Arris Cable Modem Backdoor - I'm A Technician, Trust Me.

Vendor backdoors are the worst. Sloppy coding leading to unintentional "bugdoors" is somewhat defendable, but flat out backdoors are always unacceptable. Todays example is brought to you by Arris. A great quote from their site -

Subscribers want their internet to be two things, fast and worry free. Cable operators deploy services to meet the speed expectations, and trust ARRIS to provide the cable modems that deliver the reliability.

Nothing spells "trust" and "worry free" like a backdoor account, right?! Anyways, the following was observed on an Arris TG862G cable modem running the following firmware version -TS070563_092012_MODEL_862_GW

After successfully providing the correct login and password to the modems administration page, the following cookie is set (client side):

Cookie: credential=eyJ2YWxpZCI6dHJ1ZSwidGVjaG5pY2lhbiI6ZmFsc2UsImNyZWRlbnRpYWwiOiJZV1J0YVc0NmNHRnpjM2R2Y21RPSIsInByaW1hcnlPbmx5IjpmYWxzZSwiYWNjZXNzIjp7IkFMTCI6dHJ1ZX0sIm5hbWUiOiJhZG1pbiJ9

 All requests must have a valid "credential" cookie set (this was not the case in a previous FW release - whoops) if the cookie is not present the modem will reply with "PLEASE LOGIN". The cookie value is just a base64 encoded json object:

{"valid":true,"technician":false,"credential":"YWRtaW46cGFzc3dvcmQ=","primaryOnly":false,"access":{"ALL":true},"name":"admin"}

And after base64 decoding the "credential" value we get:

{"valid":true,"technician":false,"credential":"admin:password","primaryOnly":false,"access":{"ALL":true},"name":"admin"}

Sweet, the device is sending your credentials on every authenticated request (without HTTPS), essentially they have created basic-auth 2.0 - As the kids say "YOLO". The part that stuck out to me is the "technician" value that is set to "false" - swapping it to "true" didn't do anything exciting, but after messing around a bit I found that the following worked wonderfully:

Cookie: credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9

Which decodes to the following:

{"credential":"dGVjaG5pY2lhbjo="}

And finally:

{"credential":"technician:"} 

Awesome, the username is "technician" and the password is empty. Trying to log into the interface using these credentials does not work :(

That is fairly odd. I can't think of a reasonable reason for a hidden account that is unable to log into the UI. So what exactly can you do with this account? Well, the web application is basically a html/js wrapper to some CGI that gets/sets SNMP values on the modem. It is worth noting that on previous FW revisions the CGI calls did NOT require any authentication and could be called without providing a valid "credential" cookie. That bug was killed a few years ago at HOPE 9.

Now we can resurrect the ability to set/get SNMP values by setting our "technician" account:

That's neat, but we would much rather be using the a fancy "web 2.0" UI that a normal user is accustomed to, instead of manually setting SNMP values like some sort of neckbearded unix admin. Taking a look at the password change functionality appeared to be a dead end as it requires the previous password to set a new one:

Surprisingly the application does check the value of the old password too! Back to digging around the following was observed in the "mib.js" file:

SysCfg.AdminPassword= new Scalar("AdminPassword","1.3.6.1.4.1.4115.1.20.1.1.5.1",4);

Appears that the OID "1.3.6.1.4.1.4115.1.20.1.1.5.1" holds the value of the "Admin" password! Using the "technician" account to get/walk this OID comes up with nothing:

HTTP/1.1 200 OK
Date: Tue, 23 Sep 2014 19:58:40 GMT
Server: lighttpd/1.4.26-devel-5842M
Content-Length: 55
{
"1.3.6.1.4.1.4115.1.20.1.1.5.1.0":"",
"1":"Finish"
}

What about setting a new value? Surely that will not work....

That response looks hopeful. We can now log in with the password "krad_password" for the "admin" user:

This functionality can be wrapped up in the following curl command:

curl -isk -X 'GET' -b 'credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9' 'http://192.168.100.1:8080/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.5.1.0=krad_password;4;'

Of course if you change the password you wouldn't be very sneaky, a better approach would be re-configuring the modems DNS settings perhaps? It's also worth noting that the SNMP set/get is CSRF'able if you were to catch a user who had recently logged into their modem.

The real pain here is that Arris keeps their FW locked up tightly and only allows Cable operators to download revisions/fixes/updates, so you are at the mercy of your Cable operator, even if Arris decides that its worth the time and effort to patch this bug backdoor - you as the end user CANNOT update your device because the interface doesn't provide that functionality to you! Next level engineering.


More information

1. Hacking Tools For Kali Linux
2. Black Hat Hacker Tools
3. New Hack Tools
4. Hacking Tools Pc
5. Hacking Tools Software
6. Hack Website Online Tool
7. Hacker Tools Free Download
8. Hacker Tool Kit
9. Free Pentest Tools For Windows
10. Hack Tool Apk
11. Hack Tools Online
12. Tools 4 Hack
13. Pentest Automation Tools
14. Hack Tools Download
15. Hackrf Tools
16. Hack App
17. Hacking App
18. Hacking Tools For Windows Free Download
19. How To Install Pentest Tools In Ubuntu
20. How To Install Pentest Tools In Ubuntu
21. Hacking Tools Usb
22. Pentest Tools Website Vulnerability
23. Pentest Tools Website Vulnerability
24. Hacker Tools For Mac
25. Pentest Tools For Mac
26. Hack App
27. Hacker Techniques Tools And Incident Handling
28. Hacking Tools Hardware
29. Hack Tool Apk
30. Hacker Tools List
31. Top Pentest Tools
32. Hacker Tools Free
33. New Hacker Tools
34. Ethical Hacker Tools
35. Pentest Tools Subdomain
36. Hacks And Tools
37. Wifi Hacker Tools For Windows
38. Hack Apps
39. Hacking Tools For Windows Free Download
40. Pentest Tools Apk
41. Pentest Tools Url Fuzzer
42. Pentest Tools For Android
43. Usb Pentest Tools
44. Hacker Tools For Ios
45. Hacking App
46. Pentest Tools Find Subdomains
47. Hacking App
48. Hacking Tools For Windows 7
49. Hacking Tools For Windows
50. Growth Hacker Tools
51. Hacker
52. Best Hacking Tools 2020
53. Hackrf Tools
54. Hacker Tools 2020
55. Hack Rom Tools
56. Hack Tools
57. Hacker Hardware Tools
58. New Hack Tools
59. Hacker Tools Hardware
60. Hacker Tools For Ios
61. Best Hacking Tools 2020
62. Pentest Tools Url Fuzzer
63. Hack Tools For Windows
64. Hacking Tools 2020
65. Pentest Tools
66. Black Hat Hacker Tools
67. Hack Website Online Tool
68. What Are Hacking Tools
69. Hack Rom Tools
70. Hack Tools For Windows
71. Kik Hack Tools
72. Pentest Tools Website Vulnerability
73. Hacking Tools Hardware
74. Wifi Hacker Tools For Windows
75. Pentest Tools Website
76. Hacking Tools For Pc
77. Hacker Tools Free Download
78. Hacking Tools For Kali Linux
79. Hacking Tools Kit
80. Hacking Tools Windows 10
81. Best Hacking Tools 2020
82. Hack Tools Mac
83. What Is Hacking Tools
84. Hacking Tools And Software
85. Hack Tools For Windows
86. Blackhat Hacker Tools
87. Easy Hack Tools
88. Hacking Tools For Kali Linux
89. Hack Tool Apk
90. Termux Hacking Tools 2019
91. Hacker Tools List
92. Hacker
93. Pentest Tools Website
94. Hacking Tools Free Download
95. Hacking Tools For Windows Free Download
96. Hacker Tools For Mac
97. Tools For Hacker
98. Hacker Search Tools
99. Hacker Tools Online
100. Hack Tools For Mac
101. Hacking Tools Download
102. Hacker Tools List
103. Nsa Hacker Tools
104. Hacking Tools Windows