Security alert: more than 300 Juniper network devices in China affected by the backdoor - vulnerability alert - Black Bar Safety Net (myhack58)

2015-12-27T00:00:00
ID MYHACK58:62201570414
Type myhack58
Reporter Anonymous
Modified 2015-12-27T00:00:00

Description

On 18 December 2015 Juniper published a security bulletin on its official website stating that unauthorized code had been found in the ScreenOS software of its NetScreen firewalls. It concerns two security issues: one is a backdoor placed in the VPN authentication code that allows an attacker to passively decrypt VPN traffic (CVE-2015-7756); the other is a backdoor that lets an attacker remotely bypass SSH and Telnet authentication and take over the device with a backdoor password (CVE-2015-7755). Six hours after the Juniper bulletin, the firm Fox-IT found the backdoor password and published Snort rules. From those rules the SSH/Telnet backdoor password can be read off directly: it is the byte sequence in the content match of the "backdoor password attempt" rule (sid 21001730) below.

alert tcp $HOME_NET 23 -> any any (msg:"FOX-SRT - Flowbit - Juniper ScreenOS telnet (noalert)"; flow:established,to_client; content:"Remote Management Console|0d0a|"; offset:0; depth:27; flowbits:set,fox.juniper.screenos; flowbits:noalert; reference:cve,2015-7755; reference:url,http://kb.juniper.net/JSA10713; classtype:policy-violation; sid:21001729; rev:2;)

alert tcp any any -> $HOME_NET 23 (msg:"FOX-SRT - Backdoor - Juniper ScreenOS telnet backdoor password attempt"; flow:established,to_server; flowbits:isset,fox.juniper.screenos; flowbits:set,fox.juniper.screenos.password; content:"|3c3c3c20257328756e3d2725732729203d202575|"; offset:0; fast_pattern; classtype:attempted-admin; reference:cve,2015-7755; reference:url,http://kb.juniper.net/JSA10713; sid:21001730; rev:2;)

alert tcp $HOME_NET 23 -> any any (msg:"FOX-SRT - Backdoor - Juniper ScreenOS successful logon"; flow:established,to_client; flowbits:isset,fox.juniper.screenos.password; content:"-> "; isdataat:!1,relative; reference:cve,2015-7755; reference:url,http://kb.juniper.net/JSA10713; classtype:successful-admin; sid:21001731; rev:1;)

alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"FOX-SRT - Policy - Juniper ScreenOS SSH world reachable"; flow:to_client,established; content:"SSH-2.0-NetScreen"; offset:0; depth:17; reference:cve,2015-7755; reference:url,http://kb.juniper.net/JSA10713; classtype:policy-violation; priority:1; sid:21001728; rev:1;)

0x01. Juniper device versions affected by the CVE-2015-7755 backdoor

According to the Juniper security bulletin, versions 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 are affected. Juniper provides new 6.2.0 and 6.3.0 builds for download; the rebuilt images with the backdoor removed are marked with a "b", for example ssg500.6.3.0r12b.0.bin and ssg5ssg20.6.3.0r19b.0.bin. Someone abroad made a diagram of the Juniper device versions affected by CVE-2015-7756 and CVE-2015-7755, shown in Figure 1 (although personally I think he has the labels of the two CVEs reversed).

Figure 1: image quoted from http://malwarejake.blogspot.tw/

0x02. Technical analysis

Here I only follow hdm's article to reproduce how the CVE-2015-7755 backdoor was found; the CVE-2015-7756 vulnerability involves a lot of cryptography and I will publish that later. hdm has put the firmware packages at https://github.com/hdm/juniper-cve-2015-7755. The SSG500 firmware is for the x86 architecture, while the SSG5 and SSG20 firmware is for XScale (big-endian ARM, processor type ARMB in IDA). Here ssg5ssg20.6.3.0r19.0.bin is loaded directly into IDA with "Processor Type" set to ARMB, as shown in Figure 2.

Figure 2

Then set the Loading Address to 0x80000 and the File Offset to 0x20, as shown in Figure 3.

Figure 3

A string-reference search for "strcmp" leads to the function sub_ED7D94, but it has far too many cross-references, as shown in Figures 4 and 5. Continuing through the string references turns up more interesting strings, such as "auth_admin_ssh_special" and "auth_admin_internal". Following "auth_admin_internal" leads to the function sub_13DBEC, which contains a BL to sub_ED7D94; decompiling sub_ED7D94 with F5 shows that it behaves like strcmp, as shown in Figure 6.

Figure 4

Figure 5

Figure 6

Finally the backdoor password is confirmed, as shown in Figure 7; it is the same string that the Fox-IT rule's content match encodes.

Figure 7

To use it one also needs an SSH/Telnet login name. From the official documentation the default login name is netscreen, and according to the SANS honeypot results at https://isc.sans.edu/forums/diary/The+other+Juniper+vulnerability+CVE20157756/20529/ attackers commonly try usernames such as root and admin. The scan results are in part 0x03.

0x03. Domestic impact

From my own scan, 21869 devices worldwide expose Juniper SSH (to avoid trouble I skipped some known honeypot networks and sensitive IP ranges, so the real number should be higher), of which 2008 are in China. The Shodan query netscreen country:"CN" returns 2130 IPs in China, as shown in Figure 8, and 317 of the devices were verified to be affected by the backdoor, as shown in Figure 9.
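As an added example (not code from the original article, from Fox-IT or from hdm), the following Python replays the flowbit chain of the three Fox-IT telnet rules quoted above over a constructed telnet session, decodes the backdoor password from the hex content match of sid 21001730, and checks whether a ScreenOS version string or image name falls in the affected ranges listed in part 0x01. The session data is constructed, not a real capture; the rule emulation mirrors the offset/depth, isdataat and flowbits options but is not Snort (no stream reassembly, no flow:established check); and the version check follows the combined ranges as summarized from the bulletin above, not the per-CVE split shown in Figure 1.

```python
import re

# Content match copied from the Fox-IT rule "Juniper ScreenOS telnet backdoor
# password attempt" (sid 21001730) quoted in the description.
BACKDOOR_CONTENT_HEX = "3c3c3c20257328756e3d2725732729203d202575"
BACKDOOR_PASSWORD = bytes.fromhex(BACKDOOR_CONTENT_HEX)

# Byte strings the other two telnet rules key on.
TELNET_BANNER = b"Remote Management Console\r\n"  # sid 21001729: offset 0, depth 27
PROMPT = b"-> "                                   # sid 21001731: "-> " with no data after it

ATTEMPT_MSG = "Juniper ScreenOS telnet backdoor password attempt"
LOGON_MSG = "Juniper ScreenOS successful logon"


def recovered_password():
    """Decode the rule's hex content match back into the backdoor password string."""
    return BACKDOOR_PASSWORD.decode("ascii")


def screenos_telnet_alerts(session):
    """Replay the flowbit chain of the three Fox-IT telnet rules on one session.

    session: list of (direction, payload) tuples, one per TCP segment payload,
    direction "to_client" (firewall -> client) or "to_server" (client -> firewall).
    Returns the alert messages that would fire, in order.
    """
    alerts = []
    fb_screenos = False   # flowbits fox.juniper.screenos
    fb_password = False   # flowbits fox.juniper.screenos.password
    for direction, payload in session:
        if direction == "to_client":
            # sid 21001729 (noalert): banner within the first 27 bytes sets the flowbit
            if payload[:27] == TELNET_BANNER:
                fb_screenos = True
            # sid 21001731: password flowbit set and "-> " is the last thing in the segment
            if fb_password and payload.endswith(PROMPT):
                alerts.append(LOGON_MSG)
        elif direction == "to_server":
            # sid 21001730: password bytes anywhere from offset 0, once the banner was seen
            if fb_screenos and BACKDOOR_PASSWORD in payload:
                fb_password = True
                alerts.append(ATTEMPT_MSG)
    return alerts


# Constructed sample session (not a real capture): banner, a login name, the
# backdoor password in place of a real one, then the ScreenOS prompt "hostname-> ".
SAMPLE_BACKDOOR_SESSION = [
    ("to_client", b"Remote Management Console\r\nlogin: "),
    ("to_server", b"netscreen\r\n"),
    ("to_client", b"password: "),
    ("to_server", BACKDOOR_PASSWORD + b"\r\n"),
    ("to_client", b"\r\nssg5-> "),
]

# The same exchange on a host whose banner never matched: the chain never starts.
SAMPLE_OTHER_SESSION = SAMPLE_BACKDOOR_SESSION[1:]

# Version ranges as given in the bulletin summary in part 0x01; the "b" rebuilds are
# the repackaged images with the backdoor removed.
AFFECTED_RANGES = {"6.2.0": (15, 18), "6.3.0": (12, 20)}
VERSION_RE = re.compile(r"(?P<branch>\d+\.\d+\.\d+)r(?P<release>\d+)(?P<suffix>[a-z]?)")


def is_affected_build(version):
    """True if a version string or image name (e.g. '6.3.0r17',
    'ssg5ssg20.6.3.0r19b.0.bin') lies in the affected ranges and is not a 'b' rebuild."""
    m = VERSION_RE.search(version)
    if m is None:
        raise ValueError("no ScreenOS version found in %r" % version)
    branch = m.group("branch")
    release = int(m.group("release"))
    rebuilt = m.group("suffix") == "b"
    if branch not in AFFECTED_RANGES:
        return False
    low, high = AFFECTED_RANGES[branch]
    return low <= release <= high and not rebuilt


if __name__ == "__main__":
    print("backdoor password:", recovered_password())
    print("alerts:", screenos_telnet_alerts(SAMPLE_BACKDOOR_SESSION))
    for name in ("ssg5ssg20.6.3.0r19.0.bin", "ssg5ssg20.6.3.0r19b.0.bin", "6.3.0r21"):
        print(name, "affected" if is_affected_build(name) else "not affected")
```

The version check only recognises the "b" suffix described above as the fixed marker; a device reporting a branch outside 6.2.0 and 6.3.0 is reported as not affected simply because the page's ranges do not cover it, not because it has been verified clean.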
