RCE Unsecure Jenkins Instance | Bug Bounty POC
Hi Guys,
Honestly, I was just getting bored and the blog wasn't updated in a while, so I decided to write this (will share some more recent issues in a few days 🙂)
I want this write-up to be concise, so let's just say I was checking subdomains of a site and found a subdomain, jenkins-thor.
By the name I figured it must be a Jenkins instance, so I opened that subdomain and got redirected to the GitHub login page.
But the Jenkins instance lacked any kind of security for users: when I visited it, it simply asked me to log in to the Jenkins instance using my GitHub account. As soon as I logged in to the Jenkins instance, I had complete admin access to it, and I was on the Users page.
Now, as many of you already know, a Jenkins instance has a Script page where a user can go and execute Groovy scripts, and you can also install a plugin called Terminal for it.
So running a simple script such as
def command = "uname -a"
def proc = command.execute()
proc.waitFor()
println "Process exit code: ${proc.exitValue()}"
println "Std Err: ${proc.err.text}"
println "Std Out: ${proc.in.text}"
or
String fileContents = new File('/etc/passwd').getText('UTF-8')
This Groovy script will execute the command.
At this point you can be sure that you have an RCE in the service and can execute any command you want, so I did that just to be sure.
So I wrote a report about it and sent it to the CTO of the website 🙂 and the issue was mitigated urgently.
Takeaways:
- Make sure you set the permissions for your Jenkins instance properly
- Make sure you only allow trusted users to install plugins or use Groovy Script
Do read the Detailed Post by nahamsec https://nahamsec.com/secure-your-jenkins-instance-or-hackers-will-force-you-to/
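One way to check the first takeaway, as an added example that is not from the original post: a Python audit of a Jenkins root config.xml for authorization settings that give script-console access to everyone who can log in. The sample configs are constructed, and pairing the GitHub OAuth realm with the "logged-in users can do anything" strategy is an assumption about the cause; the post does not say which strategy was configured.

```python
import xml.etree.ElementTree as ET

# Jenkins permission IDs that unlock the Groovy script console.
SCRIPT_PERMS = {"hudson.model.Hudson.Administer", "hudson.model.Hudson.RunScripts"}
# Principals that cover every visitor, or every account that can log in.
BROAD_SIDS = {"anonymous", "authenticated"}
# Realms where outsiders can create their own account (assumed list; extend it).
OPEN_REALMS = {"org.jenkinsci.plugins.GithubSecurityRealm"}

# Constructed sample: any GitHub account that logs in becomes an administrator.
WEAK = """<hudson><useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy"/>
  <securityRealm class="org.jenkinsci.plugins.GithubSecurityRealm"/></hudson>"""
# Constructed sample: Administer is limited to one named group (hypothetical name).
HARDENED = """<hudson><useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:ci-admins</permission>
    <permission>hudson.model.Hudson.Read:authenticated</permission>
  </authorizationStrategy>
  <securityRealm class="org.jenkinsci.plugins.GithubSecurityRealm"/></hudson>"""


def audit_config(xml_text):
    """Return a list of findings for a Jenkins root config.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    strategy = root.find("authorizationStrategy")
    realm = root.find("securityRealm")
    s_class = strategy.get("class", "") if strategy is not None else ""
    r_class = realm.get("class", "") if realm is not None else ""

    enabled = root.findtext("useSecurity", "false").strip() == "true"
    if not enabled or s_class.endswith("$Unsecured"):
        findings.append("security disabled: every visitor is an administrator")
    elif s_class.endswith("FullControlOnceLoggedInAuthorizationStrategy"):
        who = "any account in an open realm" if r_class in OPEN_REALMS else "every account"
        findings.append(f"logged-in users can do anything: {who} is an administrator")
    elif strategy is not None:
        # Matrix strategies store each grant as [TYPE:]permission:sid.
        for entry in strategy.iter("permission"):
            parts = (entry.text or "").strip().split(":")
            if len(parts) >= 2 and parts[-2] in SCRIPT_PERMS and parts[-1] in BROAD_SIDS:
                findings.append(f"{parts[-2]} granted to '{parts[-1]}'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_config(cfg))
```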
Note: The issue was reported and has been mitigated. The blog was written after getting permission from the CTO, Matt ( https://twitter.com/mshmsh5000 ) 🙂 Also, the site DoSomething doesn't have a bug bounty program anymore, so kindly avoid any kind of testing.
Thanks for Reading ^_^