Networking

More Information on the Juniper ScreenOS Authentication Backdoor…

Tagged: 

This topic contains 1 reply, has 2 voices, and was last updated by  jafomofomo 5 years ago.

  • Author
    Posts
  • December 21, 2015 at 6:04 am #10574

    gothe2go
    Participant

    The argument to the strcmp call is <<< %s(un=’%s’) = %u, which is the backdoor password, and was presumably chosen so that it would be mistaken for one of the many other debug format strings in the code. This password allows an attacker to bypass authentication through SSH and Telnet, as long as they know a valid username. If you want to test this issue by hand, telnet or ssh to a Netscreen device, specify a valid username, and the backdoor password. If the device is vulnerable, you should receive an interactive shell with the highest privileges.

  • December 21, 2015 at 6:06 am #10575

    jafomofomo
    Participant

    does this still only affect the version indicated by their advisory or has that changed also?

  • Author
    Posts

You must be logged in to reply to this topic.






© DigitalMunition  Privacy Policy Disclaimer  T&C



Back to Top ↑