Full Report
Junos OS is the operating system that runs on Juniper's routers and firewalls. It ships with J-Web, a PHP-based web interface for managing the device, and that is the code Octagon Networks looked at (their post's title also mentions Juniper's SSL VPN, but the bugs live in J-Web).

The first vulnerability was Phar deserialization. A Phar is a PHP archive whose metadata is stored in PHP's serialized format. When a file-handling function such as file_exists() or is_dir() is handed a phar:// URI, PHP's stream wrapper opens the archive and unserializes that metadata, so any file function reachable with attacker-controlled input turns into an unserialize() call. With a suitable gadget chain in the loaded code, that means code execution (PHP 8.0 stopped unserializing Phar metadata automatically, which is why this class of bug mostly survives on older PHP deployments). The archive does have to be on the server first, which here was possible through an unauthenticated file upload page.

The second issue is a reflected XSS in the error page, which echoes the server name without encoding it. Putting alert(0) into the parameter gave them a working payload. If somebody clicked on such a link, it could be used to steal session information.

XPath is the query language for XML documents. Because queries are built dynamically, it suffers from the same injection problems as SQL whenever user input is concatenated into the query text. Using an XPath injection, it is possible to manipulate J-Web admin sessions or to alter queries that XPath makes later. This was an authenticated bug, but it could still be exploited through CSRF.

In the upload functionality, the file is written to /var/tmp/$filename. There is code that attempts to prevent directory traversal by looking for / (the path separator on Linux). However, this can be bypassed because Apache normalizes backslashes to forward slashes. I don't know where this conversion happens, but it must come after the verification done by the application. Once we control the location of a file (and its type), we can upload a PHP file to /www/dir/ and have it executed. Regardless, it's a pretty neat bypass!

The final vulnerability is another RCE, this time via local file inclusion. The user controls a parameter that names a PHP file to load. That parameter is also vulnerable to directory traversal, and the included file is executed. As a result, any uploaded file can be executed once it is on the server.
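The XPath injection above is the same mistake as SQL injection: user input is concatenated into query text. The following Python is an added example, not code from the Octagon write-up or from J-Web; it queries a constructed XML user list (the names and roles are made up) and shows the vulnerable concatenation next to a builder that confines the input to an XPath 1.0 string literal. XPath literals have no escape sequences, so the safe builder picks the quote character the value lacks, and falls back to concat() when the value contains both.

```python
import xml.etree.ElementTree as ET

# Constructed sample document: the kind of XML an account or session lookup
# might query. It is not J-Web's data; the names and roles are made up.
USERS_XML = """<users>
  <user name="admin" role="super-user"/>
  <user name="o'brien" role="read-only"/>
  <user name="guest" role="read-only"/>
</users>"""
ROOT = ET.fromstring(USERS_XML)


def unsafe_query(name: str) -> str:
    """The vulnerable pattern: the input is pasted into the query text, so a
    quote in the input closes the literal and the rest is parsed as XPath."""
    return "user[@name='" + name + "']"


def xpath_literal(value: str) -> str:
    """Render any string as an XPath 1.0 string literal.

    XPath 1.0 literals have no escape sequences, so the options are to delimit
    with whichever quote character the value lacks or, when it contains both,
    to split on single quotes and rejoin the pieces with concat(), passing
    each single quote as a double-quoted one-character literal.
    """
    if "'" not in value:
        return "'" + value + "'"
    if '"' not in value:
        return '"' + value + '"'
    parts = []
    for piece in value.split("'"):
        if piece:
            parts.append("'" + piece + "'")
        parts.append("\"'\"")
    parts.pop()  # no separator after the final piece
    return "concat(" + ", ".join(parts) + ")"


def safe_query(name: str) -> str:
    """Same query, with the input confined to a string literal."""
    return "user[@name=" + xpath_literal(name) + "]"


def find_roles(name: str) -> list:
    """Evaluate the safe query against the sample document and return the
    matching roles. ElementTree implements only a subset of XPath, without
    concat(); a full engine such as lxml or PHP's DOMXPath evaluates that form
    too, so values mixing both quote characters are refused here rather than
    silently mishandled."""
    query = safe_query(name)
    if query.startswith("user[@name=concat("):
        raise ValueError("ElementTree cannot evaluate concat(); use a full XPath engine")
    return [user.get("role") for user in ROOT.findall(query)]
```

With the classic `admin' or '1'='1` input, `unsafe_query` yields `user[@name='admin' or '1'='1']`, a predicate a full XPath engine evaluates as true for every user, while `safe_query` keeps the whole input inside one double-quoted literal and the lookup simply finds nothing. Rejecting quotes outright is the other common fix, but it breaks legitimate values such as `o'brien`, which the literal builder handles.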
Overall, this is a great example of why RCE bugs are so much easier to find in PHP applications. Many of the language's gotchas are on full display in this post. From Phar deserialization to file upload issues to local file inclusion... all of the big
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in Juniper Junos OS J-Web
## CVE Details
- **CVE ID**:
  - CVE-2022-22241 (Phar Deserialization)
  - CVE-2022-22242 (Reflected XSS)
  - CVE-2022-22243 (XPATH Injection)
  - CVE-2022-22244 (XPATH Injection)
  - CVE-2022-22245 (Path Traversal/File Upload)
  - CVE-2022-22246 (Local File Inclusion)
- **CVSS Score**: Varies (Highest addressed is 8.1 - High)
- **CWE**: CWE-502 (Deserialization), CWE-79 (XSS), CWE-91 (XML/XPath Injection), CWE-22 (Path Traversal), CWE-98 (PHP File Inclusion)
## Affected Systems
- **Products**: Juniper Networks Junos OS (specifically the J-Web interface)
- **Versions**: Releases prior to the fixed versions listed under Remediation.
- **Configurations**: Systems with the J-Web configuration interface enabled.
## Vulnerability Description
Multiple flaws exist in the J-Web component of Junos OS:
1. **Phar Deserialization (CVE-2022-22241):** A pre-authentication flaw in `logging_browse.php` allows an attacker to trigger deserialization of a Phar archive's metadata via the `filepath` parameter. This leads to Remote Code Execution (RCE) when a suitable gadget chain exists in the loaded code base.
2. **Reflected XSS (CVE-2022-22242):** The `error.php` page echoes the `SERVER_NAME` value (derived from the request URI) without output encoding, so an attacker-supplied script executes in the context of the victim's session.
3. **XPATH Injections (CVE-2022-22243/44):** Authenticated endpoints concatenate user input into XPath queries, which can be used to manipulate other admin sessions or the results of later queries; the requests can be triggered through CSRF, so authentication is not a strong barrier.
4. **Path Traversal & LFI (CVE-2022-22245/46):** Flaws in file upload and processing scripts (like `jrest.php`) allow attackers to bypass directory traversal filters (using backslash normalization tricks) to upload or include arbitrary PHP files, leading to RCE.
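The upload and include flaws in item 4 (and in the Full Report above) come down to one question: does the application decide where a path resolves, or does the client? The Python below is an added example, not Octagon's or Juniper's code. It reconstructs the forward-slash-only check the write-up describes, models the backslash-to-slash conversion that the write-up says happens somewhere after that check (where exactly is not established on the page, so `later_normalization` is a stand-in for its effect), and places a hardened check beside it. The page table for the include side is invented for the example; J-Web's real page names are not on the page.

```python
import posixpath

UPLOAD_DIR = "/var/tmp"   # upload destination named in the write-up
WEB_ROOT = "/www/dir"     # web-served directory named in the write-up


def weak_filter_accepts(filename: str) -> bool:
    """Reconstruction of the check the write-up describes: the destination is
    /var/tmp/$filename and only a forward slash in the name is rejected."""
    return "/" not in filename


def later_normalization(path: str) -> str:
    """Stand-in (assumption) for the backslash-to-slash conversion that the
    write-up says happens after the application's check. Only its effect is
    reproduced here; the layer responsible is not established on the page."""
    return path.replace("\\", "/")


def weak_upload_target(filename: str):
    """Where the weak check ends up writing the upload, or None if rejected."""
    if not weak_filter_accepts(filename):
        return None
    raw = UPLOAD_DIR + "/" + filename
    return posixpath.normpath(later_normalization(raw))


def safe_upload_target(filename: str):
    """Hardened version: refuse either separator and NUL bytes up front, refuse
    the dot entries, then confirm the resolved destination is still inside the
    upload directory instead of trusting the string check alone."""
    if not filename or any(ch in filename for ch in "/\\\x00"):
        return None
    if filename in (".", ".."):
        return None
    dest = posixpath.normpath(posixpath.join(UPLOAD_DIR, filename))
    if posixpath.commonpath([UPLOAD_DIR, dest]) != UPLOAD_DIR:
        return None
    return dest


# Fix for the include side: the request picks a short identifier and the
# application, not the client, maps it to a file. Page names are invented.
PAGE_TABLE = {
    "dashboard": "/www/dir/pages/dashboard.php",
    "logs": "/www/dir/pages/logs.php",
}


def resolve_include(page: str):
    """Return the file to include for a page identifier, or None if unknown."""
    return PAGE_TABLE.get(page)


def lands_in_web_root(path) -> bool:
    """True when a computed path is under the web root, i.e. a PHP file written
    there would be served and executed."""
    return path is not None and posixpath.commonpath([WEB_ROOT, path]) == WEB_ROOT
```

Fed the name `..\..\www\dir\shell.php`, the weak path passes the slash check, becomes `/var/tmp/../../www/dir/shell.php` after normalization and resolves to `/www/dir/shell.php`, inside the served tree; the hardened path refuses it before any filesystem access. The containment check with `commonpath` is the part worth keeping even if the separator filter is later loosened, because it tests the path the filesystem will actually see rather than the string the client sent.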
## Exploitation
- **Status**: PoC available/detailed in research; vulnerabilities were disclosed by Octagon Networks.
- **Complexity**: Medium (RCE requires chaining or gadget identification).
- **Attack Vector**: Network
## Impact
- **Confidentiality**: High (Session theft and data access)
- **Integrity**: High (Ability to execute code and modify configurations)
- **Availability**: High (Full system compromise potential)
## Remediation
### Patches
Juniper has released updates to address these issues. Users should upgrade to:
- Junos OS: 19.1R3-S9, 19.2R3-S6, 19.3R3-S7, 19.4R3-S9, 20.1R3-S5, 20.2R3-S5, 20.3R3-S5, 20.4R3-S4, 21.1R3-S2, 21.2R3-S1, 21.3R2-S2, 21.3R3, 21.4R1-S2, 21.4R3, 22.1R1-S1, 22.1R2, 22.2R1, and later.
### Workarounds
- Disable the J-Web interface entirely.
- Restrict J-Web access to specific, trusted management IP addresses/hosts via firewall filters.
## Detection
- **Indicators of Compromise**: Monitor for requests to `/jsdm/ajax/logging_browse.php` whose `filepath` parameter contains `phar://`; standard access logs do not record POST bodies, so this needs proxy, WAF or full-request capture. Look for backslash traversal sequences (`..\`, also URL-encoded as `..%5C`) in requests to `jrest.php`, since the forward-slash form is what the application's own filter already blocks.
- **Detection methods**: Review web server logs for requests to `error.php` whose `SERVER_NAME` parameter contains `<script>` tags or inline event handlers (`onload=`, `onerror=`), including URL-encoded forms.
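As an added example of the log review described above (not part of the original report), the Python below applies those three indicators to constructed Apache combined-format access log lines. The lines, IPs and user agents are made up for the example; the request shapes mirror the indicators. Patterns are matched against the URL-decoded request target so encoded payloads such as `..%5C` and `%3Cscript%3E` are still caught.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format access log lines (not real traffic). The
# first four mirror the request shapes named in the Detection section.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Oct/2022:10:00:01 +0000] "GET /jsdm/ajax/logging_browse.php?filepath=phar:///var/tmp/evil.jpg HTTP/1.1" 200 512 "-" "curl/7.85.0"
10.0.0.5 - - [28/Oct/2022:10:00:02 +0000] "POST /jsdm/ajax/logging_browse.php HTTP/1.1" 200 512 "-" "curl/7.85.0"
10.0.0.6 - - [28/Oct/2022:10:00:03 +0000] "POST /jrest.php?fname=..%5C..%5Cwww%5Cdir%5Cshell.php HTTP/1.1" 200 12 "-" "python-requests/2.28.1"
10.0.0.7 - - [28/Oct/2022:10:00:04 +0000] "GET /error.php?SERVER_NAME=%3Cscript%3Ealert(0)%3C%2Fscript%3E HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
10.0.0.8 - - [28/Oct/2022:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
"""

# Request line inside a combined-format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# (rule name, script the request must hit, payload pattern). Both patterns are
# applied to the URL-decoded request target, case-insensitively.
RULES = [
    ("phar-deserialization", r"logging_browse\.php", r"phar://"),
    ("traversal-upload", r"jrest\.php", r"\.\.[\\/]|[\\/]\.\."),
    ("reflected-xss", r"error\.php", r"<script|<[^>]*\bon\w+\s*=|javascript:"),
]


def scan_line(line: str) -> list:
    """Return the names of every rule this access-log line trips."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    # Decode twice so one layer of double URL-encoding cannot hide the payload.
    target = unquote(unquote(match.group("target")))
    return [
        name
        for name, script_re, payload_re in RULES
        if re.search(script_re, target, re.I) and re.search(payload_re, target, re.I)
    ]


def scan_log(text: str) -> list:
    """Scan a whole log; return (client_ip, rule) pairs in log order."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client_ip = line.split(" ", 1)[0]
        for name in scan_line(line):
            findings.append((client_ip, name))
    return findings
```

Run over the sample, `scan_log` flags the phar:// request from 10.0.0.5, the backslash traversal from 10.0.0.6 and the script tag from 10.0.0.7, and ignores the plain `index.php` hit. The second line, a POST to `logging_browse.php` with the payload in the body, produces nothing: that is the blind spot noted above, and the reason body-level indicators need proxy or WAF logs rather than the access log alone. Treat the patterns as a starting point to tune against your own traffic, not as a finished signature set.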
## References
- Vendor Advisory: https://supportportal.juniper.net/s/article/2022-10-Security-Bulletin-Junos-OS-Multiple-vulnerabilities-in-J-Web
- Original Research: https://octagon.net/blog/2022/10/28/juniper-sslvpn-junos-rce-and-multiple-vulnerabilities/