From 876398da315bc51f213bdaf815362dabc50c4c8d Mon Sep 17 00:00:00 2001 From: Metasploit Date: Thu, 28 Mar 2024 15:47:57 -0500 Subject: [PATCH] automatic module_metadata_base.json update --- db/modules_metadata_base.json | 68 +++++++++++++++++++++++++++++++++++ 1 file changed, 68 insertions(+) diff --git a/db/modules_metadata_base.json b/db/modules_metadata_base.json index 58a6432ee6da..f36ce81a6cc5 100644 --- a/db/modules_metadata_base.json +++ b/db/modules_metadata_base.json @@ -22561,6 +22561,74 @@ ] }, + "auxiliary_gather/jenkins_cli_ampersand_arbitrary_file_read": { + "name": "Jenkins cli Ampersand Replacement Arbitrary File Read", + "fullname": "auxiliary/gather/jenkins_cli_ampersand_arbitrary_file_read", + "aliases": [ + + ], + "rank": 300, + "disclosure_date": "2024-01-24", + "type": "auxiliary", + "author": [ + "h00die", + "Yaniv Nizry", + "binganao", + "h4x0r-dz", + "Vozec" + ], + "description": "This module utilizes the Jenkins cli protocol to run the `help` command.\n The cli is accessible with read-only permissions by default, which are\n all thats required.\n\n Jenkins cli utilizes `args4j's` `parseArgument`, which calls `expandAtFiles` to\n replace any `@` with the contents of a file. We are then able to retrieve\n the error message to read up to the first two lines of a file.\n\n Exploitation by hand can be done with the cli, see markdown documents for additional\n instructions.\n\n There are a few exploitation oddities:\n 1. The injection point for the `help` command requires 2 input arguments.\n When the `expandAtFiles` is called, each line of the `FILE_PATH` becomes an input argument.\n If a file only contains one line, it will throw an error: `ERROR: You must authenticate to access this Jenkins.`\n However, we can pad out the content by supplying a first argument.\n 2. There is a strange timing requirement where the `download` (or first) request must get\n to the server first, but the `upload` (or second) request must be very close behind it.\n From testing against the docker image, it was found values between `.01` and `1.9` were\n viable. Due to the round trip time of the first request and response happening before\n request 2 would be received, it is necessary to use threading to ensure the requests\n happen within rapid succession.\n\n Files of value:\n * /var/jenkins_home/secret.key\n * /var/jenkins_home/secrets/master.key\n * /var/jenkins_home/secrets/initialAdminPassword\n * /etc/passwd\n * /etc/shadow\n * Project secrets and credentials\n * Source code, build artifacts", + "references": [ + "URL-https://www.jenkins.io/security/advisory/2024-01-24/", + "URL-https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/", + "URL-https://github.com/binganao/CVE-2024-23897", + "URL-https://github.com/h4x0r-dz/CVE-2024-23897", + "URL-https://github.com/Vozec/CVE-2024-23897", + "CVE-2024-23897" + ], + "platform": "", + "arch": "", + "rport": 8080, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2024-03-28 15:54:58 +0000", + "path": "/modules/auxiliary/gather/jenkins_cli_ampersand_arbitrary_file_read.rb", + "is_install_path": true, + "ref_name": "gather/jenkins_cli_ampersand_arbitrary_file_read", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + + ], + "SideEffects": [ + + ] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [ + + ] + }, "auxiliary_gather/jenkins_cred_recovery": { "name": "Jenkins Domain Credential Recovery", "fullname": "auxiliary/gather/jenkins_cred_recovery",