Bernardo Rodrigues, a vulnerability tester with Brazil’s Globo TV network, said that 600,000 Arris cable modems could be affected by a “backdoor-within-a-backdoor.”
Rodrigues discovered the undocumented library within three Arris cable modems. A search on Shodan, the search engine for internet-connected devices, then showed that in fact around 600,000 modems were affected.
He had previously found an undisclosed backdoor on Arris cable modems. When he extended the search through Shodan, Rodrigues claimed that more than 600,000 externally accessible hosts are affected by it.
The initial backdoor admin password was disclosed as far back as 2009 and is derived from a known seed.
The backdoor was found in the hidden administrative shell that controls the cable modems. The backdoor account can be used to remotely enable Telnet and SSH access, either through the hidden HTTP administrative interface or through custom SNMP MIBs.
Rodrigues said the default password for the SSH user ‘root’ is ‘arris’. When a Telnet session is opened, the system spawns the ‘mini_cli’ shell, which requests the backdoor password. After logging in with the password of the day, the user is dropped into a restricted technician shell.
But on closer inspection of the backdoor library and the restricted shells, Rodrigues found that a second backdoor had been planted inside the first. Rodrigues says that this undocumented backdoor password is derived from the final five digits of the modem’s serial number.
Logging in over Telnet or SSH with these passwords yields a full BusyBox shell.