Vulnerabilities detected in the web interface of JunOS devices


If exploited, these flaws can allow attackers to gain unauthorized access to sensitive information or otherwise disrupt the device.

A few days ago, information was released about several vulnerabilities identified in J-Web, the web interface used on Juniper network devices running the JunOS operating system.

The most dangerous is CVE-2022-22241, which allows remote code execution on the system without authentication by sending a specially crafted HTTP request.

The root cause is that the file path supplied by the user is processed in the /jsdm/ajax/logging_browse.php script, before the authentication check, without filtering the stream-wrapper prefix (such as phar://) that tells PHP how to open the path.

An attacker can plant a malicious phar file disguised as an image and have the PHP code placed inside it executed using the "Phar deserialization" attack method.

The problem is that when an uploaded file is checked with PHP's is_dir() function, that function automatically deserializes the metadata of a Phar (PHP archive) file whenever it processes a path starting with "phar://". The same effect occurs when user-supplied file paths are processed by file_get_contents(), fopen(), file(), file_exists(), md5_file(), filemtime() and filesize().

The attack is complicated by the fact that, besides triggering execution of the phar file, the attacker must find a way to get it onto the device (when accessing /jsdm/ajax/logging_browse.php, only the path of an already existing file can be specified).

Among the possible ways for a file to reach the device, the report mentions uploading a phar file disguised as an image through an image upload feature and replacing a file in the web content cache.

Another vulnerability detected is CVE-2022-22242, which can be exploited by an unauthenticated remote attacker to hijack JunOS management sessions, or be used in combination with other vulnerabilities that require authentication. For example, it can be chained with the post-authentication file write bug that is also part of the report.

CVE-2022-22242 is caused by external parameters being placed unfiltered into the output of the error.php script, which allows cross-site scripting: arbitrary JavaScript code runs in the user's browser when a crafted link is clicked. The vulnerability could be used to capture an administrator's session parameters if attackers can get the administrator to open a specially crafted link.

Also mentioned are CVE-2022-22243, which can be exploited by an authenticated remote attacker to manipulate JunOS admin sessions or tamper with the XPath stream that the server uses to talk to its XML parsers, and CVE-2022-22244, which can likewise be exploited by an authenticated remote attacker to tamper with JunOS admin sessions. In both cases, substituting the XPath expression through the scripts jsdm/ajax/wizards/setup/setup.php and /modules/monitor/interfaces/interface.php allows an authenticated user without privileges to manipulate administrator sessions.

Other vulnerabilities disclosed are:

  • CVE-2022-22245: because the ".." sequence in paths processed by the Upload.php script is not properly sanitized, an authenticated user can upload a PHP file of their own into a directory that allows PHP script execution (e.g. by passing the path "fileName=\..\..\..\..\www\dir\new\shell.php").
  • CVE-2022-22246: an authenticated user can execute an arbitrary local PHP file by manipulating the jrest.php script, where external parameters are used to form the name of the file loaded with the require_once() function (for example, "/jrest.php?payload =alol/lol/any\..\..\..\..\any\file"). This lets an attacker include any PHP file stored on the server; combined with the file upload vulnerability, it can lead to remote code execution.
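
The two root causes above (a stream-wrapper prefix such as phar:// reaching is_dir()/file_exists()/require_once(), and ".." traversal escaping the intended directory) share one defensive fix: validate and canonicalise a user-supplied path before any filesystem function sees it. The following PHP function is an added example written for this article; it is not Juniper's J-Web code, and the base directory, parameter names and test inputs are constructed assumptions (PHP 8 is assumed for str_contains() and str_starts_with()).

```php
<?php
// Added example (not Juniper's J-Web code): hardened handling of a
// user-supplied file path against the two failure classes described above.
// $baseDir, the inputs and the temp directory are constructed for illustration.

declare(strict_types=1);

/**
 * Resolve $userPath inside $baseDir, or return null if it is unsafe.
 * No filesystem function touches the raw input; only the canonical path
 * is used, and only after every check has passed.
 */
function resolveSafePath(string $baseDir, string $userPath): ?string
{
    // 1. Reject anything that looks like a URL/stream wrapper ("phar://",
    //    "php://", "data:", ...). PHP filesystem functions accept these
    //    prefixes, and "phar://" triggers metadata deserialization in
    //    is_dir(), file_exists(), fopen() and related functions.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $userPath)) {
        return null;
    }

    // 2. Reject NUL bytes and both traversal forms ("../" and "..\").
    if (str_contains($userPath, "\0")
        || preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $userPath)) {
        return null;
    }

    // 3. Allow only a conservative character set for the relative path.
    if (!preg_match('#^[A-Za-z0-9._/-]+$#', $userPath)) {
        return null;
    }

    // 4. Canonicalise and confirm the result is still under $baseDir.
    $base = realpath($baseDir);
    $full = realpath($baseDir . '/' . $userPath);
    if ($base === false || $full === false) {
        return null; // base directory missing or target does not exist
    }
    if ($full !== $base && !str_starts_with($full, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $full;
}

// Vulnerable pattern for comparison (generic, not J-Web's source): the raw
// parameter goes straight to a wrapper-aware function, with no validation.
//   $path = $_GET['path'];
//   if (is_dir($path)) { ... }               // "phar://..." is deserialized here
//   require_once $_GET['payload'] . '.php';  // "..\" walks out of the directory

// Constructed inputs for a quick self-check when run from the CLI.
$logDir = sys_get_temp_dir() . '/jweb-example-logs';
@mkdir($logDir);
@touch($logDir . '/messages');

$cases = [
    'messages'                         => true,   // plain file under base dir
    'phar:///tmp/upload/avatar.jpg'    => false,  // wrapper prefix rejected
    '../../../../etc/passwd'           => false,  // traversal rejected
    '..\\..\\www\\dir\\new\\shell.php' => false,  // backslash traversal rejected
    'sub dir/messages'                 => false,  // disallowed character
];
foreach ($cases as $input => $expectedOk) {
    $ok = resolveSafePath($logDir, $input) !== null;
    printf("%-36s %s\n", $input, $ok === $expectedOk ? 'ok' : 'UNEXPECTED');
}
```

The check order matters: wrapper prefixes and traversal sequences are rejected on the raw string first, because realpath() itself would already open a phar:// path, and the final realpath() comparison catches anything the string checks miss (for example symlinks pointing outside the base directory). On the detection side, requests to logging_browse.php, Upload.php or jrest.php whose parameters contain "phar://" or ".." sequences are the obvious signatures to alert on in web server logs.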

Finally, users of Juniper devices are advised to install the firmware update and, if that is not possible, to ensure that access to the web interface is blocked from external networks and limited to trusted hosts only.

If you are interested in learning more, you can consult the details at the following link.

