Exploiting a Cable Modem Termination System
During a recent engagement, I gained enable access on an Arris device by dumping the RAM remotely and parsing the dump file for Telnet and enable creds. This was due to two VxWorks vulns present on the device:
- CVE-2010-2965 VxWorks debug service enabled by default
- CVE-2010-2967 VxWorks weak default hashing algorithm
VxWorks is an embedded OS used in many different types of devices. In this case, the device was an Arris Cadant C3 CMTS (cable modem termination system) running VxWorks 5.4.2. The device apparently allows an ISP to bridge cable modems to the Internet.
The CVE-2010-2965 vuln is simply due to a debug service on port 17185/udp that allows read access to the RAM. It apparently allows write access to the RAM as well, though I wasn't successful in figuring out how to do that. Nevertheless, I gained full control over the device by extracting creds from the RAM dump and I'll outline how I did that in a moment. It seems this vuln can be mitigated by closing port 17185/udp. The second vuln, CVE-2010-2967, has to do with a poor home-grown hashing algorithm which is used for the enable password.
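Since the mitigation for CVE-2010-2965 is to filter port 17185/udp, the obvious follow-up for a defender is to check whether anything is actually reaching that port. The script below is an added example, not code from the original post or from the vendor: it parses netfilter-style firewall log lines (the lines and the FW_ACCEPT/FW_DROP log prefixes are constructed for the example) and reports which sources reached the WDB agent port, and separately which reached Telnet, the management path used once creds are recovered.

```python
"""
Defensive triage of firewall logs for VxWorks WDB agent exposure (CVE-2010-2965).

Constructed example, not part of the original post. The log lines below are
made up in a Linux netfilter (iptables LOG target) style; the FW_ACCEPT /
FW_DROP prefixes are assumed to come from --log-prefix on the firewall rules.
"""
import re
from collections import Counter, defaultdict

WDB_PORT = 17185   # VxWorks WDB RPC debug agent, UDP (the port named in the post)
TELNET_PORT = 23   # management path used after the creds were recovered

FIELD_RE = re.compile(r"(\w+)=(\S*)")          # netfilter key=value fields
ACTION_RE = re.compile(r"\b(FW_ACCEPT|FW_DROP):")  # assumed --log-prefix values

# Constructed sample log; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Mar 3 10:01:02 fw kernel: FW_ACCEPT: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=41000 DPT=17185 LEN=60
Mar 3 10:01:05 fw kernel: FW_ACCEPT: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=41001 DPT=17185 LEN=60
Mar 3 10:02:11 fw kernel: FW_ACCEPT: IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=23 LEN=52
Mar 3 10:03:00 fw kernel: FW_DROP: IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=192.0.2.10 PROTO=UDP SPT=41002 DPT=17185 LEN=60
Mar 3 10:04:00 fw kernel: FW_ACCEPT: IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=443 LEN=52
garbage line
""".splitlines()


def parse_line(line):
    """Return a dict of fields (plus ACTION) for one log line, or None if unparseable."""
    fields = dict(FIELD_RE.findall(line))
    if not {"SRC", "DST", "PROTO"} <= fields.keys():
        return None
    m = ACTION_RE.search(line)
    fields["ACTION"] = m.group(1) if m else "UNKNOWN"
    return fields


def classify(fields):
    """Label a parsed record: 'wdb' (UDP/17185), 'telnet' (TCP/23) or None."""
    proto = fields["PROTO"].upper()
    try:
        dpt = int(fields.get("DPT", -1))
    except ValueError:
        return None
    if proto == "UDP" and dpt == WDB_PORT:
        return "wdb"
    if proto == "TCP" and dpt == TELNET_PORT:
        return "telnet"
    return None


def triage(lines, accepted_only=True):
    """
    Summarise hits per source as {label: {src: count}}.
    With accepted_only=True, only FW_ACCEPT records count; dropped probes are
    noise the filter already handled.
    """
    hits = defaultdict(Counter)
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue
        if accepted_only and fields["ACTION"] != "FW_ACCEPT":
            continue
        label = classify(fields)
        if label:
            hits[label][fields["SRC"]] += 1
    return {label: dict(counter) for label, counter in hits.items()}


def wdb_exposed(lines):
    """True if any accepted datagram reached UDP/17185, i.e. the filter is not in place."""
    return "wdb" in triage(lines, accepted_only=True)


if __name__ == "__main__":
    for label, per_src in triage(SAMPLE_LOG).items():
        print(label, per_src)
    print("WDB agent reachable:", wdb_exposed(SAMPLE_LOG))
```

A `wdb` entry in the accepted set means the mitigation the post describes (closing 17185/udp) is not effective for that source; a `telnet` entry from an unexpected source is worth correlating with the device's own login log, since that is the path the recovered creds would be used on.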
Don't judge, but I initially discovered the presence of these vulns using a Nessus scan. (If you'd like to debate the use of vuln scans during pentests, hit me up on twitter. :) ) After this initial discovery however, it wasn't immediately clear how to exploit the device. That's when I found the following post from 11 years ago by security researcher @hdmoore:
https://www.rapid7.com/blog/post/2010/08/02/shiny-old-vxworks-vulnerabilities/
In that post, HD Moore showed just how serious the poor hashing algorithm issue is. He was able to show that the high number of hash collisions results in there being only about 8,000 possible passwords, due to the nature of their home-grown algorithm. He also indicated that he would soon be releasing the full list of potential hashes and their corresponding passwords. I wasn't immediately able to locate that list online, so during the engagement I reached out to HD Moore about this post that he wrote 11 years before and he was kind enough to provide the list to me! More on that later.
So let's get down to the attack. Searching in Metasploit, I was able to find the modules authored by HD Moore. Of most interest were the modules for remote reboot and remote RAM dump. Although it was interesting to note that remote reboot was possible, I didn't want to DoS the device, so I focused on the following RAM dump module:
auxiliary/admin/vxworks/wdbrpc_memory_dump
The tricky part about exploiting the device using this Metasploit module is that the remote RAM dump was extremely slow and would fail constantly. This may have been due to the stability of the device or remote network, but it's hard to say. I finally figured out though that if it failed and I reran it, the module was smart enough to pick up where it left off, which was helpful. So I just babysat it, rerunning it again and again for days, lol. Finally, it finished and I was the proud owner of a VxWorks dump file.
My first objective was to locate the Telnet username. This was done easily enough by using strings and grep.
Command: strings vxworks.dmp | grep -i username
Output: ! Login username = "redactedusername"
Now armed with the username, I began to look for the Telnet password. I didn't know what to expect, as far as whether it would be in cleartext or hashed using the weak algorithm. I started with grepping for the username I had discovered.
Command: strings vxworks.dmp | grep -i redactedusername
Output: redactedusername
This resulted in the discovery of a line within the file which contained only the username. After some trial and error, I was able to discover that the next 2 lines containing strings consisted of the cleartext Telnet password followed by the enable password hash. To display the 2 lines occurring directly after a match, I used the -A command line switch with grep as shown below.
Command: strings vxworks.dmp | grep -A 2 -i redactedusername
Output:
redactedusername
redactedtelnetpassword
redactedenablepasswordhash
I tested the Telnet username/password and immediately gained access. However, I couldn't figure out what to do with the enable password hash. Actually, at first I thought the strange hash was just a plaintext enable password. But it didn't work as a password. Later, I noticed that it looked very much like the home-grown hash examples HD Moore showed in his slides (which are linked to in his post). It was then that I reached out to HD Moore, who was kind enough to provide me with some files he held onto for 11 years! He also gave me permission to post the zip of those files here. The file that really helped me out within that zip was this one (didn't try the others much):
masterpasswords.txt
This file is basically a list of each possible hash and its corresponding password. I then grepped the file for the enable password hash I had previously discovered:
Command: strings masterpasswords.txt | grep redactedenablepasswordhash
Output: linenumber|redactedenablepasswordhash|redactedplaintextenablepassword
In the rightmost column, a very bizarre and unbelievable plaintext password that had repeated special characters was shown. It didn't look promising.
I learned later from HD Moore that the reason the plaintext of these hashes looks so weird has to do with his methodology of generating every possible hash. "{" is one of the highest-possible values in the hash model and the entries in masterpasswords.txt are probably nothing like the original source cleartext that generated the same hash. "{" being the max printable value made it easy to bump the internal counter in big steps and only fiddle with the end to get a workalike colliding value, he indicated. I didn't know this information at the time, so I was skeptical of this weird password. :)
Without much optimism, I Telnetted back into the device and typed 'enable'. When prompted for the enable password, I entered the bizarre password discovered using masterpasswords.txt...and it worked! I leapt to my feet at the sight of that beautiful little pound sign prompt!
Many thanks HD Moore!