JENKINS UNAUTHENTICATED REMOTE CODE EXECUTION
88 views
Skip to first unread message
Aurelien Ryo
Nov 17, 2016, 11:53:20 AM11/17/16
to Jenkins Users
Hello,
We are using Jenkins as service on windows server (I'm was not agree...).
I have followed process https://jenkins.io/blog/2015/11/06/mitigating-unauthenticated-remote-code-execution-0-day-in-jenkins-cli/
I executed the script into the script console on URL http://mywebsite/script with succes. Next step specified it's to add the script in $JENKINS_HOME/init.groovy.d/cli-shutdown.groovy , but I don't have folder "init.groovy.d" in my windows directory.
Do you know how can I process on windows server to force the script on jenkins restart ?
Thanks in advance
Aurélien
Daniel Beck
Nov 17, 2016, 3:39:59 PM11/17/16
to jenkins...@googlegroups.com
> On 17.11.2016, at 17:53, Aurelien Ryo <aurel...@gmail.com> wrote:
>
> I don't have folder "init.groovy.d" in my windows directory.
Aurelien Ryo
Nov 18, 2016, 3:36:58 AM11/18/16
to Jenkins Users, m...@beckweb.net
Hi Daniel,
I can create the folder, but are you sure it will be started automaticaly on windows service start ?
Thanks
Daniel Beck
Nov 18, 2016, 7:27:01 AM11/18/16
to jenkins...@googlegroups.com
> On 18.11.2016, at 09:36, Aurelien Ryo <aurel...@gmail.com> wrote:
>
> I can create the folder, but are you sure it will be started automaticaly on windows service start ?
jenkins.util.groovy.GroovyHookScript execute
The line below it will tell you that the Groovy script got executed.
Aurelien Ryo
Nov 18, 2016, 10:01:55 AM11/18/16
to Jenkins Users, m...@beckweb.net
Hi Daniel,
I have created the folder init.groovy.d and copied the file into, but after restart I can't find "jenkins.util.groovy.GroovyHookScript execute " in the jenkins log, even un full log. I also tried to upload the script in Scriptler.
Any idea ?
Thanks in advance
Aurélien
Daniel Beck
Nov 18, 2016, 10:44:40 AM11/18/16
to Jenkins Users
Which version of Jenkins is this? What is the full path to the groovy file, including its file name?
Aurelien Ryo
Nov 18, 2016, 11:04:47 AM11/18/16
to Jenkins Users, m...@beckweb.net
Daniel,
We have version 1.642.2, the full path of the script is E:\build_server\jenkins\scriptler\scripts\cli-shutdown.groovy.
Thanks in advance
Aurélien
Aurelien Ryo
Nov 21, 2016, 10:51:11 AM11/21/16
to Jenkins Users
Nobody have any idea ?
Daniel Beck
Nov 21, 2016, 11:30:22 AM11/21/16
to jenkins...@googlegroups.com
Repeating my previous response that I accidentally sent to you directly…
----
>
> On 18.11.2016, at 17:04, Aurelien Ryo <aurel...@gmail.com> wrote:
>
> the full path of the script is E:\build_server\jenkins\scriptler\scripts\cli-shutdown.groovy
That's not the path you should use.
https://github.com/jenkinsci-cert/SECURITY-218 explains how this works. Please read it again.
----
>
> On 18.11.2016, at 17:04, Aurelien Ryo <aurel...@gmail.com> wrote:
>
> the full path of the script is E:\build_server\jenkins\scriptler\scripts\cli-shutdown.groovy
https://github.com/jenkinsci-cert/SECURITY-218 explains how this works. Please read it again.
Aurelien Ryo
Nov 21, 2016, 11:43:59 AM11/21/16
to Jenkins Users, m...@beckweb.net
Hi Daniel,
I created $JENKINS_HOME/init.groovy.d/cli-shutdown.groovy but it not works.
Aurélien
Reply all
Reply to author
Forward
0 new messages