A Path Traversal vulnerability (CVE-2022-22245) has been identified in the J-Web component of Juniper Networks Junos OS. When exploited by an authenticated attacker, this vulnerability allows for the uploading of arbitrary files to the device, bypassing validation checks. However, it is worth noting that the attacker should not be able to execute the file due to the validation checks built into Junos OS. If successfully exploited, this vulnerability could seriously impact the filesystem integrity of affected devices.

Exploit Details

The vulnerability exists due to insufficient validation of user-supplied paths in the J-Web component's file upload functionality. By exploiting the Path Traversal vulnerability, an authenticated attacker can bypass built-in validation checks, allowing them to upload arbitrary files to the device.

Below is a sample code snippet that demonstrates a possible exploit scenario:

POST /jweb/upload-file HTTP/1.1
Host: target_device_ip
Content-Length: length_of_file_and_filename
Content-Type: multipart/form-data; boundary=my_boundary

--my_boundary
Content-Disposition: form-data; name="target_file"; filename="../upload_path/evil_file.ext"
Content-Type: application/octet-stream

file_contents_here
--my_boundary--

In this example, the attacker sends a crafted HTTP POST request that uses a relative path ../upload_path/evil_file.ext to bypass the validation checks and upload the arbitrary file to the device.
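The server-side check whose absence makes the request above work, shown as an added example (not Juniper's code and not taken from the advisory). It sets a constructed extension-only check beside a hardened one that accepts only a single path component and confirms the resolved path stays inside the upload directory. `UPLOAD_ROOT`, the function names and the extension rule are assumptions made for illustration.

```python
import os
from email.message import Message

UPLOAD_ROOT = "/var/tmp/uploads"  # assumed upload directory, not a Junos path
# Constructed sample: the Content-Disposition value from the request above.
SAMPLE_HEADER = ('form-data; name="target_file"; '
                 'filename="../upload_path/evil_file.ext"')

def filename_from_disposition(header_value):
    """Extract the filename parameter from a Content-Disposition value."""
    msg = Message()
    msg["Content-Disposition"] = header_value
    return msg.get_filename()

def naive_destination(filename, root=UPLOAD_ROOT):
    """Insufficient (hypothetical) check: tests the extension, joins the raw name."""
    if not filename.endswith(".ext"):
        raise ValueError("extension not allowed")
    return os.path.join(root, filename)

def safe_destination(filename, root=UPLOAD_ROOT):
    """Accept only a bare file name, then verify containment after resolution."""
    if not filename or "\x00" in filename:
        raise ValueError("empty or NUL-containing filename")
    # Treat both separator styles as separators, whatever the host OS is.
    if "/" in filename or "\\" in filename or filename in (".", ".."):
        raise ValueError("filename must be a single path component")
    root_real = os.path.realpath(root)
    dest = os.path.realpath(os.path.join(root_real, filename))
    # Defence in depth: a symlink inside the root must not lead outside it.
    if os.path.commonpath([root_real, dest]) != root_real:
        raise ValueError("resolved path escapes upload root")
    return dest

def check(header_value):
    """Return (path the naive check would write to, hardened outcome)."""
    name = filename_from_disposition(header_value)
    naive = os.path.normpath(naive_destination(name))
    try:
        hardened = safe_destination(name)
    except ValueError as exc:
        hardened = "rejected: %s" % exc
    return naive, hardened
```

The naive path passes its extension test yet resolves to a sibling of the upload directory, while the hardened function rejects the same name before any file is written.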

Juniper Networks has published the following security advisory regarding this vulnerability:

- Juniper Networks Security Advisory: JSA11355

Recommendation

Users running affected versions of Juniper Networks Junos OS should immediately apply the appropriate software updates provided by Juniper Networks. The updated versions can be found in the security advisory and are listed above in the "Affected Versions" section.

Furthermore, users should consider implementing additional security best practices, such as limiting access to J-Web only to trusted networks and devices, as well as using strong authentication methods.

*Please note that the information in this post is for educational purposes only. Always ensure you have permission before attempting to exploit any vulnerabilities on any systems.*

Timeline

Published on: 10/18/2022 03:15:00 UTC