Multiple Security Misconfiguration in Juniper Online Service’s Lead to Expose Sensitive data

Pierluigi Paganini May 12, 2014

Security researcher Mohammed Saeed has Identified Multiple Security Misconfiguration in Juniper Online Service’s Lead to Expose Sensitive data and much more.

Security researcher Mohammed Osman Saeed has Identified Multiple Security Misconfiguration in Juniper Online Service’s Lead to Expose Sensitive data & Lead to Control four Juniper Load-Balancer been accessed From Remote. He also disclosed Multiple XSS in two Juniper Sub-Domain.

Security Misconfiguration
Security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, framework, and custom code. Such flaws frequently give attackers unauthorized access to some system data or functionality. Occasionally, such flaws result in a complete system compromise.
In this case the researcher has identified Server-status & Server-info, in server-info includes all Apache configurations have been exposed & lead to identify Load-Balancer Manager path with no restriction or authentication for all 4 one’s .
The Misconfiguration been identified in more than one sub-domain. The vulnerabilities identified by manual penetration combined with burp suite for awesome POC’s.

Juniper 1

Juniper 2

Juniper 3

Juniper 4

Cross Site Scripting (XSS) 
XSS exploits have become one of the most common web application vulnerabilities and are achieved through three standard attack vectors: reflected, stored, and advanced.
The results of XSS attacks are the same regardless of the vector; these results can consist of the installation or execution of malicious code, account compromise, the session cookie hijacking, revelation or modification of local files, and site redirection (which could be a vulnerable server or malicious website).
Juniper 5
XSS attacks use obfuscation by encoding tags or malicious portions of the script using the Unicode method so that the link or HTML content is disguised to the end user browsing in the site. The origins of XSS attacks are difficult to identify using traceback methods because the vulnerable server is used to inject the malicious code to the users’ browsers, thus concealing the identity of the malicious user.
In this case I identified the XSS in two Juniper sub-domain, one of them handle the registration & password reset for all user’s.
Juniper 6
Countermeasurement’s
For Security Misconfiguration:
The primary recommendations are to establish all of the following:
  1. A repeatable hardening process that makes it fast and easy to deploy another environment that is properly locked down. Development, QA, and production environments should all be configured identically. This process should be automated to minimize the effort required to setup a new secure environment.
  2. A process for keeping abreast of and deploying all new software updates and patches in a timely manner to each deployed environment. This needs to include all code libraries as well, which are frequently overlooked.
  3. A strong application architecture that provides good separation and security between components. Consider running scans and doing audits periodically to help detect future misconfigurations or missing patches.
For XSS Mitigation:
To reduce the risk that users will be victims of XSS attacks, it is advisable to educate them about safe browsing. Countermeasures should also be implemented at the application level (browser) through scripting controls made available in the browser. Scripting controls would allow the ability to define policies to restrict code execution. Attackers also use web-based e-mail as an XSS vector, either through embedded scripting or links that can result in the execution of malicious code in the browser.
All vulnerabilities have been reported to Juniper SIRT & all vans been patched, they opened a case to mitigate threats, then they appreciated for been reported.
Juniper 7
Juniper 8
At end No one is totally Secure!
Mohammed Osman Saeed
I am Mohammed Osman Saeed , Independent Security Researcher – Full time Web Application Security Engineer with more than 10 times mentioned in Hall of Fame’s & InfoSec Mags.
Twitter : @krmalab


you might also like

leave a comment