Talk

Diving into JumpServer: The public key unlocking your whole network

April 25, 17:00 (CAMPUS)

JumpServer is an open-source jump host popular among Chinese companies. It acts as a central access point to internal services in a company network, making access control management and monitoring easier. Users can use a convenient Web UI or an SSH gateway to access servers via SSH, database connections, remote desktop protocols, and more. The credentials for these connections stay with JumpServer, preventing leaks to end users.

This makes JumpServer a valuable target for attackers. Compromising it would give attackers the necessary credentials and network access to also compromise internal services. This motivated us to search for issues in JumpServer. We discovered critical vulnerabilities that allow outside attackers to fully take over JumpServer.

After giving an overview of JumpServer’s microservice architecture, this talk shows the technical details and demos of the discovered vulnerabilities. We describe how the architecture led to multiple API issues that allow authentication bypasses using only an SSH public key. Then we venture into the SSH authentication protocol and how a custom SSH server in JumpServer was vulnerable. At the end, we combine the authentication bypass with the web terminal feature of JumpServer to gain code execution on the host system.

Speaker

Oskar Zeino-Mahmalat

Oskar Zeino-Mahmalat is part of the vulnerability research team at Sonar where he hunts for bugs in web applications. As a cybersecurity student, he is currently working on his Master's thesis about Flutter security. Oskar is also an active CTF player on his university team.
