References:


https://www.exploit-db.com/exploits/46453
http://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html


This post covers the Orange Tsai Jenkins pre-auth exploit


Vuln versions: Jenkins < 2.137 (preauth)


Pipeline: Declarative Plugin up to and including 1.3.4
Pipeline: Groovy Plugin up to and including 2.61
Script Security Plugin up to and including 1.49  (in CG’s testing 1.50 is also vuln)


The exploitdb link above lists a nice self contained exploit that will compile the jar for you and serve it up for retrieval by the vulnerable Jenkins server.







nc -l 8888 -vv


whoami
bash: no job control in this shell
 bash-3.2$ jenkins


After Jenkins 2.138 the preauth is gone but if you have  an overall read token and the plugins are still vulnerable you can still exploit that server.  You can just add your cookie to the script and it will hit the url with your authenticated cookie and you can still exploit the server.


ASK INTELWAR AI

Got questions? Prove me wrong...