CVE-2023-42820: JumpServer password reset vulnerability

Table of Contents

0x01 Introduction

0x02 Vulnerability Overview

0x03 Affected Versions

0x04 Environment Setup

0x05 Vulnerability Reproduction

0x06 Remediation


0x01 Introduction

JumpServer is an open source bastion host: an operations and maintenance (O&M) security audit system that provides identity authentication, authorization control, account management, security auditing and related functions, helping enterprises build O&M security audit capabilities quickly. Its open source, value-added O&M security audit solution is delivered to enterprise users as an enterprise edition or as an all-in-one hardware and software appliance.

0x02 Vulnerability Overview

Vulnerability number: CVE-2023-42820

The root cause is a leaked pseudo-random number seed. An unauthenticated attacker can use it to derive the password reset token of an account that does not have multi-factor authentication (MFA) enabled, and then change that account's password.
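To make the root cause concrete, here is a constructed Python model of the flaw class (added here; it is not JumpServer's or vulhub's code): a captcha renderer that reseeds the module-level `random` generator with the public captcha key, a reset code drawn from that same generator, a regression check a reviewer can run, and the `secrets`-based hardened form. Function names and the six-digit code format are assumptions; the captcha key is the one from the reproduction steps below.

```python
import random
import secrets

CODE_LEN = 6  # assumed length of the e-mail verification code


def render_captcha(captcha_key: str) -> None:
    """Vulnerable pattern: the image renderer reseeds the process-wide PRNG
    with the captcha key, a value the browser fetched in a URL, i.e. public."""
    random.seed(captcha_key)


def issue_reset_code_insecure() -> str:
    """Vulnerable pattern: the verification code is drawn from that same
    shared generator, so it is a pure function of the public captcha key."""
    return "".join(str(random.randint(0, 9)) for _ in range(CODE_LEN))


def issue_reset_code_secure() -> str:
    """Hardened form: secrets uses the OS CSPRNG, has no seed and cannot be
    reseeded by an unrelated code path such as the captcha renderer."""
    return "".join(str(secrets.randbelow(10)) for _ in range(CODE_LEN))


def reproducible_from_key(issue_code, captcha_key: str, trials: int = 3) -> bool:
    """Reviewer's regression check: render the captcha for the same key several
    times and issue a code after each. A single distinct code means the reset
    code is predictable from the captcha URL; several distinct codes means not."""
    codes = set()
    for _ in range(trials):
        render_captcha(captcha_key)
        codes.add(issue_code())
    return len(codes) == 1


if __name__ == "__main__":
    key = "f6653774c319e128842bc9072180922e5ee21819"  # captcha key seen in the image URL
    print("insecure code predictable:", reproducible_from_key(issue_reset_code_insecure, key))
    print("secure code predictable:  ", reproducible_from_key(issue_reset_code_secure, key))
```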

0x03 Affected Versions

Affected versions: v2.24 – v3.6.4

0x04 Environment Setup

Bring up the vulhub environment with Docker:

cd vulhub/jumpserver/CVE-2023-42820
docker-compose up -d

0x05 Vulnerability Reproduction

First, open the forgot-password page in the first browser tab:

http://your-ip:8080/core/auth/password/forget/previewing/

The page shows a captcha at this point.

  • If the captcha contains the number 10, refresh it: the script used here cannot handle the number 10 at the moment.

  • If the captcha does not contain the number 10, right-click the captcha image and open it in a new tab.

The captcha URL in the new tab looks like http://your-ip:8080/core/auth/captcha/image/f6653774c319e128842bc9072180922e5ee21819/. The last path component is the captcha key (a SHA-1 hash string), which is also the seed of the pseudo-random numbers generated later. Record this value as seed.

Return to the first tab and refresh the page. The refresh is so that you do not submit the captcha belonging to the recorded seed, because that seed is needed in the following steps.

After refreshing, fill in the username and the captcha correctly and submit; you are redirected to the verification-code page.

The URL of this page now looks like http://localhost:8080/core/auth/password/forgot/?token=mf3L8YDLBK21Av9fq4mUpASU6q9ernjgcuWQ and contains a random token value. Record this value as token.

Use the PoC script from vulhub:

https://github.com/vulhub/vulhub/blob/master/jumpserver/CVE-2023-42820/poc.py

The default administrator email account is [email protected]

python3 poc.py -t http://127.0.0.1:8080/ --email [email protected] --seed f6653774c319e128842bc9072180922e5ee21819 --token mf3L8YDLBK21Av9fq4mUpASU6q9ernjgcuWQ

Enter the verification code (452361 in this run); the password reset succeeds.

Logged in successfully.

0x06 Remediation

Upgrade to a fixed version:

v2 branch: >= v2.28.19

v3 branch: >= v3.6.5

Original link: https://mp.weixin.qq.com/s/N2jfGxlDDX9lVF9fD-unYA
