CVE-2020-1631| Juniper HTTP/HTTPS·þÎñ°²È«·ì϶¹«¸æ

°ä²¼¹¦·ò 2020-04-30

0x00 ·ì϶¸ÅÊö


±¦ÔËÀ³¡¤(ÖйúÇø)×îйٷ½ÍøÕ¾


0x01 ·ì϶ÏêÇé


±¦ÔËÀ³¡¤(ÖйúÇø)×îйٷ½ÍøÕ¾



2020Äê4ÔÂ28ÈÕ £¬Juniper¹Ù·½°ä²¼ÁËJunos OSÉ豸»ùÓÚHTTP/HTTPSºÍJ-Web·þÎñ´æÔÚ±¾µØÎļþÔ̺¬¡¢ºÅÁî×¢ÈëµÈ°²È«·ì϶µÄ²¼¸æ ¡£

Juniper Networks Junos OSÊÇÃÀ¹úÕ°²©ÍøÂ磨Juniper Networks£©¹«Ë¾µÄÒ»Ì×רÓÃÓڸù«Ë¾µÄÓ²¼þÉ豸µÄÍøÂç²Ù×÷ϵͳ ¡£¸Ã²Ù×÷ϵͳÌṩÁË°²È«±à³Ì½Ó¿ÚºÍJunos SDK ¡£

Junos OSÉ豸µÄJ-Web¡¢WebÉí·ÝÑé֤ģ¿é¡¢¶¯Ì¬VPN£¨DVPN£© £¬ºÍ´øÓÐWeb³Á¶¨ÏòµÄ·À»ðǽÉí·ÝÑéÖ¤¡¢Áã½Ó´¥ÅäÖã¨ZTP£©ËùʹÓõÄHTTP/HTTPS·þÎñÖдæÔÚ°²È«·ì϶ £¬Î´¾­Éí·ÝÑéÖ¤µÄ¹¥»÷ÕßÄܹ»Ö´Ðб¾µØÎļþÔ̺¬£¨LFI£©»òõ辶±éÀú ¡£

¹¥»÷Õß¿ÉÄÜͨ¹ý½«ºÅÁî×¢Èëµ½httpd.logÈÕÖ¾ÖÐ £¬ÒÔ¾ßÓÓ×°world¡±¿É¶ÁÎļþµÄȨÏÞ¶ÁÈ¡Îļþ £¬»òÕß»ñÈ¡J-Web»á»°ÁîÅÆ ¡£

ÔÚºÅÁî×¢ÈëµÄÇé¿öÏ £¬ÓÉÓÚHTTP·þÎñÒÔ¡°nobody¡±Óû§Éí·ÝÔËÐÐ £¬ËùÒÔÓ°ÏìÊÇÓÐÏÞµÄ £¬CVSSÆÀ·Ö5.3 ¡£

ÔÚJunos OS 19.3R1¼°¸ü¸ß°æ±¾ÖÐ £¬Î´¾­Éí·ÝÑéÖ¤µÄ¹¥»÷Õß½«¿ÉÄÜͨ¹ý¾ßÓÓ×°world¡±¿É¶ÁȨÏÞ¶ÁÈ¡ÅäÖÃÎļþ £¬CVSSÆÀ·Ö5.9 ¡£

ÈôÊÇÆôÓÃJ-Web £¬¹¥»÷ÕßÄܹ»»ñµÃÓëµÇ¼J-WebµÄÈκÎÈËÒ»ÑùµÄ½Ó¼û¼¶±ð ¡£ÈôÊÇÖÎÀíÔ±µÇ¼ £¬Ôò¹¥»÷ÕßÄܹ»»ñµÃÖÎÀíÔ±¶ÔJ-WebµÄ½Ó¼ûȨÏÞ £¬CVSSÆÀ·Ö8.8 ¡£


0x02 ´ëÖý¨Òé


ʵʱÏÂÔز¢×°Öøüз¨Ê½ºÍ²¹¶¡ £¬ÏÂÔØÁ´½Ó£ºhttps://www.juniper.net/support/downloads/ ¡£

һʱ´ëÊ©£º

¸Ã·ì϶ÖØÒªÓ°ÏìÆôÓÃÁËHTTP/HTTPS·þÎñµÄJuniper Networks Junos OSÉ豸 £¬½ûÓÃHTTP/HTTPS·þÎñµÄJunos OSÉ豸²»ÊÜÓ°Ïì ¡£

Äܹ»Í¨¹ýÒÔϺÅÁîÈ·ÈÏhttpdÊÇ·ñÆô¶¯£º

user@device> show system processes | match http

5260 - S 0:00.13 /usr/sbin/httpd-gk -N

5797 - I 0:00.10 /usr/sbin/httpd--config /jail/var/etc/httpd.conf

ÈôÊÇ¿´µ½¹ý³Ì´æÔÚ £¬Ôò°µÊ¾·þÎñÆô¶¯ ¡£

ͬʱÄܹ»ÅŲéÈÕÖ¾ÖÐÊÇ·ñÒѾ­´æÔÚÀûÓÃÕâÒ»·ì϶µÄ¹¥»÷³¢ÊÔ £¬ºÅÁîʾÀý£º

user@device> show log httpd.log | match "=*;*&|=*%3b*&"

user@device> show log httpd.log.0.gz | match "=*;*&|=*%3b*&"

user@device> show log httpd.log.1.gz | match "=*;*&|=*%3b*&"

ÈôÊÇ·¢ÏÖÓÐ"=*;*&"»ò"*%3b*&"Ìصã £¬¿ÉÄÜ°µÊ¾Óг¢ÊÔ¹¥»÷ÐÐΪÒѾ­²úÉú £¬½¨Ò龡¿ìÉý¼¶É豸²¢×öÈ«ÃæÍþв·ÖÎö £¬Í¬Ê±¹¥»÷ÕßÒ²¿ÉÄÜ»áËãÕÊÈÕÖ¾½â³ý¹¥»÷ºÛ¼£ ¡£

»ùÓÚHTTP/HTTPS·þÎñÓйØÅäÖýÚʾÀý²Î¿¼£º

[system services web-management http]

[system services web-management https]

[security dynamic-vpn]


0x03 ÓйØÐÂÎÅ


https://www.securezoo.com/2020/04/juniper-releases-out-of-band-security-update-to-fix-vulnerability-in-j-web-and-web-based-services/


0x04 ²Î¿¼Á´½Ó


https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11021


0x05 ¹¦·òÏß


2020-04-28 Juniper¹Ù·½°ä²¼·ì϶²¼¸æ

2020-04-29  VSRC°ä²¼·ì϶¹«¸æ


±¦ÔËÀ³¡¤(ÖйúÇø)×îйٷ½ÍøÕ¾