Table of Contents
0x01 Introduction
0x02 Vulnerability Overview
0x03 Affected Versions
0x04 Environment Setup
0x05 Vulnerability Reproduction
0x06 Fix
0x01 Introduction
JumpServer is an open-source bastion host, an operations and maintenance (O&M) security audit system that provides identity authentication, authorization control, account management, security auditing and related functions, helping enterprises quickly build O&M security audit capabilities. It is delivered to enterprise users as an enterprise edition or as an all-in-one hardware/software appliance.
0x02 Vulnerability Overview
Vulnerability number: CVE-2023-42820
The root cause of the vulnerability is the leakage of a random-number seed. An unauthenticated attacker can use this to deduce the "reset password token" of any account that does not have multi-factor authentication (MFA) enabled, and then change that account's password.
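To illustrate the root cause described above, the following is an added example that is not JumpServer's code and not part of the original article. It contrasts a verification-code generator seeded from a value the client can observe (the vulnerable pattern) with one drawn from the operating system's CSPRNG via the `secrets` module (the hardened pattern). The function names `weak_verification_code`, `secure_verification_code` and `code_is_reproducible`, and the sample seed, are constructed for this illustration.

```python
import random
import secrets

CODE_LENGTH = 6


def weak_verification_code(seed: str) -> str:
    """Vulnerable pattern (constructed illustration, not JumpServer's code):
    the PRNG is seeded with a value that the client can observe, so anyone
    holding that value can regenerate the identical code offline."""
    rng = random.Random(seed)  # deterministic: same seed -> same digit sequence
    return "".join(str(rng.randint(0, 9)) for _ in range(CODE_LENGTH))


def secure_verification_code() -> str:
    """Hardened pattern: every digit comes from the OS CSPRNG, so there is no
    seed that could leak and no way to replay the generation."""
    return "".join(str(secrets.randbelow(10)) for _ in range(CODE_LENGTH))


def code_is_reproducible(seed: str) -> bool:
    """Return True when two independent generators fed the same seed agree,
    i.e. when the code is fully determined by the seed alone.  This is the
    property a reviewer should look for when auditing reset-code generation."""
    return weak_verification_code(seed) == weak_verification_code(seed)


if __name__ == "__main__":
    # Constructed sample seed in the shape of a hex digest (40 hex chars);
    # it is a placeholder, not a value taken from any real system.
    sample_seed = "0" * 40
    print("weak   :", weak_verification_code(sample_seed),
          "| reproducible from seed:", code_is_reproducible(sample_seed))
    print("secure :", secure_verification_code(),
          "| no seed exists to leak")
```

The check worth carrying into a code review is `code_is_reproducible`: if a reset code, token or captcha answer can be regenerated from any value that is sent to the browser (a captcha key, a timestamp, a user id), the value is not a secret and the code must instead be generated with `secrets` or an equivalent CSPRNG.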
0x03 Affected Versions
Affected versions: v2.24 – v3.6.4
0x04 Environment Setup
Build the environment with Docker using vulhub:
cd vulhub/jumpserver/CVE-2023-42820
docker-compose up -d
0x05 Vulnerability Reproduction
First, open the forgotten password page in the first tab of the browser:
http://your-ip:8080/core/auth/password/forget/previewing/
A verification code (captcha) is shown on this page.
If the verification code contains the number 10, refresh the verification code, because the script we are using cannot handle the number 10 at the moment.
If the verification code does not contain the number 10, right-click the verification code image and open it in a new tab.
The URL of the verification code in the new tab looks like http://your-ip:8080/core/auth/captcha/image/f6653774c319e128842bc9072180922e5ee21819/ and contains the captcha key (a SHA-1 hash string). This key is the seed used later for the pseudo-random numbers; record this value as seed.
Return to the first tab and refresh the page. The purpose of refreshing is to avoid using the verification code that corresponds to the seed, because that seed will be needed in the subsequent steps.
After refreshing the page, fill in the username and the verification code correctly and submit; the site redirects to the verification-code check page.
The URL of this page looks like http://localhost:8080/core/auth/password/forgot/?token=mf3L8YDLBK21Av9fq4mUpASU6q9ernjgcuWQ and contains a random token value. Record this value as token.
Use the script from vulhub:
https://github.com/vulhub/vulhub/blob/master/jumpserver/CVE-2023-42820/poc.py
The default administrator email account is [email protected]
python3 poc.py -t http://127.0.0.1:8080/ --email [email protected] --seed f6653774c319e128842bc9072180922e5ee21819 --token mf3L8YDLBK21Av9fq4mUpASU6q9ernjgcuWQ
Enter the verification code 452361; the password is reset successfully.
Successfully logged in
0x06 Fix
Upgrade to a secure version:
v2 branch: >= v2.28.19
v3 branch: >= v3.6.5
Original link: https://mp.weixin.qq.com/s/N2jfGxlDDX9lVF9fD-unYA