In the J-Web Web interface, which is used in Juniper network devices equipped with the Junos, revealed a few vulnerabilities, the most dangerous of which (CVE-2022-22241) allows you to remotely do your code in the system through the sending of a specially designed HTTP request. Juniper equipment users are recommended to install Firmware update , and if this is impossible, make sure that access to the Web interface is blocked from external networks and is limited only by the trusting hosts.
The essence of the vulnerability is that the file path transmitted by the user is processed in the script /jsdm/ajax/loging_browse.php without filtering the prefix with the type of content at the stage before authentication verification. The attacker can convey the malicious PHAR file under the guise of images and achieve the execution of the PHP code placed by the PHAR archive using the Phar deserialization attack method (for example, indicating in the request “Filepath = Phar:/Put/pharfile.jpg).
The problem is that when checking a uploaded file using the IS_DIR () PHP function, this function automatically performs the deserization of metadata from the PHAR archive (PHP Archive) when processing paths starting with “PHAR: //”. A similar effect is observed when processing the file tracks transferred by the user in the functions File_get_contents (), fopen (), file (), file_exists (), md5_file (), filemtime () and filesize ().
..
The attack is complicated by the fact that in addition to initiating the implementation of the PHAR archive, the attacker must find a way to load it (through the appeal of K /jsdm/ajax/loging_browse.php can only indicate the path to perform an existing file). Of the possible scenarios of files on the device, the PHAR file is mentioned under the guise of the picture through the image transmission service and the substitution of the file to the Web Content cache.
Other vulnerabilities:
- cve-2022-22242-substitution of non-finished external parameters to the output of the Error.php script, which allows to achieve intersyight scripting and perform an arbitrary JavaScript code in the user’s browser when crossing the link (for example, “https:” https_ip/eror.php ? Server_name = “. Vulnerability can be used to intercept the parameters of the administrator’s session, if the attackers manage to achieve the opening by the administrator of a specially executed link.
- CVE-2022-22243, CVE-2022-22244-substitution of XPATH expressions through JSDM/Ajax/Wizards/Setup/Setup.php and /modules/Monitor/InterFace.php, allows you to manipulate the authenticated user. .