In this Section

Security Advisory – Juniper Junos J-Web Privilege Escalation Vulnerability


Sense of Security – Security Advisory – SOS-13-003

Release Date. 10-Sep-2013
Last Update.
Vendor Notification Date. 27-Sep-2012
Product. Juniper Junos J-Web
Platform. Junos
Affected versions. All builds prior to 2013-02-28 are affected
Severity Rating. Medium
Impact. Privilege escalation
Attack Vector. From remote with read-only authentication
Solution Status. Vendor patch (not verified by SOS)
  Disable J-Web or limit access
CVE reference. CVE- Not yet assigned



The J-Web is a GUI based network management application used on Junos devices.

The web application is vulnerable to a remote code execution vulnerability which permits privilege escalation. The file /jsdm/ajax/port.php allows execution of arbitrary user supplied PHP code via the rs POST parameter. Code executes with UID=0 (root) privileges, however you are confined to a chroot. Privilege escalation can be achieved by waiting for an administrator to log in and reading the contents of /tmp to hijack their session.


Proof of Concept.

Code execution: Execute a command inside the Chroot:
POST /jsdm/ajax/port.php
rs=exec&rsargs[]=echo “hello”

Privilege escalation: Read /tmp and hijack a session
POST /jsdm/ajax/port.php



All Junos OS software releases built on or after 2013-02-28 have fixed this specific issue. This fix has not been validated by SOS. As a workaround disable J-Web, or limit access to only trusted hosts. This issue is being tracked as PR 826518 and is visible on the Juniper Customer Support website.


Discovered by.

Sense of Security Labs.