EDB-ID: 41965 | Author: SecuriTeam | Published: 2017-05-05 | CVE: CVE-2017-1000353 | Type: Dos | Platform: Java | Aliases: N/A | Advisory/Source: Link | Tags: Denial of Service (DoS) | Vulnerable App: N/A |
Vulnerability Details
Jenkins is vulnerable to a Java deserialization vulnerability. In order to trigger the vulnerability two requests need to be sent.
The vulnerability can be found in the implementation of a bidirectional communication channel (over HTTP) which accepts commands.
The first request starts a session for the bi-directional channel and is used for “downloading” data from the server. The HTTP header “Session” is the identifier for the channel. The HTTP header “Side” specifies the “downloading/uploading” direction.
The second request is the sending component of the bidirectional channel. The first requests is blocked until the second request is sent. The request for a bidirectional channel is matched by the “Session” HTTP header which is just a UUID.
Proof of Concept
In order to exploit the vulnerability, an attacker needs to create a serialized payload with the command to execute by running the payload.jar script.
The second step is to change python script jenkins_poc1.py:
- Adjust target url in URL variable
- Change file to open in line “FILE_SER = open(“jenkins_poc1.ser”, “rb”).read()” to your payload file.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41965.zip
