Remote Code Execution | A Story of Simple RCE on Jenkins Instance.

Vulnerability Category: A1- Code Injection

Hi Folks,

Today we will discuss about the remote code injection vulnerability on a publicly accessible Jenkins instance.

What is Jenkins?? Jenkins is an open source automation server which enables developers around the world to reliably build, test, and deploy their software.

Let start on how to find such open instances and how to exploit it.

Here I have used censys.io tool to identify the vulnerability. In below POC you can seen in search query I have searched Jenkins dashboard. In result you will receive an IP’s and technologies platform used.

Now you have to open the IP in the browser tab to check the Jenkins Dashboard access. As you can see we have the dashboard access without any authentication and authorization.

Now you have to check if you have any other privilege's to exploit this vulnerability. How to check???

1. IP/asynchPeople
2. IP/configure
3. IP/configureSecurity
4. IP/script

Description: found a Jenkins instance publicly accessible. An attacker can execute an arbitrary code .

I opened it and it was publicly accessible and the worst part was it didn’t have any authentication set over it. Jenkins likes to view all the people having access to Jenkins Instance /asynchPeople provides that,

/configureSecurity- for global configuration setting.

/configure- configuration mode

/Script- To execute the script/commands.

As you can see we have access to script console to execute commands.

You can execute the followings commands and many more if you want.

1. “ls /”.execute().text
2. string contentRead = new File(‘/etc/passwd’).getText(‘UTF-8’)

You can also open terminal, This allows you to execute commands directly and depending on the user privilege.

Impact

An attacker can execute and arbitrary code, can do any malicious activities.

Thank You for taking your time and reading this blog.

Happy Hunting!!!