How to Overwrite JUNOS Proprietary Code

by Anonymous

Basic Description

Beyond the configuration and monitoring interfaces on Juniper devices that run JUNOS, there is the underlying code that allows the devices to operate.

This code is locked away, using many methods, in an attempt to keep the owner of the device from accessing it.  This tutorial will teach you how to break into that code in order to insert your own algorithms.

Basic Strategy

The basic strategy of this tactic is to copy files from an area of the hard drive which you can't edit into an area that you can edit, edit them, and then null mount them over their original location.

In order to accomplish this, you must have either root access on, or physical access to, the device.

Assuming you have root access, you probably also have a very good understanding of BSD/UNIX file systems and Web UI systems.

Although this strategy applies to more than just the Web UI, we'll be using it as the example here.

Step-by-Step Commands

The first step is to log in to the device as the root user, using Telnet, SSH, or a local console.

The root user logs in to the underlying shell instead of the user interface.

The following commands then illustrate the basic strategy:

% cd ~
% mkdir junosHack
% find / | grep "junosscript.php"

(The next command is dependent on the previous grep output and JUNOS version.)

% cp -r /root/etc/packages/mnt/jweb-9.5R1.8/html/core ~/junosHack/
% vi ~/junosHack/core/junosscript.php

(At the top of junosscript.php, add an echo command to test the strategy.)

% mount_nullfs ~/junosHack/core /root/etc/packages/mnt/jweb-9.5R1.8/html/core

Your echo command should now appear at the top of every page using the main junosscript.php file.

Note that you have to match the path names to your specific version and device and that you have to choose your echo command and insertion accordingly.

Also note that your changes will not be persistent through reboots unless you add the mount_nullfs command to the device's rc.local file, which is run at the end of every boot sequence.
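
For anyone auditing a device for this kind of change, the following is an added example (not part of the original article) that reads FreeBSD-style mount output and a startup script and reports nullfs mounts layered over the package directories. The function names, the sample mount lines, and the directory prefixes are assumptions made for illustration; pass the prefixes and the rc.local path that match your device.

```shell
#!/bin/sh
# Added example (not from the original article): audit for nullfs overlays.

# Constructed sample of FreeBSD-style `mount` output; not captured from a device.
sample_mount_output() {
cat <<'EOF'
/dev/ad0s1a on / (ufs, local, noatime)
/dev/md0 on /packages/mnt/jbase (cd9660, local, read-only)
/root/junosHack/core on /packages/mnt/jweb-9.5R1.8/html/core (nullfs, local)
/var/tmp/work on /mnt/scratch (nullfs, local)
EOF
}

# Read `mount` output on stdin; print "mountpoint <- source" for each nullfs
# mount whose mount point sits under one of the prefixes given as arguments.
find_nullfs_overlays() {
    awk -v prefixes="$*" '
        BEGIN { n = split(prefixes, p, " ") }
        {
            i = index($0, " on "); j = index($0, " (nullfs")
            if (i == 0 || j <= i) next          # not a nullfs mount line
            src = substr($0, 1, i - 1)
            dst = substr($0, i + 4, j - i - 4)
            for (k = 1; k <= n; k++)
                if (index(dst "/", p[k] "/") == 1) { print dst " <- " src; break }
        }'
}

# Print numbered, non-comment lines of a startup script (path passed by the
# caller) that invoke mount_nullfs, i.e. overlays re-applied at every boot.
find_boot_remounts() {
    grep -n 'mount_nullfs' "$1" | grep -v '^[0-9]*:[[:space:]]*#' || true
}

# Demo on the constructed sample; on a live system pipe in `mount` instead.
sample_mount_output | find_nullfs_overlays /packages/mnt /root/etc/packages/mnt
```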

More Advanced - Changing Web UI Configurations

The actual php.ini file exists in a jail that has files which you will not be able to copy, even with the root account (mostly password and authorization files).

Don't worry: you can use a few commands to recreate these files from the ones that you can copy, and still edit the configuration files.

The reason you need to recreate them is that if you null mount over these sections without the password and authorization information files, then no one will be able to log in to the device anymore. It will still function, but anyone managing the device (such as yourself) will be locked out until you fix it from the console or reboot (if you have not made the changes persistent).

% cd ~
% mkdir recreatePasswordFiles
% find / | grep "php.ini"
% cp -r /packages/mnt/jweb-9.5R1.8/jail/etc/ ~/recreatePasswordFiles/
% vi ~/recreatePasswordFiles/etc/php.ini

Edit memory limits, session limits, or whatever you want in the php.ini file.

% cd ~/recreatePasswordFiles/etc
% pwd_mkdb -p -d /packages/mnt/jweb-9.5R1.8/jail/etc /packages/mnt/jweb-9.5R1.8/jail/etc/master.passwd

(Null mount as explained in previous section.)

The examples above were performed on a Juniper M120 device for educational and bug-fixing purposes only.
