Friday, November 27, 2015

SASL Authentication [BYPASS]

While working on a project i came across an error while trying to join an IRC server who had SASL Authentication with a custom-self-made client.
Note: With the official mIRC client it works just fine.

And here it started...

The mIRC debug:

The client SENDS BEFORE ANYTHING the CAP LS command (In my head the CAP LS command was more like a header where it  was indicatubg the SASL Authentication Request.)

SERVER: Command: CAP *TOKEN* LS :multi-prefix sasl tls
The server assigns to the client a random generated token *which is never used* and awaits for a response

Command:  CAP REQ :multi-prefix
We respond back to the server with the CAP REQ :multi-prefix command

The server send a Private Message and asks for the client version
Command:  NOTICE *SERVER ADDRESS* :VERSION mIRC v7.43                            <--- Here im just using the original mIRC version signature
We respond back to the server via PM using the NOTICE command and giving a fake client version "signature"

SERVER: Command: CAP *NICKNAME* ACK :multi-prefix
Last Authentication step , server asks for the client to confirm the end of auth. by sending the CAP END command.

Command: CAP END
We respond back to the server CAP END to end the authentication session

C# (Command Line Code):
  String token = buf.Split(' ')[2];
if (buf.Split(' ')[1] == "CAP")
                    Console.Write("Token=" + token + "\n");

                    //Stage 1 AUTHENTICATION
                    if (buf.Split(' ')[1] == "CAP" && buf.Split(' ')[2] == token && buf.Split(' ')[3] == "LS")
                        output.Write("CAP REQ :multi-prefix " + "\r\n");
                        Console.Write("Client: CAP REQ :multi-prefix SENT" + "\n");
                    else if (buf.Split(' ')[1] == "CAP" && buf.Split(' ')[2] == nick)
                        output.Write("CAP END " + "\r\n");
                        Console.Write("Client: CAP END SENT" + "\n");

                if (buf.Split(' ')[1] == "PRIVMSG")
                    output.Write("NOTICE : VERSION mIRC v7.43 ");
                    Console.Write("Client: PRIVMSG VERSION SENT" + "\n");



A couple of months ago, some friends invited me to give a talk at NullByte Security Conference. I started to study about some embedded device junk hacking hot topics and decided to talk about cable modem security. Braden Thomas keynoted at Infiltrate 2015 discussing about Practical Attacks on DOCSIS so, yeah, cable modem hacking is still mainstream.

On November 21st I'll be at Salvador speaking on "Hacking cable modems: The Later Years". It's not a talk about theft of service and getting free Internet access. I'll focus on the security of the cable modems, the technology used to manage them, how the data is protected and how the ISPs upgrade the firmwares. Spoiler Alert: everything's really really bad.

Securing cable modems is more difficult than other embedded devices because, on most cases, you can’t choose your own device/firmware and software updates are almost entirely controlled by your ISP.

While researching on the subject, I found a previously undisclosed backdoor on ARRIS cable modems, affecting many of their devices including TG862A, TG862G, DG860A. As of this writing, Shodan searches indicate that the backdoor affects over 600.000 externally accessible hosts and the vendor did not state whether it's going to fix it yet.

ARRIS Backdoors

ARRIS SOHO-grade cable modems contain an undocumented library ( that acts as a backdoor, allowing privileged logins using a custom password.

The following files load the backdoor library on ARRIS TG862A Firmware TS0705125D_031115_MODEL_862_GW (released on 2015):


ARRIS password of the day is a remote backdoor known since 2009. It uses a DES encoded seed (set by the ISP using the arrisCmDoc30AccessClientSeed MIB) to generate a daily backdoor password. The default seed is MPSJKMDHAI and guess what - many ISPs won't bother changing it at all.

The backdoor account can be used to enable Telnet and SSH remotely via the hidden HTTP Administrative interface "" or via custom SNMP MIBs.

The default password for the SSH user 'root' is 'arris'. When you access the telnet session or authenticate over SSH, the system spawns the 'mini_cli' shell asking for the backdoor password.

When you log using the password of the day, you are redirected to a restricted technician shell ('/usr/sbin/cli')

Restricted shells are ;restricted
In order to understand how the backdoor works, I built an Puma5 toolchain (ARMEB) and cross compiled some useful tools like strace, tcpdump and gdbserver. I hosted them on my Github, get them here:

While analyzing the backdoor library and the restricted shells, I found an interesting code on the authentication check:

Yes, they put a backdoor in the backdoor (Joel from Dlink is sure to be envy). The undocumented backdoor password is based on the last five digits from the modem's serial number. You get a full busybox shell when you log on the Telnet/SSH session using these passwords.

The vendor asked not to disclose details about the password generation algorithm. I'm really relieved knowing that those awful guys from Metasploit won't be able to reverse this in a timely manner.

Vulnerability, Disclosure and Marketing

Of course, we need a logo so the media can report about this with fancy graphs as well as vendors could distribute customized t-shits at Blackhat.

What I like most about lcamtuf is how visionary he is. While people were still writing dumb fuzzers, hewrote AFL performed a detailed Technical analysis of Qualys' GHOST. Based on his analysis, I hired a couple of marketing specialists to find out the best way to disclose the ARRIS backdoor.

What do we have here?

- Multiple backdoors allowing full remote access to ARRIS Cable modems
- An access key that is generated based on the Cable modem's serial number

After a thoughtful analysis, the marketing committee advised w00tsec members to write a Keygen. In order to write a Keygen, we need a leet ascii art and a cool chiptune. The chosen font wasROYAFNT1.TDF, from the legendary artist Roy/SAC and the chiptune is Toilet Story 5, by Ghidorah.

Here's the POC (make sure you turn the sound on):


I reported these flaws to CERT/CC on 2015-09-13 but we didn't receive much feedback from the vendor. CERT/CC was very helpful and responsive (10/10 would disclose again!). I was asked not to release the POCs immediately so I'm going to wait for the vendor to "fix" the issue.

CERT/CC set a disclosure policy of 45 days long ago. They waited for more than 65 days for them to "fix" it but ARRIS didn't remove the backdoors in a timely manner. Someone needs to update the Responsible Disclosure RFC and include a note describing that vendors shall lose disclosure points whenever they plant a backdoor on the device (ARRIS modems have a third backdoor too, check theConsoleCowboys Blog).

I'm pretty sure bad guys had been exploiting flaws on these devices for some time (just search forARRIS DNS on Twitter, for example). We need more people bypassing EULAs and reversing end-user software and firmware. If you haven't heard about the Firmware.RE, check them right now. A broader view on firmwares is not only beneficial, but necessary to discover new vulnerabilities and backdoors, correlating different device families and showing how vulnerabilities reappear across different products.



Security in Cyprus is bad. That is not a surprise.
Primetel uses insecure default passwords in their WIFI routers. A WPA password can be cracked in 4-5 seconds with a simple laptop. If you are interested in the details see below.
I used Primetel on the my previous apartment. The password was on the form of 12345678. 8 Digits, all integers. I thought that was strange, the password doesn’t have enough entropy, So I caclulated how must time someone needs to brute force the password.
At a rate of 900/passwords per second (a simple laptop) this can be brute forced in 30 hours. Its not that good but at least its not as bad as the whole Cyta/Thomson thing.
Soon I noticed some passwords containing a letter, like 1234567a 123456f8 sometimes 2. That is somewhat better, or so I thought. Clearly I didn’t have the whole story.
When I moved to another apartment I reconnected with PrimeTel. Then I noticed that the 4 first digits of the password were the same, only the latest 4 digits changed. That made me wonder. The first digits are clearly connected to the client. Are the latest 4 digits based on something else like mac or SSID ? There was a question bugging me, that needed to be answered.
That kids, is the garden variety programmer/hacker OCD. Sometimes useful, most times just annoying :)
Then I make a list of people I know, public places with Primetel routers, and aggregate their passwords, SSID (Wireless network name), bssid (The mac address of the router). All these information (excluding the password) are broadcasted for each router, you can easily see them.
I pushed the data to Dropbox for continue the research when I had time.
Then I forgot about the matter, until I was on an airplane for 2 hours with no internet. I opened my tablet, started reading a book. The of course I was bored from the first 5 minutes.
Then I saw the file in front of me staring at me: primetel.txt. Ok why not, lets take a look. I started looking at the numbers, and some patterns emerged. In all cases digits 3-4 of the password were the same as the password.
Mac: 00:21:96:2b:13:bc
Password     29 79 13 b4
  • If the last 2 digits of the mac address is an odd number then the latest 2 digits had a difference of one. If lets say the last 2 digits of the mac are 11, then the last 2 digits of the password are 10
  • If the last 2 digits of the mac address is an even number, then the latest 2 digits of the password was the latest 2 digits of the mac – 8. If for example 12 will give 04.
  • The last 2 digits of the mac is bc (even number)
  • The latest 2 password digits are bc – 08 = b4
  • The latest 2 digits are 85 (odd number)
  • Latest 2 password numbers are 85 – 1 = 84

Also latest 2 digits had some similarity. After some more intense number watching I noticed the second pattern.
In our example 00:21:96:2b:13:bc:
Another example is: 2c:ab:25:b9:22:85
That drops the entropy a lot. All possible passwords are basically 9000 since the first part is always decimal. That can be cracked in about 10 seconds with a simple laptop.
Not bad at all.
So I introduce my tool: primeTeller. Using the logic described here, generates a wordlist with 9000 passwords, and one of them is the password of your router.
What most people don’t know is that these matters are not just a matter of “someone is using my wifi”. The password is used to encrypt data. If someone has your password, then he is able to monitor your online activities wirelessly, from a great distance.