Vulnerabilities in the web interface of Juniper network devices shipped with JunOS

Several vulnerabilities have been identified in J-Web, the web interface of Juniper network devices running the JunOS operating system. The most dangerous of them (CVE-2022-22241) allows unauthenticated remote code execution on the device by sending a specially crafted HTTP request. Users of Juniper equipment are advised to install a firmware update; if that is not possible, they should block access to the web interface from external networks and restrict it to trusted hosts only.

The essence of the vulnerability is that the /jsdm/ajax/logging_browse.php script processes a user-supplied file path without filtering the stream-wrapper prefix (the "scheme" part of the path), and does so before the authentication check. An attacker can upload a malicious phar file disguised as an image and achieve execution of the PHP code placed in the phar archive using the "Phar deserialization" attack technique (for example, by specifying "filepath=phar:/path/pharfile.jpg" in the request).

The underlying problem is that when the script checks the file with PHP's is_dir() function, that function automatically deserializes the metadata of a Phar archive (PHP Archive) when handling paths beginning with "phar://". The same behaviour occurs when user-supplied file paths are processed by file_get_contents(), fopen(), file(), file_exists(), md5_file(), filemtime(), and filesize().

The attack is complicated by the fact that, besides triggering the processing of a phar archive, the attacker must find a way to get the archive onto the device (through /jsdm/ajax/logging_browse.php one can only specify the path of a file that already exists). Among the possible scenarios for getting a file onto the device, the report mentions uploading a phar file disguised as an image through an image upload service and having it planted in the web content cache.
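As an added illustration of the defensive side (this is not J-Web's code, and the function name, the assumed log directory and the request parameter are assumptions), the following PHP shows how a user-supplied path should be validated before it reaches is_dir() or any of the other functions listed above: the stream-wrapper prefix that enables Phar deserialization is rejected outright, traversal is refused rather than "cleaned", and the resolved path is confined to one directory.

```php
<?php
// Added example (not J-Web's code): validate a user-supplied path before
// passing it to is_dir()/file_get_contents() and similar functions, which
// honour stream wrappers such as phar:// and would otherwise deserialize
// Phar metadata. safeLogPath, $logDir and the 'filepath' parameter are assumed.

function safeLogPath(string $userPath, string $baseDir): ?string
{
    // 1. Reject any stream-wrapper prefix (phar://, data://, php://, ...).
    //    Only bare filesystem paths are acceptable here.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $userPath)) {
        return null;
    }
    // 2. Reject NUL bytes, which truncate paths in the underlying C calls.
    if (strpos($userPath, "\0") !== false) {
        return null;
    }
    // 3. Refuse traversal segments instead of trying to strip them out
    //    (stripping is what went wrong in the Upload.php case below).
    foreach (preg_split('#[/\\\\]+#', $userPath) as $segment) {
        if ($segment === '..') {
            return null;
        }
    }
    // 4. Resolve symlinks and normalise; realpath() returns false if missing.
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . ltrim($userPath, '/\\'));
    if ($base === false || $full === false) {
        return null;
    }
    // 5. Enforce that the resolved path stays inside the base directory.
    if ($full !== $base
        && strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

// Usage: run this only after authentication, and let only a validated
// path reach is_dir().
$logDir    = '/var/log';                 // assumed log directory
$requested = $_GET['filepath'] ?? '';    // assumed request parameter
$path      = safeLogPath($requested, $logDir);
if ($path === null) {
    http_response_code(400);
    exit('invalid path');
}
$isDirectory = is_dir($path);            // no wrapper prefix can reach here
```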

Other vulnerabilities:

  • CVE-2022-22242 - Unfiltered external parameters are reflected in the output of the error.php script, allowing cross-site scripting and execution of arbitrary JavaScript code in the user's browser when a link is opened (for example, "https://JUNOS_IP/error.php?SERVER_NAME= alert(0) "). The vulnerability could be used to steal administrator session parameters if an attacker succeeds in getting the administrator to open a specially crafted link.
  • CVE-2022-22243, CVE-2022-22244 - XPath expression injection via the jsdm/ajax/wizards/setup/setup.php and /modules/monitor/interfaces/interface.php scripts allows an unprivileged authenticated user to manipulate administrator sessions.
  • CVE-2022-22245 - Failure to properly sanitize the ".." sequence in paths processed by the Upload.php script allows an authenticated user to upload their own PHP file into a directory from which PHP scripts are executed (for example, by passing the path "fileName=\. .\..\..\..\www\dir\new\shell.php").
  • CVE-2022-22246 - An authenticated user can cause an arbitrary local PHP file to be executed by manipulating the jrest.php script, in which external parameters are used to build the name of the file loaded by "require_once()" (for example, "/jrest.php?payload=alol/lol/any\..\..\..\..\any\file").

Source: opennet.ru