# CVE-2023-36844 , CVE-2023-36845 , CVE-2023-36846 , CVE-2023-36847

A Proof of Concept for chaining the CVEs [CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, CVE-2023-36847] developed by @watchTowr to achieve Remote Code Execution in Juniper JunOS within SRX and EX Series products.

# Follow the [watchTowr]( Labs Team for our Security Research


# Technical Analysis

watchTowr performed a deep dive into reproducing, chaining and exploiting these vulnerabilities which can be found at:

# Summary

1. A pre-authentication upload vulnerability can be used to upload an arbitrary PHP file to a restricted directory with a randomised file name.
2. Using the same vulnerable function, we upload a PHP configuration file (.ini) which points to and loads the PHP file from step 1 using the `auto_prepend_file` directive.
3. As all environment variables can be set via HTTP requests, we overwrite the environment variable `PHPRC` to load the PHP configuration file from step 2 and trigger the execution of the PHP function declared in step 1.

# Usage

The PHP function can be specified using the flag `—payload`, however `php_uname()` is set by default.

`python --url http://localhost`

`python --url http://localhost --payload "get_current_user()"`

# Mitigations

Update to the latest version of JunOS, and/or apply the patches provided by Juniper. If these actions are not possible, please leverage the provided Juniper workaround.