More Information on the Juniper ScreenOS Authentication Backdoor…

This topic contains 1 reply, has 2 voices, and was last updated by jafomofomo 5 years ago.

  • #10574


    The argument to the strcmp call is <<< %s(un='%s') = %u, which is the backdoor password, and was presumably chosen so that it would be mistaken for one of the many other debug format strings in the code. This password allows an attacker to bypass authentication through SSH and Telnet, as long as they know a valid username. If you want to test this issue by hand, telnet or ssh to a Netscreen device, specify a valid username, and the backdoor password. If the device is vulnerable, you should receive an interactive shell with the highest privileges.
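
A defender-side check for the Telnet case described in the post above, as an added example that is not part of the original post or any vendor tooling: it reassembles client-to-server Telnet bytes per flow, strips IAC option negotiation, and flags flows in which the quoted string was sent. The flow ids, addresses, usernames and packet list are constructed sample data; SSH sessions are encrypted on the wire, so this applies to Telnet captures only.

```python
IAC, SB, SE = 0xFF, 0xFA, 0xF0
NEGOTIATE = range(0xFB, 0xFF)          # WILL, WONT, DO, DONT (3-byte commands)
BACKDOOR = b"<<< %s(un='%s') = %u"     # string quoted in the post above

def strip_telnet(data: bytes) -> bytes:
    """Drop Telnet IAC commands so only the bytes the client typed remain."""
    out, i, n = bytearray(), 0, len(data)
    while i < n:
        if data[i] != IAC:
            out.append(data[i])
            i += 1
            continue
        if i + 1 >= n:
            break                       # truncated command at end of capture
        cmd = data[i + 1]
        if cmd == IAC:                  # IAC IAC is an escaped literal 0xFF
            out.append(IAC)
            i += 2
        elif cmd in NEGOTIATE:
            i += 3
        elif cmd == SB:                 # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        else:
            i += 2                      # other two-byte commands (NOP, GA, ...)
    return bytes(out)

def find_backdoor_logins(packets):
    """packets: (flow_id, client_to_server_payload) tuples in capture order.
    Returns flow ids whose reassembled client input contains BACKDOOR."""
    streams = {}
    for flow, payload in packets:
        streams.setdefault(flow, bytearray()).extend(payload)
    return [flow for flow, raw in streams.items()
            if BACKDOOR in strip_telnet(bytes(raw)).replace(b"\x00", b"")]

def constructed_sample():
    """Constructed capture: flow_a sends the string one byte per packet."""
    flow_a, flow_b = "192.0.2.10:40222", "192.0.2.11:51514"
    naws = bytes([IAC, SB, 0x1F, 0, 80, 0, 24, IAC, SE])   # window-size update
    pkts = [(flow_a, bytes([IAC, 0xFB, 0x18, IAC, 0xFB, 0x1F])),
            (flow_a, b"admin\r\x00"),
            (flow_b, b"netops\r\x00hunter2\r\x00")]
    pkts += [(flow_a, bytes([c])) for c in BACKDOOR[:5]]
    pkts.append((flow_a, naws))          # negotiation lands mid-password
    pkts += [(flow_a, bytes([c])) for c in BACKDOOR[5:]]
    return pkts

if __name__ == "__main__":
    print(find_backdoor_logins(constructed_sample()))
```

A plain substring match on individual packets would miss flow_a here, because the client sends one byte per packet and a window-size subnegotiation arrives in the middle of the password.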

  • #10575


    does this still only affect the version indicated by their advisory or has that changed also?
