
CVE-2024-21591 - Juniper Remote Root Exploit

Intro

Working as a network spelunker, I would say I find an awesome vulnerability once every two years. I'm not talking about those bugs in random applications or devices. No, a bug that is high profile, which would have some impact if used by a malicious actor. This is one of those very few bugs I can count on my public list.

This post had been published at curesec GmbH in Germany in the past. There will be a neat follow-up this year - yeah, I am talking about 2026 ;-)


CVE-2024-21591 - Memory Corruption Juniper SRX / EX Line

  • Juniper Ident: JSA75729
  • Arch: MIPS
  • OS: JunOS (FreeBSD fork())
  • Author: dash


Overview

The Juniper SRX / EX line of firewalls and switches is vulnerable to a vanilla stack-based overflow in the session mechanism of the running web server (J-Web). The vulnerability allows memory corruption and results in remote code execution as root, without authentication.


Details

During session negotiation, a buffer that is concatenated with the insecure strcat function can be overflown, which creates a scenario for abuse. A properly crafted request will crash/exploit the corresponding daemon (httpd-gk) in the function httpd_gk_session_update():

0x2939ee58 in strcat () from /usr/lib/libc.so.6
(gdb) bt

0x2939ee58 in strcat () from /usr/lib/libc.so.6
0x00435724 in httpd_gk_session_update ()
0x3442cc84 in ?? ()

Crashing it with a simple pattern; have a look at pc: 0x6161616e, which is the ASCII bytes "aaan" of the pattern, and at ra, which holds the same value.

ADDRESS_ERR: pid 7116 (httpd-gk), uid 0: pc 0x6161616e got a read fault at 0x6161616e
Trapframe Register Dump:
zero: 0000000000000000  at: 0000000000000001  v0: 0000000000000000  v1: 0000000000000009
  a0: 0000000000000000  a1: 000000003fffb380  a2: 000000000000000b  a3: 0000000000000008
  t0: 000000003fffb388  t1: 000000003fffb38b  t2: 0000000000000002  t3: 0000000000000000
 ta0: 000000003ffff008 ta1: 000000003ffff008 ta2: 000000003ffff058 ta3: 000000003ffff038
  t8: 000000003ffff048  t9: 00000000293a36e0  s0: 000000006161616d  s1: 000000000000000d
  s2: 000000000000000d  s3: 00000000004f6000  s4: 0000000000539000  s5: 00000000288b33c0
  s6: 00000000004d3354  s7: 00000000004d3350  k0: 0000000000000000  k1: 0000000000000000
  gp: 00000000004e51b0  sp: 000000003fffbf28  s8: 000000002942cf28  ra: 000000006161616e
  sr: 0000000050808cf3 mullo: 000000000ccccccc    mulhi: 0000000000000007
  pc: 000000006161616e cause: 0000000000000010 badvaddr: 000000006161616e
pc address 0x6161616e is inaccessible, pte = 0x0
pid 7116 (httpd-gk), uid 0: exited on signal 10 (core dumped)
setsockopt(RTS_ASYNC_NEED_RESYNC) ignored (httpd-gk): client already active
exec_elf32_imgact: Running BTLB binary without the BTLB_FLAG env set
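To show the bug class behind this crash without touching a real device, here is an added illustration that is not Juniper's code and not the exploit: a session string built by unchecked strcat-style appends into a fixed-size buffer, modelled on a flat byte array that places a "saved return address" right after the buffer (big-endian like MIPS, so the clobbered value reads 0x6161616e exactly as in the trapframe dump above). The function names, the 32-byte capacity, the "sid=/;tok=" layout and the inputs are all invented; the legitimate return address placeholder 0x00435724 is taken from the backtrace on this page. The hardened variant beside it refuses oversized input instead of writing past the buffer.

```c
/* Added illustration of the strcat overflow pattern described above.
 * NOT Juniper's code: names, sizes and layout are invented so the model
 * stays inside one array and never corrupts the real stack. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SESS_CAP    32                    /* modelled session buffer size (invented) */
#define RA_OFF      SESS_CAP              /* the "saved ra" sits right after the buffer */
#define STACK_MODEL (SESS_CAP + 4 + 16)   /* buffer + ra + a little more "stack" */

/* One modelled stack frame: session buffer, then the saved ra, then other data. */
struct frame { uint8_t bytes[STACK_MODEL]; };

static void frame_init(struct frame *f, uint32_t saved_ra) {
    memset(f->bytes, 0, sizeof f->bytes);
    /* stored big-endian like MIPS, so the value matches the trapframe dump byte-for-byte */
    f->bytes[RA_OFF + 0] = (uint8_t)(saved_ra >> 24);
    f->bytes[RA_OFF + 1] = (uint8_t)(saved_ra >> 16);
    f->bytes[RA_OFF + 2] = (uint8_t)(saved_ra >> 8);
    f->bytes[RA_OFF + 3] = (uint8_t)saved_ra;
}

static uint32_t frame_saved_ra(const struct frame *f) {
    return (uint32_t)f->bytes[RA_OFF] << 24 | (uint32_t)f->bytes[RA_OFF + 1] << 16 |
           (uint32_t)f->bytes[RA_OFF + 2] << 8 | f->bytes[RA_OFF + 3];
}

/* strcat-style append that trusts the destination to be large enough (the bug pattern).
 * The only check is the model's own guard, which keeps the write inside f->bytes;
 * libc strcat has no guard at all. */
static void legacy_cat(struct frame *f, const char *src) {
    size_t n = strlen((const char *)f->bytes);
    size_t add = strlen(src);
    if (n + add + 1 > sizeof f->bytes) abort();   /* model guard only */
    memcpy(f->bytes + n, src, add + 1);           /* may run past SESS_CAP into the ra slot */
}

/* Vulnerable shape: "sid=<sid>;tok=<token>" built by unchecked appends.
 * Returns the saved return address as it would be restored on function exit. */
static uint32_t session_update_vulnerable(const char *sid, const char *token) {
    struct frame f;
    frame_init(&f, 0x00435724u);   /* placeholder legitimate ra, taken from the page's backtrace */
    legacy_cat(&f, "sid=");
    legacy_cat(&f, sid);
    legacy_cat(&f, ";tok=");
    legacy_cat(&f, token);
    return frame_saved_ra(&f);
}

/* Hardened append: checks the remaining capacity (NUL included) and refuses
 * rather than writing past the end of dst. */
static bool bounded_cat(char *dst, size_t cap, const char *src) {
    const char *nul = memchr(dst, 0, cap);
    size_t used = nul ? (size_t)(nul - dst) : cap;
    size_t add = strlen(src);
    if (used >= cap || add >= cap - used) return false;
    memcpy(dst + used, src, add + 1);
    return true;
}

/* Hardened shape: same string, but an oversized request is rejected with -1
 * instead of corrupting the frame. */
static int session_update_hardened(const char *sid, const char *token, char *out, size_t cap) {
    if (cap == 0) return -1;
    out[0] = '\0';
    if (!bounded_cat(out, cap, "sid=") || !bounded_cat(out, cap, sid) ||
        !bounded_cat(out, cap, ";tok=") || !bounded_cat(out, cap, token))
        return -1;
    return 0;
}

int main(void) {
    /* constructed inputs: a benign token and a 24-byte over-long token ending in "aaan" */
    const char *benign = "xyz";
    const char *overlong = "aaaaa" "aaaaa" "aaaaa" "aaaaa" "aaan";
    char out[SESS_CAP];

    printf("vulnerable, benign  : ra=0x%08x\n", session_update_vulnerable("abc", benign));
    printf("vulnerable, overlong: ra=0x%08x\n", session_update_vulnerable("abc", overlong));
    printf("hardened,   benign  : rc=%d out=%s\n",
           session_update_hardened("abc", benign, out, sizeof out), out);
    printf("hardened,   overlong: rc=%d\n", session_update_hardened("abc", overlong, out, sizeof out));
    return 0;
}
```

With the benign token the saved ra survives; with the over-long one the bytes "aaan" land in the ra slot and the model reports 0x6161616e, the same value the real httpd-gk tried to jump to. The hardened path returns -1 for that request and leaves the frame untouched, which is the behaviour an input-length check in front of the concatenation gives you; the vendor's actual fix is in the releases listed below.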

Exploit

# ./phyllophaga.py -h
usage: ./phyllophaga.py [-h] [-l HOST] [-p PORT] [-S] [-m SC_TYPE] [-L LISTEN_IP] [-P LISTEN_PORT] [-t TGT_NAME]
                        [-T TGT_OFFSET]

3> phyllophaga, a summer spree in exploiting juniper devices <3

options:
  -h, --help            show this help message and exit
  -l HOST, --host HOST  host to attack
  -p PORT, --port PORT  port to attack (Default: 80)
  -S, --ssl             use SSL (Default: False)
  -m SC_TYPE, --shellcode SC_TYPE
                        shellcode to use (use -m? for more info, Default: reverse)
  -L LISTEN_IP, --listen-ip LISTEN_IP
                        Reverse SC: IP of the listener (Default: 127.0.0.1)
  -P LISTEN_PORT, --port-listen LISTEN_PORT
                        Reverse Port/Bind Port: Port to listen or connect to (Default: 42424)
  -t TGT_NAME, --target TGT_NAME
                        Juniper Target (use -t? for target list)
  -T TGT_OFFSET, --target-offset TGT_OFFSET
                        Juniper Target Offset, if you know better ...(use -T? for target list)
# ./phyllophaga.py -t?

[+] Targets:
------------------------------------------
 Id             Version    Offset  Device
  0       12.3X48-D50.6  3f******  srx550                      
  1      15.1X49-D160.2  3f******  srx320                      
  2       15.1X49-D70.3  3f******  srx320                      
  3         17.4R1-S4.2  5b******  srx320                      
  4         18.4R1-S1.3  5b******  srx320   
  5            19.1R1.6  5b******  srx320   

Example trigger for tested versions: CVE-2024-21591

Exploitation of the issue is trivial, as it is a vanilla stack-based overflow. The tested versions did not have any exploit mitigation techniques. To protect the innocent, the exploit is not provided for now.


Exploit: Tested Versions

Version          Branch
12.3X48-D50.6    12.3X48
15.1X49-D160.2   15.1X49
15.1X49-D70.3    15.1X49
17.4R1-S4.2      17.4
18.4R1-S1.3      18.4
19.1R1.6         19.1


Vulnerable Versions Confirmed by Juniper SIRT

Branch   Vulnerable versions
< 20.4   All versions before 20.4R3-S9
21.2     All versions before 21.2R3-S7
21.3     All versions before 21.3R3-S5
21.4     All versions before 21.4R3-S5
22.1     All versions before 22.1R3-S4
22.2     All versions before 22.2R3-S3
22.3     All versions before 22.3R3-S2
22.4     All versions before 22.4R2-S2 / 22.4R3


Timeline

  • 07.07.2023 Vulnerability sent to Juniper
  • 26.01.2024 Juniper releases advisory


Mentions

  • https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Security-Vulnerability-in-J-web-allows-a-preAuth-Remote-Code-Execution-CVE-2024-21591?language=en_US
  • https://nvd.nist.gov/vuln/detail/CVE-2024-21591
  • https://censys.com/blog/cve-2024-21591-juniper-j-web-oob-write-vulnerability
  • https://cert.europa.eu/publications/security-advisories/2024-008/markdown