600,000 cable modems have an easy to pop backdoor in a backdoor

Brazilian whacks Arris for easy-to-guess default password, fix promised fast


Security bod Bernardo Rodrigues has found a backdoor-within-a-backdoor affecting some 600,000 Arris cable modems.

The broadband kit company said, in a statement to El Reg, that it is working "around the clock" to fix the problems.

Rodrigues (@bernardomr), a vulnerability tester with Brazil's Globo television network, reported the undocumented library in three Arris cable modems.

The Shodan exposed-device search engine reveals some 600,000 are affected, he says.

The initial backdoor - an admin password based on a known seed - was disclosed in 2009.

Now Rodrigues has found a backdoor within the hidden administrative shell that can own the cable modems.

"The default password for the SSH user 'root' is 'arris'. When you access the telnet session or authenticate over SSH, the system spawns the 'mini_cli' shell asking for the backdoor password," Rodrigues says.

"When you log in using the password of the day, you are redirected to a restricted technician shell ('/usr/sbin/cli')."

"They put a backdoor in the backdoor [which gives] a full busybox shell when you log on the Telnet/SSH session using these (serial number -based) passwords."

That backdoor backdoor uses a password based on the last five digits from the modem's serial number, Rodrigues says.

Arris dubbed the flaw "low risk" and is unaware of related attacks.

"The risk related to this vulnerability is low, and we are unaware of any exploit related to it," a spokeswoman says.

"However, we take these issues very seriously and review them with the highest priority. Our team has been working around the clock on modem updates that address this reported vulnerability."

Professional box popper Rodrigues also generated an old-school keygen, complete with a chiptune, that can produce passwords for the backdoor backdoor.

"The chosen font was ROYAFNT1.TDF, from the legendary artist Roy/SAC, and the chiptune is Toilet Story 5, by Ghidorah."

He reported the flaws to CERT/CC which is working with the vendor to produce a fix.

The disclosure follows a vulnerability (CVE-2015-0964) revealed in April affecting Arris Surfboard models that could allow web interfaces to be hijacked.

A Metasploit hacking module was produced to exploit that flaw. ®
