Arris Cable Modem Backdoor - I'm A Technician, Trust Me.

Vendor backdoors are the worst. Sloppy coding leading to unintentional "bugdoors" is somewhat defendable, but flat out backdoors are always unacceptable. Todays example is brought to you by Arris. A great quote from their site -

Subscribers want their internet to be two things, fast and worry free. Cable operators deploy services to meet the speed expectations, and trust ARRIS to provide the cable modems that deliver the reliability.

Nothing spells "trust" and "worry free" like a backdoor account, right?! Anyways, the following was observed on an Arris TG862G cable modem running the following firmware version -TS070563_092012_MODEL_862_GW

After successfully providing the correct login and password to the modems administration page, the following cookie is set (client side):

Cookie: credential=eyJ2YWxpZCI6dHJ1ZSwidGVjaG5pY2lhbiI6ZmFsc2UsImNyZWRlbnRpYWwiOiJZV1J0YVc0NmNHRnpjM2R2Y21RPSIsInByaW1hcnlPbmx5IjpmYWxzZSwiYWNjZXNzIjp7IkFMTCI6dHJ1ZX0sIm5hbWUiOiJhZG1pbiJ9

 All requests must have a valid "credential" cookie set (this was not the case in a previous FW release - whoops) if the cookie is not present the modem will reply with "PLEASE LOGIN". The cookie value is just a base64 encoded json object:

{"valid":true,"technician":false,"credential":"YWRtaW46cGFzc3dvcmQ=","primaryOnly":false,"access":{"ALL":true},"name":"admin"}

And after base64 decoding the "credential" value we get:

{"valid":true,"technician":false,"credential":"admin:password","primaryOnly":false,"access":{"ALL":true},"name":"admin"}

Sweet, the device is sending your credentials on every authenticated request (without HTTPS), essentially they have created basic-auth 2.0 - As the kids say "YOLO". The part that stuck out to me is the "technician" value that is set to "false" - swapping it to "true" didn't do anything exciting, but after messing around a bit I found that the following worked wonderfully:

Cookie: credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9

Which decodes to the following:

{"credential":"dGVjaG5pY2lhbjo="}

And finally:

{"credential":"technician:"} 

Awesome, the username is "technician" and the password is empty. Trying to log into the interface using these credentials does not work :(

That is fairly odd. I can't think of a reasonable reason for a hidden account that is unable to log into the UI. So what exactly can you do with this account? Well, the web application is basically a html/js wrapper to some CGI that gets/sets SNMP values on the modem. It is worth noting that on previous FW revisions the CGI calls did NOT require any authentication and could be called without providing a valid "credential" cookie. That bug was killed a few years ago at HOPE 9.

Now we can resurrect the ability to set/get SNMP values by setting our "technician" account:

That's neat, but we would much rather be using the a fancy "web 2.0" UI that a normal user is accustomed to, instead of manually setting SNMP values like some sort of neckbearded unix admin. Taking a look at the password change functionality appeared to be a dead end as it requires the previous password to set a new one:

Surprisingly the application does check the value of the old password too! Back to digging around the following was observed in the "mib.js" file:

SysCfg.AdminPassword= new Scalar("AdminPassword","1.3.6.1.4.1.4115.1.20.1.1.5.1",4);

Appears that the OID "1.3.6.1.4.1.4115.1.20.1.1.5.1" holds the value of the "Admin" password! Using the "technician" account to get/walk this OID comes up with nothing:

HTTP/1.1 200 OK
Date: Tue, 23 Sep 2014 19:58:40 GMT
Server: lighttpd/1.4.26-devel-5842M
Content-Length: 55
{
"1.3.6.1.4.1.4115.1.20.1.1.5.1.0":"",
"1":"Finish"
}

What about setting a new value? Surely that will not work....

That response looks hopeful. We can now log in with the password "krad_password" for the "admin" user:

This functionality can be wrapped up in the following curl command:

curl -isk -X 'GET' -b 'credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9' 'http://192.168.100.1:8080/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.5.1.0=krad_password;4;'

Of course if you change the password you wouldn't be very sneaky, a better approach would be re-configuring the modems DNS settings perhaps? It's also worth noting that the SNMP set/get is CSRF'able if you were to catch a user who had recently logged into their modem.

The real pain here is that Arris keeps their FW locked up tightly and only allows Cable operators to download revisions/fixes/updates, so you are at the mercy of your Cable operator, even if Arris decides that its worth the time and effort to patch this bug backdoor - you as the end user CANNOT update your device because the interface doesn't provide that functionality to you! Next level engineering.

Related links

1. Hacking Tools For Games
2. Hacker Tools For Windows
3. How To Make Hacking Tools
4. How To Hack
5. World No 1 Hacker Software
6. Hacker Tools For Ios
7. World No 1 Hacker Software
8. Pentest Tools Tcp Port Scanner
9. Pentest Tools Free
10. Hack Tools 2019
11. World No 1 Hacker Software
12. Hacker Tools 2020
13. Hacker Tools For Mac
14. Hacker Tools For Mac
15. Pentest Tools Linux
16. Hacking Tools
17. Hacking Tools Pc
18. Hacking Tools Pc
19. Hack Website Online Tool
20. Hacking Tools And Software
21. Hack Tools Download
22. Wifi Hacker Tools For Windows
23. Hacking Tools For Mac
24. Hack Tools For Windows
25. Wifi Hacker Tools For Windows
26. Black Hat Hacker Tools
27. Pentest Tools Alternative
28. Usb Pentest Tools
29. Pentest Tools Download
30. Hacker Hardware Tools
31. Pentest Tools List
32. Pentest Tools Find Subdomains
33. Hacking Tools Github
34. Hacking Tools Github
35. Hacking Tools Online
36. Hack Tools Pc
37. Hacking Tools And Software
38. Hacks And Tools
39. Pentest Box Tools Download
40. Kik Hack Tools
41. Hacker Security Tools
42. Hacker Tools Apk Download
43. Hacking Tools Kit
44. Hacker Techniques Tools And Incident Handling
45. Hacker Tools For Ios
46. Hacking Tools Online
47. Hacker Tools For Windows
48. Hacking Tools For Games
49. Hacker Tool Kit
50. Top Pentest Tools
51. Free Pentest Tools For Windows
52. Hacking Tools Usb
53. Hack Tools Online
54. Android Hack Tools Github
55. Ethical Hacker Tools
56. Hacker Tools Mac
57. Hacking Tools Software
58. Hacker Tool Kit
59. Hacking Tools Free Download
60. Black Hat Hacker Tools
61. Pentest Reporting Tools
62. Bluetooth Hacking Tools Kali
63. Hack Tools
64. Tools 4 Hack
65. World No 1 Hacker Software
66. Beginner Hacker Tools
67. Pentest Tools Find Subdomains
68. Hacking Tools Pc
69. Hacker Tools
70. World No 1 Hacker Software
71. Pentest Tools Bluekeep
72. Pentest Tools Tcp Port Scanner
73. Hacker Tools For Mac
74. Hack Website Online Tool
75. Game Hacking
76. Hack Apps
77. Pentest Tools Nmap
78. Hack Tools
79. Hacker Tools Apk Download
80. Hack Tool Apk
81. Hack Tools For Ubuntu
82. Install Pentest Tools Ubuntu
83. Pentest Tools Download
84. Hacker Techniques Tools And Incident Handling
85. Install Pentest Tools Ubuntu
86. Hacking Tools Software
87. Pentest Tools Website
88. Hacking Tools Hardware
89. Hacker Tools Hardware
90. Underground Hacker Sites
91. Underground Hacker Sites
92. Hacking Tools For Windows Free Download
93. Install Pentest Tools Ubuntu
94. Hacker Tools 2020
95. Pentest Tools Linux
96. Hacking Tools For Pc
97. Hacking Tools For Windows 7
98. Pentest Tools Website Vulnerability
99. Hacker Tools Apk
100. Hacker Tool Kit
101. Hack Website Online Tool
102. Best Hacking Tools 2019
103. Hacker Hardware Tools
104. Pentest Tools Port Scanner
105. Pentest Tools For Windows
106. Hack Tools For Windows
107. Hacker Tools For Ios
108. Pentest Tools Bluekeep
109. Hacking Tools Name
110. Pentest Tools For Mac
111. Hacking Tools Online
112. Pentest Tools Linux
113. Pentest Recon Tools
114. Pentest Tools Subdomain
115. Hacking Tools And Software
116. Pentest Tools Download
117. Pentest Tools For Windows
118. Blackhat Hacker Tools
119. Hacking Tools Pc
120. Hack Tools For Games
121. Hacking Tools For Games
122. Hacking Tools Name
123. Pentest Tools Bluekeep
124. Hacker Tool Kit
125. Computer Hacker
126. Hacker Tools Linux
127. Hacking Tools Kit
128. Hacking Tools For Beginners
129. Hacking Apps
130. Wifi Hacker Tools For Windows
131. Hacker Tools 2020
132. Hacker Tools Apk
133. Hack And Tools
134. Hacking Tools Github
135. Pentest Tools For Android
136. Ethical Hacker Tools
137. Hacker Tools Apk
138. Pentest Tools Framework
139. Pentest Tools Review
140. Pentest Tools Windows
141. Top Pentest Tools
142. Hack Tools Online
143. Hacker Tools Github
144. Hacker Tools Apk
145. Pentest Tools Download
146. Free Pentest Tools For Windows
147. Bluetooth Hacking Tools Kali
148. Hacking Tools Free Download
149. Hack Tools Online
150. New Hacker Tools
151. Hack Tools For Pc