CVE-2024-23897-RCE

CVE-2024-23897 is an arbitrary file read vulnerability through the CLI can lead to unauthenticated RCE

Vulnerability

the jenkins CLI uses the args4j library which has the feature to access a file's content by using @ following the path of file. which allows and attacker to read any file in the system, ** Attackers with Overall/Read permission can read entire files. ** Attackers without Overall/Read permission can read the first few lines of files

CONTACT ME:

fr3nta1@proton.me

get it here

Exploit Steps:

Our goal is to achieve unauthenticated code execution using this vulnerability, which is very straight if we don't consider the limitations which we mentioned above.

WHY?

we don't need to read any file more than the first 2 lines to get what we want (RCE).

EXPLOIT:

after analysing the possible ways, I can confirm that there are 3 possible and effictive ways of unauthenticated RCE, which doesn't need any special configuration of the jenkins server or installing any plugins, which means everything we need is in default installation.

• "remember me " cookie
• REDACTED
• REDACTED Note:

For jenkins installation on windows machine, there is a flaw which I didnt see anyone mentioning it, which you can bypass the restrictions of read permission.

I packed all these inside a simple python script which can trigger the vuln point and pops a reverse shell.

for the bypass of read permission restriction, I wrote a short topic about and a GOLANG script which can bypass the restriction and read entire file (ONLY WINDOWS INSTALLATION OF JENKINS).

as per my own research there are > 70k vulnerable instances out there, (>250k found jenkins and still scanning the internet)

get it here