Administrative credentials submitted to the Arris Touchstone TG1672 are sent over HTTP base64 encoded in a GET request.
491ff2f2f550a4e5a0c7b0c0e311c064-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
================================================================================
Title: Arris Touchstone TG1672 Administrative Login Vulnerabilities
Product: Arris Touchstone TG1672
Version: TS0901103AS_092216_16XX.GW_SIP (most likely other versions
affected by unconfirmed)
Product Page: https://www.arris.com/products/
touchstone-telephony-gateway-tg1672/
Published: 2019-04-05
Found by: Harley A.W. Lorenzo and daffy1234
GPG Key: 0xF6EF23904645BA53
================================================================================
================================================================================
Vendor Description
================================================================================
The Touchstone TG1672 is a DOCSIS 3.0 home telephony gateway supporting
16 x 4 channel bonding for up to 640Mbps of broadband data. It combines two
FXS ports of carrier-grade VoIP, a 4-port gigabit router, MoCA 1.1 over
coax, and a dual band 802.11n wireless access point with battery back-up
into a single integrated device.
================================================================================
Vulnerability Details
================================================================================
The Touchstone TG1672 telephony gateway contains an HTTP administrative
login webserver on port 80. There is no HTTPS version of the login
available. Additionally, there is no encryption of the username and password
of logins sent to the login form. Logins are passed in base64 encoding in
the form of [user]:[pass] to the webserver after a short GET webwalk then a
specific GET request of the server using values gained from the webwalk and
this encoding.
This allows anyone with access to the network data sent to the gateway to
trivially read and acquire the login details. This poses a major security
threat to networks containing these gateways once a sniffer can be placed
where login details may be sent.
================================================================================
Proof of Concept
================================================================================
1. Access the login page
2. Setup any packet/web sniffer
3. Enter in the form "proof" in both user and password
4. Skim through the GET webwalks and the last GET request is the login
request in the form of:
===
http://[URL]/login?arg=cHJvb2Y6cHJvb2Y=&_n=[walker]&_=[time]
===
where arg is the actual login information sent in [user]:[pass]
note: the walker and time values are not important to this PoC and vary
with each login attempt
5. Decode the base64 "cHJvb2Y6cHJvb2Y=" and see "proof:proof"
================================================================================
Timeline
================================================================================
2019-03-28: Flaw Discovered by Harley A.W. Lorenzo and daffy1234
2019-03-29: Vendor notified
2019-04-05: Full disclosure after no response from vendor
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEcryW+9CKz6i72NHW9u8jkEZFulMFAlym/aMACgkQ9u8jkEZF
ulMEMxAAnbiRMu8dVxfhr5/BJeJWdankRbphTz1QP66JlQOqchzbNS8Y50khmUGR
NZyGdKHYZUgQ6VfNO1+h24K0HdWxPuwvaFAe7IQhZ4ZIl8YOHbtJN55p6QNEYeUH
6uSzrDaoEMK/P2r3cLspS2ql8Ff0n+QlXJZnRZZKNMJzdm6P5NLUhsyHE2aCkT8J
V661LTT/Vixu9JfQ2nnseJ23gF2dYno4de41VEh6k1/k6ScdjcxFOk9EcJ16qY/i
xe0ulijFdjSyVlQ2R2l0rSNCr2KSjrtL0VQE6w3m44CCn950TjmK+ME831a+lMTL
OgUQu2j4ZsXdmyYTjKlEB5nMa3dXfn+/LsMxklCrTbZXlv0rKYa+TcvxGOmDEtwU
/RRp+Kseji+iY12+w2UbtjOWSvO3WLDQ7xrv03ObHopauySF8pwavyiUNuEwojK+
NpTaRXHHx8BsUuMw7p26zmZ/h1zUKi2PU8oXwZIHCPcZZyiCa8N9+1opx+hu4uHK
sGh0OmzPHsw3t5hp4Pu6keQauGucBT2yH4psNm6uCgKTwHiCMUkVsOlpQ2CaA7Ne
59mZy3uYGh4eK3ScO1fQNQneY+ejrKM5rrBGfYaZybIkQMxjsF+Ddp219ee9mD6X
sN+gxFNnpcad9NUBlrHB0jK2XtGvkvqVmitgmkyYWHfJSe5Rf94=
=jPB7
-----END PGP SIGNATURE-----