twc routers


Kyle McDonald

Sep 21, 2015, 9:49:16 PM
to art...@googlegroups.com
i was having issues with my home internet connection so i made a passive aggressive complaint on twitter. they contacted me promising they'd look into it, and then 20 minutes later they told me they reconfigured my router a bit and it should be working better.

of course this sets off all kinds of warnings in my head, so i did a little sleuthing and it turns out this model (Arris DG1670A) has a default username and password that i can't change (technician / T!m3W4rn3rC4bl3, very cute twc, u so leet).

then i saw this post, someone trying to disclose a vulnerability in the device:


if i'm reading this correctly, it sounds like the router could be hacked by someone who gets me to click on a link (assuming chrome doesn't save me), but not just by knowing my ip address.

just curious, i want to know to what degree the entire nyc metro area is vulnerable... :)

kyle

Max Henstell

Sep 21, 2015, 11:28:29 PM
to art...@googlegroups.com
I assume you saw the low-level status page: http://192.168.100.1/cgi-bin/status_cgi (or click HSD from 192.168.0.1)

I tried accessing the advanced settings (http://192.168.100.1/cgi-bin/product_cgi) a long time ago but it looked like it has a password that changes with the date - turns out T!m3W4rn3rC4bl3 works fine for that too. Looks like the Config Params page (http://192.168.100.1/cgi-bin/config_params_cgi) has a tftp link, I wonder if someone who knows more about router configuration could spoof their own config this way.

It would be neat if you could access this data through a visitor's browser, collect it, and map out time warner signal integrity or uptime across the city.

--
You received this message because you are subscribed to the Google Groups "artsec" group.
To unsubscribe from this group and stop receiving emails from it, send an email to artsec+un...@googlegroups.com.
To post to this group, send email to art...@googlegroups.com.
Visit this group at http://groups.google.com/group/artsec.
To view this discussion on the web visit https://groups.google.com/d/msgid/artsec/CAO9UE65t6TO4pv5UuABkc-bQ%3DvpTJQCDjxXB2pOYJ2bHYRxh5g%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Ben Turner

Sep 22, 2015, 12:59:43 AM
to artsec
Wow, nice find!

This didn't work on my model (CM820) but I found this password of the day generator which DID work.

Also I like one of the comments on that TWC forum: "I just spoke with Arris, and they do not support this modem. It is supported only by Time Warner Cable."  Yeah I wouldn't want to be on the hook for that either.

Ali Sajjadi

Sep 22, 2015, 8:45:08 AM
to art...@googlegroups.com
Maybe I missed this but how did they link your twitter back to your account?
 
Did you tell them? I don't remember Twitter's API leaking IP information.
 
-Ali

Analog Digital Converter

Sep 22, 2015, 11:53:15 AM
to art...@googlegroups.com
Really interesting discussion here. So many things to rant about.  Anyone know a good secure router to buy btw?

Anyway -- want to take advantage here to dive in on CSRF attacks in case you, artsec reader, have not exploited them before. 

CSRF - CROSS SITE REQUEST FORGERY. 

More or less, the story is that with CSRF you perform actions on behalf of users without their knowledge because the browser automatically sends cookies. Academics call this a confused-deputy attack.
 
The attacker doesn't know the cookie of course, but the browser sends them automatically, and the attacker can forge actions.

Some fun things to keep in mind:
1) It doesn't matter if it's a GET or a POST request
2) User interaction is very passive (just visiting a website is enough, without clicks or mouseovers)

And defense?
The way websites defend against this is with CSRF tokens: these are basically a nonce or other credential embedded in the web page, tied somehow to that user's session or the current page view, and required for actions.

Not sure if that makes sense, maybe that's helpful to some people though.


Kyle McDonald

Sep 22, 2015, 12:58:23 PM
to art...@googlegroups.com
ali, i gave them the full name on the account and that was enough.

ben & max, i stumbled across the password of the day research but when it didn't work on my model i kept searching -- that's what led me to the "T!m3" password. afaict it's been floating around since may 2014 but it's unclear who was the first to leak it and why.

some users on dslreports.com say they've configured their router over telnet with this username/pass, but i only saw DNS and HTTP open internally (and all ports 0-1024 closed externally). so i'm very curious what the vulnerability that "enables SSH/telnet" actually looks like... maybe malformed HTTP request?

Analog Digital Converter

Sep 22, 2015, 2:07:41 PM
to art...@googlegroups.com
do you have a firmware image link? might require some reverse engineering if you don't see telnet/ssh options in the web UI

Samy Kamkar

Sep 22, 2015, 2:35:52 PM
to art...@googlegroups.com
Here's an example CSRF attack capable of changing an alternate router's settings (like DNS!): http://samy.pl/belkin

(Un)fortunately you can't CSRF here on this Arris because the login doesn't drop a cookie but rather is an AJAX request that returns JSON with the token embedded. JS then takes the token and sends it in future requests.

There are a couple other vulns on this router though that can definitely lead to a full compromise...

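The mechanism ADC describes above (the browser attaches the session cookie to any request to the router's origin, whatever page triggered it, GET or POST alike) and the design Samy says defeats it on this Arris (the login returns a token in JSON and the page's JS sends it on later requests) can both be seen in one toy model. This is an added example, not code from any post in this thread and not the Arris firmware; RouterAdmin, Browser, simulate, the X-CSRF-Token header, the admin credentials and the RFC 5737 addresses are all constructed for the demo.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Server-only key used to derive per-session CSRF tokens (constructed for this demo).
SERVER_KEY = secrets.token_bytes(32)

# RFC 5737 documentation addresses, used as placeholders.
LEGIT_DNS = "192.0.2.1"
ROGUE_DNS = "198.51.100.66"


@dataclass
class Request:
    method: str
    path: str
    cookies: dict
    params: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


class RouterAdmin:
    """Toy admin backend for a home router's web UI (hypothetical, not the Arris code)."""

    def __init__(self, require_token: bool):
        self.require_token = require_token
        self.sessions = {}          # session id -> user
        self.dns = "192.0.2.53"     # current upstream DNS (placeholder)

    def login(self, user: str, password: str):
        if (user, password) != ("admin", "correct-horse"):
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return sid

    def csrf_token(self, sid: str) -> str:
        # Token bound to the session: HMAC over the session id under a server-only key.
        # A third-party page can make the browser send requests, but cannot compute this.
        return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()

    def handle(self, req: Request):
        sid = req.cookies.get("session")
        if sid not in self.sessions:
            return 401, "not logged in"
        if self.require_token:
            token = req.headers.get("X-CSRF-Token")
            if token is None or not hmac.compare_digest(token, self.csrf_token(sid)):
                return 403, "missing or invalid CSRF token"
        # The method is deliberately not checked: as the post says, GET vs POST makes
        # no difference to whether a forged request reaches a cookie-authenticated handler.
        if req.path == "/set_dns":
            self.dns = req.params["dns"]
            return 200, "dns updated"
        return 404, "no such page"


class Browser:
    """Cookie-jar model: cookies for the router origin are attached to every request
    to that origin, whether the router's own page or a third-party page triggered it."""

    def __init__(self):
        self.cookies = {}

    def request(self, server, method, path, params=None, headers=None):
        return server.handle(Request(method, path, dict(self.cookies),
                                     params or {}, headers or {}))


def simulate(require_token: bool) -> dict:
    """Run one legitimate and two forged requests; return status codes and final DNS."""
    server = RouterAdmin(require_token)
    browser = Browser()
    sid = server.login("admin", "correct-horse")
    browser.cookies["session"] = sid   # what Set-Cookie does after login

    # Router's own page: its JavaScript holds the token from the login response and
    # sends it in a request header, the pattern Samy describes for the Arris UI.
    legit = browser.request(server, "POST", "/set_dns", {"dns": LEGIT_DNS},
                            {"X-CSRF-Token": server.csrf_token(sid)})

    # Third-party page the user merely visits: an <img> GET or an auto-submitted
    # <form> POST. The cookie rides along, but the page can neither read the token
    # nor attach a custom header to such a request.
    forged_get = browser.request(server, "GET", "/set_dns", {"dns": ROGUE_DNS})
    forged_post = browser.request(server, "POST", "/set_dns", {"dns": ROGUE_DNS})

    return {"legit": legit[0], "forged_get": forged_get[0],
            "forged_post": forged_post[0], "dns": server.dns}


if __name__ == "__main__":
    print("cookie only:     ", simulate(False))
    print("token in header: ", simulate(True))
```

With `require_token=False` both forged requests succeed and the DNS setting ends up pointing at the rogue address; with the session-bound token required in a header they are rejected with 403 while the page's own request still succeeds. Binding the token to the session with an HMAC under a server-only key means there is nothing per-user to store and nothing a cross-site page can derive from the cookie it cannot read anyway.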

Kyle McDonald

Sep 22, 2015, 2:38:52 PM
to art...@googlegroups.com
adc, i don't have a firmware image (updates happen automatically, without any intervention, another red flag...). if i find a way to dump it i'll let you know.

Surya Mattu

Sep 22, 2015, 2:40:44 PM
to art...@googlegroups.com
you could in "theory" use standalone mitmproxy or selenium with a framework such as openWPM <https://github.com/citp/OpenWPM/> to intercept? I have had some luck using openWPM and adding a FourthParty <https://github.com/citp/OpenWPM/wiki/Javascript-Instrumentation-(Experimental)> extension to overload all js objects on a browser page and make calls using the token the server provides.

Can explain more clearly if you think it's helpful

from a phone


Kyle McDonald

Nov 27, 2015, 7:13:36 PM
to art...@googlegroups.com
It's back. Someone did a write up on the hack to enable ssh remotely:


At least 600k of these devices are vulnerable in the wild. If someone hasn't already made a router botnet I would be surprised.

Noah Swartz

Nov 28, 2015, 6:24:24 AM
to art...@googlegroups.com

Wow this is stunning.

Kyle, in your case did they have you click on a link or do you think they have remote (ssh?) access?

Julian Oliver

Nov 28, 2015, 7:13:06 AM
to art...@googlegroups.com
..on Sat, Nov 28, 2015 at 01:13:34AM +0100, Kyle McDonald wrote:
> It's back. Someone did a write up on the hack to enable ssh remotely:
>
> http://w00tsec.blogspot.com/2015/11/arris-cable-modem-has-backdoor-in.html

Completely nuts.

> At least 600k of these devices are vulnerable in the wild. If someone
> hasn't already made a router botnet I would be surprised.

...and if so, let's hope it's put to beautiful use, like the mysterious Internet
Census Project 2012:

http://internetcensus2012.bitbucket.org/paper.html

Julian


--
Julian Oliver
http://julianoliver.com
http://criticalengineering.org
PGP key: https://julianoliver.com/key.asc
Beware the auto-complete life.

Noah Swartz

Nov 30, 2015, 11:06:02 AM
to art...@googlegroups.com
through write-up here: http://w00tsec.blogspot.de/2015/11/arris-cable-modem-has-backdoor-in.html
which implicates models: TG862A, TG862G, & DG860A

john p

Apr 30, 2018, 1:46:27 PM
to artsec
Well this thread is a BIT old but.. I was hoping someone could help. I have a DG1670 Arris modem and was able to get into it before to port forward etc. But now the password and ID do not work anymore. When I called TW they told me that I was never to be able to get in to access the GUI. Seems odd I have for YEARS accessed my GUI and just now I can't? I need to get in there to at the very least get the port forwarding information out of there so I can see what I need to do to set this up some other way. But NO HELP from TW at all.. Well thanks in advance for any help!