Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Juniper SSLVPN / JunOS RCE and Multiple Vulnerabilities - 992

Octagon, posted 3 years ago
  • JunOS is a service to automate network operations and many other things. For this, there is a client application, called SSLVPN, that allows for securely connecting to it. This is what the author looked at.
  • The first vulnerability was a Phar deserialization issue. Phar is a PHP Archive that contains data in a serialized format. Many PHP functions, such as the file handling functions, handle this format by default. Using the phar:// URI, it is trivial to gain code execution on servers. In this case, the file needs to be on the server, which can be done via an unauthenticated file upload page.
  • The second issue is a reflected XSS via the server name parameter of the error pages. Putting <script>alert(0)</script> into the parameter gave them a simple XSS payload. If somebody clicked on such a link, it could be used to steal session information.
  • XPATH is a format for querying information from an XML document. Since this is a dynamic query language, it suffers from the same issues as SQL. Using an XPATH injection vulnerability, it is possible to manipulate JunOS admin sessions or manipulate future queries made by XPATH. This was an authenticated bug that could be exploited via CSRF though.
  • On the upload functionality, the file is written to /var/tmp/$filename. There is code that attempts to prevent directory traversal by looking for / on Linux. However, this can be bypassed because Apache normalizes backslashes to be forward slashes.
  • I don't know where this conversion happens but it must come after the verification done by the application. Once we can control the location of a file (and the type), we can upload a PHP file to /www/dir/ to execute it. Regardless, it's a pretty neat bypass!
  • The final vulnerability is another RCE bug via local file inclusion. The user controls a parameter for loading a PHP file. However, this is ALSO vulnerable to directory traversal, and the included file will be executed. As a result, any uploaded file can be executed once it is on the server.
  • Overall, this is an amazing example of why PHP is much easier to find RCE bugs on. There are many gotchas that are all on full display in this post. From phar deserialization, to file upload issues, to local file inclusion... all of the big
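The upload traversal bypass and the include traversal described in the last few bullets share one root cause: the filename check and the path normalisation disagree about what a separator is. The following Python example is added here to make that concrete; it is not the vendor's code nor the original post's, and the application itself is PHP. It models the weak check (rejecting only `/`), a later backslash-to-slash normalisation (the ordering is an assumption about where that conversion happens), and a hardened version that normalises both separators first, keeps only the basename, enforces an extension allowlist, and confines both upload targets and include paths under a base directory. The `/var/tmp` and `/www/dir` paths come from the page; the extension and page allowlists are constructed for the demo.

```python
import os
import re
from typing import Optional

UPLOAD_DIR = "/var/tmp"          # upload location named on the page
ALLOWED_EXT = {".txt", ".log", ".csv"}   # constructed allowlist for the demo
ALLOWED_PAGES = {"home", "status", "help"}   # constructed include allowlist


def normalize_separators(path: str) -> str:
    """Models the normalisation the page attributes to the web server layer:
    backslashes become forward slashes. Assumed to run AFTER the app's check."""
    return path.replace("\\", "/")


def weak_is_safe(filename: str) -> bool:
    """The flawed check described on the page: it only rejects forward slashes,
    so a backslash-separated traversal string passes untouched."""
    return "/" not in filename


def weak_write_target(filename: str) -> Optional[str]:
    """Where the weak pipeline would write the file. Returns None if the check
    rejects the name, otherwise the normalised final path (demo only; no I/O)."""
    if not weak_is_safe(filename):
        return None
    return os.path.normpath(os.path.join(UPLOAD_DIR, normalize_separators(filename)))


def sanitize_upload_name(filename: str) -> Optional[str]:
    """Hardened name check: normalise both separators first, keep only the last
    path component, reject dotfiles and odd characters, and require an allowed
    extension. Returns a safe basename or None."""
    name = os.path.basename(normalize_separators(filename))
    if not name or name.startswith("."):
        return None
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", name):
        return None
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_EXT:
        return None
    return name


def resolve_under(base_dir: str, user_path: str) -> Optional[str]:
    """Containment check shared by the upload target and the include path:
    resolve to an absolute path and require it to remain inside base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, normalize_separators(user_path)))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def resolve_include(base_dir: str, page: str) -> Optional[str]:
    """Allowlist-based resolver for the 'load a PHP file' parameter: the user
    picks a key, never a path, and the result is still confined to base_dir."""
    if page not in ALLOWED_PAGES:
        return None
    return resolve_under(base_dir, page + ".php")


if __name__ == "__main__":
    # Constructed attacker-style name: backslashes only, so the weak check passes,
    # but after normalisation it climbs out of /var/tmp into /www/dir.
    evil = "..\\..\\www\\dir\\shell.php"
    print("weak check passes:", weak_is_safe(evil))
    print("weak pipeline would write to:", weak_write_target(evil))
    print("hardened name:", sanitize_upload_name(evil))
    print("hardened target:", resolve_under(UPLOAD_DIR, evil))
    print("benign name:", sanitize_upload_name("report.txt"))
    print("include of 'home':", resolve_include("/www/dir", "home"))
    print("include of traversal:", resolve_include("/www/dir", "../../etc/passwd"))
```

The detection angle follows directly from `weak_write_target`: if an upload log records the raw filename and the final write path, any entry where the two differ after separator normalisation, or where the final path leaves the upload directory, is worth an alert.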