北京三思网安科技有限公司

联系人:吴女士

座机:010-59433750

手机:18600364534

邮 箱:fangwu@secspace.com

地 址:北京市海淀区二里庄35号万和大厦206号

Jenkins 远程代码执行漏洞预警

11月11日,Jenkins 官方通告了一个可能导致远程代码执行的严重漏洞,并强烈建议在公网部署了 Jenkins 的管理员立即禁用 CLI 选项。 次日,Jenkins 再次确认漏洞的存在,影响版本包括LTS Release 2.19.3 之前的所有版本Weekly Release 2.32 之前的所有版本,并声明会在16日发布更新以修复该漏洞。11月17号,Jenkins 发布了新的安全更新:LTS Release 2.19.3Weekly Release 2.32并在 GitHub 上给出了漏洞 PoC

 

Description

Remote code execution vulnerability in remoting module

SECURITY-360 / CVE-2016-9299

An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java object to the Jenkins CLI, making Jenkins connect to an attacker-controlled LDAP server, which in turn can send a serialized payload leading to code execution, bypassing existing protection mechanisms.

Severity

  • SECURITY-360 is considered critical as it allows unprivileged attackers to execute arbitrary code.

Affected versions

  • All Jenkins main line releases up to and including 2.31

  • All Jenkins LTS releases up to and including 2.19.2

Fix

  • Jenkins main line users should update to 2.32

  • Jenkins LTS users should update to 2.19.3

These versions include fixes to all the vulnerabilities described above. All prior versions are affected by these vulnerabilities.

Notes

As part of this fix, a number of other so-called "gadgets" were reviewed and are now also being prohibited. We tracked this activity as SECURITY-317.

Other resources

 

中文描述

CVE ID:

  •  CVE-2016-9299

披露时间:

  •  2016-11-11

影响版本:

  • LTS Release 2.19.3 之前的所有版本

  • Weekly Release 2.32 之前的所有版本

漏洞影响:

Jenkins 官方在更新了漏洞修复补丁的同时,也在 GitHub 上添加了相关的测试代码,测试代码中包含针对此漏洞测试的 Payload,通过远程执行代码来测试该漏洞是否存在,这可能造成 Jenkins 应用被大面积攻击。

强烈建议 Jenkins 管理员立即升级最新版以修复该漏洞。

漏洞验证:

漏洞测试方法见 Jenkins 官方测试代码:

@PresetData(PresetData.DataSet.ANONYMOUS_READONLY)

@Test

@Issue("SECURITY-360")

public void ldap() throws Exception {

    // with a proper fix, this should fail with EXIT_CODE_REJECTED

    // otherwise this will fail with -1 exit code

    probe(Payload.Ldap, PayloadCaller.EXIT_CODE_REJECTED);

}

 

private void probe(Payload payload, int expectedResultCode) throws Exception {

    File file = File.createTempFile("security-218", payload + "-payload");

    File moved = new File(file.getAbsolutePath() + "-moved");

   

    // Bypassing _main because it does nothing interesting here.

    // Hardcoding CLI protocol version 1 (CliProtocol) because it is easier to sniff.

    int exitCode = new CLI(r.getURL()).execute("send-payload",

            payload.toString(), "mv " + file.getAbsolutePath() + " " + moved.getAbsolutePath());

    assertEquals("Unexpected result code.", expectedResultCode, exitCode);

    assertTrue("Payload should not invoke the move operation " + file, !moved.exists());

    file.delete();

}

   

...

 

public class Ldap extends PayloadRunner implements ObjectPayload<Object> {

   

    public Object getObject(final String command) throws Exception {

        // this is not a fully exploit, so we cannot honor the command,

        // but we want to check that we are blocking LdapAttribute

        Class<?> c = Class.forName("com.sun.jndi.ldap.LdapAttribute");

        Constructor<?> ctr = c.getDeclaredConstructor(String.class);

        ctr.setAccessible(true);

        return ctr.newInstance("foo");

    }

   

    public static void main(final String[] args) throws Exception {

        PayloadRunner.run(Ldap.class, args);

    }

}

解决方案:

Jenkins 已修复漏洞并发布了新版 Release,可以升级到以下版本:

  • Weekly Release 2.32

  • LTS Release 2.19.3 

参考: 

  • Jenkins (https://jenkins.io/)

  • 邮件组   (https://groups.google.com/forum/#!msg/jenkinsci-advisories/-fc-w9tNEJE/GRvEzWoJBgAJ)

  • 官方 PoC  (https://github.com/jenkinsci/jenkins/blob/master/test/src/test/java/jenkins/security/Security218CliTest.java)

三思后行,才能安全无忧。

三思网安一个有用的公众号

微信扫描二维码,加关注吧

 

发布者:管理员   点击数:1786   发布时间:2016-11-18 10:13:15   更新时间:2020-12-11 18:13:08