Juniper's Backdoor Password Disclosed, Likely Added In Late 2013 (rapid7.com)
itwbennett writes: In a blog post on Rapid7's community portal Sunday, HD Moore posted some notes on the Juniper ScreenOS incident, notably that his team discovered the backdoor password that enables the Telnet and SSH bypass. Quoting: "Although most folks are more familiar with x86 than ARM, the ARM binaries are significantly easier to compare due to minimal changes in the compiler output. ... Once the binary is loaded, it helps to identify and tag common functions. Searching for the text "strcmp" finds a static string that is referenced in the sub_ED7D94 function. Looking at the strings output, we can see some interesting string references, including auth_admin_ssh_special and auth_admin_internal. ... The argument to the strcmp call is <<< %s(un='%s') = %u, which is the backdoor password, and was presumably chosen so that it would be mistaken for one of the many other debug format strings in the code. This password allows an attacker to bypass authentication through SSH and Telnet, as long as they know a valid username. If you want to test this issue by hand, telnet or ssh to a Netscreen device, specify a valid username, and the backdoor password. If the device is vulnerable, you should receive an interactive shell with the highest privileges."
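A defender-side check that follows from the write-up, as an added example (not Rapid7's tooling and not part of the story): scan a firmware image for the literal strcmp argument quoted above and report where it and the two auth-related strings occur. It assumes the image is an uncompressed binary in which the byte string appears literally; the two sample images at the bottom are constructed, not real ScreenOS firmware. A hit shows the string is present, not by itself that it reaches the authentication comparison, and a miss on a packed or obfuscated image proves nothing, so treat the result as a triage signal rather than a verdict.

```python
"""Check a ScreenOS firmware image for the static backdoor string Rapid7 identified.

Added example, not Rapid7's tooling. Assumes the image is an uncompressed
binary (the byte string must appear literally); the sample images at the
bottom are constructed, not real firmware.
"""
import sys

# The strcmp argument quoted in the Rapid7 write-up, as raw bytes.
BACKDOOR_STRING = b"<<< %s(un='%s') = %u"
# String references named in the write-up; context for an analyst, not evidence by themselves.
AUTH_MARKERS = (b"auth_admin_ssh_special", b"auth_admin_internal")


def find_all(data: bytes, needle: bytes) -> list:
    """Return every offset at which needle occurs in data (overlaps allowed)."""
    offsets = []
    start = 0
    while True:
        idx = data.find(needle, start)
        if idx < 0:
            return offsets
        offsets.append(idx)
        start = idx + 1


def scan_image(data: bytes) -> dict:
    """Report where the backdoor string and the auth marker strings occur."""
    return {
        "backdoor_string_offsets": find_all(data, BACKDOOR_STRING),
        "auth_markers": {m.decode(): find_all(data, m) for m in AUTH_MARKERS},
    }


def is_suspect(data: bytes) -> bool:
    """True when the literal backdoor string is present anywhere in the image."""
    return bool(find_all(data, BACKDOOR_STRING))


# Constructed sample images: the clean one carries a debug-looking format string
# that shares a prefix with the backdoor string, the tainted one carries the
# exact string between the two auth markers.
CLEAN_IMAGE = (
    b"\x00" * 16
    + b"auth_admin_internal\x00"
    + b"<<< %s(un='%s')\x00"
    + b"\x00" * 8
)
TAINTED_IMAGE = (
    b"\x00" * 16
    + b"auth_admin_ssh_special\x00"
    + b"<<< %s(un='%s') = %u\x00"
    + b"auth_admin_internal\x00"
)


def main(argv):
    """CLI entry point: scan one image file, exit 1 if the backdoor string is found."""
    if len(argv) != 2:
        print(f"usage: {argv[0]} <firmware-image>", file=sys.stderr)
        return 2
    with open(argv[1], "rb") as fh:
        report = scan_image(fh.read())
    for offset in report["backdoor_string_offsets"]:
        print(f"backdoor string at offset 0x{offset:x}")
    for name, offsets in report["auth_markers"].items():
        print(f"{name}: {len(offsets)} occurrence(s)")
    return 1 if report["backdoor_string_offsets"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 scan_screenos.py <image>`; the non-zero exit status makes it easy to gate an image repository or a build pipeline on the result.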
https://git-scm.com/book/en/v2...
Sign Git commits with GPG.
It's not enforced, so you'd need a commit hook or whatever to check commits are signed.
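One way to do that enforcement on the server, as an added example (not the commenter's code and not git's own tooling): a `pre-receive` hook in Python that walks every pushed commit, asks git for its signature status with the `%G?` format placeholder, and rejects the push if any commit is unsigned, badly signed, or signed with a key the server cannot check. It assumes git is on the server's PATH and that the signers' public keys are imported into the GPG keyring of the user the hook runs as; accepting `U` (good signature, untrusted key) alongside `G` is a policy choice marked in the code.

```python
#!/usr/bin/env python3
"""Git pre-receive hook: reject pushes that contain commits without a good signature.

Added example, not part of git. Assumes git and gpg on the server and the
signers' public keys in the hook user's keyring. %G? codes: G good, U good but
untrusted key, B bad, N no signature, E cannot be checked, X/Y/R expired or
revoked.
"""
import subprocess
import sys

ZERO_REV = "0" * 40
# Policy choice: G is a good signature with a trusted key; U is a good signature
# whose key has no trust set in the server keyring. Drop U to require trust.
ACCEPTED = {"G", "U"}


def classify(log_output: str) -> list:
    """Parse `git log --format='%H %G?'` output and return (sha, status) for every
    commit whose status is not in ACCEPTED."""
    rejected = []
    for line in log_output.splitlines():
        if not line.strip():
            continue
        sha, _, status = line.partition(" ")
        status = status.strip() or "?"
        if status not in ACCEPTED:
            rejected.append((sha, status))
    return rejected


def commit_range(oldrev: str, newrev: str) -> str:
    """Revision range for the pushed commits; a new branch has no old revision."""
    return newrev if oldrev == ZERO_REV else f"{oldrev}..{newrev}"


def check_push(oldrev: str, newrev: str, run=subprocess.run) -> list:
    """Run git log over the pushed range and return the rejected commits."""
    result = run(
        ["git", "log", "--format=%H %G?", commit_range(oldrev, newrev)],
        capture_output=True, text=True, check=True,
    )
    return classify(result.stdout)


def main() -> int:
    failed = False
    # git feeds one "<oldrev> <newrev> <refname>" line per updated ref on stdin.
    for line in sys.stdin:
        oldrev, newrev, refname = line.split()
        if newrev == ZERO_REV:
            continue  # ref deletion carries no new commits to verify
        for sha, status in check_push(oldrev, newrev):
            print(f"rejected {refname}: commit {sha} has signature status '{status}'",
                  file=sys.stderr)
            failed = True
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(main())
```

Install it as `hooks/pre-receive` in the bare repository and make it executable; a non-zero exit rejects the whole push, so a single unsigned commit in a branch blocks the update until the author amends and re-signs it.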
I am, because Huawei actually stole Cisco code and even hardware designs in a breach in the 90s for the 7200 series. They should not be allowed to sell products in the western world. Chinese will cheat their way to the top.
Whoosh.
He didn't knock on Cisco's stability. Cisco is known to have backdoors and cooperate with NSA.
They probably work great but if you are worried about the government snooping then you should probably pick something else.
There is no actual security gain from stripping symbols. If the logic of the code allows for something to be performed which shouldn't be, then stripping symbols changes nothing at all.
The most stripping symbols would do is slow down a person reverse engineering the code; once done, they still get their access and can reuse their knowledge, and even that assumes they don't have direct access to the source code... clearly a bad assumption here.
It's similar to the old "no compilers in production". It doesn't actually protect you from anything but the most unsophisticated attackers. Which, admittedly, is a form of protection, but only from opportunists who don't care that much.
"I opened my eyes, and everything went dark again"