CVE-2024-43044 PoC — Jenkins 安全漏洞

Source

Associated Vulnerability

Description

Exploit for the vulnerability CVE-2024-43044 in Jenkins

Readme

## Intro
This is an exploit for CVE-2024-43044, an arbitrary file read that allows an agent to fetch files from the controller.

The exploit will use the vulnerability to read files to forge a remember-me cookie for an admin account and gain access to
Jenkins scripting engine.

Check out the full writeup at https://blog.convisoappsec.com/en/analysis-of-cve-2024-43044/

## Building the exploit
```
mvn package
```

## Running the exploit

```
Exploit Usages:
    java -jar exploit.jar mode_secret <jenkinsUrl> <nodeName> <nodeSecretKey>
    java -jar exploit.jar mode_attach <jenkinsUrl> <cmd>
    java -jar exploit.jar mode_attach <cmd>
```


## Testing 

You can test it in vulnerable version using docker:

```
docker run -p 8080:8080 -p 50000:50000 --restart=on-failure jenkins/jenkins:2.441-jdk17
```

Once you have a jenkins runnning, setup an agent.

The controller/agent connection can be either default (using url, nodename, secret) or via SSH.

## Demonstration

![RCE](./assets/rce_mode_secret.gif).


## References

https://www.jenkins.io/security/advisory/2024-08-07/

File Snapshot

 [4.0K]  /data/pocs/7d1f07faf66e00a513c66546506329f0e5328123
├── [4.0K]  assets
│   └── [2.9M]  rce_mode_secret.gif
├── [3.2K]  pom.xml
├── [1.1K]  README.md
└── [4.0K]  src
    └── [4.0K]  main
        └── [4.0K]  java
            └── [4.0K]  poc
                ├── [6.6K]  CookieForger.java
                ├── [4.1K]  FakeCookieForger.java
                ├── [5.6K]  Main.java
                ├── [8.9K]  PocListener.java
                ├── [1.2K]  RemoteFileReader.java
                ├── [6.3K]  ScriptConsole.java
                ├── [5.2K]  SystemUtils.java
                ├── [ 516]  UserInfo.java
                └── [4.3K]  UserParser.java

5 directories, 12 files

Remarks