Author: Marco Lux
Email: ping@curesec.com
https://curesec.com
Juniper Ident: JSA75729
Arch: MIPS
OS: JunOS (FreeBSD fork())
Updated: 11.02.2024
The Juniper SRX / EX line of firewalls and switches is vulnerable to a vanilla stack-based overflow in the session mechanism of the running web server (httpd-gk). The vulnerability allows memory corruption and results in remote root code execution, without authentication.
During session negotiation, a buffer is concatenated with the insecure strcat function; it can be overflowed, creating a scenario for abuse.
A properly crafted request will crash, or exploit, the corresponding daemon in the function httpd_gk_session_update():
0x2939ee58 in strcat () from /usr/lib/libc.so.6
(gdb) bt
0x2939ee58 in strcat () from /usr/lib/libc.so.6
0x00435724 in httpd_gk_session_update ()
0x3442cc84 in ?? ()
Crashing it with a simple pattern, have a look at pc: 0x6161616e.
ADDRESS_ERR: pid 7116 (httpd-gk), uid 0: pc 0x6161616e got a read fault at 0x6161616e
Trapframe Register Dump:
  zero: 0000000000000000  at: 0000000000000001  v0: 0000000000000000  v1: 0000000000000009
  a0: 0000000000000000  a1: 000000003fffb380  a2: 000000000000000b  a3: 0000000000000008
  t0: 000000003fffb388  t1: 000000003fffb38b  t2: 0000000000000002  t3: 0000000000000000
  ta0: 000000003ffff008  ta1: 000000003ffff008  ta2: 000000003ffff058  ta3: 000000003ffff038
  t8: 000000003ffff048  t9: 00000000293a36e0  s0: 000000006161616d  s1: 000000000000000d
  s2: 000000000000000d  s3: 00000000004f6000  s4: 0000000000539000  s5: 00000000288b33c0
  s6: 00000000004d3354  s7: 00000000004d3350  k0: 0000000000000000  k1: 0000000000000000
  gp: 00000000004e51b0  sp: 000000003fffbf28  s8: 000000002942cf28  ra: 000000006161616e
  sr: 0000000050808cf3  mullo: 000000000ccccccc  mulhi: 0000000000000007  pc: 000000006161616e
  cause: 0000000000000010  badvaddr: 000000006161616e
pc address 0x6161616e is inaccessible, pte = 0x0
pid 7116 (httpd-gk), uid 0: exited on signal 10 (core dumped)
setsockopt(RTS_ASYNC_NEED_RESYNC) ignored (httpd-gk): client already active
exec_elf32_imgact: Running BTLB binary without the BTLB_FLAG env set
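The pattern in the register dump (0x61616161 is "aaaa") shows the saved return address being replaced by attacker-controlled bytes, the classic outcome of an unbounded strcat into a stack buffer. The following added example is illustrative code written for this advisory, not Juniper's httpd-gk source: the buffer size, the field names sid/user and the function names are assumptions. It places the unsafe strcat pattern next to a bounds-checked replacement that rejects oversized input instead of writing past the buffer.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define SESSION_BUF 64   /* hypothetical fixed-size stack buffer */

/* Vulnerable pattern (illustrative, not Juniper's code): strcat() appends each
 * caller-controlled field without regard to the destination's size, so a long
 * sid overwrites whatever follows out[] on the stack, including the saved
 * return address (the "ra: 6161616e" seen in the trapframe above). */
void build_session_unsafe(char out[SESSION_BUF], const char *sid, const char *user) {
    out[0] = '\0';
    strcat(out, "sid=");
    strcat(out, sid);       /* unbounded write */
    strcat(out, ";user=");
    strcat(out, user);      /* unbounded write */
}

/* Hardened form: each append checks that the piece plus its terminating NUL
 * still fits; on overflow the call fails instead of truncating silently. */
bool append_bounded(char *out, size_t cap, size_t *len, const char *s) {
    size_t n = strlen(s);
    if (n >= cap - *len)            /* n + 1 bytes needed, cap - *len available */
        return false;
    memcpy(out + *len, s, n + 1);   /* copies the NUL as well */
    *len += n;
    return true;
}

/* Returns true and fills out[] on success, false (out[] empty) if any field
 * would not fit in SESSION_BUF. */
bool build_session_safe(char out[SESSION_BUF], const char *sid, const char *user) {
    size_t len = 0;
    out[0] = '\0';
    bool ok = append_bounded(out, SESSION_BUF, &len, "sid=")
           && append_bounded(out, SESSION_BUF, &len, sid)
           && append_bounded(out, SESSION_BUF, &len, ";user=")
           && append_bounded(out, SESSION_BUF, &len, user);
    if (!ok)
        out[0] = '\0';
    return ok;
}

int main(void) {
    char buf[SESSION_BUF];
    char longsid[100];                      /* constructed oversized input */
    memset(longsid, 'a', sizeof longsid - 1);
    longsid[sizeof longsid - 1] = '\0';

    build_session_unsafe(buf, "abc", "bob");    /* only called with input that fits */
    printf("unsafe, short input: %s\n", buf);
    printf("safe, short input:   %s -> %s\n",
           build_session_safe(buf, "abc", "bob") ? "ok" : "rejected", buf);
    printf("safe, 99-byte sid:   %s\n",
           build_session_safe(buf, longsid, "bob") ? "ok" : "rejected");
    return 0;
}
```

The detection-side lesson is the same one the crash dump teaches: a daemon that dies on signal 10 with pc and ra both equal to a repeating byte pattern is being driven by unbounded input, and the fix is to fail the request at the bound check rather than to enlarge the buffer.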
# ./phyllophaga.py -h
usage: ./phyllophaga.py [-h] [-l HOST] [-p PORT] [-S] [-m SC_TYPE] [-L LISTEN_IP] [-P LISTEN_PORT] [-t TGT_NAME]
                        [-T TGT_OFFSET]

<3 phyllophaga, a summer spree in exploiting juniper devices <3

options:
  -h, --help            show this help message and exit
  -l HOST, --host HOST  host to attack
  -p PORT, --port PORT  port to attack (Default: 80)
  -S, --ssl             use SSL (Default: False)
  -m SC_TYPE, --shellcode SC_TYPE
                        shellcode to use (use -m? for more info, Default: reverse)
  -L LISTEN_IP, --listen-ip LISTEN_IP
                        Reverse SC: IP of the listener (Default: 127.0.0.1)
  -P LISTEN_PORT, --port-listen LISTEN_PORT
                        Reverse Port/Bind Port: Port to listen or connect to (Default: 42424)
  -t TGT_NAME, --target TGT_NAME
                        Juniper Target (use -t? for target list)
  -T TGT_OFFSET, --target-offset TGT_OFFSET
                        Juniper Target Offset, if you know better ...(use -T? for target list)
# ./phyllophaga.py -t?
[+] Targets:
------------------------------------------
Id  Version         Offset    Device
0   12.3X48-D50.6   3f******  srx550
1   15.1X49-D160.2  3f******  srx320
2   15.1X49-D70.3   3f******  srx320
3   17.4R1-S4.2     5b******  srx320
4   18.4R1-S1.3     5b******  srx320
5   19.1R1.6        5b******  srx320
Example trigger for tested versions:
CVE-2024-21591
Exploitation of the issue is trivial, as it is a vanilla stack-based overflow. The tested versions did not have any exploit mitigation techniques.
To protect the innocent, the exploit is not provided for now.
Curesec tested versions:
* Junos OS 12.3X48-D50.6
* Junos OS 15.1X49-D160.2
* Junos OS 15.1X49-D70.3
* Junos OS 17.4R1-S4.2
* Junos OS 18.4R1-S1.3
* Junos OS 19.1R1.6

Versions attested vulnerable by SIRT@Juniper:
* Junos OS versions earlier than 20.4R3-S9;
* Junos OS 21.2 versions earlier than 21.2R3-S7;
* Junos OS 21.3 versions earlier than 21.3R3-S5;
* Junos OS 21.4 versions earlier than 21.4R3-S5;
* Junos OS 22.1 versions earlier than 22.1R3-S4;
* Junos OS 22.2 versions earlier than 22.2R3-S3;
* Junos OS 22.3 versions earlier than 22.3R3-S2;
* Junos OS 22.4 versions earlier than 22.4R2-S2, 22.4R3.
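For fleet triage, the SIRT list above can be turned into a version check. The following is an added example written for this advisory, not a Juniper tool: it parses Junos release strings of the form MAJOR.MINOR R<n>-S<n> (e.g. 21.2R3-S7) and compares them against the fixed releases listed above. Releases on non-R trains such as 12.3X48-D50.6 are compared on MAJOR.MINOR only, which is sufficient because the first rule covers everything before 20.4; from 20.4 onward such trains are reported as "not listed", an assumption the reader should verify against the JSA.

```c
#include <stdio.h>
#include <string.h>

/* Parsed Junos release. train_r is 1 for the mainline R train (21.2R3-S7),
 * 0 for other trains (12.3X48-D50.6), where only major.minor is comparable. */
typedef struct { int major, minor, r, s, train_r; } junos_ver;

/* Returns 0 on success, -1 if the string does not start with MAJOR.MINOR. */
int junos_parse(const char *text, junos_ver *v) {
    int n = 0;
    memset(v, 0, sizeof *v);
    if (sscanf(text, "%d.%d%n", &v->major, &v->minor, &n) != 2 || n == 0)
        return -1;
    text += n;
    if (*text == 'R') {
        v->train_r = 1;
        if (sscanf(text, "R%d%n", &v->r, &n) != 1)
            return -1;
        text += n;
        /* optional service release suffix, e.g. "-S7"; a trailing ".6" build id is ignored */
        if (strncmp(text, "-S", 2) == 0 && sscanf(text, "-S%d", &v->s) != 1)
            return -1;
    }
    return 0;
}

static int cmp_mm(const junos_ver *a, const junos_ver *b) {
    if (a->major != b->major) return a->major - b->major;
    return a->minor - b->minor;
}

static int cmp_full(const junos_ver *a, const junos_ver *b) {
    int c = cmp_mm(a, b);
    if (c) return c;
    if (a->r != b->r) return a->r - b->r;
    return a->s - b->s;
}

/* First fixed release per train, copied from the SIRT list in this advisory.
 * 22.4R3 is also fixed, but R3 already sorts above R2-S2. */
static const char *FIXED[] = {
    "20.4R3-S9", "21.2R3-S7", "21.3R3-S5", "21.4R3-S5",
    "22.1R3-S4", "22.2R3-S3", "22.3R3-S2", "22.4R2-S2",
};

/* 1 = in SIRT's affected set, 0 = not listed as affected, -1 = unparseable. */
int junos_cve_2024_21591_affected(const char *text) {
    junos_ver v, f;
    if (junos_parse(text, &v) < 0)
        return -1;
    junos_parse(FIXED[0], &f);
    if (cmp_mm(&v, &f) < 0)          /* every train before 20.4 */
        return 1;
    if (!v.train_r)                  /* assumption: non-R trains >= 20.4 not in the list */
        return 0;
    for (size_t i = 0; i < sizeof FIXED / sizeof *FIXED; i++) {
        junos_parse(FIXED[i], &f);
        if (cmp_mm(&v, &f) == 0)
            return cmp_full(&v, &f) < 0 ? 1 : 0;
    }
    return 0;                        /* train not named by SIRT (e.g. 21.1, 23.x) */
}

int main(void) {
    /* constructed sample inventory: the tested versions plus a few boundary cases */
    const char *inventory[] = { "12.3X48-D50.6", "19.1R1.6", "20.4R3-S8",
                                "20.4R3-S9", "22.4R2-S1", "22.4R3", "23.2R1" };
    for (size_t i = 0; i < sizeof inventory / sizeof *inventory; i++)
        printf("%-14s -> %d\n", inventory[i], junos_cve_2024_21591_affected(inventory[i]));
    return 0;
}
```

Run against a "show version" export, a result of 1 means the host falls inside the affected ranges and should be patched or have J-Web disabled on untrusted interfaces.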