping-the-jenkins-main-security-circuit-breaker-an-inside-look-at-two-jenkins-security-vulnerabilities/
CVE-2018-1999001 malformed request moves the config.xml file, after restart anyone can log in – couple it with a DoS (CVE-2018-1999043) to force restart 

  • Jenkins weekly up to and including 2.132
  • Jenkins LTS up to and including 2.121.1

CG Posts:

https://carnal0wnage.attackresearch.com/2019/02/jenkins-messing-with-new-exploits-pt1.html
Username enumeration Jenkins 2.137 and below

https://carnal0wnage.attackresearch.com/2019/02/jenkins-security-200-cve-2015-5323-poc.html

Jenkins – SECURITY-200 / CVE-2015-5323 PoC (API tokens of other users available to admins)

https://carnal0wnage.attackresearch.com/2019/02/jenkins-security-180cve-2015-1814-poc.html

Jenkins – SECURITY-180/CVE-2015-1814 PoC (Forced Token Change)

https://carnal0wnage.attackresearch.com/2019/02/jenkins-decrypting-credentialsxml.html
Decrypting Jenkins credentials.xml 

https://carnal0wnage.attackresearch.com/2019/03/jenkins-cve-2018-1000600-poc.html
Jenkins – CVE-2018-1000600 SSRF in GitHub plugin

https://carnal0wnage.attackresearch.com/2019/02/jenkins-messing-with-exploits-pt2-cve.html

Jenkins – CVE-2019-1003000 Pt 1

https://carnal0wnage.attackresearch.com/2019/03/jenkins-messing-with-exploits-pt3-cve.html
Jenkins – CVE-2019-1003000 Pt 2 – Orange Tsai exploit

https://carnal0wnage.attackresearch.com/2019/03/jenkins-identify-ip-addresses-of-nodes.html
Jenkins – Identify IP Addresses of nodes

News Reporter
News Reporter
Head of Operations (Banking), Director IT Governance, Teamlead Microsoft, Service Delivery Manager. Interested in Office 365, LAMP, IT Security and much more!