Yo Dawg! 600K Arris Cable Modems Exploitable With 'Backdoor Within A Backdoor'
We've talked lots in the past about vulnerabilities that hit home and enterprise routers, but not quite as much about cable modems, where good security is arguably even more important. The reason is that customers usually have no control over the firmware in such devices: if a vulnerability is found and patched, it's up to the ISP to push the update out automatically. As you might imagine, this can lead to some serious problems if your ISP isn't on top of things.
A great example of this comes from security researcher Bernardo Rodrigues. He found that in a series of Arris cable modems, a backdoor exists within a backdoor, which is a rather interesting discovery, to say the least. That second backdoor is tied to one that has been known about for a while, dubbed "Password Of The Day".
Some Arris cable modems have a backdoor that's protected by a password that changes once per day. Because the password is derived deterministically, anyone who knows how it's generated can always get in on any given day. After accessing a modem this way, Bernardo found a link to a "tech_support_cgi" file that could be reached through a Web browser. This page shows a password prompt along with various switches that can be toggled, including SSH and Telnet. The password for this page is generated in a similar manner to the first, but also involves the last five digits of the device's serial number.
While the details of how this password is derived aren't being revealed, an internal key generator tool has been created that produces the correct password simply by typing in the unit's serial number. If you want to see the attack in action, you can do so in the video below.
It's hugely recommended that you listen to the video with audio, as you'll be treated to some excellent chiptune music. If you ever downloaded a keygen like this in the late 90s or early 00s, you'll probably feel a bit of a nostalgia hit. Regarding this keygen, Bernardo writes: "In order to write a Keygen, we need a leet ascii art and a cool chiptune. The chosen font was ROYAFNT1.TDF, from the legendary artist Roy/SAC and the chiptune is Toilet Story 5, by Ghidorah."
It's great to see that some security researchers have such a good sense of humor, even when it revolves around something that's really not that funny. The article notes that, as of this writing, Arris hasn't commented on the vulnerability, and that there is high confidence that people have been exploiting it in the wild for quite some time.
We'll see if that changes now that the cat is truly out of the bag.