Juniper's Backdoor Password Disclosed, Likely Added In Late 2013 (rapid7.com) 107
itwbennett writes: In a blog post on Rapid7's community portal Sunday, HD Moore posted some notes on the Juniper ScreenOS incident, notably that his team discovered the backdoor password that enables the Telnet and SSH bypass. Quoting: "Although most folks are more familiar with x86 than ARM, the ARM binaries are significantly easier to compare due to minimal changes in the compiler output. ... Once the binary is loaded, it helps to identify and tag common functions. Searching for the text "strcmp" finds a static string that is referenced in the sub_ED7D94 function. Looking at the strings output, we can see some interesting string references, including auth_admin_ssh_special and auth_admin_internal. ... The argument to the strcmp call is <<< %s(un='%s') = %u, which is the backdoor password, and was presumably chosen so that it would be mistaken for one of the many other debug format strings in the code. This password allows an attacker to bypass authentication through SSH and Telnet, as long as they know a valid username. If you want to test this issue by hand, telnet or ssh to a Netscreen device, specify a valid username, and the backdoor password. If the device is vulnerable, you should receive an interactive shell with the highest privileges."
Serves anyone right that uses Juniper (Score:5, Funny)
Re: (Score:1)
Shouldn't that be modded "Funny" or at least "Redundant"?
Re: (Score:1)
Fundundant
Re: (Score:3, Informative)
Whoosh.
He didn't knock on Cisco's stability. Cisco is known to have backdoors and cooperate with NSA.
They probably work great but if you are worried about the government snooping then you should probably pick something else.
Re: (Score:3)
I don't see many people criticizing Juniper. Most seem to make fun of the US government and its three-letter agencies working against each other.
Juniper were listed in Snowden docs (Score:5, Interesting)
Bullshit, Juniper were notified by Snowden leaks their firewalls were under NSA attack:
http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html
So I expect them to watch their backs, and keep tight control of their software. 2 years to spot a backdoor? Even when you know you're under attack from a group that previously back-doored your products?
> "In the case of Juniper, the name of this particular digital lock pick is "FEEDTROUGH." This malware burrows into Juniper firewalls and makes it possible to smuggle other NSA programs into mainframe computers. Thanks to FEEDTROUGH, these implants can, by design, even survive "across reboots and software upgrades." In this way, US government spies can secure themselves a permanent presence in computer networks. The catalog states that FEEDTROUGH "has been deployed on many target platforms."
The suspicion is that they get paid. UK has just revealed it's been spying on everyone for 15+ years using Telecoms act section 94, against non Telecoms companies, like hardware suppliers, database owners etc. Juniper could have been told to backdoor their hardware under Article 94.
Companies don't challenge it, because Article 7:
> "(7)There shall be paid out of money provided by Parliament any sums required by the Secretary of State for making grants under this section."
So the suspicion is that Juniper got paid to backdoor their kit, and now that all these revelations are coming out, (about how Parliaments have been deceived, how Ministers lied, Parallel Construction lies to Judiciary etc.) That Juniper is suddenly finding the backdoor and fixing it as if it just appeared.
Either they're incompetent, or they're complicit, but either way, other companies' involvement in this scandal does not mitigate Juniper's.
Re: (Score:3)
> 2 years to spot a backdoor?
I assume they have a fairly large codebase. Without the tip from Snowden, maybe they would never have discovered it at all?
It sounds pretty weird that they've discovered two completely separate and unrelated backdoors at the same time.
Re:Juniper were listed in Snowden docs (Score:4, Insightful)
Um, given TFS, I'd say they put it in so they probably knew about it from day 1.
Re: (Score:1)
That'll take longer than 2 years to uncover, if ever.
Re: (Score:1)
I expect similar things are present in a lot of other security products, just that there they are still undiscovered. Criticizing Juniper for this is entirely the wrong reaction.
Hell yeah! Poor Juniper now has to enable another backdoor.
Re:At least they noticed something (Score:5, Insightful)
> I expect similar things are present in a lot of other security products, just that there they are still undiscovered. Criticizing Juniper for this is entirely the wrong reaction.
I don't understand your logic at all here. It's like saying, "Lots of people murder other people. Criticizing one murderer is entirely the wrong reaction."
You can -- and should -- criticize the murderer and look to solve the greater problem at the same time.
Re: (Score:2)
What you are doing is criticizing the action of the murderer to turn himself in, not the murder. Looks kind of different, doesn't it?
Re: (Score:2)
And to all the nay-sayers: Cisco has just decided that now they need to audit their code after all as well. So tell me again how Juniper did badly here after they had a suspicion?
Version control? (Score:5, Insightful)
They must be using some sort of version control, right? So it should be trivial to find out who inserted the code and find out what exactly is going on (and prosecute those responsible). I mean, they'd like to "clear their name", wouldn't they?
Re: (Score:3)
I expect the answer will be something like 'David' where David will have no recollection of inserting anything like that.
On a related note, is there a version control system that requires/allows users to cryptographically sign their commits? (I've only ever used svn and git)
Re:Version control? (Score:5, Informative)
https://git-scm.com/book/en/v2... [git-scm.com]
Sign Git commits with GPG.
It's not enforced, so you'd need a commit hook or whatever to check commits are signed.
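The enforcement this comment says Git lacks by default, sketched as a server-side `pre-receive` hook. This is an added example, not code from the thread or from any vendor; it assumes the bare repository's service account has the developers' public keys in its GnuPG keyring and marked trusted, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: server-side pre-receive hook that refuses any push
# containing a commit without a good, trusted signature.
# Install as hooks/pre-receive in the bare repository.

# True when the object id is all zeros (ref creation/deletion marker).
is_zero() { case $1 in *[!0]*) return 1 ;; *) return 0 ;; esac; }

# Commits a ref update would introduce. For a new branch, take everything
# reachable from the new tip that no existing ref already contains.
list_commits() {
    if is_zero "$1"; then
        git rev-list "$2" --not --all
    else
        git rev-list "$1..$2"
    fi
}

# One-letter status from git's %G? placeholder: G good, B bad,
# U good but untrusted key, N no signature, E cannot check,
# X/Y expired signature or key, R revoked key.
sig_status() { git log -1 --format='%G?' "$1"; }

# Returns 0 only if every new commit has status G; reports offenders.
check_update() {
    old=$1 new=$2 ref=$3 rc=0
    is_zero "$new" && return 0          # ref deletion: nothing to verify
    for c in $(list_commits "$old" "$new"); do
        s=$(sig_status "$c")
        if [ "$s" != "G" ]; then
            echo "rejected $ref: commit $c has signature status '$s'" >&2
            rc=1
        fi
    done
    return $rc
}

# Act as a hook only when installed under the name pre-receive;
# git feeds "<old> <new> <ref>" lines on stdin, one per updated ref.
if [ "${0##*/}" = "pre-receive" ]; then
    result=0
    while read -r old new ref; do
        check_update "$old" "$new" "$ref" || result=1
    done
    exit $result
fi
```

A status of `G` shows that a trusted key produced the signature; it does not show who controlled that key at the time.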
Re: (Score:1)
> Sign Git commits with GPG.
Fine. So rather than having no recollection of his unsigned commit, David will have no recollection of his signed commit.
What has this accomplished?
Re:Version control? (Score:4, Interesting)
How did it get signed with his key if he didn't do it?
His system is compromised with a dozen backdoors, and CIA / Shin Bet signed it with his key?
Re:Version control? (Score:4, Insightful)
> What has this accomplished?
It will make it easier for us to fire David, have him arrested, and call the problem fixed? ;)
Re: (Score:2)
lol
Re: (Score:3)
Not necessarily anything conclusive. Commercial software providers can be somewhat hidebound about version control systems.
I wouldn't be surprised if they were using CVS, and if multiple people didn't have access to the repository storage. In which case it's pretty trivial to insert the code in a way where it's impossible to tell the origin.
Git with signed commits would be resistant to hiding the identity of the commit author, but a lot of corporations are paranoid about using it because of a perceived lack
Re:Version control? (Score:5, Interesting)
Yes but you have to consider the sophistication here. This was code designed to appear to be a debug statement. It might not be the very most cleverly obfuscated code in history but it was done by someone with a lot of knowledge about internal style and practices, and software development skills in general. It's like state sponsored as well. So we have at least the potential for a fairly advanced threat actor here.
I would say it's highly unusual a skilled pentester doing an internal test does not enjoy at least some success. Even if they don't end up pwning all the key systems etc, they will as a rule at least be able to get on some developers' or administrators' boxes. Somebody always slips up somewhere. Assuming this person was willing to be patient and wait weeks or months and was on the inside, maybe a plant who got hired on, they could eventually compromise some developer's box and get hold of their creds, signing keys, or whatever was needed to do a source commit. So attribution might be easy but correct attribution might be a hard problem. Just because someone clicks 'blame' and Bob Smith shows up, does not mean Bob had much to do with it other than he clicked the wrong link sometime, used a backdoored tool, etc..
Re: (Score:3)
> They must be using some sort of version control, right? So it should be trivial to find out who inserted the code and find out what exactly is going on (and prosecute those responsible). I mean, they'd like to "clear their name", wouldn't they?
Where I work, our source code repository has logins but no passwords (unless you set one, and most developers don't, for whatever reason). My old boss used to check in things under my name.
After I set a password, he used to throw code "over the fence" and have me check it in verbatim.
Having your name/login on checked in code is not a terribly reliable way to identify the guilty party.
(btw, I'm not saying my old boss ever did anything nefarious -- I'm quite sure he didn't -- I'm just demonstrating that your
Re: (Score:2)
LOL at what industry is this.
EVERY ONE THAT WRITES SOFTWARE.
Yes, it's a bad, but very common, practice.
Any clues as to how it got in the code? (Score:1)
This interesting part will be the detective story for how it got into the code base.
That story may have similar versions for other equipment.
Re: Any clues as to how it got in the code? (Score:3, Insightful)
The Register had an article saying the devteam is in China.
Re: (Score:1)
"The Capitalists will sell us the rope with which we will hang them."
-Vladimir Lenin
There are no words...
And folks were concerned about Huawei (Score:5, Interesting)
Maybe there are reasons to still have concerns about them but this goes beyond just concerns. How did this get into Juniper's code baseline? Is there a mole working inside the company, or did their servers get hacked? Why would their code servers be accessible from outside the company in any case? More importantly, how does this get fixed? Has Juniper sent out patches yet or done a complete review of their code to verify that there aren't other security holes? Can this backdoor be disabled without patching? IT groups in a lot of companies must be having the cold sweats about now.
Re: (Score:3)
Their code servers don't have to be accessible from the outside. Juniper has many employees, and hacking a single one of them is probably sufficient to sneak in a backdoor.
Re: (Score:2, Informative)
I am, because Huawei actually stole Cisco code and even hardware designs in a breach in the 90s for the 7200 series. They should not be allowed to sell products in the western world. Chinese will cheat their way to the top.
sun su (Score:3)
Whoever put it in was an Art of War fan....
Re: (Score:2)
...if it was a Chinese speaker using Latin characters but not knowing the western spelling they would spell it 'sun zu' or something, since the second word starts with a zzz sound...
Actually, he would probably write it as "Sunzi", and the initial consonant of the second syllable is pronounced "dz".
Community Defense (Score:4, Insightful)
Assuming Juniper has secure code audit logs and can personally identify the person who checked this in ("find the spook" if you will), will his identity be swept under the rug for some BS "privacy concerns" or will the Internet security community learn his identity so that he may be properly ostracized and precluded from any such future work?
Juniper has the money to settle any threats of lawsuits arising from such disclosure - doing the right thing here is probably the only way people will ever trust Juniper again - it may even be a 'cost of sales'.
If Juniper can't positively ID the perp then nobody can trust them going forward, so let's hope they can and do.
Re:Community Defense (Score:4, Insightful)
Whoever put it there may well have hacked a developer's computer, whether they were working at Juniper or not.
Re: (Score:1)
The last time we investigated this they had used the key of the director of development.....and the pc was 'leaking and receiving' data so 'who checked it in' doesn't tell you much.
Re: (Score:2)
Re: (Score:2)
And if Juniper was paid by the gov't to do exactly this, then what?
Re: (Score:2)
> And if Juniper was paid by the gov't to do exactly this, then what?
Paid? Forced is more likely.
The secret courts working for your dollar!
Re: (Score:2)
Lots of years old traces, code samples, some splitter locations for collect it all...
If any top regional security experts get too near, that nation's security services take over.
Recall Opera
Good thing people stopped using ScreenOS before (Score:1)
Good thing people stopped using ScreenOS before 2013. Seriously they've been migrating people onto the vastly superior SRX/JunOS platform for over a decade. ScreenOS is purely legacy garbage at this point. Only resistance I've seen to people leaving ScreenOS is having to learn a new CLI, aka IT lifers who hate learning.
Comment removed (Score:5, Interesting)
Re: (Score:1)
Every network appliance vendor has backdoors (mostly), for your safety :D
Synology, is at least creative in having a daily backdoor lol
https://wrgms.com/synologys-secret-telnet-password/
Re: (Score:2)
Mr. Potato head...Mr. Potato head !!! (Score:2)
Are we sure Juniper didn't do it? (Score:2, Interesting)
Juniper is saying they were hacked and that the code was likely produced by a state-sponsored entity, but has that been confirmed? It seems to me that given the FBI's recent statements about requiring encryption backdoors in various applications and network products is perhaps a cover for those manufacturers that have already started to comply with a secret policy put forth by the FBI/NSA. This situation kinda reminds me of what happened when it was found out that telecoms were giving access to the NSA for
Re: (Score:2)
Seems irresponsible (Score:2, Insightful)
Given reduced manpower and increased difficulty in obtaining change approvals at this time of the year, doesn't it strike anyone else a bit soon to be publicly listing the exact password to use? Also they're publishing unpacked Juniper software, which may elicit a Cease and Desist.
Yes I get that the bad guys could do this reverse engineering as well, but the reality is that there's a limited number of attackers with the engineering knowledge to proceed, compared to the much larger number of script kiddies
Don't people strip symbols any more? (Score:4, Interesting)
One thing that surprised me is that symbols were still in the executable. I'll admit that I'm kind of long in the tooth and have been out of the industry for 15 years now. It used to be that a standard practice was that the final compile had the symbols stripped out. It was done for space consideration mostly, which probably isn't a concern anymore, but also for security. Is it now standard practice to leave symbols in shipped code? If so, why? Yes it is somewhat of a security by obscurity, but leaving symbols in is like leaving the combination to your lock taped to the back of it, or at least a note as to where you've hidden the combination.
Re:Don't people strip symbols any more? (Score:4, Informative)
There is no actual security gain from stripping symbols. If the logic of the code allows for something to be performed which shouldn't be, then stripping symbols changes nothing at all.
The most stripped symbols would do, is slow down a person reverse engineering the code, once done they still get their access and can reuse their knowledge, and even that assumes they don't have direct access to the source code...clearly a bad assumption here.
It's similar to the old "no compilers in production". It doesn't actually protect you from anything but the most unsophisticated attackers. Which, admittedly, is a form of protection, but only from opportunists who don't care that much.
Who!? (Score:2)
It should be trivial for the FBI to discover who did this and why. Unless, of course, the NSA doesn't want them to...
Re:Why do people even buy U.S hardware? (Score:5, Insightful)
So where do we go? Russian hardware? Chinese hardware? If you think those countries are any safer, I have a bridge in a borough of New York City that's looking for a new owner...
Re: (Score:1)
No thanks, that bridge is American hardware.
Re: (Score:1)
> So where do we go? Russian hardware? Chinese hardware? If you think those countries are any safer, I have a bridge in a borough of New York City that's looking for a new owner...
Assuming all of them being compromised I would go with Russian or Chinese yes. Neither of them trade information with my government so my personal data won't be used against me when it's with them.
For business hardware I would go with locally developed any time of the day. Your own government typically won't sell out its own companies.
Re: (Score:2, Insightful)
Well, if I buy hardware from China, it maybe has a Chinese backdoor.
If I buy hardware from the USA, it maybe has a USA backdoor and a Chinese backdoor.
So I buy hardware from China, thank you very much.
In a way Chinese hardware might be more secure (Score:3)
Re: (Score:2)
The other method is huge amounts of contacts between US gov/mil staff and then the US corporations follow in with US products and services.
Like buys like when a nation's top political leaders, mil and generals want what they saw in the USA. Standardization, friendships, generations of shared bases.
The