
Jenkins: Remote Execution Via Malicious Jobs

This article is a follow-up to Unauthenticated: Jenkins Edition where we discussed the dangers of unauthenticated access to the /script and /credentials pages of Jenkins systems.

This article will focus on what an attacker can accomplish with low-privileged access to a Jenkins system, where the attacker does not have access to the /script and /credentials pages but can create projects or jobs (the two terms are synonymous).

What Are Jenkins Jobs?

Jenkins is an automation server – it automates various parts of the software development pipeline related to building, testing, and deploying software projects.

Jenkins defines a job or project as “a user-configured description of work which Jenkins should perform, such as building a piece of software, etc.” 

Jenkins jobs are how a user interacts with the Jenkins server to automate their software project.

Creating A Malicious Project

Attackers with the right access and privileges can create malicious jobs, or projects, to execute commands on the underlying operating system. 

The malicious operating system commands execute under the account that runs the Jenkins server, which is typically a high-privileged account such as root on a Unix system or Local Administrator on a Windows system. This can give an attacker remote access to the system, access to sensitive data, and more.

The first step to creating a malicious project is to select “New Item” and then “Create a job”:

Screenshot (White Oak Security): selecting “New Item” and then “Create a job” to start the malicious Jenkins project.

Next, enter a name for the project, select “Freestyle project”, and click OK:

Screenshot (White Oak Security): entering a project name and selecting “Freestyle project”.

Click on “Build”, then “Add build step”, and select “Execute shell” for a Linux system or “Execute Windows batch command” for a Windows system:

Screenshot (White Oak Security): adding an “Execute shell” or “Execute Windows batch command” build step under “Build”.

Insert a malicious command and click Save. In the screenshot below, the command opens a remote shell on a Unix-based Jenkins server:

Screenshot (White Oak Security): a build step containing a Python command that creates a remote shell on a Unix system.

The last step is to click “Build Now”, which executes the malicious project:

Screenshot (White Oak Security): clicking “Build Now” to execute the malicious project.

For this example, a Python reverse shell was executed to call back to a host I controlled, which provided remote access over the Jenkins system as root.

Screenshot (White Oak Security): the Python reverse shell successfully executed by the malicious Jenkins project.
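Every build step configured through the UI above is persisted by Jenkins as XML on the controller, which gives defenders a cheap audit point. The script below is an added example and is not code from White Oak Security: it parses the config.xml that Jenkins keeps for each freestyle job under $JENKINS_HOME/jobs/<name>/ and reports every “Execute shell” (hudson.tasks.Shell) or “Execute Windows batch command” (hudson.tasks.BatchFile) step, tagging the ones whose command matches a small indicator list. The sample config, the indicator list and the function names are constructed for illustration.

```python
"""Audit Jenkins freestyle job definitions for OS-command build steps."""
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Element names Jenkins writes into config.xml for the two build-step
# types shown in the walkthrough above.
COMMAND_BUILDERS = {
    "hudson.tasks.Shell": "Execute shell",
    "hudson.tasks.BatchFile": "Execute Windows batch command",
}

# Constructed indicator list: fragments that rarely belong in a legitimate
# build step but are typical of interactive or reverse shells.
SUSPICIOUS_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"/dev/tcp/",           # bash network redirection
        r"\bnc\b.*\s-e\b",      # netcat asked to spawn a program
        r"socket\.socket\(",    # raw sockets inside python -c one-liners
        r"\bbash\s+-i\b",       # interactive bash
        r"powershell.*-enc",    # encoded PowerShell command
    )
]

# Constructed sample config.xml in the shape Jenkins writes for a freestyle
# project: one ordinary test step, one suspicious step, one Windows step.
SAMPLE_CONFIG = """<project>
  <description>constructed sample</description>
  <builders>
    <hudson.tasks.Shell>
      <command>make test</command>
    </hudson.tasks.Shell>
    <hudson.tasks.Shell>
      <command>python3 -c "import socket,subprocess; s=socket.socket(); ..."</command>
    </hudson.tasks.Shell>
    <hudson.tasks.BatchFile>
      <command>msbuild app.sln /t:Build</command>
    </hudson.tasks.BatchFile>
  </builders>
  <publishers/>
</project>
"""


def audit_config(xml_text, job_name="<unnamed>"):
    """Return one finding per command-executing build step in a job config."""
    root = ET.fromstring(xml_text)
    findings = []
    for builder in root.iter():            # document order, depth first
        if builder.tag not in COMMAND_BUILDERS:
            continue
        command = (builder.findtext("command") or "").strip()
        hits = [p.pattern for p in SUSPICIOUS_PATTERNS if p.search(command)]
        findings.append({
            "job": job_name,
            "step": COMMAND_BUILDERS[builder.tag],
            "command": command,
            "suspicious": bool(hits),
            "indicators": hits,
        })
    return findings


def audit_jenkins_home(jenkins_home):
    """Walk $JENKINS_HOME/jobs/*/config.xml and audit every job found."""
    findings = []
    for config in sorted(Path(jenkins_home).glob("jobs/*/config.xml")):
        text = config.read_text(encoding="utf-8")
        findings.extend(audit_config(text, job_name=config.parent.name))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = audit_jenkins_home(sys.argv[1])   # real JENKINS_HOME path
    else:
        results = audit_config(SAMPLE_CONFIG, job_name="sample-job")
    for f in results:
        tag = "SUSPICIOUS" if f["suspicious"] else "review"
        print(f"[{tag}] {f['job']} / {f['step']}: {f['command']}")
```

Run it with the path to JENKINS_HOME to audit a live controller, or with no arguments to see it classify the constructed sample. Every command-executing step is reported, not only the flagged ones, because on a server where the Jenkins process runs as root any such step is worth a second look regardless of what it currently contains.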

Jenkins Authentication

Requiring authentication on every resource in your environment is a critical part of securing it.

If you have Jenkins servers deployed in your environment, ensure that authentication is required to access any portion of the application beyond the login screen. Additionally, disable new user registration from the login screen and remove build privileges from accounts that do not require them.

It may also be worthwhile to implement an audit program that regularly identifies Jenkins servers in your environment that do not have authentication properly configured. Tools like gowitness are great resources to help visually identify Jenkins servers by automating the process of taking screenshots of web pages in your environment based on open ports.
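The audit program suggested above can start from a simple, repeatable check. The script below is an added example and is not code from White Oak Security: for each base URL it requests /api/json without credentials and classifies the reply from the HTTP status and the X-Jenkins response header, so a Jenkins server that answers 200 with a job list to an anonymous request stands out from one that correctly answers 403. The host names, the canned responses used for the offline demo and the function names are constructed for illustration.

```python
"""Classify Jenkins hosts by whether anonymous read access is permitted."""
import json
import sys
import urllib.error
import urllib.request

# Verdict strings returned by classify().
NOT_JENKINS = "not-jenkins"
AUTH_REQUIRED = "jenkins: anonymous access denied (OK)"
ANON_READ = "jenkins: anonymous read access permitted (REVIEW)"
UNREACHABLE = "unreachable"


def classify(status, headers, body):
    """Turn one HTTP response to GET /api/json into an audit verdict.

    Jenkins adds an X-Jenkins header to its responses, so a missing header
    means the host is not Jenkins. A 401/403 means the anonymous user lacks
    Overall/Read; a 200 whose JSON body lists "jobs" means anyone who can
    reach the port can enumerate projects, which is worth reviewing.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if "x-jenkins" not in hdrs:
        return NOT_JENKINS
    if status in (401, 403):
        return AUTH_REQUIRED
    if status == 200:
        try:
            data = json.loads(body.decode("utf-8", errors="replace"))
        except ValueError:
            data = None
        if isinstance(data, dict) and "jobs" in data:
            return ANON_READ
    return f"jenkins: unexpected response {status}, review manually"


def probe(base_url, timeout=5.0):
    """Request /api/json without credentials and classify the reply."""
    url = base_url.rstrip("/") + "/api/json"
    req = urllib.request.Request(url, headers={"User-Agent": "jenkins-auth-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, dict(resp.headers.items()), resp.read())
    except urllib.error.HTTPError as err:          # 4xx/5xx still carry headers
        return classify(err.code, dict(err.headers.items()), err.read())
    except (urllib.error.URLError, OSError):
        return UNREACHABLE


# Constructed responses standing in for three hosts so the classifier can be
# exercised offline; the host names and version string are made up.
CONSTRUCTED_RESPONSES = {
    "http://ci-a.example.internal:8080": (
        200, {"X-Jenkins": "2.401.3", "Content-Type": "application/json"},
        b'{"_class":"hudson.model.Hudson","jobs":[{"name":"build-app"}]}'),
    "http://ci-b.example.internal:8080": (
        403, {"X-Jenkins": "2.401.3", "Content-Type": "text/html"},
        b"<html>Authentication required</html>"),
    "http://www.example.internal": (
        200, {"Server": "nginx"}, b"<html>corporate site</html>"),
}


def demo():
    """Classify the constructed responses; returns {url: verdict}."""
    return {url: classify(*resp) for url, resp in CONSTRUCTED_RESPONSES.items()}


if __name__ == "__main__":
    targets = sys.argv[1:]                     # base URLs of hosts to audit
    results = {t: probe(t) for t in targets} if targets else demo()
    for url, verdict in results.items():
        print(f"{url}: {verdict}")
```

Feed it the URLs that a port-scan or a gowitness run has identified as Jenkins candidates and schedule it; anything that comes back as ANON_READ is a server where the login screen is not actually gating access. The check is deliberately read-only: it never attempts to create an item or submit a build.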
