Slashdot Mirror
Juniper's Backdoor Password Disclosed, Likely Added In Late 2013 (rapid7.com)
itwbennett writes: In a blog post on Rapid7's community portal Sunday, HD Moore posted some notes on the Juniper ScreenOS incident, notably that his team discovered the backdoor password that enables the Telnet and SSH bypass. Quoting: "Although most folks are more familiar with x86 than ARM, the ARM binaries are significantly easier to compare due to minimal changes in the compiler output. ... Once the binary is loaded, it helps to identify and tag common functions. Searching for the text "strcmp" finds a static string that is referenced in the sub_ED7D94 function. Looking at the strings output, we can see some interesting string references, including auth_admin_ssh_special and auth_admin_internal. ... The argument to the strcmp call is <<< %s(un='%s') = %u, which is the backdoor password, and was presumably chosen so that it would be mistaken for one of the many other debug format strings in the code. This password allows an attacker to bypass authentication through SSH and Telnet, as long as they know a valid username. If you want to test this issue by hand, telnet or ssh to a Netscreen device, specify a valid username, and the backdoor password. If the device is vulnerable, you should receive an interactive shell with the highest privileges."
Really should be using Cisco gear anyway.
I expect similar things are present in a lot of other security products, just that there they are still undiscovered. Criticizing Juniper for this is entirely the wrong reaction.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
They must be using some sort of version control, right? So it should be trivial to find out who inserted the code and find out what exactly is going on (and prosecute those responsible). I mean, they'd like to "clear their name", wouldn't they?
Violence is the last refuge of the incompetent. Polar Scope Align for iOS
. . . because there are enough people out there who consider disassembly "easy enough to do for fun (or profit)".
This interesting part will be the detective story for how it got into the code base.
That story may have similar versions for other equipment.
Maybe there are reasons to still have concerns about them but this goes beyond just concerns. How did this get into Juniper's code baseline? Is there a mole, working inside the company or did their servers get hacked. Why would their code servers be accessible from outside the company in any case? More importantly, how does this get fixed? Has Jupiter sent out patches yet or done a complete review of their code to verify that there aren't other security holes? Can this backdoor be disabled without patching? IT groups in a lot of companies must be having the cold sweats about now.
Whoever put it in was an Art of War fan....
Assuming Juniper has secure code audit logs and can personally identify the person who checked this in ("find the spook" if you will), will his identity be swept under the rug for some BS "privacy concerns" or will the Internet security community learn his identity so that he may be properly ostracized and precluded from any such future work?
Juniper has the money to settle any threats of lawsuits arising from such disclosure - doing the right thing here is probably the only way people will ever trust Juniper again - it may even be a 'cost of sales'.
If Juniper can't positively ID the perp then nobody can trust them going forward, so let's hope they can and do.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
So, anyone else besides me verify it? I did on two firewalls. I cry bullshit !!! Does not work.
Good thing people stopped using ScreenOS before 2013. Seriously they've been migrating people onto the vastly superior SRX/JunOS platform for over a decade. ScreenOS is purely legacy garbage at this point. Only resistance I've seen to people leaving ScreenOS is having to learn a new CLI, aka IT lifers who hate learning.
Bullshit, Juniper were notified by Snowden leaks their firewalls were under NSA attack:
http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html
So I expect them to watch their backs, and keep tight control of their software. 2 years to spot a backdoor? Even when you know you're under attack from a group that previously back-doored your products?
> "In the case of Juniper, the name of this particular digital lock pick is "FEEDTROUGH." This malware burrows into Juniper firewalls and makes it possible to smuggle other NSA programs into mainframe computers. Thanks to FEEDTROUGH, these implants can, by design, even survive "across reboots and software upgrades." In this way, US government spies can secure themselves a permanent presence in computer networks. The catalog states that FEEDTROUGH "has been deployed on many target platforms."
The suspicion is that they get paid. UK has just revealed its been spying on everyone for 15+ years using Telecoms act section 94, against non Telecoms companies, like hardware suppliers, database owners etc. Juniper could have been told to backdoor their hardware under Article 94.
Companies don't challenge it, because Article 7:
> "(7)There shall be paid out of money provided by Parliament any sums required by the Secretary of State for making grants under this section."
So the suspicion is that Juniper got paid to backdoor their kit, and now that all these revelations are coming out, (about how Parliaments have been deceived, how Ministers lied, Parallel Construction lies to Judiciary etc.) That Juniper is suddenly finding the backdoor and fixing it as if it just appeared.
Either they're incompetent, or they're complicity, but either way, other companies involvement in this scandal does not mitigate Junipers.
So where do we go? Russian hardware? Chinese hardware? If you think those countries are any safer, I have a bridge in a borough of New York city that's looking for a new owner...
I blame windows for this, but mostly because im a neckbeard. This is every bit as much the IT Managers fault for investing in technology and not people. What we have in this foul year of our lord 2015 is infrastructure managed by support ticket and not seasoned admin and as an old unix hand Im frankly chuckling whenever I see revelations of backdoors. These vendors include this garbage because they understand the race to the bottom includes hiring a junior admin to handle the stack for half the cost of a greybeard. The consequence of this is paying the rest of that greybeard salary times three to Juniper, who in turn need a way to un-fsck the device once junior leaves, or completely cocks up the device.
dont think of it as a backdoor. think of it as the technological equivalent of child safety locks or those little plastic outlet covers. The vendor doesnt trust you to handle the device on your own terms, because the majority of the vendors customers cant seem to make it much beyond the boot prompt before bricking the device. an argument could also be made that its not the fault of the admin here. Juniper took the logical, moneytrain route of locking away all their documentation to the licensed cloistered elite, so if youre out 3 admins of turnover and the support contract has been ignored for a month, that backdoor is likely getting used to bring you back into the loving embrace of the vendor.
now for the soap box. Back in my day there were real repercussions for not knowing your kit. You couldnt just open a support ticket and wait for a fix on an HPUX handling thirty million transactions per second. You needed to have a good escalation path in your organization to make sure problems got solved quickly, and management has forgotten the value of the most expensive part of this equation, the greybeard. Maybe we never had good visibility, or our people skills were just mediocre, but i for one am ambivalent about this kind of dictatorial lording over appliance, SaS, and anything "cloud."
Good people go to bed earlier.
Backdoors are not secrets! https://www.youtube.com/watch?...
Juniper is saying they were hacked and that the code was likely produced by a state-sponsored entity, but has that been confirmed? It seems to me that given the FBI's recent statements about requiring encryption backdoors in various applications and network products is perhaps a cover for those manufacturers that have already started to comply with a secret policy put forth by the FBI/NSA. This situations kinda reminds me of what happened when it was found out that telecoms were giving access to the NSA for mass communications surveillance. It that case, Congress had to pass a law giving the telecoms and the NSA backwards immunity from prosecution and civil lawsuits.
Given reduced manpower and increased difficulty in obtaining change approvals at this time of the year, doesn't it strike anyone else a bit soon to be publicly listing the exact password to use? Also they're publishing unpacked Juniper software, which may ellicit a Cease and Desist.
Yes I get that the bad guys could do this reverse engineering as well, but the reality is that there's a limited number of attackers with the engineering knowledge to proceed, compared to the much larger number of scipt kiddies that were just spoon fed another attack to run over the Christmas period.
I work in the industry, and while there's not one major issue I can fault them on, it just feels wrong. Perhaps they need to consider that responsible disclosure doesn't just mean waiting until the vendor has released a fix, but to allow a reasonable time for users to be notified and organise installation of the patch. Perhaps they've lost touch with would a reasonable period of time to patch is. A security researcher may think, patch immediately, but in an organisation with a large deployment it's not as simple as this. I'd love to patch our devices as soon as the vendor patch is available, but with inperfect vendor updates, particularly with this vendor, an update is just as likely to break things as fix them, so testing has to be carried out first.
https://wrgms.com/synologys-secret-telnet-password/
Remember the time they had bitcoin miners running on them :) lol
No thanks, that bridge is American hardware.
One thing that surprised me is that symbols were still in the executable. I'll admit that I'm kind of long in the tooth and have been out of the industry for 15 years now. It used to be that a standard practice was that the final compile had the symbols stripped out. It was done for space consideration mostly, which probably isn't a concern anymore, but also for security. Is it now standard practice to leave symbols in shipped code? If so, why? Yes it is somewhat of a security by obscurity, but leaving symbols in is like leaving the combination to your lock taped to the back of it, or at least a note as to where you've hidden the combination.
Chain the routers from multiple untrusted nations, their unlikely to share their back doors so getting through all the devices would be considerably harder.
So where do we go? Russian hardware? Chinese hardware? If you think those countries are any safer, I have a bridge in a borough of New York city that's looking for a new owner...
Assuming all of them being compromised I would go with Russian or Chinese yes. Neither of them trade information with my government so my personal data won't be used against me when it's with them.
For business hardware I would go with locally developed any time of the day. Your own government typically won't sell out its own companies.
Just like the Clipper chip, this is why backdoors are a bad idea. Yet the government wants such backdoors to otherwise secure systems. This will allow snooping by any malicious technically minded party.
It should be trivial for the FBI to discover who did this and why. Unless, of course, the NSA doesn't want them to...
Well, if I buy hardware from China, it maybe has a Chinese backdoor.
If I buy hardware from the USA, it maybe has an USA backdoor and a Chinese backdoor.
So I buy hardware from China, thank you very much.
Sealand has no documented history of doing any such thing.
People including NSA with a reason to find something and an axe to grind will have a look at chinese hardware for backdoor. The contrary is true too, for US hardware, but you will hardly hear any reporting from chinese news media about it.
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
Trade deals. The US sets up free trade deals or bilateral treaty that open entire nations to US goods and services. Very few nations can then say no due to their own security needs or national interest.
The other method is huge amounts of contacts between US gov/mil staff and then the US corporations follow in with US products and services.
Like buys like when a nations top political leaders mil and generals want what they saw in the USA. Standardization, friendships, generations of shared bases.
The products then ship with trap doors, backdoors so the US gov always has access to its 'friends' globally.
The only option is to fab as a nation and then deal with the power costs, heat, cooling, design and software to escape trap doors, backdoors as imported every generation.
Domestic spying is now "Benign Information Gathering"
I'm sure that JunOS being an unstable mess, that until very recently, was missing basic firewall functionality like logging the direction of a TCP RST, had nothing to do with the resistance.
Sealand also has no documented history of actually existing as a internationally recognized nation-state.