Jenkins Remote Code Execution on Microsoft Instance

Hola Chicos! Yeah, I know my posts are delayed as I was flooded with other stuff. This is one of my effortless and cool hunts after the Rockstar Games AngularJS Sandbox Bypass.

After a few duplicates from the big tech giant Microsoft, I decided to hunt deep on their perimeter, as most internal servers are always left open with enormous bugs and patching is always delayed on internal applications.

Also, before beginning my hunt, I was surprised to see production-level RCEs on the HackerOne platform (@preben_ve and @nahamsec). So I decided to find an RCE issue on Microsoft servers.

Recon:

I started with my favorite search engine, Censys. What I've learned from my bug hunting experience is that it's all about how well we utilize the existing technology. I analysed the Censys search engine's requests and results. Based on common results, I formed a nice dork in Censys to fetch all vulnerable Jenkins instances from Microsoft Corporation only that are running on port 8080.

((jenkins) AND autonomous_system.description.raw: "MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation, US") AND protocols.raw: "8080/http"

The result was beautiful.

Yes, there are around 3.7k Microsoft instances running Jenkins Automation Server. But hold on: every instance is highlighting “Microsoft Corporation”, which means all these instances are under the Microsoft network, fine. But how many of these are Microsoft's own? So many other vendors/clients use the same network to host their own stuff, right? How to identify them?

Identify:

To identify that, I had only one option other than simply wasting time: make a sample report with any of the vulnerable Jenkins instances and wait for their reply.

Finally one day they replied.

This is the same as what I had expected earlier, but I did it with the intention of identifying real Microsoft servers. If you read the email you can observe one thing: “The list of Azure IP addresses can be found here”. It gave me an idea that maybe the IPs in that list belong to customers, so what if I found an instance which is not listed in this range?

Yes, it's a huge list, so identifying a vulnerable instance outside this big range is a difficult task. But I did it. I identified an instance which was not listed in this range.
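Checking a host against a published range list is easy to automate. The following is an added example (my own code, not from the original post); it assumes the published list has been flattened into plain CIDR strings and uses constructed documentation-only prefixes rather than the real Azure list, sorting hosts seen under the provider's network into "in customer space" versus "ownership unclear, follow up":

```python
import ipaddress

# Constructed sample of published cloud address prefixes (RFC 5737/3849
# documentation ranges, NOT the real Azure list). The example assumes the
# published list has already been flattened into plain CIDR strings.
SAMPLE_RANGES = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "2001:db8::/32"]


def build_networks(prefixes):
    """Parse CIDR strings into network objects, skipping malformed entries."""
    nets = []
    for prefix in prefixes:
        try:
            nets.append(ipaddress.ip_network(prefix.strip(), strict=False))
        except ValueError:
            continue  # one bad line in a big list must not abort the check
    return nets


def in_published_ranges(ip, networks):
    """True if ip falls inside any published prefix (IPv4 or IPv6)."""
    addr = ipaddress.ip_address(ip)
    # Membership across address families is simply False, so mixed lists work.
    return any(addr in net for net in networks)


def classify_hosts(hosts, networks):
    """Split hosts into (inside, outside, invalid) relative to the ranges.
    'outside' is the set to follow up: hosts seen under the provider's ASN
    that are not in the published customer space, so ownership is unclear."""
    inside, outside, invalid = [], [], []
    for host in hosts:
        try:
            bucket = inside if in_published_ranges(host, networks) else outside
        except ValueError:
            invalid.append(host)
            continue
        bucket.append(host)
    return inside, outside, invalid


if __name__ == "__main__":
    # Constructed candidate hosts; 10.20.30.40 is the one needing follow-up.
    candidates = ["192.0.2.10", "203.0.113.77", "10.20.30.40", "2001:db8::1", "not-an-ip"]
    inside, outside, invalid = classify_hosts(candidates, build_networks(SAMPLE_RANGES))
    print("inside:", inside, "\noutside (check ownership):", outside, "\ninvalid:", invalid)
```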

After navigating to this instance, it was like an open door waiting for me.

Here I can put any Groovy script to execute remote commands.

// Buffers that will receive the spawned process's stdout and stderr
def sout = new StringBuffer(), serr = new StringBuffer()
// Run a shell command on the Jenkins host
def proc = 'cat /etc/passwd'.execute()
proc.consumeProcessOutput(sout, serr)
// Wait up to 1000 ms for the command, then kill it if still running
proc.waitForOrKill(1000)
println "out> $sout err> $serr"

So after execution I can see the content of the /etc/passwd file.

This is enough PoC to make a report to Microsoft. So I made a quick report, and they responded like this.

Finally, they provided a Hall of Fame listing.

Timeline:

Reported — 25-10-2017
Triaged — 15-11-2017
Fixed — 27-Feb-2018

MrR3boot

An active bug hunter and exploit researcher. Reported several bugs to top tech giants like Microsoft, Google, Intel, US Dept. of Defense, etc. PHP lover. Blogger. Other than hacking, he loves travelling and exploring the world. Git-Ref: https://github.com/MrR3boot/
