This article is a follow-up to Unauthenticated: Jenkins Edition where we discussed the dangers of unauthenticated access to the /script and /credentials pages of Jenkins systems.
This article will focus on what an attacker can accomplish with low-privileged access to a Jenkins system, where the attacker does not have access to the /script and /credentials pages but can create projects or jobs (the two are synonymous).
What Are Jenkins Jobs?
Jenkins is an automation server – it automates various parts of the software development pipeline related to building, testing, and deploying software projects.
Jenkins defines a job or project as “a user-configured description of work which Jenkins should perform, such as building a piece of software, etc.”
Jenkins jobs are how a user interacts with the Jenkins server to automate their software project.
Creating A Malicious Project
Attackers with the right access and privileges can create malicious jobs, or projects, to execute commands on the underlying operating system.
The malicious operating system commands will execute in the context of the account that runs the Jenkins server; typically this is a high-privileged account such as root on a Unix system or Local Administrator on a Windows system. This can lead to an attacker gaining remote access to the system, access to sensitive data, and more.
The first step to creating a malicious project is to select “New Item” and then “Create a job”:
Next, enter a name for the project, select “Freestyle project”, and click OK:
Under “Build”, click “Add build step” and select “Execute shell” for a Linux system or “Execute Windows batch command” for a Windows system:
Insert a malicious command and click Save. The command shown in the screenshot below will execute a remote shell on a Unix-based Jenkins server:
The last step is to click “Build Now” – which will execute the malicious project:
For this example, a Python reverse shell was executed to call back to a host I controlled, which provided remote access to the Jenkins system as root.
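To find jobs of this shape from the defender's side, the following added example (not from the original article or from the Jenkins project) parses a job's config.xml, the file Jenkins keeps for each job under JENKINS_HOME/jobs/<name>/config.xml, and flags the builder elements that the “Execute shell” and “Execute Windows batch command” steps produce. The sample XML, the job names and the token list are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Element names Jenkins writes into a job's config.xml for the two build steps the
# article walks through: "Execute shell" and "Execute Windows batch command".
COMMAND_BUILDERS = {
    "hudson.tasks.Shell": "Execute shell",
    "hudson.tasks.BatchFile": "Execute Windows batch command",
}

# Tokens typical of interpreter one-liners and callback tooling. A hit means
# "review this job", not "this job is malicious": legitimate builds use them too.
SUSPICIOUS_TOKENS = ("socket", "subprocess", "/dev/tcp/", "nc ", "powershell")

def find_command_steps(config_xml: str):
    """Return [(step_label, command_text)] for every shell/batch build step."""
    root = ET.fromstring(config_xml)
    steps = []
    for tag, label in COMMAND_BUILDERS.items():
        for builder in root.iter(tag):
            steps.append((label, (builder.findtext("command") or "").strip()))
    return steps

def audit_job(job_name: str, config_xml: str):
    """Return one finding per command build step, marking suspicious ones."""
    findings = []
    for label, cmd in find_command_steps(config_xml):
        hits = [t for t in SUSPICIOUS_TOKENS if t in cmd]
        findings.append({"job": job_name, "step": label, "command": cmd,
                         "suspicious": bool(hits), "hits": hits})
    return findings

# Constructed sample configs, not captured from a real server. The command in the
# first is a stand-in for the interpreter one-liner an attacker would save.
SHELL_JOB = """<project>
  <builders>
    <hudson.tasks.Shell>
      <command>python3 -c 'import socket,subprocess; PAYLOAD_REDACTED'</command>
    </hudson.tasks.Shell>
  </builders>
</project>"""

MAVEN_JOB = """<project>
  <builders>
    <hudson.tasks.Maven><targets>clean package</targets></hudson.tasks.Maven>
  </builders>
</project>"""
```

Running audit_job over every jobs/*/config.xml on a server (or over the XML returned by each job's config.xml URL, with appropriate credentials) gives an inventory of every job that can run OS commands, which is the population to review after tightening build permissions.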
Jenkins Authentication
Requiring authentication on all resources in your environment is a critical aspect of securing it.
If you have Jenkins servers deployed in your environment, ensure that authentication is required to access any portion of the application beyond the login screen. Additionally, disable new-user registration on the login screen and remove build privileges from accounts that do not need them.
It may also be worthwhile to implement an audit program that regularly identifies Jenkins servers in your environment that do not have authentication properly configured. Tools like gowitness help visually identify Jenkins servers by automatically taking screenshots of the web pages served on open ports in your environment.