Following Juniper’s announcement that its ScreenOS platform contained unidentified code that it couldn’t trace, it took just three days for security researchers to reverse engineer the patch and find the backdoor.
According to a post on Rapid7 Community, the password was discovered by analyzing the difference between the patched NetScreen update released Friday and the previous version.
The password is cleverly disguised as a string that may look like a debug format used elsewhere in the code — << %s(un=’%s’) = %u, — which allows a user to bypass authentication via SSH and Telnet provided a valid username is provided.
