This vulnerability scanner can be used to scan Juniper firewalls to determine if they are vulnerable to CVE-2023-36845. Because this is built on top of go-exploit, this scanner has two phases:
- Target verification to ensure the target is a potentially impacted Juniper firewall.
- Target exploitation in which the scanner sends an
LD_PRELOADmessage to generate a (harmless) error message from vulnerable systems.
For more details on exploiting CVE-2023-36845 see our blog, Fileless Remote Code Execution on Juniper Firewalls.
You can use the makefile to build a docker container:
make docker
Or, if you have a Go build environment ready to go, just use make:
albinolobster@mournland:~/cve-2023-36845-scanner$ make
gofmt -d -w scan.go
golangci-lint run --fix scan.go
GOOS=linux GOARCH=arm64 go build -o build/scan_linux-arm64 scan.goThe tool is built on top of go-exploit, so there are multipe ways to provide targets to scan. A full description can be found in the project's scanning documentation. However, the following shows some examples:
$ ./build/scan_linux-arm64 -a -v -e -rhost 10.12.72.1 -log-json=true | jq 'select(.msg == "Vulnerable")'
{
"time": "2023-09-16T06:18:01.964471183-04:00",
"level": "SUCCESS",
"msg": "Vulnerable",
"vulnerable": true,
"rhost": "10.12.72.1",
"rport": 80
}$ ./build/scan_linux-arm64 -a -v -e -rhosts 10.12.72.1,10.12.72.2
time=2023-09-16T06:19:26.592-04:00 level=STATUS msg="Starting target" index=0 host=10.12.72.1 port=80 ssl=false "ssl auto"=true
time=2023-09-16T06:19:36.607-04:00 level=STATUS msg="Validating JunOS Web Interface target" host=10.12.72.1 port=80
time=2023-09-16T06:19:37.528-04:00 level=SUCCESS msg="Target validation succeeded!" host=10.12.72.1 port=80
time=2023-09-16T06:19:37.574-04:00 level=SUCCESS msg=Vulnerable vulnerable=true rhost=10.12.72.1 rport=80
time=2023-09-16T06:19:37.575-04:00 level=STATUS msg="Exploit successfully completed"
time=2023-09-16T06:19:37.575-04:00 level=STATUS msg="Starting target" index=1 host=10.12.72.2 port=80 ssl=false "ssl auto"=true
time=2023-09-16T06:19:37.575-04:00 level=STATUS msg="Validating JunOS Web Interface target" host=10.12.72.2 port=80
time=2023-09-16T06:19:37.576-04:00 level=ERROR msg="The target isn't recognized as JunOS Web Interface, quitting" host=10.12.72.2 port=80go-exploit provides the ability to scan via a provided target csv, where the csv is: host, port, anything if ssl is enabled (although the SSL field is ignored if -a is used). Please see the scanning documentation for full details. It also provides the ability to scan through a proxy. The command works like so:
$ ./build/scan_linux-arm64 -v -e -rhosts-file ~/junos/junos.targets.csv -proxy socks5://127.0.0.1:9050 -log-file vulnscan.json
^C
$ tail vulnscan.json
time=2023-09-17T05:11:19.256-04:00 level=STATUS msg="Starting target" index=0 host=x port=443 ssl=true "ssl auto"=false
time=2023-09-17T05:11:19.256-04:00 level=STATUS msg="Validating JunOS Web Interface target" host=x port=443
time=2023-09-17T05:11:29.257-04:00 level=ERROR msg="HTTP request error: Get \"https://x:443/\": context deadline exceeded (Client.Timeout exceeded while awaiting headers)"
time=2023-09-17T05:11:29.257-04:00 level=ERROR msg="The target isn't recognized as JunOS Web Interface, quitting" host=x port=443
time=2023-09-17T05:11:29.257-04:00 level=STATUS msg="Starting target" index=1 host=x port=80 ssl=false "ssl auto"=false
time=2023-09-17T05:11:29.257-04:00 level=STATUS msg="Validating JunOS Web Interface target" host=xport=80