Jenkins, also referred to as the DevOps Butler, is an open source automation server used to accelerate the software delivery process. It is now widely considered the de facto standard among open source continuous integration tools. For many organizations, Jenkins effectively acts as the DevOps engine, covering everything from source code management to delivering code to production. Jenkins is an indispensable part of technology stacks around the world; Facebook, Netflix, Lyft, eBay and LinkedIn are examples of very large organizations that use Jenkins in their DevOps stacks.
During our research of the Jenkins software we discovered several interesting vulnerabilities, six of which received CVE identifiers. In this talk we focus mainly on two of them. Combined, the two create a security hole that allows anonymous (completely unauthenticated) attackers to take over Jenkins and gain full administrative privileges by sending specially crafted HTTP requests to the Jenkins master.
This lets anyone log in to Jenkins as an administrator and gain complete control of the entire Jenkins infrastructure, including access to credentials and source code. Although these issues have been fixed, thousands of Jenkins servers remain unpatched and therefore still vulnerable.
In this talk we will describe in detail the code reverse-engineering process that led us to discover these vulnerabilities, and how we exploited them to trip the Jenkins global security switch OFF and gain control over the entire Jenkins infrastructure.
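The "security switch" referred to above is the global security setting that Jenkins persists in `$JENKINS_HOME/config.xml` as `<useSecurity>`, alongside the configured `securityRealm` and `authorizationStrategy`. An operator who wants to confirm that a master has not been left (or flipped) into the unsecured state can audit that file directly. The following checker is an added example written for this page, not code from the talk or from the Jenkins project; the two embedded config fragments are constructed samples that follow the element and class names Jenkins writes, and the function name `audit_jenkins_config` is this example's own.

```python
import sys
import xml.etree.ElementTree as ET

# Class names Jenkins writes to config.xml when global security is disabled.
UNSECURED_AUTHZ = "hudson.security.AuthorizationStrategy$Unsecured"
NO_SECURITY_REALM = "hudson.security.SecurityRealm$None"


def audit_jenkins_config(config_xml: str) -> list[str]:
    """Return a list of findings describing why the Jenkins config is unsafe.

    An empty list means the global security switch is on, an authentication
    realm is configured and anonymous users are not granted access.
    config.xml is the master's own file, so the stdlib parser is acceptable;
    use defusedxml if you ever feed this untrusted input.
    """
    root = ET.fromstring(config_xml)
    findings = []

    # The global security switch itself.
    use_security = (root.findtext("useSecurity") or "").strip().lower()
    if use_security != "true":
        findings.append("useSecurity is not true: the global security switch is OFF")

    # Authorization: who is allowed to do what once the switch is on.
    authz = root.find("authorizationStrategy")
    if authz is None or authz.get("class") == UNSECURED_AUTHZ:
        findings.append("authorizationStrategy is Unsecured: anyone has full control")
    elif (authz.findtext("denyAnonymousReadAccess") or "").strip().lower() == "false":
        findings.append("anonymous read access is allowed")

    # Authentication: where user identities come from.
    realm = root.find("securityRealm")
    if realm is None or realm.get("class") == NO_SECURITY_REALM:
        findings.append("securityRealm is None: no authentication is configured")

    return findings


# Constructed sample: a master with security enabled and anonymous read denied.
SECURE_CONFIG = """<?xml version='1.1' encoding='UTF-8'?>
<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>true</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
</hudson>
"""

# Constructed sample: the state a master is in once the security switch is OFF.
DISABLED_CONFIG = """<?xml version='1.1' encoding='UTF-8'?>
<hudson>
  <useSecurity>false</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
  <securityRealm class="hudson.security.SecurityRealm$None"/>
</hudson>
"""


def main(argv: list[str]) -> int:
    """Usage: audit.py /var/lib/jenkins/config.xml (path is an assumption)."""
    if len(argv) != 2:
        print("usage: audit.py <path-to-config.xml>", file=sys.stderr)
        return 2
    with open(argv[1], encoding="utf-8") as fh:
        findings = audit_jenkins_config(fh.read())
    for finding in findings:
        print("FINDING:", finding)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the master's real `config.xml` as part of a periodic configuration check; a non-zero exit (any finding) means the instance is accepting unauthenticated callers, whether by an administrator's mistake or because something tripped the switch.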