top of page

Juniper Fileless Remote Code Execution (CVE-2023-36845)



Appliances Details

Juniper SRX firewalls and EX switches.


Vulnerability

The Juniper firewalls use the Appweb web server. When Appweb invokes a CGI script, it passes a variety of environment variables and arguments so that the script can access the user's HTTP request. The body of the HTTP request is passed via stdin. The affected firewalls run FreeBSD, and every FreeBSD process can access their stdin by opening /dev/fd/0.


Identification

By sending an HTTP request, you can introduce a "file", /dev/fd/0, to the system. Using that trick, you can set the PHPRC environment variable to /dev/fd/0 and include the desired php.ini in our HTTP request. The following request demonstrates this attack to prepend /etc/passwd to every response.


POST /webauth_operation.php

PAYLOAD - 
allow_url_include=1
auto_prepend_file="data://text/plain;base64,PD8KICAgcGhwaW5mbygpOwo/Pg=="

Detection

By turning this into a traffic file and matching rule, we are able to detect attempts to modify PHP environment variables.


Coverage

Idappcom have created signature 8024221 along with a traffic file for this vulnerability.


References


Traffic IQ

If you are concerned that your business may be at risk of this vulnerability or others why not try out our Traffic IQ software which can scan your defences and report any issues. Learn more here: https://www.idappcom.co.uk/traffic-iq-professional

Commentaires


bottom of page