CVE-2024-21591 - Memory Corruption Juniper SRX / EX Line

Author: Marco Lux
Juniper Ident: JSA75729
Arch: MIPS
OS: JunOS (FreeBSD fork())
Updated: 11.02.2024


The Juniper SRX / EX line of firewalls and switches are vulnerable to a stack-based vanilla overflow in the session mechanism of the running web server. The vulnerability allows memory corruption and results in remote root code execution, without authentication.


During session negotiation a buffer concatenated with insecure strcat function, can be overflown and will create a scenario for abuse. A proper created request will crash/exploit the corresponding daemon in the function: "httpd_gk_session_update()"

0x2939ee58 in strcat () from /usr/lib/
(gdb) bt

0x2939ee58 in strcat () from /usr/lib/
0x00435724 in httpd_gk_session_update ()
0x3442cc84 in ?? ()

Crashing it with a simple pattern, have a look at pc: 0x616161e.

ADDRESS_ERR: pid 7116 (httpd-gk), uid 0: pc 0x6161616e got a read fault at 0x6161616e
Trapframe Register Dump:
zero: 0000000000000000  at: 0000000000000001  v0: 0000000000000000  v1: 0000000000000009
  a0: 0000000000000000  a1: 000000003fffb380  a2: 000000000000000b  a3: 0000000000000008
  t0: 000000003fffb388  t1: 000000003fffb38b  t2: 0000000000000002  t3: 0000000000000000
 ta0: 000000003ffff008 ta1: 000000003ffff008 ta2: 000000003ffff058 ta3: 000000003ffff038
  t8: 000000003ffff048  t9: 00000000293a36e0  s0: 000000006161616d  s1: 000000000000000d
  s2: 000000000000000d  s3: 00000000004f6000  s4: 0000000000539000  s5: 00000000288b33c0
  s6: 00000000004d3354  s7: 00000000004d3350  k0: 0000000000000000  k1: 0000000000000000
  gp: 00000000004e51b0  sp: 000000003fffbf28  s8: 000000002942cf28  ra: 000000006161616e
  sr: 0000000050808cf3 mullo: 000000000ccccccc    mulhi: 0000000000000007
  pc: 000000006161616e cause: 0000000000000010 badvaddr: 000000006161616e
pc address 0x6161616e is inaccessible, pte = 0x0
pid 7116 (httpd-gk), uid 0: exited on signal 10 (core dumped)
setsockopt(RTS_ASYNC_NEED_RESYNC) ignored (httpd-gk): client already active
exec_elf32_imgact: Running BTLB binary without the BTLB_FLAG env set


# ./ -h
usage: ./ [-h] [-l HOST] [-p PORT] [-S] [-m SC_TYPE] [-L LISTEN_IP] [-P LISTEN_PORT] [-t TGT_NAME]
                        [-T TGT_OFFSET]

3> phyllophaga, a summer spree in exploiting juniper devices <3

  -h, --help            show this help message and exit
  -l HOST, --host HOST  host to attack
  -p PORT, --port PORT  port to attack (Default: 80)
  -S, --ssl             use SSL (Default: False)
  -m SC_TYPE, --shellcode SC_TYPE
                        shellcode to use (use -m? for more info, Default: reverse)
  -L LISTEN_IP, --listen-ip LISTEN_IP
                        Reverse SC: IP of the listener (Default:
  -P LISTEN_PORT, --port-listen LISTEN_PORT
                        Reverse Port/Bind Port: Port to listen or connect to (Default: 42424)
  -t TGT_NAME, --target TGT_NAME
                        Juniper Target (use -t? for target list)
  -T TGT_OFFSET, --target-offset TGT_OFFSET
                        Juniper Target Offset, if you know better ...(use -T? for target list)
# ./ -t?
[+] Targets:
 Id             Version    Offset  Device
  0       12.3X48-D50.6  3f******  srx550                      
  1      15.1X49-D160.2  3f******  srx320                      
  2       15.1X49-D70.3  3f******  srx320                      
  3         17.4R1-S4.2  5b******  srx320                      
  4         18.4R1-S1.3  5b******  srx320   
  5            19.1R1.6  5b******  srx320   

Example trigger for tested versions: CVE-2024-21591
Exploitation of the issue is trivial, as it is a vanilla stack based overflow. The tested versions did not have any exploit mitigation techniques.
To protect the innocent, the exploit is not provided for now.

Vulnerable Versions

Curesec tested versions: 
* Junos OS 12.3X48-D50.6
* Junos OS 15.1X49-D160.2
* Junos OS 15.1X49-D70.3
* Junos OS 17.4R1-S4.2
* Junos OS 18.4R1-S1.3
* Junos OS 19.1R1.6
Versions attested vulnerable by SIRT@Juniper:
* Junos OS versions earlier than 20.4R3-S9; 
* Junos OS 21.2 versions earlier than 21.2R3-S7; 
* Junos OS 21.3 versions earlier than 21.3R3-S5; 
* Junos OS 21.4 versions earlier than 21.4R3-S5; 
* Junos OS 22.1 versions earlier than 22.1R3-S4; 
* Junos OS 22.2 versions earlier than 22.2R3-S3; 
* Junos OS 22.3 versions earlier than 22.3R3-S2; 
* Junos OS 22.4 versions earlier than 22.4R2-S2, 22.4R3.