Brazilian whacks Arris for easy-t-o-guess default password, fix promised fast.
Security bod Bernardo Rodrigues has found a backdoor-within-a-backdoor affecting some 600,000 Arris cable modems.
The broadband kit company said, in a statement to El Reg, that it is working “around the clock” to fix the problems.
Rodrigues (@bernardomr), a vulnerability tester with Brazil’s Globo television network, reported the undocumented library in three Arris cable modems.
The Shodan exposed device search engine reveals some 600,000 are affected, he says.
The initial backdoor – an admin password based on a known seed – was disclosed in 2009.
Now Rodrigues has found a backdoor within the hidden administrative shell that can own the cable modems.
“The default password for the SSH user ‘root’ is ‘arris’. When you access the telnet session or authenticate over SSH, the system spawns the ‘mini_cli’ shell asking for the backdoor password,” Rodrigues says.
“When you log using the password of the day, you are redirected to a restricted technician shell (‘/usr/sbin/cli‘)
“They put a backdoor in the backdoor [which gives] a full busybox shell when you log on the Telnet/SSH session using these (serial number -based) passwords.”
That backdoor backdoor uses a password based on the last five digits from the modem’s serial number, Rodrigues says.
Arris dubbed the flaw “low risk” and is unaware of related attacks.
“The risk related to this vulnerability is low, and we are unaware of any exploit related to it,” a spokeswoman says.
“However, we take these issues very seriously and review them with the highest priority. Our team has been working around the clock on modem updates that address this reported vulnerability.”
Professional box popper Rodrigues also generated an old-school keygen, complete with a chiptune, that can produce passwords for the backdoor backdoor.
“The chosen font was ROYAFNT1.TDF, from the legendary artist Roy/SAC, and the chiptune is Toilet Story 5, by Ghidorah.
He reported the flaws to CERT/CC which is working with the vendor to produce a fix.
The disclosure follows a vulnerability (CVE-2015-0964) revealed April affecting Arris Surfboard models that could allow web interfaces to be hijacked.
A Metasploit hacking module was produced to exploit that flaw.