{ "Name": "Jenkins unauthenticated RCE (CVE-2017-1000353)", "Description": "An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java SignedObject object to the remoting-based Jenkins CLI, that would be deserialized using a new ObjectInputStream, bypassing the existing blacklist-based protection mechanism.", "Product": "Jenkins", "Homepage": "https://jenkins.io/", "DisclosureDate": "2017-04-26", "Author": "LubyRuffy", "FofaQuery": "app=\"Jenkins\"", "GobyQuery": "app=\"Jenkins\"", "Level": "3", "Impact": "CVE-2017-1000353: an unauthenticated attacker who can reach the remoting-based Jenkins CLI could execute arbitrary code on the Jenkins master. CVE-2019-1003000 (also listed in CVEIDs): this allowed users with Overall/Read permission, or able to control Jenkinsfile or sandboxed Pipeline shared library contents in SCM, to bypass the sandbox protection and execute arbitrary code on the Jenkins master.", "GifAddress": " https://raw.githubusercontent.com/gobysec/GobyVuls/master/Jenkins/CVE-2017-1000353/jenkins_CVE-2018-1000353.gif", "Recommandation": "Upgrade Jenkins core and the affected plugins to the fixed versions named in the vendor advisories listed in References (https://jenkins.io/security/advisory/2017-04-26/ and https://jenkins.io/security/advisory/2019-01-08/). Until the upgrade is applied, disable the remoting-based CLI or restrict network access to the /cli endpoint to trusted hosts.", "References": [ "http://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html", "https://github.com/orangetw/awesome-jenkins-rce-2019", "https://nvd.nist.gov/vuln/detail/CVE-2019-1003000", "https://jenkins.io/security/advisory/2019-01-08/#SECURITY-1266", "http://packetstormsecurity.com/files/152132/Jenkins-ACL-Bypass-Metaprogramming-Remote-Code-Execution.html", "http://www.rapid7.com/db/modules/exploit/multi/http/jenkins_metaprogramming", "https://access.redhat.com/errata/RHBA-2019:0326", "https://access.redhat.com/errata/RHBA-2019:0327", "https://www.exploit-db.com/exploits/46453/", "https://www.exploit-db.com/exploits/46572/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003000", "http://www.securityfocus.com/bid/98056", "https://jenkins.io/security/advisory/2017-04-26/", "https://www.exploit-db.com/exploits/41965/", "https://nvd.nist.gov/vuln/detail/CVE-2017-1000353", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000353" ], "HasExp": true, "ExpParams": [ { "name": "AttackType", "type": "select", "value": 
"cmd,goby_shell_linux" }, { "Name": "cmd", "Type": "input", "Value": "whoami" } ], "ExpTips": { "Type": "", "Content": "" }, "ScanSteps": [ "AND", { "Request": { "data": "", "data_type": "text", "follow_redirect": false, "header": { "Accept": "*/*", "Connection": "close", "Content-Length": "1", "Content-type": "application/x-www-form-urlencoded", "Session": "629fc0be-cd1c-4feb-8f11-4a15341153ce", "Side": "download" }, "method": "POST", "uri": "/cli" }, "ResponseTest": { "checks": [ { "bz": "", "operation": "==", "type": "item", "value": "200", "variable": "$code" }, { "bz": "", "operation": "not contains", "type": "item", "value": "winstone", "variable": "$head" }, { "bz": "", "operation": "contains", "type": "item", "value": "Starting HTTP duplex channel", "variable": "$body" } ], "operation": "AND", "type": "group" }, "SetVariable": [] } ], "ExploitSteps": null, "Tags": [ "rce" ], "CVEIDs": [ "CVE-2019-1003000", "CVE-2017-1000353" ], "CVSSScore": "9.8", "AttackSurfaces": { "Application": null, "Support": null, "Service": null, "System": null, "Hardware": null } }