Jenkins 无限制 RCE 漏洞分析<\/h1>

漏洞概述<\/h2>
本文详细分析了 Jenkins 中一个无限制远程代码执行漏洞的利用链，该漏洞结合了 CVE-2018-1000861（动态路由越权调用）和 CVE-2019-1003000（Groovy 沙箱绕过）两个漏洞，最终实现了无需任何权限的远程代码执行。<\/p>

漏洞背景<\/h2>

Jenkins 在 2018-12-05 公布了一个动态路由越权调用漏洞（CVE-2018-1000861）<\/li>
2019-01-08 公布了 Pipeline 插件中 Groovy 沙箱绕过漏洞（CVE-2019-1003000）<\/li>

结合这两个漏洞可以实现无限制的 RCE<\/li> <\/ul>

技术分析<\/h2>

1. Stapler 动态路由机制<\/h3>

Jenkins 使用 Stapler 框架处理 HTTP 请求，其核心路由机制如下：<\/p>

根据 URL 路径逐级解析路由节点<\/li>
对每个节点，在继承家族树中查找匹配 11 种规则的函数<\/li>
匹配规则包括：getXxx、doXxx、jsXxx 等开头的函数<\/li>

通过反射调用匹配的函数，并将返回值作为下一个节点<\/li> <\/ol>

2. 路由访问限制绕过<\/h3>

Jenkins 实现了 StaplerProxy<\/code> 接口，会检查 READ<\/code> 权限：<\/p>

public<\/span> Object getTarget<\/span>()<\/span> {<\/span>
<\/span><\/span>    if<\/span> (!<\/span>hasPermission(<\/span>READ))<\/span> {<\/span>
<\/span><\/span>        throw<\/span> new<\/span> AccessDeniedException(<\/span>"需要整体\/读取权限"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> this<\/span>;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>但存在白名单路径 \/securityRealm<\/code> 可以绕过权限检查：<\/p>
private<\/span> static<\/span> final<\/span> Set<<\/span>String><\/span> ALWAYS_READABLE_PATHS =<\/span> ImmutableSet.<\/span>of<\/span>(<\/span>
<\/span><\/span>    "\/login"<\/span>,<\/span> "\/logout"<\/span>,<\/span> "\/accessDenied"<\/span>,<\/span> "\/adjuncts\/"<\/span>,<\/span> "\/error"<\/span>,<\/span> "\/oops"<\/span>,<\/span>
<\/span><\/span>    "\/signup"<\/span>,<\/span> "\/tcpSlaveAgentListener"<\/span>,<\/span> "\/federatedLoginService\/"<\/span>,<\/span> 
<\/span><\/span>    "\/securityRealm"<\/span>,<\/span> "\/instance-identity"<\/span>
<\/span><\/span>);<\/span>
<\/span><\/span><\/code><\/pre>3. 利用链构建<\/h3>
完整的利用链如下：<\/p>

访问 \/securityRealm<\/code>（白名单路径）<\/li>
返回 HudsonPrivateSecurityRealm<\/code> 类<\/li>
调用 getUser<\/code> 方法，返回 User<\/code> 类<\/li>
User<\/code> 类实现 DescriptorByNameOwner<\/code> 接口<\/li>
调用 getDescriptorByName<\/code> 方法，返回 Jenkins<\/code> 类<\/li>
最终获取任意 Descriptor<\/code> 实例<\/li>
<\/ol>
4. 寻找 RCE 点<\/h3>
通过分析官方补丁，发现 CpsFlowDefinition$DescriptorImpl<\/code> 是关键点：<\/p>
public<\/span> class<\/span> CpsFlowDefinition<\/span> extends<\/span> FlowDefinition {<\/span>
<\/span><\/span>    public<\/span> static<\/span> class<\/span> DescriptorImpl<\/span> extends<\/span> FlowDefinitionDescriptor {<\/span>
<\/span><\/span>        public<\/span> FormValidation doCheckScript<\/span>(<\/span>@QueryParameter<\/span> String value)<\/span> {<\/span>
<\/span><\/span>            \/\/ 处理 Groovy 脚本
<\/span><\/span><\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>5. Groovy 沙箱绕过<\/h3>
虽然 Pipeline 插件使用了 Groovy 沙箱，但存在多种绕过方式：<\/p>

使用 Grab 注解<\/strong>：<\/li>
<\/ol>
@Grab<\/span>(<\/span>'org.apache.commons:commons-collections4:4.0'<\/span>)<\/span>
<\/span><\/span>import<\/span> org.apache.commons.collections4.functors.*
<\/span><\/span><\/code><\/pre>
使用 ASTTest 注解<\/strong>：<\/li>
<\/ol>
def<\/span> x =<\/span> 1<\/span>
<\/span><\/span>@ASTTest<\/span>(<\/span>phase=<\/span>INSTRUCTION_SELECTION,<\/span> value={<\/span> 
<\/span><\/span>    assert<\/span> System.<\/span>exit<\/span>(<\/span>0<\/span>);<\/span> null<\/span> 
<\/span><\/span>})<\/span>
<\/span><\/span>def<\/span> y =<\/span> 2<\/span>
<\/span><\/span><\/code><\/pre>漏洞复现步骤<\/h2>

通过 \/securityRealm\/user\/[任意用户名]<\/code> 绕过权限检查<\/li>
调用 getDescriptorByName<\/code> 获取 CpsFlowDefinition$DescriptorImpl<\/code><\/li>
调用 doCheckScript<\/code> 方法并传入恶意 Groovy 脚本<\/li>
使用 Grab 或 ASTTest 注解绕过沙箱限制<\/li>
实现任意代码执行<\/li>
<\/ol>
防御措施<\/h2>

升级 Jenkins 到最新版本<\/li>
限制匿名用户权限<\/li>
禁用不必要的插件<\/li>
监控异常 Groovy 脚本执行<\/li>
<\/ol>
参考链接<\/h2>

Jenkins Security Advisory 2019-01-08<\/a><\/li>
Jenkins Security Advisory 2018-12-05<\/a><\/li>
Pipeline Plugin GitHub<\/a><\/li>
Hacking Jenkins Part1<\/a><\/li>
<\/ol>

Jenkins 无限制 RCE 漏洞分析<\/h1>

漏洞概述<\/h2> 本文详细分析了 Jenkins 中一个无限制远程代码执行漏洞的利用链，该漏洞结合了 CVE-2018-1000861（动态路由越权调用）和 CVE-2019-1003000（Groovy 沙箱绕过）两个漏洞，最终实现了无需任何权限的远程代码执行。<\/p>

技术分析<\/h2>

参考链接<\/h2> Jenkins Security Advisory 2019-01-08<\/a><\/li> Jenkins Security Advisory 2018-12-05<\/a><\/li> Pipeline Plugin GitHub<\/a><\/li> Hacking Jenkins Part1<\/a><\/li> <\/ol>

漏洞概述<\/h2>
本文详细分析了 Jenkins 中一个无限制远程代码执行漏洞的利用链，该漏洞结合了 CVE-2018-1000861（动态路由越权调用）和 CVE-2019-1003000（Groovy 沙箱绕过）两个漏洞，最终实现了无需任何权限的远程代码执行。<\/p>

参考链接<\/h2>

Jenkins Security Advisory 2019-01-08<\/a><\/li>
Jenkins Security Advisory 2018-12-05<\/a><\/li>
Pipeline Plugin GitHub<\/a><\/li>
Hacking Jenkins Part1<\/a><\/li> <\/ol>