Security Warning: more than 300 juniper network devices in China are affected by Backdoors

Security Warning: more than 300 juniper network devices in China are affected by Backdoors

On July 15, the Juniper official website published a Security Bulletin stating that unauthorized code was found in their Netscrren firewall's screnos software, which involved two security issues, one is in the VPN authentication code implementation is placed in the backdoor, allow attackers to passively decrypt the VPN traffic (CVE-2015-7756), the other backdoor is to allow attackers to remotely bypass SSH and Telnet AUTHENTICATION, use a backdoor password to remotely take over the device (CVE-2015-7755 ). six hours after Juniper's Security Bulletin, Fox-IT found the backdoor password and released the Sort rule.
According to the Sort rule, we can see that the SSH/Telnet backdoor password is"
Sort rules:
Alert tcp $ HOME_NET 23-> any (msg: "FOX-SRT-Flowbit-Juniper screnos telnet (noalert)"; flow: established, to_client; content: "Remote Management Console | 0d0a |"; offset: 0; depth: 27; flowbits: set, fox. juniper. screnos; flowbits: noalert; reference: cve, 2015-7755; reference: url, http://kb.juniper.net/jsa%13; classtype: policy-violation; sid: 21001729; rev: 2 ;)
Alert tcp any-> $ HOME_NET 23 (msg: "FOX-SRT-Backdoor-Juniper screenoch telnet backdoor password attempt"; flow: established, to_server; flowbits: isset, fox. juniper. screnos; flowbits: set, fox. juniper. screnos. password; content: "| expiration |"; offset: 0; fast_pattern; classtype: attempted-admin; reference: cve, 2015-7755; reference: url, http://kb.juniper.net/jsa%13; sid: 21001730; rev: 2 ;)
Alert tcp $ HOME_NET 23-> any (msg: "FOX-SRT-Backdoor-Juniper screnos successful logon"; flow: established, to_client; flowbits: isset, fox. juniper. screnos. password; content: "->"; isdataat :! 1, relative; reference: cve, 2015-7755; reference: url, http://kb.juniper.net/jsa%13; classtype: successful-admin; sid: 21001731; rev: 1 ;)
Alert tcp $ HOME_NET 22-> $ EXTERNAL_NET any (msg: "FOX-SRT-Policy-Juniper screanossh world reachable"; flow: to_client, established; content: "SSH-2.0-NetScreen"; offset: 0; depth: 17; reference: cve, 2015-7755; reference: url, http://kb.juniper.net/jsa%13; classtype: policy-violation; priority: 1; sid: 21001728; rev: 1 ;)
0x01. Juniper device model affected by CVE-2015-7755 Backdoor
According to Juniper's Security Bulletin, versions 6.2.0r15 to 6.2.0r18 and 6.3.0r12 to 6.3.0r20 are affected. Juniper provides new versions 6.2.0 and 6.3.0build for downloading and repackaging versions for backdoor removal, marked as 'B', for example, ssg500.6.3.0r12b. 0. bin and ssg5ssg00006.3.0r19b. 0. bin. foreigners made an illustration of the Juniper device versions affected by CVE-2015-7756 and CVE-2015-7755, 1 (although I personally think he marked 2 CVE tags reversed)

0x02. Technical Analysis:
Here only refer to the analysis of hdm found that CVE-2015-7755 backdoor vulnerability process, CVE-2015-7756 vulnerability involves a lot of cryptography knowledge, I subsequently released.
Hdm has packaged firmware in the firmware SSG500 using the x86 architecture, and SSG5 and SSG20 firmware using the XScale (ARMB) architecture. Here ssg5ssg20.6.3.0r19.0 is directly used. binload IDA, select ARMB, 2 in "Processor Type"

Figure 2
Modify the Loading Address to 0x80000, and the File Offset to 0x20, 3.

Figure 3
Find the sub_ED7D94 function through the string reference search "strcmp", but there are too many references. 4, figure 5. continue to view the string reference and find more interesting characters such as "handler" and "auth_admin_internal". Use "auth_admin_internal" to find the sub_13DBEC function. This function has a BL sub_ED7D94. F5 can see sub_ED7D94, similar to "strcmp", 6

Figure 4

Figure 5

Figure 6
Finally, confirm that the backdoor password is ", 7

Figure 7
You need to know the SSH/TELNET login name. Through the official documentation, we know that the default login name is netscreen, and refer to the sans honeypot results.
0x03. Domestic impact:
After my personal scan, there are 21869 ssh devices open to juniper around the world (to avoid the trouble, ignore some known honeypot networks and IP segments of sensitive networks, actually more ), china accounts for 2008. according to shodan's hot term "netscreen counter:" CN "", the affected IP addresses in China he obtained were 2130. 8. Among them, 317 devices affected by backdoors have been verified. 9

Figure 8

Figure 9
Another sensitive issue is that, apart from the 317 juniper devices affected by backdoors, more than 20 devices can be logged on due to weak passwords, most of which are netscreen/netscreen, network administrators must pay attention to this security awareness problem.
The administrator can view the login log through get event. Check whether the log can be scanned or logged on.
Ssg5-serial-> get event
Total event entries = 3072
Date Time Module Level Type Description
17:25:27 system warn 00515 Admin user system has logged on
SSH from 1.1.1.1: 32366
17:17:26 system warn 00528 SSH: Password authentication failed
Although this log can be deleted via ssg5-serial-> get event .:)