Open source utility automates and simplifies testing for known Jenkins exploits

Jenkins Attack Framework discovers vulnerabilities in popular CI/CD server software

Accenture has released Jenkins Attack Framework (JAF), a new tool aimed at pen testers and red teamers that can reveal ways in which the popular automation server can be abused.

Jenkins is an open source CI/CD pipeline that allows developers to rapidly build, test, and deploy their code. The DevOps tool often stores powerful credentials, proprietary code, and more.

“Historically, Jenkins is not securely configured by default,” JAF developer Shelby Spencer, formerly of Accenture, tells The Daily Swig. “It is often set up and maintained by developers and not security or IT personnel, so it is often a soft target.”




“If you ask any red team or pen tester what their 10 most common targets are in an environment, most of them would list Jenkins in that list – and yet there are no all-in-one tools for attacking Jenkins that I could find.”

The tool automates and simplifies many common Jenkins attacks and introduces some that may not be well known, Spencer said.

Just the job

The most distinctive feature of the Jenkins Attack Framework, says Spencer, is the ability to dump credentials using only the ‘Create Job’ feature.

“By default, Jenkins shares stored credentials with all users,” the developer said.

“Many attackers are familiar with dumping credentials via the Groovy Console as an admin, but it is also possible to do this as a normal user in a normal job – you just have to list all the credentials out one-by-one in your job (which was laborious), then obfuscate them, or Jenkins will redact them in the log.

“My tool automates this attack, and it works no matter the operating system of the Jenkins slave.”
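From the defender's side, the job-based credential access described above can be reviewed by auditing which stored credentials each job definition refers to. The following is an added example, not part of the original article or of JAF: it reads job `config.xml` content and flags jobs that reference many credentials or ones outside an expected set. The job names, credential IDs, allow-list and threshold are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample job definitions (not taken from any real Jenkins instance).
NORMAL_JOB = """<project><scm class="hudson.plugins.git.GitSCM"><userRemoteConfigs>
  <hudson.plugins.git.UserRemoteConfig>
    <credentialsId>git-deploy-key</credentialsId>
  </hudson.plugins.git.UserRemoteConfig>
</userRemoteConfigs></scm></project>"""
BROAD_JOB = """<flow-definition><definition><script>withCredentials([
  string(credentialsId: 'aws-prod-key', variable: 'A'),
  string(credentialsId: 'npm-publish-token', variable: 'B'),
  string(credentialsId: 'db-admin-password', variable: 'C')]) { sh 'make' }
</script></definition></flow-definition>"""

# Matches credentialsId: 'x' as written in pipeline script text.
PIPELINE_REF = re.compile(r"""credentialsId\s*:\s*['"]([^'"]+)['"]""")

def referenced_credentials(config_xml):
    """Return the set of credential IDs a job definition refers to."""
    root = ET.fromstring(config_xml)
    # <credentialsId> elements appear in SCM and credentials-binding config.
    ids = {el.text.strip() for el in root.iter("credentialsId") if el.text}
    # Pipeline jobs carry their references inside the <script> text.
    for script in root.iter("script"):
        ids.update(PIPELINE_REF.findall(script.text or ""))
    return ids

def audit_jobs(jobs, allowed, max_ids=2):
    """Flag jobs referencing more than max_ids credentials or unexpected ones."""
    findings = {}
    for name, xml_text in jobs.items():
        ids = referenced_credentials(xml_text)
        unexpected = ids - allowed.get(name, set())
        if len(ids) > max_ids or unexpected:
            findings[name] = sorted(unexpected)
    return findings

# Hypothetical inventory: job name -> config.xml text, and per-job allow-list.
JOBS = {"app-build": NORMAL_JOB, "tmp-test": BROAD_JOB}
ALLOWED = {"app-build": {"git-deploy-key"}, "tmp-test": {"git-deploy-key"}}

if __name__ == "__main__":
    for job, extra in audit_jobs(JOBS, ALLOWED).items():
        print(f"{job}: unexpected credential references {extra}")
```

This covers only credential IDs written literally in a job definition; scoping credentials to folders rather than storing them globally limits what any single job can reach in the first place.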

Going further

The tool can also launch what Spencer terms ‘ghost jobs’ – jobs that run on a Jenkins slave that don’t show up in the Jenkins console, and can execute indefinitely in the background.

This means that an operator with the relatively limited privileges of ‘create job’ and ‘run job’ can potentially set up long-running socks, proxies, or shells on a Jenkins slave that aren’t visible within Jenkins.




“I expect and hope that the tool will see wide use and adoption by the red team/pen testing community,” says Spencer.

“I have been using it extensively for over a year on engagements, as have all my buddies at my prior employer, Accenture.”

“I think the tool also has some valuable features for normal Jenkins users as well, such as the feature that allows the dumping of all Jenkins build logs. I hope that the community provides feedback and feature requests.”

