
CVE-2023-36845 PoC — Junos OS: EX and SRX Series: A PHP vulnerability in J-Web allows an unauthenticated attacker to control an important environment variable

Source
Associated Vulnerability
Title: Junos OS: EX and SRX Series: A PHP vulnerability in J-Web allows an unauthenticated attacker to control an important environment variable (CVE-2023-36845)
Description: A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series and SRX Series allows an unauthenticated, network-based attacker to remotely execute code. Using a crafted request which sets the variable PHPRC, an attacker is able to modify the PHP execution environment, allowing the injection and execution of code. This issue affects Juniper Networks Junos OS on EX Series and SRX Series: * All versions prior to 20.4R3-S9; * 21.1 versions 21.1R1 and later; * 21.2 versions prior to 21.2R3-S7; * 21.3 versions prior to 21.3R3-S5; * 21.4 versions prior to 21.4R3-S5; * 22.1 versions prior to 22.1R3-S4; * 22.2 versions prior to 22.2R3-S2; * 22.3 versions prior to 22.3R2-S2, 22.3R3-S1; * 22.4 versions prior to 22.4R2-S1, 22.4R3; * 23.2 versions prior to 23.2R1-S1, 23.2R2.
Description
A tool to discover Juniper firewalls vulnerable to CVE-2023-36845
Readme
# Vulnerability Scanner for Juniper CVE-2023-36845

This vulnerability scanner can be used to scan Juniper SRX firewalls (and EX switches) that expose J-Web to determine if they are vulnerable to [CVE-2023-36845](https://nvd.nist.gov/vuln/detail/CVE-2023-36845). Because it is built on top of [go-exploit](https://github.com/vulncheck-oss/go-exploit), the scanner runs in two phases:

* Target verification, which checks that the target responds like a J-Web interface and is therefore a potentially affected Juniper device.
* Target exploitation, in which the scanner uses the same unauthenticated environment-variable control the vulnerability exposes to set `LD_PRELOAD` rather than `PHPRC`. A vulnerable system answers with a (harmless) loader error message, which is what the scanner keys on; no code is executed on the target.

For more details on exploiting CVE-2023-36845 see our blog, [Fileless Remote Code Execution on Juniper Firewalls](https://vulncheck.com/blog/juniper-cve-2023-36845/).

## Compiling

You can use the makefile to build a docker container:

```sh
make docker
```

Or, if you have a Go build environment ready to go, just use `make`:

```sh
albinolobster@mournland:~/cve-2023-36845-scanner$ make
gofmt -d -w scan.go
golangci-lint run --fix scan.go
GOOS=linux GOARCH=arm64 go build -o build/scan_linux-arm64 scan.go
```

## Usage

The tool is built on top of [go-exploit](https://github.com/vulncheck-oss/go-exploit), so there are multiple ways to provide targets to scan. A full description can be found in the project's [scanning documentation](https://github.com/vulncheck-oss/go-exploit/blob/main/docs/scanning.md). The following shows some examples (`-v` runs the verification phase, `-e` runs the exploitation phase, and `-a` auto-detects SSL on the target port):

### Scanning One Host

```sh
$ ./build/scan_linux-arm64 -a -v -e -rhost 10.12.72.1 -log-json=true | jq 'select(.msg == "Vulnerable")'
{
  "time": "2023-09-16T06:18:01.964471183-04:00",
  "level": "SUCCESS",
  "msg": "Vulnerable",
  "vulnerable": true,
  "rhost": "10.12.72.1",
  "rport": 80
}
```

### Scanning Multiple Hosts

```sh
$ ./build/scan_linux-arm64 -a -v -e -rhosts 10.12.72.1,10.12.72.2
time=2023-09-16T06:19:26.592-04:00 level=STATUS msg="Starting target" index=0 host=10.12.72.1 port=80 ssl=false "ssl auto"=true
time=2023-09-16T06:19:36.607-04:00 level=STATUS msg="Validating JunOS Web Interface target" host=10.12.72.1 port=80
time=2023-09-16T06:19:37.528-04:00 level=SUCCESS msg="Target validation succeeded!" host=10.12.72.1 port=80
time=2023-09-16T06:19:37.574-04:00 level=SUCCESS msg=Vulnerable vulnerable=true rhost=10.12.72.1 rport=80
time=2023-09-16T06:19:37.575-04:00 level=STATUS msg="Exploit successfully completed"
time=2023-09-16T06:19:37.575-04:00 level=STATUS msg="Starting target" index=1 host=10.12.72.2 port=80 ssl=false "ssl auto"=true
time=2023-09-16T06:19:37.575-04:00 level=STATUS msg="Validating JunOS Web Interface target" host=10.12.72.2 port=80
time=2023-09-16T06:19:37.576-04:00 level=ERROR msg="The target isn't recognized as JunOS Web Interface, quitting" host=10.12.72.2 port=80
```

### Scanning a File of Hosts Using a Proxy (and logging to file)

go-exploit can also read targets from a CSV file with one row per target in the form `host, port, anything if ssl is enabled` (the SSL field is ignored when `-a` is used, since SSL is then auto-detected). Please see the scanning documentation for full details. It also provides the ability to scan through a proxy, and `-log-file` writes the log to a file instead of the terminal. The command works like so:

```sh
$ ./build/scan_linux-arm64 -v -e -rhosts-file ~/junos/junos.targets.csv -proxy socks5://127.0.0.1:9050 -log-file vulnscan.json
^C
$ tail vulnscan.json 
time=2023-09-17T05:11:19.256-04:00 level=STATUS msg="Starting target" index=0 host=x port=443 ssl=true "ssl auto"=false
time=2023-09-17T05:11:19.256-04:00 level=STATUS msg="Validating JunOS Web Interface target" host=x port=443
time=2023-09-17T05:11:29.257-04:00 level=ERROR msg="HTTP request error: Get \"https://x:443/\": context deadline exceeded (Client.Timeout exceeded while awaiting headers)"
time=2023-09-17T05:11:29.257-04:00 level=ERROR msg="The target isn't recognized as JunOS Web Interface, quitting" host=x port=443
time=2023-09-17T05:11:29.257-04:00 level=STATUS msg="Starting target" index=1 host=x port=80 ssl=false "ssl auto"=false
time=2023-09-17T05:11:29.257-04:00 level=STATUS msg="Validating JunOS Web Interface target" host=x port=80
```
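The scan output above comes in two shapes: JSON records when `-log-json=true` is set (as in the single-host example) and `key=value` text records otherwise (as in the multi-host and `-log-file` examples). Across a large target file the question is which hosts actually returned the `Vulnerable` result, which never validated as J-Web, and how many simply timed out behind the proxy. The following Go program is added here as an example and is not part of the scanner or of go-exploit: it parses both record shapes and classifies targets by the messages shown in this README. The `sampleLog` is constructed from those records (the `10.12.72.3` line is made up to show a text-format hit), and the `Target`, `Summary`, `Triage` and `parseLogfmt` names are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Target identifies one scanned host:port.
type Target struct {
	Host string
	Port int
}

// Summary is the triage result over one scan log.
type Summary struct {
	Vulnerable   []Target // msg=Vulnerable vulnerable=true (the LD_PRELOAD probe produced the loader error)
	Unrecognized []Target // failed the J-Web validation phase
	Errors       int      // other ERROR records, e.g. HTTP timeouts through the proxy
}

// parseLogfmt splits one text-format record into key/value pairs. It handles quoted keys
// and values such as "ssl auto"=true and msg="Starting target", and backslash escapes
// inside quotes as in msg="HTTP request error: Get \"https://x:443/\": ...".
func parseLogfmt(line string) map[string]string {
	fields := map[string]string{}
	i, n := 0, len(line)
	readToken := func() string {
		if i < n && line[i] == '"' { // quoted token, may contain spaces and '='
			i++
			var sb strings.Builder
			for i < n && line[i] != '"' {
				if line[i] == '\\' && i+1 < n {
					i++ // drop the backslash, keep the escaped character
				}
				sb.WriteByte(line[i])
				i++
			}
			i++ // closing quote
			return sb.String()
		}
		start := i
		for i < n && line[i] != ' ' && line[i] != '=' {
			i++
		}
		return line[start:i]
	}
	for i < n {
		for i < n && line[i] == ' ' {
			i++
		}
		if i >= n {
			break
		}
		key := readToken()
		if i < n && line[i] == '=' {
			i++
			fields[key] = readToken()
		} else {
			fields[key] = ""
		}
	}
	return fields
}

// parseLine accepts either a -log-json=true record or a text record and returns its
// fields as strings, so rport 80 (JSON number) and rport=80 (text) both become "80".
func parseLine(line string) map[string]string {
	line = strings.TrimSpace(line)
	if !strings.HasPrefix(line, "{") {
		return parseLogfmt(line)
	}
	var raw map[string]interface{}
	if err := json.Unmarshal([]byte(line), &raw); err != nil {
		return nil
	}
	fields := make(map[string]string, len(raw))
	for k, v := range raw {
		if f, ok := v.(float64); ok {
			fields[k] = strconv.FormatFloat(f, 'f', -1, 64)
		} else {
			fields[k] = fmt.Sprint(v)
		}
	}
	return fields
}

// Triage walks the log and classifies each target by the scanner's own messages.
// The "not recognized" check comes before the generic ERROR check so it is not double counted.
func Triage(log string) Summary {
	var s Summary
	for _, line := range strings.Split(log, "\n") {
		f := parseLine(line)
		if f == nil {
			continue
		}
		switch {
		case f["msg"] == "Vulnerable" && f["vulnerable"] == "true":
			port, _ := strconv.Atoi(f["rport"])
			s.Vulnerable = append(s.Vulnerable, Target{f["rhost"], port})
		case strings.HasPrefix(f["msg"], "The target isn't recognized as JunOS Web Interface"):
			port, _ := strconv.Atoi(f["port"])
			s.Unrecognized = append(s.Unrecognized, Target{f["host"], port})
		case f["level"] == "ERROR":
			s.Errors++
		}
	}
	return s
}

// sampleLog is constructed for this example from the record shapes shown in the README;
// "x" stands in for a redacted host exactly as it does there.
const sampleLog = `{"time":"2023-09-16T06:18:01.964471183-04:00","level":"SUCCESS","msg":"Vulnerable","vulnerable":true,"rhost":"10.12.72.1","rport":80}
time=2023-09-16T06:19:37.575-04:00 level=STATUS msg="Starting target" index=1 host=10.12.72.2 port=80 ssl=false "ssl auto"=true
time=2023-09-16T06:19:37.576-04:00 level=ERROR msg="The target isn't recognized as JunOS Web Interface, quitting" host=10.12.72.2 port=80
time=2023-09-17T05:11:29.257-04:00 level=ERROR msg="HTTP request error: Get \"https://x:443/\": context deadline exceeded (Client.Timeout exceeded while awaiting headers)"
time=2023-09-17T05:11:29.257-04:00 level=ERROR msg="The target isn't recognized as JunOS Web Interface, quitting" host=x port=443
time=2023-09-17T05:11:40.001-04:00 level=SUCCESS msg=Vulnerable vulnerable=true rhost=10.12.72.3 rport=443
`

func main() {
	s := Triage(sampleLog)
	for _, t := range s.Vulnerable {
		fmt.Printf("vulnerable: %s:%d\n", t.Host, t.Port)
	}
	fmt.Printf("%d unrecognized target(s), %d other error(s)\n", len(s.Unrecognized), s.Errors)
}
```

Point the program at a real `vulnscan.json` by reading the file into `Triage` instead of `sampleLog`; the `Unrecognized` list is worth a second pass with `-a` or an explicit SSL column, since a timeout during validation looks the same as a non-Juniper host in the log.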
File Snapshot

```
/data/pocs/fcad82a89a9ed246404ba23da477a37e4faf0f87
├── [ 466] Dockerfile
├── [ 877] go.mod
├── [4.7K] go.sum
├── [ 11K] LICENSE
├── [2.1K] Makefile
├── [4.0K] README.md
└── [3.4K] scan.go

0 directories, 7 files
```