Juniper Fileless Remote Code Execution (CVE-2023-36845)



Appliances Details

Juniper SRX firewalls and EX switches.


Vulnerability

The Juniper firewalls use the Appweb web server. When Appweb invokes a CGI script, it passes a variety of environment variables and arguments so that the script can access the user's HTTP request. The body of the HTTP request is passed via stdin. The affected firewalls run FreeBSD, and every FreeBSD process can access its own stdin by opening /dev/fd/0.


Identification

By sending an HTTP request, you can introduce a "file", /dev/fd/0, to the system. Using that trick, you can set the PHPRC environment variable to /dev/fd/0 and include the desired php.ini in the HTTP request body. The following request demonstrates this attack to prepend /etc/passwd to every response.


POST /webauth_operation.php

Payload (request body, a php.ini fragment):
allow_url_include=1
auto_prepend_file="data://text/plain;base64,PD8KICAgcGhwaW5mbygpOwo/Pg=="

Detection

By turning this into a traffic file and matching rule, we are able to detect attempts to modify PHP environment variables.
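The detection logic below is an added, self-contained example written for this page; it is not Idappcom's signature 8024221 or its traffic file. It inspects raw HTTP requests for the two markers the advisory describes: the PHPRC environment variable being pointed at a /dev/fd/ descriptor, and a php.ini fragment (allow_url_include, auto_prepend_file and similar directives, or a data:// wrapper) carried in the request body. The sample requests, the hostname and the assumption that PHPRC arrives as a query-string parameter are constructed for the example, not taken from captured traffic.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests (not real captures). The first is an ordinary
# login call to the page's endpoint; the second carries the markers described
# in the advisory: PHPRC pointed at /dev/fd/0 and a php.ini fragment as body.
SAMPLE_REQUESTS = [
    "POST /webauth_operation.php HTTP/1.1\r\n"
    "Host: fw.example.internal\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "rs=check_login&rsargs[]=user1",

    "POST /webauth_operation.php?PHPRC=%2Fdev%2Ffd%2F0 HTTP/1.1\r\n"
    "Host: fw.example.internal\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "allow_url_include=1\n"
    'auto_prepend_file="data://text/plain;base64,PD8KICAgcGhwaW5mbygpOwo/Pg=="\n',
]

# php.ini directives that have no business appearing in a request body to a
# CGI endpoint; any of them indicates an attempt to feed PHP a configuration.
INI_DIRECTIVES = (
    "auto_prepend_file",
    "auto_append_file",
    "allow_url_include",
    "allow_url_fopen",
    "disable_functions",
    "open_basedir",
)


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def inspect_request(raw):
    """Return a list of reason codes; an empty list means nothing suspicious."""
    _method, target, _headers, body = parse_request(raw)
    reasons = []

    # 1. PHP environment variables smuggled through the query string.
    #    (Assumption for this example: the CGI layer maps query parameters to
    #    environment variables, so PHPRC is looked for there.)
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for name, values in query.items():
        if name.upper() == "PHPRC":
            reasons.append("phprc_in_query")
            # parse_qs already percent-decodes, so %2Fdev%2Ffd%2F0 is caught too
            if any("/dev/fd/" in v for v in values):
                reasons.append("phprc_dev_fd")

    # 2. A php.ini fragment in the body: "directive = value" at line start.
    for directive in INI_DIRECTIVES:
        if re.search(rf"^\s*{directive}\s*=", body, re.MULTILINE | re.IGNORECASE):
            reasons.append(f"ini_directive:{directive}")

    # 3. A data:// stream wrapper, the usual companion of allow_url_include=1.
    if re.search(r"data:(//)?[\w/+.-]*;base64,", body, re.IGNORECASE):
        reasons.append("data_wrapper")

    return reasons


def scan_requests(requests):
    """Map each request's index to its reason codes, skipping clean requests."""
    return {i: r for i, r in ((i, inspect_request(q)) for i, q in enumerate(requests)) if r}


if __name__ == "__main__":
    for index, hits in scan_requests(SAMPLE_REQUESTS).items():
        print(f"request {index}: {', '.join(hits)}")
```

The three checks are independent so that a request which only sets PHPRC, or only carries an ini fragment, still surfaces; correlating "phprc_dev_fd" with at least one "ini_directive:" hit in the same request gives a high-confidence match for the technique described above.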


Coverage

Idappcom have created signature 8024221 along with a traffic file for this vulnerability.


References


Traffic IQ

If you are concerned that your business may be at risk from this vulnerability or others, why not try out our Traffic IQ software, which can scan your defences and report any issues. Learn more here: https://www.idappcom.co.uk/traffic-iq-professional