Source: https://blogs.securiteam.com/index.php/archives/3171

Vulnerability Details

Jenkins is vulnerable to a Java deserialization vulnerability. In order to trigger the vulnerability, two requests need to be sent.
The vulnerability can be found in the implementation of a bidirectional communication channel (over HTTP) which accepts commands.
The first request starts a session for the bidirectional channel and is used for "downloading" data from the server. The HTTP header "Session" is the identifier for the channel. The HTTP header "Side" specifies the direction ("download" or "upload").
The second request is the sending ("upload") component of the bidirectional channel. The first request is blocked until the second request is sent. The two requests of a channel are matched only by the "Session" HTTP header, which is just a UUID.
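The pairing rule described above (two requests, one per side, tied together by nothing more than a UUID in the "Session" header) is also what a defender can key on. The following is an added example, not code from the advisory or from Jenkins: it walks a set of request records, as a reverse proxy or full-request log might produce them, and groups requests by their Session UUID so that established channels and dangling download-side requests can be reported. The sample requests are constructed for the example, and the request path in them is a placeholder, not a path taken from the advisory.

```python
import uuid
from dataclasses import dataclass, field

# Constructed sample of HTTP request records (method, path, headers) in the
# shape a reverse proxy or full-request log might record. They are not
# captured from a real Jenkins instance, and "/placeholder" is an assumed
# path used only for illustration.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/placeholder",
     "headers": {"Session": "8c6d6a6e-9f3b-4c1e-a1f4-0d2a9b3c5e77", "Side": "download"}},
    {"method": "GET", "path": "/",
     "headers": {"User-Agent": "curl/7.64.1"}},
    {"method": "POST", "path": "/placeholder",
     "headers": {"Session": "8c6d6a6e-9f3b-4c1e-a1f4-0d2a9b3c5e77", "Side": "upload",
                 "Content-Length": "4096"}},
    {"method": "POST", "path": "/placeholder",
     "headers": {"session": "3F0E2B9A-1C4D-4E8F-9A7B-6C5D4E3F2A10", "side": "DOWNLOAD"}},
    {"method": "POST", "path": "/placeholder",
     "headers": {"Session": "not-a-uuid", "Side": "upload"}},
]


@dataclass
class ChannelSession:
    """All requests seen for one Session UUID, split by Side."""
    session_id: str
    download: list = field(default_factory=list)  # indices of download-side requests
    upload: list = field(default_factory=list)    # indices of upload-side requests

    @property
    def complete(self):
        # Both halves seen: the blocking download request was unblocked by an upload.
        return bool(self.download) and bool(self.upload)


def _header(headers, name):
    """Case-insensitive header lookup; HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def canonical_uuid(value):
    """Return the lowercase canonical form of a UUID string, or None if invalid."""
    try:
        return str(uuid.UUID(str(value)))
    except (ValueError, AttributeError, TypeError):
        return None


def group_channel_requests(requests):
    """
    Group requests that carry the channel headers by their Session UUID.
    Returns (sessions, malformed): sessions maps canonical session id to a
    ChannelSession; malformed lists (index, reason) for requests that set
    the headers with values the channel would not accept.
    """
    sessions = {}
    malformed = []
    for idx, req in enumerate(requests):
        headers = req.get("headers", {})
        raw_session = _header(headers, "Session")
        raw_side = _header(headers, "Side")
        if raw_session is None and raw_side is None:
            continue  # ordinary traffic, not a channel request
        if raw_session is None or raw_side is None:
            malformed.append((idx, "Session and Side must both be present"))
            continue
        session_id = canonical_uuid(raw_session)
        if session_id is None:
            malformed.append((idx, "Session is not a UUID"))
            continue
        side = raw_side.lower()
        if side not in ("download", "upload"):
            malformed.append((idx, "Side must be download or upload"))
            continue
        sess = sessions.setdefault(session_id, ChannelSession(session_id))
        getattr(sess, side).append(idx)
    return sessions, malformed


def find_established_channels(requests):
    """Session ids for which both the download and the upload request were seen."""
    sessions, _ = group_channel_requests(requests)
    return sorted(s.session_id for s in sessions.values() if s.complete)


def find_dangling_downloads(requests):
    """Download-side requests with no matching upload: a server-side request
    left blocked, which is worth reporting on its own."""
    sessions, _ = group_channel_requests(requests)
    return sorted(s.session_id for s in sessions.values()
                  if s.download and not s.upload)


if __name__ == "__main__":
    print("established:", find_established_channels(SAMPLE_REQUESTS))
    print("dangling:", find_dangling_downloads(SAMPLE_REQUESTS))
    print("malformed:", group_channel_requests(SAMPLE_REQUESTS)[1])
```

Header names and the Side value are compared case-insensitively and the Session value is canonicalised through uuid.UUID, so an upload whose headers differ only in case from its download still pairs with it; a Session value that is not a UUID is reported separately rather than silently dropped.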
Proof of Concept

To exploit the vulnerability, an attacker first creates a serialized payload containing the command to execute by running the payload.jar script.
The second step is to edit the Python script jenkins_poc1.py:
- Adjust the target URL in the URL variable.
- Change the file opened in the line FILE_SER=open("jenkins_poc1.ser", "rb").read() to your payload file.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41965.zip