automatic module_metadata_base.json update

db/modules_metadata_base.json

@@ -59365,6 +59365,70 @@
     "session_types": false,
     "needs_cleanup": null
   },
+  "exploit_freebsd/http/junos_phprc_auto_prepend_file": {
+    "name": "Junos OS PHPRC Environment Variable Manipulation RCE",
+    "fullname": "exploit/freebsd/http/junos_phprc_auto_prepend_file",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-08-17",
+    "type": "exploit",
+    "author": [
+      "Jacob Baines",
+      "Ron Bowes",
+      "jheysel-r7"
+    ],
+    "description": "This module exploits a PHP environment variable manipulation vulnerability affecting Juniper SRX firewalls\n          and EX switches. The affected Juniper devices run FreeBSD and every FreeBSD process can access their stdin\n          by opening /dev/fd/0. The exploit also makes use of two useful PHP features. The first being\n          'auto_prepend_file' which causes the provided file to be added using the 'require' function. The second PHP\n          function is 'allow_url_include' which allows the use of URL-aware fopen wrappers. By enabling\n          allow_url_include, the exploit can use any protocol wrapper with auto_prepend_file. The module then uses\n          data:// to provide a file inline which includes the base64 encoded PHP payload.\n\n          By default this exploit returns a session confined to a FreeBSD jail with limited functionality. There is a\n          datastore option 'JAIL_BREAK', that when set to true, will steal the necessary tokens from a user authenticated\n          to the J-Web application, in order to overwrite the the root password hash. If there is no user\n          authenticated to the J-Web application this method will not work. The module then authenticates\n          with the new root password over SSH and then rewrites the original root password hash to /etc/master.passwd.",
+    "references": [
+      "URL-https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/",
+      "URL-https://vulncheck.com/blog/juniper-cve-2023-36845",
+      "URL-https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US",
+      "CVE-2023-36845"
+    ],
+    "platform": "PHP,Unix",
+    "arch": "php, cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "PHP In-Memory",
+      "Interactive SSH with jail break"
+    ],
+    "mod_time": "2023-09-29 11:40:03 +0000",
+    "path": "/modules/exploits/freebsd/http/junos_phprc_auto_prepend_file.rb",
+    "is_install_path": true,
+    "ref_name": "freebsd/http/junos_phprc_auto_prepend_file",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "config-changes"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
   "exploit_freebsd/http/watchguard_cmd_exec": {
     "name": "Watchguard XCS Remote Command Execution",
     "fullname": "exploit/freebsd/http/watchguard_cmd_exec",