Sense of Security – Security Advisory – SOS-13-003
| Field | Value |
|---|---|
| Vendor Notification Date | 27-Sep-2012 |
| Product | Juniper Junos J-Web |
| Affected versions | All builds prior to 2013-02-28 are affected |
| Attack Vector | From remote with read-only authentication |
| Solution Status | Vendor patch (not verified by SOS) |
| Workaround | Disable J-Web or limit access |
| CVE reference | Not yet assigned |
J-Web is a GUI-based network management application used on Junos devices.
The web application is vulnerable to remote code execution, which permits privilege escalation. The file /jsdm/ajax/port.php allows execution of arbitrary user-supplied PHP code via the rs POST parameter. The code executes with UID=0 (root) privileges but is confined to a chroot. Privilege escalation can be achieved by waiting for an administrator to log in and reading the contents of /tmp to hijack their session.
Proof of Concept.
Code execution: Execute a command inside the chroot:
Privilege escalation: Read /tmp and hijack a session
All Junos OS software releases built on or after 2013-02-28 have fixed this specific issue. This fix has not been validated by SOS. As a workaround, disable J-Web or limit access to only trusted hosts. This issue is being tracked as PR 826518 and is visible on the Juniper Customer Support website.
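An added example, not part of the original advisory or of Juniper's tooling: triaging web access logs for POST requests to /jsdm/ajax/port.php and flagging sources outside the trusted management networks. The Common Log Format layout, the `triage` function, the sample lines, user names and addresses are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote

VULN_PATH = "/jsdm/ajax/port.php"  # endpoint named in the advisory

# Assumption: Common Log Format, e.g. from a proxy in front of J-Web.
CLF = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def triage(lines, trusted_cidrs):
    """Return one finding per POST to VULN_PATH; 'trusted' is False when the
    source is outside every network in trusted_cidrs."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = CLF.match(line)
        if not m or m["method"] != "POST":
            continue
        # Drop the query string, decode %-escapes, collapse repeated slashes.
        path = re.sub(r"/+", "/", unquote(m["uri"].split("?", 1)[0]))
        if path != VULN_PATH:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
            is_trusted = any(src in net for net in trusted)
        except ValueError:
            is_trusted = False  # hostname or malformed address
        findings.append({"line": lineno, "src": m["src"], "user": m["user"],
                         "status": int(m["status"]), "trusted": is_trusted})
    return findings

# Constructed sample lines (not real traffic); 10.0.0.0/24 stands in for the
# management network, 198.51.100.0/24 is a documentation range.
SAMPLE = [
    '10.0.0.5 - admin [27/Sep/2012:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '10.0.0.5 - admin [27/Sep/2012:10:01:09 +0000] "POST /jsdm/ajax/port.php HTTP/1.1" 200 312',
    '198.51.100.23 - viewer [27/Sep/2012:10:04:41 +0000] "POST /jsdm//ajax/port.php?x=1 HTTP/1.1" 200 87',
    '198.51.100.23 - viewer [27/Sep/2012:10:04:50 +0000] "GET /jsdm/ajax/port.php HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for f in triage(SAMPLE, ["10.0.0.0/24"]):
        tag = "ok" if f["trusted"] else "UNTRUSTED SOURCE"
        print(f"line {f['line']}: POST {VULN_PATH} from {f['src']} "
              f"as {f['user']} -> {f['status']} [{tag}]")
```

Access logs in this format do not record the POST body, so a hit shows only that the endpoint was reached, not what was sent in `rs`.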
Sense of Security Labs.