Welcome to our

Cyber Security News Aggregator

.

Cyber Tzar

provide a

cyber security risk management

platform; including automated penetration tests and risk assesments culminating in a "cyber risk score" out of 1,000, just like a credit score.

Jenkins - CVE-2018-1000600 PoC

published on 2019-03-05 19:01:00 UTC by Unknown
Content:


second exploit from the blog post

 https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html

 Chained with CVE-2018-1000600 to a Pre-auth Fully-responded SSRF
https://jenkins.io/security/advisory/2018-06-25/#SECURITY-915

 This affects the GitHub plugin that is installed by default. However, I learned that when you spin up a new jenkins instance it pulls all the updated plugins (also by default) I'm honestly not sure how often people set update to latest plugin on by default but it does seem to knock down some of this stuff.

 exploit works against: GitHub Plugin up to and including 1.29.1

 When i installed Jenkins today (25 Feb 19) it installed 1.29.4 by default thus the below does NOT work.

 From the blog post:
CSRF vulnerability and missing permission checks in GitHub Plugin allowed capturing credentials 
It can extract any stored credentials with known credentials ID in Jenkins. But the credentials ID is a random UUID if there is no user-supplied value provided. So it seems impossible to exploit this?(Or if someone know how to obtain credentials ID, please tell me!)
Although it can’t extract any credentials without known credentials ID, there is still another attack primitive - a fully-response SSRF! We all know how hard it is to exploit a Blind SSRF, so that’s why a fully-responded SSRF is so valuable!
PoC:
http://jenkins.local/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.github.config.GitHubTokenCredentialsCreator/createTokenByPassword
?apiUrl=http://169.254.169.254/%23
&login=orange
&password=tsai

To get old versions of the plugin and info you can go to  
 https://wiki.jenkins.io/display/JENKINS/GitHub+Branch+Source+Plugin

 download old versions
https://updates.jenkins.io/download/plugins/github-branch-source/
https://updates.jenkins.io/download/plugins/github/
Article: Jenkins - CVE-2018-1000600 PoC - published over 5 years ago.

https://blog.carnal0wnage.com/2019/03/jenkins-cve-2018-1000600-poc.html   
Published: 2019 03 05 19:01:00
Received: 2023 03 31 08:24:32
Feed: Carnal0wnage and Attack Research Blog
Source: Carnal0wnage and Attack Research Blog
Category: News
Topic: Hacking
Views: 2

Custom HTML Block

Click to Open Code Editor