Jenkins, a well-known CI/CD server, is the most popular and widely used CI/CD application in the world! For red teamers, Jenkins is also the battlefield that everyone would like to control! It contains large amounts of source code, credentials and nodes, which could be the backdoor for further exploitation!
Due to its importance, we dove into Jenkins and found several INTERESTING vulnerabilities (7 of them got CVEs!). In this talk, we will introduce Jenkins' internals, mechanisms and an exploitation guideline, including dynamic routing misuse, meta-programming abuse and escaping from the Groovy sandbox. We will also give a full pre-auth remote code execution exploit chain!
By understanding this talk, the audience will learn how to build their own gadgets and hack Jenkins in an unusual way!
Orange Tsai (DEVCORE)
Cheng-Da Tsai, also known as Orange Tsai, is the principal security researcher of DEVCORE and a member of the CHROOT security group from Taiwan. He has spoken at conferences such as Black Hat USA/ASIA, DEF CON, HITCON, HITB, Hack.lu and CODEBLUE. He participates in numerous Capture-the-Flag (CTF) competitions, and is also the team captain of HITCON, which won 2nd place in DEF CON 22/25.
Currently, he is focusing on application security and 0day research. Orange enjoys finding vulnerabilities and participating in Bug Bounty Programs. He is enthusiastic about Remote Code Execution (RCE), and uncovered RCEs in several vendors, such as Facebook, Uber, Apple, GitHub, Amazon, Yahoo, Netflix and Imgur.
Twitter: @orange_8361
Blog: http://blog.orange.tw/