在2015年的12月18日,Juniper官網發布安全公告,指出在他們的Netscrren防火墻的ScreenOS軟件中發現未授權的代碼,其中涉及2個安全問題,一個是在VPN的認證代碼實現中被安放后門,允許攻擊者被動解密VPN的流量(CVE-2015-7756),另一個后門是允許攻擊者遠程繞過SSH和Telnet認證,利用后門密碼遠程接管設備(CVE-2015-7755).在Juniper的安全公告后的6個小時,Fox-IT公司找到了后門密碼,并發布了Sort規則
通過Sort規則我們可以看出SSH/Telnet的后門密碼是"<<< %s(un='%s') = %u" (3c3c3c20257328756e3d2725732729203d202575十六進制解碼)
Sort規則:
alert tcp $HOME_NET 23 -> any any (msg:"FOX-SRT - Flowbit - Juniper ScreenOS telnet (noalert)"; flow:established,to_client; content:"Remote Management Console|0d0a|"; offset:0; depth:27; flowbits:set,fox.juniper.screenos; flowbits:noalert; reference:cve,2015-7755; reference:url,http://kb.juniper.net/JSA10713; classtype:policy-violation; sid:21001729; rev:2;)
alert tcp any any -> $HOME_NET 23 (msg:"FOX-SRT - Backdoor - Juniper ScreenOS telnet backdoor password attempt"; flow:established,to_server; flowbits:isset,fox.juniper.screenos; flowbits:set,fox.juniper.screenos.password; content:"|3c3c3c20257328756e3d2725732729203d202575|"; offset:0; fast_pattern; classtype:attempted-admin; reference:cve,2015-7755; reference:url,http://kb.juniper.net/JSA10713; sid:21001730; rev:2;)
alert tcp $HOME_NET 23 -> any any (msg:"FOX-SRT - Backdoor - Juniper ScreenOS successful logon"; flow:established,to_client; flowbits:isset,fox.juniper.screenos.password; content:"-> "; isdataat:!1,relative; reference:cve,2015-7755; reference:url,http://kb.juniper.net/JSA10713; classtype:successful-admin; sid:21001731; rev:1;)
alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"FOX-SRT - Policy - Juniper ScreenOS SSH world reachable"; flow:to_client,established; content:"SSH-2.0-NetScreen"; offset:0; depth:17; reference:cve,2015-7755; reference:url,http://kb.juniper.net/JSA10713; classtype:policy-violation; priority:1; sid:21001728; rev:1;)
根據Juniper的安全公告提及,版本6.2.0r15到6.2.0r18和6.3.0r12到6.3.0r20受影響,Juniper提供了新的6.2.0和6.3.0build下載,也對去除后門的版本進行了重打包,標識為'b',如ssg500.6.3.0r12b.0.bin和ssg5ssg20.6.3.0r19b.0.bin.老外對CVE-2015-7756和CVE-2015-7755受影響的Juniper設備版本做了一個圖示,如圖1 (雖然我個人認為他標記2個CVE標記反了)
圖片引用自http://malwarejake.blogspot.tw/
這里只參考hdm的文章分析發現CVE-2015-7755后門漏洞的過程,CVE-2015-7756漏洞涉及很多密碼學的知識,我隨后發布.
hdm已經把firmware打包放在了https://github.com/hdm/juniper-cve-2015-7755,其中 SSG500固件是使用x86架構, SSG5和SSG20固件使用XScale (ARMB) 架構,這里直接把ssg5ssg20.6.3.0r19.0.bin載入IDA,在"Processor Type"里選擇ARMB,如圖2
圖2
然后修改Loading Address為 0x80000,File Offset為 0x20,如圖3
圖3
通過字符串參考搜索"strcmp"找到sub_ED7D94函數,但是引用太多,如圖4,圖5.繼續查看字符串參考,發現更有趣的字符如"auth_admin_ssh_special"和“auth_admin_internal",通過"auth_admin_internal"發現sub_13DBEC函數,這個函數有個BL sub_ED7D94,F5看下sub_ED7D94,類似"strcmp",如圖6
圖4
圖5
圖6
最后確定后門密碼為“<<< %s(un='%s') = %u“,如圖7
圖7
要想利用還需要知道SSH/TELNET登陸名,通過官方文檔,我們知道默認登陸名為netscreen,又根據sans 蜜罐的結果https://isc.sans.edu/forums/diary/The+other+Juniper+vulnerability+CVE20157756/20529/,摘錄出常用用戶名root/admin/,掃描結果見第三部分
經過我個人掃描,全球開放juniper的ssh設備有21869臺(為了避免麻煩,忽略了一些已知的蜜罐網絡和敏感網絡的IP段,實際應該更多),其中中國占2008臺.根據shodan的熱詞“netscreen counter:"CN""來看,他得到的中國受影響的IP是2130臺.如圖8,而其中受后門影響的設備已經驗證的有317臺.如圖9
圖8
圖9
另外要說的另一個敏感問題是,除了受后門影響的這317臺juniper設備,弱口令問題導致可以登陸設備的有20多臺,大部分是netscreen/netscreen,這種安全意識問題,還需要網絡管理員注意.
管理員可通過get event查看登陸日志.排查是否可以被掃描或登陸
ssg5-serial-> get event
Total event entries = 3072
Date Time Module Level Type Description
2015-12-23 17:25:27 system warn 00515 Admin user system has logged on via
SSH from 1.1.1.1:32366
2015-12-23 17:17:26 system warn 00528 SSH: Password authentication failed
雖然這個日志可以通過ssg5-serial-> get event 來刪除. :)
可以通過tftp和web接口來升級,具體步驟參考
http://puluka.com/home/techtalknetworking/screenoscriticalsecurityissue2015.html
Juniper ScreenOS backdoor: the attack demystified
http://www.pentest.guru/index.php/2015/12/21/juniper-screenos-backdoor-attack-demystified/
Juniper Networks - 2015-12 Out of Cycle Security Bulletin: ScreenOS: Multiple Security issues with ScreenOS (CVE-2015-7755) - Knowledge Base
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&cat=SIRT_1&actp=LIST
Juniper Follow Up
http://malwarejake.blogspot.com/2015/12/juniper-follow-up.html
CVE-2015-7755: Juniper ScreenOS Authentication Backdoor
https://community.rapid7.com/community/infosec/blog/2015/12/20/cve-2015-7755-juniper-screenos-authentication-backdoor
RY,低調的張老師