Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Jumpserver Preauth RCE Exploit Chain

Zhiniang Peng, posted 2 years ago
  • JumpServer is an open source privileged access management (PAM) system. A jump server is a host reachable from the outside world whose job is to broker access to sensitive systems on an internal network, so compromising this software is an extremely valuable target for attackers.
  • When looking at something for the first time, the authentication system is a great place to start, because any mistake there compromises the whole system. Password reset flows are an especially common target under this heading, since they grant a user access to an account without the original password; an implementation flaw in one is effectively an authentication bypass.
  • While scrutinizing the password reset flow (the standard pattern: generate a random number, send it by email, click the link, reset the password), they noticed it was using Python's `random` module, a Mersenne Twister generator. It is known NOT to be cryptographically secure, which is a red flag. Breaking it remotely is feasible in some scenarios (recovering the state needs a few hundred raw consecutive outputs), but a short reset code does not leak anywhere near enough. So, now what?
  • A deterministic (pseudo-)random number generator needs a starting value, otherwise known as a seed, and every later output is a function of that seed. So if you know the seed (and how many values have been drawn since), you can predict every number going forward, no matter how good the algorithm's statistical properties are. In a crazy turn of events, the author found a way to leak the seed.
  • The software uses a captcha to prevent brute force attacks. When the captcha library renders the image, it reseeds Python's global random state with the captcha's hex key. Since that key is sent back to the user, the attacker now knows the current seed. So, how do we actually exploit this? It feels very racy.
  • The author decided to spam the steps from a bunch of threads. First, call the captcha endpoint with a chosen hex key as the parameter to reset the random seed. Then, with that seed in place, trigger the reset code. Finally, submit several candidate codes for the positions in the output stream the generator is likely to be at. Since the server runs under Gunicorn, which uses a pre-fork worker model where each process has its own copy of the PRNG state, every worker had to be poisoned for this to work. In practice the attacker had to account for roughly 980 bytes of other PRNG output consumed after the seed, because other code draws from the same generator.
  • Overall, this is a crazy vulnerability. I've never seen a way to leak the seed by requesting other information. The post also contains a post-auth RCE but the password reset was my favorite part.
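To make the poisoning steps concrete, here is an added Python simulation of the pattern. This is not code from the post, from JumpServer or from the captcha library: it models a pool of pre-forked workers that each hold their own PRNG state, a captcha renderer that reseeds that state with the client-supplied key, and a reset code drawn from the same generator, beside the hardened form that has no seed to leak. The six-digit code format, the round-robin dispatch across workers, and the `getrandbits(32)` "noise" draws standing in for other consumers of the generator are assumptions for illustration.

```python
import random
import secrets


class Worker:
    """One pre-forked application process with its own copy of the
    module-level PRNG state. A random.Random instance stands in for
    Python's global `random` module, which each forked worker inherits
    and then mutates independently."""

    def __init__(self, noise_draws: int):
        self.rng = random.Random(secrets.token_bytes(32))  # unknown initial state
        self.noise_draws = noise_draws  # unrelated code that also pulls from the PRNG

    def render_captcha(self, captcha_key: str) -> None:
        # Vulnerable pattern: the captcha renderer reseeds the shared PRNG with
        # the captcha key, a value the requesting client already holds.
        self.rng.seed(captcha_key)

    def issue_reset_code(self) -> str:
        # Other consumers of the same generator run first (assumed: session
        # ids, nonces, ...), each consuming one 32-bit word.
        for _ in range(self.noise_draws):
            self.rng.getrandbits(32)
        # Assumed code format (not taken from the post): six decimal digits.
        return f"{self.rng.randint(0, 999999):06d}"


class Server:
    """Round-robin front end over N workers: the attacker cannot pick which
    worker serves a given request, so every worker must be poisoned."""

    def __init__(self, n_workers: int, noise_draws: int = 0):
        self.workers = [Worker(noise_draws) for _ in range(n_workers)]
        self._next = 0

    def _dispatch(self) -> Worker:
        w = self.workers[self._next % len(self.workers)]
        self._next += 1
        return w

    def get_captcha_image(self, captcha_key: str) -> None:
        self._dispatch().render_captcha(captcha_key)

    def request_password_reset(self) -> str:
        return self._dispatch().issue_reset_code()


def predict_codes(captcha_key: str, window: int) -> list:
    """Attacker model: replay the seed locally, then emit one candidate code
    per possible number of intervening 32-bit draws (0..window)."""
    candidates = []
    for skip in range(window + 1):
        rng = random.Random()
        rng.seed(captcha_key)  # same str seed -> same state in any process
        for _ in range(skip):
            rng.getrandbits(32)
        candidates.append(f"{rng.randint(0, 999999):06d}")
    return candidates


def run_attack(server: Server, captcha_key: str, poison_all: bool, window: int = 8) -> bool:
    """Poison every worker (or only one) via the captcha endpoint, trigger a
    reset, then check whether the real code is among the predicted candidates."""
    for _ in range(len(server.workers) if poison_all else 1):
        server.get_captcha_image(captcha_key)
    real_code = server.request_password_reset()
    return real_code in predict_codes(captcha_key, window)


def secure_reset_code() -> str:
    """Hardened form: draw from the OS CSPRNG via `secrets`; there is no
    application-visible seed, so nothing to leak or poison."""
    return f"{secrets.randbelow(10**6):06d}"


if __name__ == "__main__":
    key = "a1b2c3d4"  # constructed captcha key, the value a client would be handed
    print("all workers poisoned:", run_attack(Server(4, noise_draws=3), key, poison_all=True))
    print("one worker poisoned: ", run_attack(Server(4, noise_draws=3), key, poison_all=False))
    print("secure code:", secure_reset_code())
```

The two things to take from the simulation: the candidate window absorbs the "other randomness" drawn between the seed and the code, and poisoning a single worker fails whenever the reset request lands on a process whose generator the attacker never reseeded. The fix is not a better seed but a different source: tokens and codes come from `secrets` (or `random.SystemRandom`), and nothing in the code base ever calls `random.seed()` with a value a client can influence.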