-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ================================================================================ Title: Arris Touchstone TG1672 Administrative Login Vulnerabilities Product: Arris Touchstone TG1672 Version: TS0901103AS_092216_16XX.GW_SIP (most likely other versions affected by unconfirmed) Product Page: https://www.arris.com/products/ touchstone-telephony-gateway-tg1672/ Published: 2019-04-05 Found by: Harley A.W. Lorenzo and daffy1234 GPG Key: 0xF6EF23904645BA53 ================================================================================ ================================================================================ Vendor Description ================================================================================ The Touchstone TG1672 is a DOCSIS 3.0 home telephony gateway supporting 16 x 4 channel bonding for up to 640Mbps of broadband data. It combines two FXS ports of carrier-grade VoIP, a 4-port gigabit router, MoCA 1.1 over coax, and a dual band 802.11n wireless access point with battery back-up into a single integrated device. ================================================================================ Vulnerability Details ================================================================================ The Touchstone TG1672 telephony gateway contains an HTTP administrative login webserver on port 80. There is no HTTPS version of the login available. Additionally, there is no encryption of the username and password of logins sent to the login form. Logins are passed in base64 encoding in the form of [user]:[pass] to the webserver after a short GET webwalk then a specific GET request of the server using values gained from the webwalk and this encoding. This allows anyone with access to the network data sent to the gateway to trivially read and acquire the login details. This poses a major security threat to networks containing these gateways once a sniffer can be placed where login details may be sent. ================================================================================ Proof of Concept ================================================================================ 1. Access the login page 2. Setup any packet/web sniffer 3. Enter in the form "proof" in both user and password 4. Skim through the GET webwalks and the last GET request is the login request in the form of: === http://[URL]/login?arg=cHJvb2Y6cHJvb2Y=&_n=[walker]&_=[time] === where arg is the actual login information sent in [user]:[pass] note: the walker and time values are not important to this PoC and vary with each login attempt 5. Decode the base64 "cHJvb2Y6cHJvb2Y=" and see "proof:proof" ================================================================================ Timeline ================================================================================ 2019-03-28: Flaw Discovered by Harley A.W. Lorenzo and daffy1234 2019-03-29: Vendor notified 2019-04-05: Full disclosure after no response from vendor -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEcryW+9CKz6i72NHW9u8jkEZFulMFAlym/aMACgkQ9u8jkEZF ulMEMxAAnbiRMu8dVxfhr5/BJeJWdankRbphTz1QP66JlQOqchzbNS8Y50khmUGR NZyGdKHYZUgQ6VfNO1+h24K0HdWxPuwvaFAe7IQhZ4ZIl8YOHbtJN55p6QNEYeUH 6uSzrDaoEMK/P2r3cLspS2ql8Ff0n+QlXJZnRZZKNMJzdm6P5NLUhsyHE2aCkT8J V661LTT/Vixu9JfQ2nnseJ23gF2dYno4de41VEh6k1/k6ScdjcxFOk9EcJ16qY/i xe0ulijFdjSyVlQ2R2l0rSNCr2KSjrtL0VQE6w3m44CCn950TjmK+ME831a+lMTL OgUQu2j4ZsXdmyYTjKlEB5nMa3dXfn+/LsMxklCrTbZXlv0rKYa+TcvxGOmDEtwU /RRp+Kseji+iY12+w2UbtjOWSvO3WLDQ7xrv03ObHopauySF8pwavyiUNuEwojK+ NpTaRXHHx8BsUuMw7p26zmZ/h1zUKi2PU8oXwZIHCPcZZyiCa8N9+1opx+hu4uHK sGh0OmzPHsw3t5hp4Pu6keQauGucBT2yH4psNm6uCgKTwHiCMUkVsOlpQ2CaA7Ne 59mZy3uYGh4eK3ScO1fQNQneY+ejrKM5rrBGfYaZybIkQMxjsF+Ddp219ee9mD6X sN+gxFNnpcad9NUBlrHB0jK2XtGvkvqVmitgmkyYWHfJSe5Rf94= =jPB7 -----END PGP SIGNATURE-----