
In 600,000 Arris modems, they found a backdoor in a backdoor


According to a security specialist, 600,000 Arris cable modems have an unpleasant surprise in store for their users: a "backdoor in a backdoor".

Bernardo Rodriguez, a software tester at Globo TV, has published a report on hidden libraries found in three Arris cable modems. Using the Shodan search engine, which lets one look up data on devices connected to the Internet, he found that similar defects affect about 600,000 modems.

Analyzing these results, Rodriguez found a backdoor that was not previously known for Arris modems. Continuing the experiment with Shodan, he determined that more than 600,000 externally reachable hosts were exposed to it. The algorithm behind the initial administrator backdoor password has been publicly known since 2009.

The backdoor is hidden in the administrative shell that controls the cable modem's operation. It can be reached remotely via Telnet and SSH, through the hidden HTTP administrative interface, or via standard SNMP MIBs.

Rodriguez explained that the default password for the SSH root user is 'arris'. When a Telnet session is opened, the system starts the 'mini_cli' shell, which asks for the backdoor password. Once the user logs in with the password produced by the password-of-the-day generator utility, he is placed in a restricted shell with a limited set of commands.

While analyzing the backdoor library and the firmware images with the limited command set, Rodriguez discovered that the algorithm contained yet another backdoor. According to the expert, this undocumented backdoor password is derived from the last five digits of the modem's serial number. Logging in to Telnet/SSH with these passwords gives access at the BusyBox level.


Rodriguez concludes that these device defects have "certainly" been exploited for some time. He argues that "to detect similar weaknesses and backdoors, you need to approach the study of firmware more systematically, analyze entire classes of devices and find out what kind of errors relate to certain types of products."


P.S. Today we, like many others, have a "Black Friday" and, accordingly, big discounts on servers.

Source: https://habr.com/ru/post/271825/
