CVE-2016-9299 - Remote Code Execution via Unsafe Deserialization

[princechaddha]

Is there an existing template for this?

• I have searched the existing templates.

Template requests

Description:
The remoting module in Jenkins prior to version 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code by sending a crafted serialized Java object. This vulnerability triggers an LDAP query to a third-party server, enabling remote code execution.

Severity: Critical

POC:

• https://github.com/r00t4dm/Jenkins-CVE-2016-9299

References:

• OpenWall Discussion 1
• OpenWall Discussion 2
• SecurityFocus BID 94281
• Code White Presentation
• Jenkins Security Advisory 2016-11-16
• CloudBees Advisory

Shodan Query: http.favicon.hash:81586312

CPE:
cpe:2.3:a:jenkins:jenkins:::::lts:::*
cpe:2.3:a:jenkins:jenkins:::::-:::*
cpe:2.3:o:fedoraproject:fedora:25:::::::*

Anything else?

No response

[princechaddha]

/bounty $200

[hnd3884]

@princechaddha !Hi, is it required for template that can exploit? or you can accept the template that check vulnerable version?

[princechaddha]

@hnd3884, We only add templates with full POC in this repo. You can read more about the acceptance criteria here.

[hnd3884]

@princechaddha Is this template still valid for bounty? I went https://console.algora.io/org/projectdiscovery/bounties?status=open and still see this issue. In addition, i already have template for this, but i could not manage to use with interactsh-url because when i use {{interactsh-url}} to construct a variable like ldapurl: "ldap://{{interactsh-url}}:1389" it would not resolve variable and keeps braces as string

[princechaddha]

@hnd3884, We have added this CVE here. Let me close it on algora.