Share
## https://sploitus.com/exploit?id=155A8420-C1CD-588A-8538-CF54326472D5
# CVE-2023-36844 , CVE-2023-36845 , CVE-2023-36846 , CVE-2023-36847

A Proof of Concept for chaining the CVEs [CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, CVE-2023-36847] developed by @watchTowr to achieve Remote Code Execution in Juniper JunOS within SRX and EX Series products.

# Follow the [watchTowr](http://watchTowr.com) Labs Team for our Security Research

- https://labs.watchtowr.com/
- https://twitter.com/watchtowrcyber
- https://twitter.com/alizthehax0r

# Technical Analysis

watchTowr performed a deep dive into reproducing, chaining and exploiting these vulnerabilities which can be found at: https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/

# Summary

1. A pre-authentication upload vulnerability can be used to upload an arbitrary PHP file to a restricted directory with a randomised file name.
2. Using the same vulnerable function, we upload a PHP configuration file (.ini) which points to and loads the PHP file from step 1 using the `auto_prepend_file` directive.
3. As all environment variables can be set via HTTP requests, we overwrite the environment variable `PHPRC` to load the PHP configuration file from step 2 and trigger the execution of the PHP function declared in step 1.

# Usage

The PHP function can be specified using the flag `—payload`, however `php_uname()` is set by default.

`python watchtowr-vs-junos_juniper_2023-08-25.py --url http://localhost`

`python watchtowr-vs-junos_juniper_2023-08-25.py --url http://localhost --payload "get_current_user()"`

# Mitigations

Update to the latest version of JunOS, and/or apply the patches provided by Juniper. If these actions are not possible, please leverage the provided Juniper workaround.

https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US