Juniper ScreenOS backdoor: the attack demystified

Juniper Networks is a multinational corporation headquartered in Sunnyvale, California that develops and markets networking products. Its products include routers, switches, network management software, network security products and software-defined networking technology.

On 18th December 2015 a critical vulnerability (CVE-2015-7755) affecting ScreenOS 6.3.0r17 through 6.3.0r20 was disclosed. The impact is huge because many routers and switches are powered by Juniper ScreenOS. This vulnerability allows remote attackers to obtain administrative access by entering an unspecified password during a (1) SSH or (2) TELNET session.


To see how many such devices are exposed we can use an IoT search engine like Shodan or Censys. In this article I'll use Shodan to show how the simple query netscreen product:"NetScreen sshd" currently returns 27,659 devices.

sample results


top countries

Juniper Networks is a US company, so it is not surprising to see the USA as the most affected country, but as you can see this technology is used worldwide, so we can state that this vulnerability literally broke the internet.


top organisations

Analysing these statistics we can see that some major telecommunication companies (ISPs) are affected, which means that potentially anyone who uses their services could be at risk. While this is scary, I expect ISPs to have already fixed the issue, but there will still be thousands of vulnerable devices at this time.


If you have a vulnerable system you can connect to it via SSH or Telnet if you know a valid username. Usernames can be guessed or found via dictionary or brute-force attacks if no effective security measures are in place.

Once you have the username you simply need to enter the magic password: <<< %s(un='%s') = %u ...and you are in.

normal and compromised login as shown in logs


backdoor's password

The password was crafted to be hard to read and to be disguised as debug code, but it is clearly inspired by the book "The Art of War" by Sun Tzu. That is a curious detail and it was obviously chosen intentionally, so you may ask...


There has been much speculation about this; obviously it must be someone with access to the Juniper Networks codebase. It could be Juniper Networks itself, an unknown hacker or hacking group, or a government.


The best thing to do in this case is simply to update to ScreenOS 6.2.0r19, 6.3.0r21 or a later release. You can download the firmware from here: .

SNORT IDS rules are also available:

# Signatures to detect successful abuse of the Juniper backdoor password over telnet.
# Additionally a signature for detecting world reachable ScreenOS devices over SSH.
# Note: the flowbit names (flowbits:set / flowbits:isset) and the reference URLs are
# missing from this copy of the rules and must be filled in before the rules will load.

alert tcp $HOME_NET 23 -> any any (msg:"FOX-SRT - Flowbit - Juniper ScreenOS telnet (noalert)"; flow:established,to_client; content:"Remote Management Console|0d0a|"; offset:0; depth:27; flowbits:set,; flowbits:noalert; reference:cve,2015-7755; reference:url,; classtype:policy-violation; sid:21001729; rev:2;)
alert tcp any any -> $HOME_NET 23 (msg:"FOX-SRT - Backdoor - Juniper ScreenOS telnet backdoor password attempt"; flow:established,to_server; flowbits:isset,; flowbits:set,; content:"|3c3c3c20257328756e3d2725732729203d202575|"; offset:0; fast_pattern; classtype:attempted-admin; reference:cve,2015-7755; reference:url,; sid:21001730; rev:2;)
alert tcp $HOME_NET 23 -> any any (msg:"FOX-SRT - Backdoor - Juniper ScreenOS successful logon"; flow:established,to_client; flowbits:isset,; content:"-> "; isdataat:!1,relative; reference:cve,2015-7755; reference:url,; classtype:successful-admin; sid:21001731; rev:1;)
alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"FOX-SRT - Policy - Juniper ScreenOS SSH world reachable"; flow:to_client,established; content:"SSH-2.0-NetScreen"; offset:0; depth:17; reference:cve,2015-7755; reference:url,; classtype:policy-violation; priority:1; sid:21001728; rev:1;)

Note that if you have NetScreen devices running telnet on a non-default port, you will need to change port 23 in these rules to that specific port or to any.
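To make the flowbit chain in the telnet rules concrete, here is an added example (my own code, not from the original post or from Fox-IT) that applies the same three-step logic to a constructed telnet session; the state names, hostname and sample credentials are assumptions, and the backdoor password is decoded from the hex content of the rule rather than retyped.

```python
# Added example (not code from the original post or from Fox-IT): a small
# stateful matcher that applies the same three-step logic as the telnet
# Snort rules above to a constructed telnet session. Each event is
# (direction, payload) with "s2c" = server to client, "c2s" = client to server.

# The rule carries the password as hex; decoding it avoids retyping it.
BACKDOOR_PASSWORD = bytes.fromhex("3c3c3c20257328756e3d2725732729203d202575")
BANNER = b"Remote Management Console\r\n"   # matched at offset 0, depth 27
PROMPT_SUFFIX = b"-> "                       # content "-> " with no data after it


def analyze_session(events):
    """Return the alerts raised for one telnet session, in order.

    Banner sets the 'screenos' state (no alert); a client payload containing the
    backdoor password while that state is set raises 'backdoor password attempt';
    a server payload ending with the CLI prompt after that raises 'successful logon'.
    """
    screenos = False        # stands in for the flowbit set by the banner rule
    password_seen = False   # stands in for the flowbit set by the password rule
    alerts = []
    for direction, payload in events:
        if direction == "s2c" and payload[:len(BANNER)] == BANNER:
            screenos = True
        elif direction == "c2s" and screenos and BACKDOOR_PASSWORD in payload:
            password_seen = True
            alerts.append("backdoor password attempt")
        elif direction == "s2c" and password_seen and payload.endswith(PROMPT_SUFFIX):
            alerts.append("successful logon")
            password_seen = False
    return alerts


# Constructed sessions: hostname "ns-lab", username and normal password are made up.
BACKDOOR_SESSION = [
    ("s2c", b"Remote Management Console\r\nlogin: "),
    ("c2s", b"someuser\r\n"),
    ("s2c", b"password: "),
    ("c2s", b"<<< %s(un='%s') = %u\r\n"),
    ("s2c", b"ns-lab-> "),
]
NORMAL_SESSION = [
    ("s2c", b"Remote Management Console\r\nlogin: "),
    ("c2s", b"someuser\r\n"),
    ("s2c", b"password: "),
    ("c2s", b"correct-horse-battery\r\n"),
    ("s2c", b"ns-lab-> "),
]

if __name__ == "__main__":
    print(analyze_session(BACKDOOR_SESSION))  # ['backdoor password attempt', 'successful logon']
    print(analyze_session(NORMAL_SESSION))    # []
```

Like the Snort rules, this only sees cleartext telnet; the SSH path for the same password cannot be matched on the wire, which is why the fourth rule simply flags reachable ScreenOS SSH services for follow-up.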


If you are curious about this vulnerability, the unpacked firmware images of the affected versions are available for download.

The firmware images were extracted and analysed by Ralf-Philipp Weinmann of Comsecuris using binwalk. You can simply load them in IDA Pro or another disassembler and have a look yourself.


Author: Fabio Baroni   Date: 2015-12-21 15:17:37
