MS-9517 Jenkins Login Scanner

adeherdt-r7 · adeherdt-r7 · commit a3a24418a8d1 · 2024-08-13T11:16:01.000+02:00
Jenkins does not implement Authentication challenges.

By default, Jenkins responds with a HTTP 403 FORBIDDEN response, and does not include the `WWW-Authenticate` header.
This causes problems with the underlying http client, as this one expects the challenge to come forward and resend
the request with the auth header.

By changing the code to look for the HTTP 403 response, and setting the default URL to the correct login validation endpoint
Pro will have an easier time to investigate whether Jenkins can be bruteforced or not.

The original code checks for a 401 response only.
Overwriting the behavior for Jenkins allows us to handle this use-case properly and report the correct behavior.
diff --git a/lib/metasploit/framework/login_scanner/http.rb b/lib/metasploit/framework/login_scanner/http.rb
@@ -1,4 +1,3 @@
-
 require 'metasploit/framework/login_scanner/base'
 require 'metasploit/framework/login_scanner/rex_socket'
 
@@ -12,14 +11,16 @@ class HTTP
         include Metasploit::Framework::LoginScanner::Base
         include Metasploit::Framework::LoginScanner::RexSocket
 
-        DEFAULT_REALM        = nil
-        DEFAULT_PORT         = 80
-        DEFAULT_SSL_PORT     = 443
-        DEFAULT_HTTP_SUCCESS_CODES = [ 200, 201 ].append(*(300..309))
-        LIKELY_PORTS         = [ 80, 443, 8000, 8080 ]
-        LIKELY_SERVICE_NAMES = [ 'http', 'https' ]
-        PRIVATE_TYPES        = [ :password ]
-        REALM_KEY            = Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN
+        AUTHORIZATION_HEADER = 'WWW-Authenticate'.freeze
+        DEFAULT_REALM = nil
+        DEFAULT_PORT = 80
+        DEFAULT_SSL_PORT = 443
+        DEFAULT_HTTP_SUCCESS_CODES = [200, 201].append(*(300..309))
+        DEFAULT_HTTP_NOT_AUTHED_CODES = [401]
+        LIKELY_PORTS = [80, 443, 8000, 8080]
+        LIKELY_SERVICE_NAMES = %w[http https]
+        PRIVATE_TYPES = [:password]
+        REALM_KEY = Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN
 
         # @!attribute uri
         #   @return [String] The path and query string on the server to
@@ -213,16 +214,14 @@ def check_setup
             # authentication
             response = http_client._send_recv(request)
           rescue ::EOFError, Errno::ETIMEDOUT, OpenSSL::SSL::SSLError, Rex::ConnectionError, ::Timeout::Error
-            return "Unable to connect to target"
+            return 'Unable to connect to target'
           end
 
-          if !(response && response.code == 401 && response.headers['WWW-Authenticate'])
-            error_message = "No authentication required"
-          else
-            error_message = false
+          if authentication_required?(response)
+            return false
           end
 
-          error_message
+          'No authentication required'
         end
 
         # Sends a HTTP request with Rex
@@ -252,7 +251,7 @@ def send_request(opts)
                   else
                     cli._send_recv(req)
                   end
-          rescue ::EOFError, Errno::ETIMEDOUT ,Errno::ECONNRESET, Rex::ConnectionError, OpenSSL::SSL::SSLError, ::Timeout::Error => e
+          rescue ::EOFError, Errno::ETIMEDOUT, Errno::ECONNRESET, Rex::ConnectionError, OpenSSL::SSL::SSLError, ::Timeout::Error => e
             raise Rex::ConnectionError, e.message
           ensure
             # If we didn't create the client, don't close it
@@ -315,18 +314,31 @@ def attempt_login(credential)
           Result.new(result_opts)
         end
 
+        protected
+
+        # Returns a boolean value indicating whether the request requires authentication or not.
+        #
+        # @param [Rex::Proto::Http::Response] response The response received from the HTTP endpoint
+        # @return [Boolean] True if the request required authentication; otherwise false.
+        def authentication_required?(response)
+          return false unless response
+
+          self.class::DEFAULT_HTTP_NOT_AUTHED_CODES.include?(response.code) &&
+            response.headers[self.class::AUTHORIZATION_HEADER]
+        end
+
         private
 
         def create_client(opts)
-          rhost           = opts['host'] || host
-          rport           = opts['rport'] || port
-          cli_ssl         = opts['ssl'] || ssl
+          rhost = opts['host'] || host
+          rport = opts['rport'] || port
+          cli_ssl = opts['ssl'] || ssl
           cli_ssl_version = opts['ssl_version'] || ssl_version
-          cli_proxies     = opts['proxies'] || proxies
-          username        = opts['credential'] ? opts['credential'].public : http_username
-          password        = opts['credential'] ? opts['credential'].private : http_password
-          realm           = opts['credential'] ? opts['credential'].realm : nil
-          context         = opts['context'] || { 'Msf' => framework, 'MsfExploit' => framework_module}
+          cli_proxies = opts['proxies'] || proxies
+          username = opts['credential'] ? opts['credential'].public : http_username
+          password = opts['credential'] ? opts['credential'].private : http_password
+          realm = opts['credential'] ? opts['credential'].realm : nil
+          context = opts['context'] || { 'Msf' => framework, 'MsfExploit' => framework_module}
 
           kerberos_authenticator = nil
           if kerberos_authenticator_factory
@@ -441,10 +453,22 @@ def set_sane_defaults
 
         # Combine the base URI with the target URI in a sane fashion
         #
-        # @param [String] target_uri the target URL
+        # @param [Array<String>] target_uri the target URL
         # @return [String] the final URL mapped against the base
-        def normalize_uri(target_uri)
-          (self.uri.to_s + "/" + target_uri.to_s).gsub(/\/+/, '/')
+        def normalize_uri(*target_uri)
+          if target_uri.count == 1
+            (uri.to_s + '/' + target_uri.first.to_s).gsub(%r{/+}, '/')
+          else
+            new_str = target_uri * '/'
+            new_str = new_str.gsub!('//', '/') while new_str.index('//')
+
+            # Makes sure there's a starting slash
+            unless new_str[0,1] == '/'
+              new_str = '/' + new_str
+            end
+
+            new_str
+          end
         end
 
         private
diff --git a/lib/metasploit/framework/login_scanner/jenkins.rb b/lib/metasploit/framework/login_scanner/jenkins.rb
@@ -5,51 +5,127 @@ module Framework
     module LoginScanner
       # Jenkins login scanner
       class Jenkins < HTTP
-
-        include Msf::Exploit::Remote::HTTP::Jenkins
-
         # Inherit LIKELY_PORTS,LIKELY_SERVICE_NAMES, and REALM_KEY from HTTP
         CAN_GET_SESSION = true
-        DEFAULT_PORT    = 8080
-        PRIVATE_TYPES   = [ :password ]
+        DEFAULT_HTTP_NOT_AUTHED_CODES = [403]
+        DEFAULT_PORT = 8080
+        PRIVATE_TYPES = [:password].freeze
+        LOGIN_PATH_REGEX = /action="(j_([a-z0-9_]+))"/
+
+        # Checks the setup for the Jenkins Login scanner.
+        #
+        # @return [String, false] Always returns false.
+        def check_setup
+          login_uri = jenkins_login_url
+
+          return 'Unable to locate the Jenkins login path' if login_uri.nil?
+
+          self.uri = normalize_uri(login_uri)
+
+          false
+        end
 
         # (see Base#set_sane_defaults)
         def set_sane_defaults
-          self.uri = "/j_acegi_security_check" if self.uri.nil?
-          self.method = "POST" if self.method.nil?
+          self.uri ||= '/'
 
-          if self.uri[0] != '/'
-            self.uri = "/#{self.uri}"
+          unless uri.to_s.start_with?('/')
+            self.uri = "/#{uri}"
           end
 
           super
         end
 
         def attempt_login(credential)
           result_opts = {
-              credential: credential,
-              host: host,
-              port: port,
-              protocol: 'tcp'
+            credential: credential,
+            host: host,
+            port: port,
+            protocol: 'tcp'
           }
+
           if ssl
             result_opts[:service_name] = 'https'
           else
             result_opts[:service_name] = 'http'
           end
 
-          status, proof = jenkins_login(credential.public, credential.private) do |request|
-            send_request({
-              'method' => method,
-              'uri' => uri,
-              'vars_post' => request['vars_post']
-            })
-          end
+          status, proof = jenkins_login(credential.public, credential.private)
 
           result_opts.merge!(status: status, proof: proof)
 
           Result.new(result_opts)
         end
+
+        protected
+
+        # Returns a boolean value indicating whether the request requires authentication or not.
+        #
+        # @param [Rex::Proto::Http::Response] response The response received from the HTTP endpoint
+        # @return [Boolean] True if the request required authentication; otherwise false.
+        def authentication_required?(response)
+          return false unless response
+
+          self.class::DEFAULT_HTTP_NOT_AUTHED_CODES.include?(response.code)
+        end
+
+        private
+
+        # This method takes a username and password and a target URI
+        # then attempts to login to Jenkins and will either fail with appropriate errors
+        #
+        # @param [String] username The username for login credentials
+        # @param [String] password The password for login credentials
+        # @return [Array] [status, proof] The result of the login attempt
+        def jenkins_login(username, password)
+          begin
+            res = send_request(
+              'method' => 'POST',
+              'uri' => self.uri,
+              'vars_post' => {
+                'j_username' => username,
+                'j_password' => password,
+                'Submit' => 'log in'
+              }
+            )
+
+            if res && res.headers['Location'] && !res.headers['Location'].include?('loginError')
+              status = Metasploit::Model::Login::Status::SUCCESSFUL
+              proof = res.headers
+            else
+              status = Metasploit::Model::Login::Status::INCORRECT
+              proof = res
+            end
+          rescue ::EOFError, Errno::ETIMEDOUT, Errno::ECONNRESET, Rex::ConnectionError, OpenSSL::SSL::SSLError, ::Timeout::Error => e
+            status = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+            proof = e
+          end
+
+          [status, proof]
+        end
+
+        # This method uses the provided URI to determine whether login is possible for Jenkins.
+        # Based on the contents of the provided URI, the method looks for the login form and
+        # extracts the endpoint used to authenticate against.
+        #
+        # @return [String, nil] URI for successful login
+        def jenkins_login_url
+          response = send_request({ 'uri' => normalize_uri('login') })
+
+          if response&.code == 200 && response&.body =~ LOGIN_PATH_REGEX
+            return Regexp.last_match(1)
+          end
+
+          nil
+        end
+
+        # Determines whether the provided response is considered valid or not.
+        #
+        # @param [Rex::Proto::Http::Response, nil] response The response received from the HTTP request.
+        # @return [Boolean] True if the response if valid; otherwise false.
+        def valid_response?(response)
+          http_success_codes.include?(response&.code)
+        end
       end
     end
   end
diff --git a/lib/msf/core/exploit/remote/http/jenkins.rb b/lib/msf/core/exploit/remote/http/jenkins.rb
@@ -15,7 +15,7 @@ def jenkins_version
             res = send_request_cgi({ 'uri' => uri })
 
             unless res
-              return nil 
+              return nil
             end
 
             # shortcut for new versions such as 2.426.2 and 2.440
diff --git a/modules/auxiliary/scanner/http/jenkins_login.rb b/modules/auxiliary/scanner/http/jenkins_login.rb
@@ -11,7 +11,6 @@ class MetasploitModule < Msf::Auxiliary
   include Msf::Exploit::Remote::HttpClient
   include Msf::Auxiliary::Report
   include Msf::Auxiliary::AuthBrute
-  include Msf::Exploit::Remote::HTTP::Jenkins
 
   def initialize
     super(
@@ -32,16 +31,16 @@ def initialize
   end
 
   def run_host(ip)
-    print_warning("#{self.fullname} is still calling the deprecated LOGIN_URL option! This is no longer supported.") unless datastore['LOGIN_URL'].nil?
+    print_warning("#{fullname} is still calling the deprecated LOGIN_URL option! This is no longer supported.") unless datastore['LOGIN_URL'].nil?
     cred_collection = build_credential_collection(
       username: datastore['USERNAME'],
       password: datastore['PASSWORD']
     )
 
-    login_uri = jenkins_uri_check(target_uri)
     scanner = Metasploit::Framework::LoginScanner::Jenkins.new(
       configure_http_login_scanner(
-        uri: normalize_uri(login_uri),
+        uri: datastore['TARGETURI'],
+        ssl: datastore['SSL'],
         method: datastore['HTTP_METHOD'],
         cred_details: cred_collection,
         stop_on_success: datastore['STOP_ON_SUCCESS'],
@@ -52,12 +51,17 @@ def run_host(ip)
       )
     )
 
+    message = scanner.check_setup
+
+    if message
+      print_brute level: :error, ip: ip, msg: message
+      return
+    end
+
     scanner.scan! do |result|
       credential_data = result.to_h
-      credential_data.merge!(
-          module_fullname: fullname,
-          workspace_id: myworkspace_id
-      )
+      credential_data.merge!(module_fullname: fullname, workspace_id: myworkspace_id)
+
       if result.success?
         credential_core = create_credential(credential_data)
         credential_data[:core] = credential_core
