
CVE-2023-36844 PoC — Junos OS: EX Series: A PHP vulnerability in J-Web allows an unauthenticated attacker to control important environment variables

Associated Vulnerability

Title: Junos OS: EX Series: A PHP vulnerability in J-Web allows an unauthenticated attacker to control important environment variables (CVE-2023-36844)

Description: A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to control certain, important environment variables. Using a crafted request an attacker is able to modify certain PHP environment variables leading to partial loss of integrity, which may allow chaining to other vulnerabilities.

This issue affects Juniper Networks Junos OS on EX Series:

- All versions prior to 20.4R3-S9;
- 21.1 versions 21.1R1 and later;
- 21.2 versions prior to 21.2R3-S7;
- 21.3 versions prior to 21.3R3-S5;
- 21.4 versions prior to 21.4R3-S5;
- 22.1 versions prior to 22.1R3-S4;
- 22.2 versions prior to 22.2R3-S2;
- 22.3 versions prior to 22.3R3-S1;
- 22.4 versions prior to 22.4R2-S2, 22.4R3;
- 23.2 versions prior to 23.2R1-S1, 23.2R2.
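The affected-version list above is awkward to check by hand because every Junos release train has its own fix point, and 22.4 and 23.2 each list two. The helper below is an added example, not part of the PoC or of any Juniper tooling: it transcribes the EX Series list above into a table and decides whether a given version string is affected. The version grammar it accepts (`MAJOR.MINOR` `R<release>` `[-S<service>]` `[.patch]`) and the rule that a release is fixed once it is at or past the earliest fix listed for its train are assumptions made for the example. Trains the advisory does not mention are reported as unknown rather than safe, and the SRX Series list is different, so do not reuse this table for SRX.

```python
import re
from typing import Dict, List, Optional, Tuple

Branch = Tuple[int, int]   # (major, minor), e.g. (21, 4) for the 21.4 train
Release = Tuple[int, int]  # (R number, S number), e.g. (3, 5) for R3-S5

# Fix points transcribed from the EX Series list above. A version on one of
# these trains is affected when it is older than the earliest fix listed for
# the train (22.4 and 23.2 each list a service release on an older R and the
# following R; anything at or past the earlier one is fixed).
FIXED: Dict[Branch, List[Release]] = {
    (20, 4): [(3, 9)],
    (21, 2): [(3, 7)],
    (21, 3): [(3, 5)],
    (21, 4): [(3, 5)],
    (22, 1): [(3, 4)],
    (22, 2): [(3, 2)],
    (22, 3): [(3, 1)],
    (22, 4): [(2, 2), (3, 0)],
    (23, 2): [(1, 1), (2, 0)],
}
# "21.1 versions 21.1R1 and later": the whole train is affected, no fix listed.
NO_FIX_BRANCHES = {(21, 1)}
# "All versions prior to 20.4R3-S9": every train older than 20.4 is affected.
OLDEST_LISTED_BRANCH: Branch = (20, 4)

# Assumed version grammar for this example: MAJOR.MINOR R<release> [-S<service>] [.patch].
VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)R(?P<release>\d+)(?:-S(?P<service>\d+))?(?:\.\d+)?$",
    re.IGNORECASE,
)


def parse_junos_version(version: str) -> Tuple[Branch, Release]:
    """Split '21.4R3-S4.9' into ((21, 4), (3, 4)); a missing -S part counts as S0."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version string: {version!r}")
    branch = (int(m["major"]), int(m["minor"]))
    release = (int(m["release"]), int(m["service"] or 0))
    return branch, release


def is_affected(version: str) -> Optional[bool]:
    """True = affected, False = at or past a listed fix, None = train not in the advisory."""
    branch, release = parse_junos_version(version)
    if branch < OLDEST_LISTED_BRANCH or branch in NO_FIX_BRANCHES:
        return True
    fixes = FIXED.get(branch)
    if fixes is None:
        return None
    return release < min(fixes)


if __name__ == "__main__":
    for v in ("19.4R3-S6", "21.1R3", "21.4R3-S4", "21.4R3-S5", "22.4R2-S1", "22.4R3", "23.2R1", "23.4R1"):
        print(f"{v:12} affected={is_affected(v)}")
```

Feed it the output of `show version` from each EX switch; a `None` result means the train post-dates the advisory text and needs a manual check against Juniper's current bulletin.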
Readme
# CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, CVE-2023-36847

A proof of concept, developed by @watchTowr, that chains CVE-2023-36844, CVE-2023-36845, CVE-2023-36846 and CVE-2023-36847 to achieve unauthenticated remote code execution on Juniper Junos OS SRX Series and EX Series devices.

# Follow the [watchTowr](http://watchTowr.com) Labs Team for our Security Research

- https://labs.watchtowr.com/
- https://twitter.com/watchtowrcyber
- https://twitter.com/alizthehax0r

# Technical Analysis

watchTowr performed a deep dive into reproducing, chaining and exploiting these vulnerabilities which can be found at: https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/

# Summary

1. A pre-authentication upload vulnerability (missing authentication for a critical function: CVE-2023-36846 on SRX Series, CVE-2023-36847 on EX Series) is used to upload an arbitrary PHP file to a restricted directory, where it is stored under a randomised file name.
2. The same vulnerable upload function is used to upload a PHP configuration file (.ini) whose `auto_prepend_file` directive points at the PHP file from step 1.
3. Because J-Web lets an HTTP request set PHP environment variables (PHP external variable modification: CVE-2023-36844 on EX Series, CVE-2023-36845 on SRX Series), the request sets `PHPRC` to the path of the configuration file from step 2. PHP reads that configuration on start-up, `auto_prepend_file` pulls in the file from step 1, and the PHP function declared there executes.
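Each step of the chain above leaves a distinctive artefact in the HTTP traffic to J-Web: a request body carrying PHP source, a request body carrying a php.ini `auto_prepend_file` directive, and a request parameter named `PHPRC`. The detector below is an added example, not code from watchTowr or from the PoC script. It runs over a constructed, tab-separated request log (timestamp, client, method, target, body), flags each artefact, and raises a separate alert when one client sends an upload and then a `PHPRC` parameter within a short window. The log format, the endpoint paths, the window length, and the assumption that `PHPRC` arrives as a query or form parameter are all choices made for the example; the PoC script and the watchTowr write-up describe the real request layout.

```python
import re
from datetime import datetime, timedelta
from typing import Any, Dict, List, Tuple
from urllib.parse import parse_qsl, unquote_plus

# Constructed sample log (not a real J-Web or Junos log). One request per
# line, tab-separated: timestamp, client IP, method, path[?query], raw body.
# The endpoint paths are placeholders chosen for the example.
SAMPLE_LOG = """\
2023-08-25T10:00:01Z\t198.51.100.7\tGET\t/index.php\t
2023-08-25T10:00:05Z\t203.0.113.9\tPOST\t/jweb/upload.php\tname=x.php&data=%3C%3Fphp+echo+php_uname%28%29%3B+%3F%3E
2023-08-25T10:00:06Z\t203.0.113.9\tPOST\t/jweb/upload.php\tname=x.ini&data=auto_prepend_file%3D%2Fvar%2Ftmp%2Fabc123.php
2023-08-25T10:00:08Z\t203.0.113.9\tPOST\t/jweb/run.php\tPHPRC=%2Fvar%2Ftmp%2Fdef456.ini
2023-08-25T10:01:00Z\t198.51.100.7\tPOST\t/jweb/login.php\tusername=admin&password=secret
"""

# Step 3 sets this PHP environment variable through a request parameter.
ENV_OVERRIDE_PARAMS = {"phprc"}
# Step 2 uploads a php.ini fragment built around this directive.
INI_DIRECTIVE = re.compile(r"auto_prepend_file\s*=", re.IGNORECASE)
# Step 1 uploads PHP source.
PHP_OPEN_TAG = re.compile(r"<\?php", re.IGNORECASE)
# Upload followed by a PHPRC override from the same client inside this
# window is reported as one chain (assumed value for the example).
CHAIN_WINDOW = timedelta(minutes=5)

Alert = Tuple[str, str, str]  # (client IP, ISO timestamp, alert kind)


def parse_request(line: str) -> Dict[str, Any]:
    """Split one constructed log line into fields plus decoded parameters."""
    ts, client, method, target, body = line.split("\t", 4)
    path, _, query = target.partition("?")
    params = parse_qsl(query, keep_blank_values=True) + parse_qsl(body, keep_blank_values=True)
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "client": client,
        "method": method,
        "path": path,
        "params": params,
        # Decoded body so percent-encoded directives and PHP tags are visible.
        "decoded_body": unquote_plus(body),
    }


def classify(req: Dict[str, Any]) -> List[str]:
    """Return the chain artefacts present in a single request."""
    hits: List[str] = []
    names = {name.lower() for name, _ in req["params"]}
    if names & ENV_OVERRIDE_PARAMS:
        hits.append("phprc_override")
    if INI_DIRECTIVE.search(req["decoded_body"]):
        hits.append("ini_auto_prepend")
    if PHP_OPEN_TAG.search(req["decoded_body"]):
        hits.append("php_source_upload")
    return hits


def detect(log_text: str) -> List[Alert]:
    """Run the detector over a whole log; alerts come out in log order."""
    alerts: List[Alert] = []
    first_upload: Dict[str, datetime] = {}  # client -> time of first upload artefact
    for line in log_text.splitlines():
        if not line.strip():
            continue
        req = parse_request(line)
        hits = classify(req)
        stamp = req["ts"].isoformat()
        for kind in hits:
            alerts.append((req["client"], stamp, kind))
        if "php_source_upload" in hits or "ini_auto_prepend" in hits:
            first_upload.setdefault(req["client"], req["ts"])
        if "phprc_override" in hits:
            started = first_upload.get(req["client"])
            if started is not None and req["ts"] - started <= CHAIN_WINDOW:
                alerts.append((req["client"], stamp, "upload_then_phprc_chain"))
    return alerts


if __name__ == "__main__":
    for client, stamp, kind in detect(SAMPLE_LOG):
        print(f"{stamp} {client} {kind}")
```

The per-request signals are cheap enough to run as WAF or proxy rules on their own; the chain alert is the one worth paging on, since a lone `PHPRC` parameter could be a scanner probing for the bug while upload-then-`PHPRC` from one client is the full exploit sequence.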

# Usage

The PHP function to execute can be chosen with the `--payload` flag; it defaults to `php_uname()`.

```shell
python watchtowr-vs-junos_juniper_2023-08-25.py --url http://localhost
python watchtowr-vs-junos_juniper_2023-08-25.py --url http://localhost --payload "get_current_user()"
```

# Mitigations

Upgrade to a fixed Junos OS release or apply the patches provided by Juniper. If that is not possible, apply the workaround from Juniper's out-of-cycle bulletin: disable J-Web, or restrict access to it to trusted hosts only.

https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US
File Snapshot

- README.md (1.9K)
- watchtowr-vs-junos_juniper_2023-08-25.py (3.5K)