Arris Cable Modem Backdoor - I'm A Technician, Trust Me.

Vendor backdoors are the worst. Sloppy coding leading to unintentional "bugdoors" is somewhat defendable, but flat out backdoors are always unacceptable. Todays example is brought to you by Arris. A great quote from their site -

Subscribers want their internet to be two things, fast and worry free. Cable operators deploy services to meet the speed expectations, and trust ARRIS to provide the cable modems that deliver the reliability.

Nothing spells "trust" and "worry free" like a backdoor account, right?! Anyways, the following was observed on an Arris TG862G cable modem running the following firmware version -TS070563_092012_MODEL_862_GW

After successfully providing the correct login and password to the modems administration page, the following cookie is set (client side):

Cookie: credential=eyJ2YWxpZCI6dHJ1ZSwidGVjaG5pY2lhbiI6ZmFsc2UsImNyZWRlbnRpYWwiOiJZV1J0YVc0NmNHRnpjM2R2Y21RPSIsInByaW1hcnlPbmx5IjpmYWxzZSwiYWNjZXNzIjp7IkFMTCI6dHJ1ZX0sIm5hbWUiOiJhZG1pbiJ9

 All requests must have a valid "credential" cookie set (this was not the case in a previous FW release - whoops) if the cookie is not present the modem will reply with "PLEASE LOGIN". The cookie value is just a base64 encoded json object:

{"valid":true,"technician":false,"credential":"YWRtaW46cGFzc3dvcmQ=","primaryOnly":false,"access":{"ALL":true},"name":"admin"}

And after base64 decoding the "credential" value we get:

{"valid":true,"technician":false,"credential":"admin:password","primaryOnly":false,"access":{"ALL":true},"name":"admin"}

Sweet, the device is sending your credentials on every authenticated request (without HTTPS), essentially they have created basic-auth 2.0 - As the kids say "YOLO". The part that stuck out to me is the "technician" value that is set to "false" - swapping it to "true" didn't do anything exciting, but after messing around a bit I found that the following worked wonderfully:

Cookie: credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9

Which decodes to the following:

{"credential":"dGVjaG5pY2lhbjo="}

And finally:

{"credential":"technician:"} 

Awesome, the username is "technician" and the password is empty. Trying to log into the interface using these credentials does not work :(

That is fairly odd. I can't think of a reasonable reason for a hidden account that is unable to log into the UI. So what exactly can you do with this account? Well, the web application is basically a html/js wrapper to some CGI that gets/sets SNMP values on the modem. It is worth noting that on previous FW revisions the CGI calls did NOT require any authentication and could be called without providing a valid "credential" cookie. That bug was killed a few years ago at HOPE 9.

Now we can resurrect the ability to set/get SNMP values by setting our "technician" account:

That's neat, but we would much rather be using the a fancy "web 2.0" UI that a normal user is accustomed to, instead of manually setting SNMP values like some sort of neckbearded unix admin. Taking a look at the password change functionality appeared to be a dead end as it requires the previous password to set a new one:

Surprisingly the application does check the value of the old password too! Back to digging around the following was observed in the "mib.js" file:

SysCfg.AdminPassword= new Scalar("AdminPassword","1.3.6.1.4.1.4115.1.20.1.1.5.1",4);

Appears that the OID "1.3.6.1.4.1.4115.1.20.1.1.5.1" holds the value of the "Admin" password! Using the "technician" account to get/walk this OID comes up with nothing:

HTTP/1.1 200 OK
Date: Tue, 23 Sep 2014 19:58:40 GMT
Server: lighttpd/1.4.26-devel-5842M
Content-Length: 55
{
"1.3.6.1.4.1.4115.1.20.1.1.5.1.0":"",
"1":"Finish"
}

What about setting a new value? Surely that will not work....

That response looks hopeful. We can now log in with the password "krad_password" for the "admin" user:

This functionality can be wrapped up in the following curl command:

curl -isk -X 'GET' -b 'credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9' 'http://192.168.100.1:8080/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.5.1.0=krad_password;4;'

Of course if you change the password you wouldn't be very sneaky, a better approach would be re-configuring the modems DNS settings perhaps? It's also worth noting that the SNMP set/get is CSRF'able if you were to catch a user who had recently logged into their modem.

The real pain here is that Arris keeps their FW locked up tightly and only allows Cable operators to download revisions/fixes/updates, so you are at the mercy of your Cable operator, even if Arris decides that its worth the time and effort to patch this bug backdoor - you as the end user CANNOT update your device because the interface doesn't provide that functionality to you! Next level engineering.

More info

1. Hack Tools For Windows
2. Hacking Apps
3. Nsa Hack Tools Download
4. Wifi Hacker Tools For Windows
5. Hacking Apps
6. Hacking Tools Windows
7. Hacker Tools List
8. Beginner Hacker Tools
9. Hacking Tools Online
10. What Is Hacking Tools
11. Physical Pentest Tools
12. Pentest Tools Website Vulnerability
13. Hack Tools For Mac
14. Install Pentest Tools Ubuntu
15. Pentest Tools List
16. Top Pentest Tools
17. Hacker Tools For Ios
18. How To Hack
19. Hacking Tools 2019
20. Pentest Recon Tools
21. Hacking Tools Download
22. Hacker Security Tools
23. Nsa Hack Tools Download
24. Hack Tools Mac
25. Pentest Tools Find Subdomains
26. Pentest Tools Nmap
27. Hacker Tools Windows
28. Hacker Tools Github
29. Hack Tools Online
30. Hacking Tools For Pc
31. Pentest Tools Framework
32. Tools For Hacker
33. Hacking Tools 2019
34. Tools Used For Hacking
35. What Is Hacking Tools
36. Hack Tools Online
37. Hacking Tools Github
38. Hacking Tools Windows 10
39. Hack Tools
40. Underground Hacker Sites
41. Hacker Tools Free
42. Pentest Tools Tcp Port Scanner
43. New Hack Tools
44. Hacker Tools Software
45. Hacker Techniques Tools And Incident Handling
46. Pentest Tools List
47. Free Pentest Tools For Windows
48. Hack Tools For Windows
49. Hacker Tool Kit
50. Hack Tool Apk
51. Pentest Tools Open Source
52. Hacking Tools Pc
53. Best Hacking Tools 2019
54. Game Hacking
55. Hack Tools
56. Hacker Tools 2019
57. Pentest Reporting Tools
58. Hack Tools Online
59. Hacker Tools List
60. Hack And Tools
61. Hacking Tools For Windows 7
62. Hacking Apps
63. Hack Website Online Tool
64. Pentest Tools For Ubuntu
65. Hacking Tools For Windows
66. Hack And Tools
67. Install Pentest Tools Ubuntu
68. Pentest Tools Download
69. Hacking Tools 2020
70. Hack Tools For Ubuntu
71. Beginner Hacker Tools
72. Pentest Tools For Mac
73. Hacking Tools Pc
74. Usb Pentest Tools
75. Pentest Tools Port Scanner
76. Hack Tools Github
77. Pentest Tools Framework
78. Hacking Tools For Beginners
79. Hacker Tools Free
80. Nsa Hack Tools Download
81. Pentest Tools Kali Linux
82. Pentest Tools Linux
83. Hacking Tools
84. Hacking Tools Hardware
85. Hacking Tools Pc
86. Hack Apps
87. Pentest Tools Linux
88. Hack Tools
89. Hacker
90. Hacker Tools Free Download
91. Hack And Tools
92. Hacking Tools Windows 10
93. What Is Hacking Tools
94. What Are Hacking Tools
95. How To Hack
96. Hacker Tools Mac
97. Best Pentesting Tools 2018