A collection of posts on attacking Jenkins
http://www.labofapenetrationtester.com/2014/08/script-execution-and-privilege-esc-jenkins.html
Manipulating build steps to get RCE
https://medium.com/@uranium238/shodan-jenkins-to-get-rces-on-servers-6b6ec7c960e2
Using the terminal plugin to get RCE
https://sharadchhetri.com/2018/12/02/managing-jenkins-plugins/
Getting started with Jenkins Plugins
https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html
Vulns in
- Pipeline: Declarative Plugin up to and including 1.3.4
- Pipeline: Groovy Plugin up to and including 2.61
- Script Security Plugin up to and including 1.49
Blog post says: This issue has been fixed in Jenkins version 2.121.1 LTS (2.132 weekly).
http://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html
CVE-2019-1003000 (https://jenkins.io/security/advisory/2019-01-08/#SECURITY-1266)
https://github.com/Coalfire-Research/java-deserialization-exploits/tree/master/Jenkins
https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstream
CVE-2015-8103 & CVE-2016-0792
https://github.com/nixawk/labs/tree/master/CVE-2017-1000353
https://github.com/vulhub/vulhub/tree/master/jenkins/CVE-2017-1000353
https://www.twistlock.com/2017/06/18/jenkins-java-deserialization/
CVE-2017-1000353 PoC
https://cloud.tencent.com/developer/article/1165414
https://github.com/anntsmart/CVE
CVE-2018-1999002 (windows) Arbitrary file read
A arbitrary file read vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework. Under Windows, directories that don’t exist can be traversed by ../, but not for Linux. Then this vulnerability can be read by any file under Windows. Under Linux, you need to have a directory with _ in the Jenkins plugins directory.
https://www.crowdstrike.com/blog/your-jenkins-belongs-to-us-now-abusing-continuous-integration-systems/
https://www.n00py.io/2017/01/compromising-jenkins-and-extracting-credentials/
Decrypting credentials.xml
https://leonjza.github.io/blog/2015/05/27/jenkins-to-meterpreter—toying-with-powersploit/
Jenkins, windows, powershell
https://securitynews.sonicwall.com/xmlpost/jenkins-ci-server-at-risk-high-risk-vulnerbaility/
https://www.zdnet.com/article/thousands-of-jenkins-servers-will-let-anonymous-users-become-admins/
https://www.cyberark.com/threat-research-blog/tripping-the-jenkins-main-security-circuit-breaker-an-inside-look-at-two-jenkins-security-vulnerabilities/
CVE-2018-1999001 malformed request moves the config.xml file, after restart anyone can log in – couple it with a DoS (CVE-2018-1999043) to force restart
- Jenkins weekly up to and including 2.132
- Jenkins LTS up to and including 2.121.1
CG Posts:
https://carnal0wnage.attackresearch.com/2019/02/jenkins-messing-with-new-exploits-pt1.html
Username enumeration Jenkins 2.137 and below
https://carnal0wnage.attackresearch.com/2019/02/jenkins-security-200-cve-2015-5323-poc.html
Jenkins – SECURITY-200 / CVE-2015-5323 PoC (API tokens of other users available to admins)
https://carnal0wnage.attackresearch.com/2019/02/jenkins-security-180cve-2015-1814-poc.html
Jenkins – SECURITY-180/CVE-2015-1814 PoC (Forced Token Change)
https://carnal0wnage.attackresearch.com/2019/02/jenkins-decrypting-credentialsxml.html
Decrypting Jenkins credentials.xml
https://carnal0wnage.attackresearch.com/2019/03/jenkins-cve-2018-1000600-poc.html
Jenkins – CVE-2018-1000600 SSRF in GitHub plugin
https://carnal0wnage.attackresearch.com/2019/02/jenkins-messing-with-exploits-pt2-cve.html
Jenkins – CVE-2019-1003000 Pt 1
https://carnal0wnage.attackresearch.com/2019/03/jenkins-messing-with-exploits-pt3-cve.html
Jenkins – CVE-2019-1003000 Pt 2 – Orange Tsai exploit
https://carnal0wnage.attackresearch.com/2019/03/jenkins-identify-ip-addresses-of-nodes.html
Jenkins – Identify IP Addresses of nodes