-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

================================================================================
        Title: Arris Touchstone TG1672 Administrative Login Vulnerabilities
        Product: Arris Touchstone TG1672
        Version: TS0901103AS_092216_16XX.GW_SIP (most likely other versions
            affected by unconfirmed)
        Product Page: https://www.arris.com/products/
            touchstone-telephony-gateway-tg1672/
        Published: 2019-04-05
        Found by: Harley A.W. Lorenzo and daffy1234
        GPG Key: 0xF6EF23904645BA53
================================================================================

================================================================================
    Vendor Description
================================================================================
    The Touchstone TG1672 is a DOCSIS 3.0 home telephony gateway supporting
    16 x 4 channel bonding for up to 640Mbps of broadband data.  It combines two
    FXS ports of carrier-grade VoIP, a 4-port gigabit router, MoCA 1.1 over
    coax, and a dual band 802.11n wireless access point with battery back-up
    into a single integrated device.

================================================================================
    Vulnerability Details
================================================================================

    The Touchstone TG1672 telephony gateway contains an HTTP administrative
    login webserver on port 80. There is no HTTPS version of the login
    available. Additionally, there is no encryption of the username and password
    of logins sent to the login form. Logins are passed in base64 encoding in
    the form of [user]:[pass] to the webserver after a short GET webwalk then a
    specific GET request of the server using values gained from the webwalk and
    this encoding.

    This allows anyone with access to the network data sent to the gateway to
    trivially read and acquire the login details. This poses a major security
    threat to networks containing these gateways once a sniffer can be placed
    where login details may be sent.

================================================================================
    Proof of Concept
================================================================================

    1.  Access the login page
    2.  Setup any packet/web sniffer
    3.  Enter in the form "proof" in both user and password
    4.  Skim through the GET webwalks and the last GET request is the login
        request in the form of:
        ===
        http://[URL]/login?arg=cHJvb2Y6cHJvb2Y=&_n=[walker]&_=[time]
        ===
        where arg is the actual login information sent in [user]:[pass]
        note: the walker and time values are not important to this PoC and vary
        with each login attempt
    5.  Decode the base64 "cHJvb2Y6cHJvb2Y=" and see "proof:proof"

================================================================================
    Timeline
================================================================================
    2019-03-28: Flaw Discovered by Harley A.W. Lorenzo and daffy1234
    2019-03-29: Vendor notified
    2019-04-05: Full disclosure after no response from vendor
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEcryW+9CKz6i72NHW9u8jkEZFulMFAlym/aMACgkQ9u8jkEZF
ulMEMxAAnbiRMu8dVxfhr5/BJeJWdankRbphTz1QP66JlQOqchzbNS8Y50khmUGR
NZyGdKHYZUgQ6VfNO1+h24K0HdWxPuwvaFAe7IQhZ4ZIl8YOHbtJN55p6QNEYeUH
6uSzrDaoEMK/P2r3cLspS2ql8Ff0n+QlXJZnRZZKNMJzdm6P5NLUhsyHE2aCkT8J
V661LTT/Vixu9JfQ2nnseJ23gF2dYno4de41VEh6k1/k6ScdjcxFOk9EcJ16qY/i
xe0ulijFdjSyVlQ2R2l0rSNCr2KSjrtL0VQE6w3m44CCn950TjmK+ME831a+lMTL
OgUQu2j4ZsXdmyYTjKlEB5nMa3dXfn+/LsMxklCrTbZXlv0rKYa+TcvxGOmDEtwU
/RRp+Kseji+iY12+w2UbtjOWSvO3WLDQ7xrv03ObHopauySF8pwavyiUNuEwojK+
NpTaRXHHx8BsUuMw7p26zmZ/h1zUKi2PU8oXwZIHCPcZZyiCa8N9+1opx+hu4uHK
sGh0OmzPHsw3t5hp4Pu6keQauGucBT2yH4psNm6uCgKTwHiCMUkVsOlpQ2CaA7Ne
59mZy3uYGh4eK3ScO1fQNQneY+ejrKM5rrBGfYaZybIkQMxjsF+Ddp219ee9mD6X
sN+gxFNnpcad9NUBlrHB0jK2XtGvkvqVmitgmkyYWHfJSe5Rf94=
=jPB7
-----END PGP SIGNATURE-----