Shodan + Jenkins to get RCEs on Servers

This is just a small article after small research done.

Throughout my time as freelance security researcher, I have noticed quite some report where researchers/hackers have found public Jenkins instances of companies that should not be public. Through this article, I wanted to share what could someone find if they had access to your “confidential” Jenkins Instance.

What is Jenkins?

The main page of Jenkins is here: https://jenkins.io/. Jenkins is an application that can be used to automate deployment of your projects/applications. This way every actions taken to update your project is synchronized and you can also see how the deployment went. It also helps you to scale large projects and make it easier for them to be managed.

What is the risk of having Jenkins instance public?

Before we go into assumption that having Jenkins instance public is bad, we need to understand that some of them can be intentional. Sometime companies keep them open for others to see different open sourced projects. So if you find a open Jenkins instance, it does not mean you have access to companies source code. In some cases you might have access, while in other cases it might just be an application use to show deployment of open source projects.

Now to the risk. There are multiple ways a unintentionally public made Jenkins can have severe risk to companies. Most of the unintentional Jenkins that I found during the research had source code of their application on it. This gave access to confidential information which included private keys to the APIs they used along with username and passwords for some of their services.

Having access to source code is most of the times a game over situation. Once an attacker has access to source code, he basically has advantage over your company. They now know your private keys which can give them access to other services of your own, check this HackerOne report for example: https://hackerone.com/reports/167859 This vulnerability in Zomato gave our researcher access to the source code of Zomato which eventually also had login information for SQL database.

What the hell is the RCE you mentioned?

This RCE technique is what have been known for quite a while. I want to use this blog as a way to highlight how this can be exploited. RCE = Remote code execution. This allows attacker to run command in the server and upload arbitrary files. As the title mentions, through Shodan you can find most-all open Jenkins instances that are public. While some might be intentional but other might not be. Some even have ability to run some sweet(for researchers & bitter for managers) commands.

Following is the small data gathered through Shodan:

There are about 49,488 and counting Jenkins instance and out of them about 7,301+ are publicly accessible.

Link to the reports: https://www.shodan.io/report/uLf5fCyi & https://www.shodan.io/report/6rzfAdW7

Now to the exploitation:

Exploitation of RCE under certain condition is an easier part. Similar to other CMS/apps if you have right to manage an app then you can understand that you have some type of privilege already. In such cases, conducting attacks just gets easier.

On Jenkins application, if you have a facility to Manage Application then you need to smile and relax because you might have just got a sweet RCE. After clicking Manage Jenkins go to Manage Plugins

Manage Plugins

Once you click that, click on the Available tab. This allows you to install available plugins to the application. Look for Terminal Plugin and install it.

Once you install that, as expected, it installs Terminal to the Jenkins App. This allows you to execute commands directly and depending on the user privilege, server and the kernel version of application, you can escalate the access.

Root access to website

Now we can easily just print /etc/passwd and execute more commands. Attached picture shows access as Root user which means you can basically do anything into the server. Creating files, updating external files and many more.