
Arris Touchstone TG1672 Credential Disclosure

Posted Apr 5, 2019
Authored by Harley A.W. Lorenzo, daffy1234

Administrative credentials submitted to the Arris Touchstone TG1672 are sent over HTTP base64 encoded in a GET request.

tags | exploit, web, info disclosure
SHA-256 | e48c054b3486698da29dbc101e457d21bb8aac0ce639aa8505dade2aa0907a27

================================================================================
Title: Arris Touchstone TG1672 Administrative Login Vulnerabilities
Product: Arris Touchstone TG1672
Version: TS0901103AS_092216_16XX.GW_SIP (other versions most likely
affected but unconfirmed)
Product Page: https://www.arris.com/products/touchstone-telephony-gateway-tg1672/
Published: 2019-04-05
Found by: Harley A.W. Lorenzo and daffy1234
GPG Key: 0xF6EF23904645BA53
================================================================================

================================================================================
Vendor Description
================================================================================
The Touchstone TG1672 is a DOCSIS 3.0 home telephony gateway supporting
16 x 4 channel bonding for up to 640Mbps of broadband data. It combines two
FXS ports of carrier-grade VoIP, a 4-port gigabit router, MoCA 1.1 over
coax, and a dual band 802.11n wireless access point with battery back-up
into a single integrated device.

================================================================================
Vulnerability Details
================================================================================

The Touchstone TG1672 telephony gateway runs an administrative login
webserver over HTTP on port 80. No HTTPS version of the login is available,
and the username and password submitted to the login form are not encrypted.
The login is sent base64-encoded in the form [user]:[pass]: after a short
GET webwalk, the client issues a specific GET request to the server that
carries values gained from the webwalk together with this encoded string.

This allows anyone with access to the network data sent to the gateway to
trivially read and acquire the login details. This poses a major security
threat to networks containing these gateways once a sniffer can be placed
where login details may be sent.

================================================================================
Proof of Concept
================================================================================

1. Access the login page.
2. Set up any packet/web sniffer.
3. Enter "proof" in both the user and password fields of the form.
4. Skim through the GET webwalks; the last GET request is the login
   request, in the form of:
===
http://[URL]/login?arg=cHJvb2Y6cHJvb2Y=&_n=[walker]&_=[time]
===
   where arg is the actual login information sent as [user]:[pass].
   Note: the walker and time values are not important to this PoC and vary
   with each login attempt.
5. Decode the base64 "cHJvb2Y6cHJvb2Y=" and see "proof:proof".
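
Added example (not part of the original advisory): a Python audit helper that
scans captured HTTP request lines for the login request described above and
reports which entries carry a decodable [user]:[pass] value, with the
credential redacted. The request-line input format, the sample _n and _
values and the function names are assumptions made for illustration.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample request lines; the _n and _ values are made up.
SAMPLE_REQUESTS = [
    "GET /login?arg=cHJvb2Y6cHJvb2Y=&_n=12345&_=1554422400000 HTTP/1.1",
    "GET /index.html?_n=12345 HTTP/1.1",
    "GET /login?arg=bm90LWEtY3JlZGVudGlhbA==&_n=1 HTTP/1.1",  # decodes, no colon
    "GET /login?arg=%%%notbase64&_n=1 HTTP/1.1",               # not base64
]

ARG_VALUE = re.compile(r"([?&]arg=)[^&\s]*")


def decode_credential(value):
    """Return (user, password) if value is base64 of 'user:pass', else None."""
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    user, sep, password = text.partition(":")
    return (user, password) if sep and user else None


def find_exposed_logins(request_lines):
    """Flag GET /login requests whose arg parameter decodes to user:pass."""
    findings = []
    for line in request_lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] != "GET":
            continue
        url = urlsplit(parts[1])
        if url.path != "/login":
            continue
        for value in parse_qs(url.query).get("arg", []):
            # parse_qs turns '+' into a space; restore it before decoding.
            cred = decode_credential(value.replace(" ", "+"))
            if cred:
                findings.append({
                    "user": cred[0],
                    "password_length": len(cred[1]),  # never store the password
                    "redacted": ARG_VALUE.sub(r"\1[REDACTED]", line),
                })
    return findings


if __name__ == "__main__":
    for finding in find_exposed_logins(SAMPLE_REQUESTS):
        print(finding)
```

Any account flagged this way should have its password changed, since the
value was readable by anything that saw or logged the request.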

================================================================================
Timeline
================================================================================
2019-03-28: Flaw Discovered by Harley A.W. Lorenzo and daffy1234
2019-03-29: Vendor notified
2019-04-05: Full disclosure after no response from vendor