
Arris Touchstone TG1672 Credential Disclosure

05 Apr 2019 · Reported by Harley A.W. Lorenzo · Type: packetstorm · Source: packetstormsecurity.com

Arris TG1672 administrative login vulnerabilities: the HTTP login lacks encryption, which allows base64-encoded credentials to be sniffed and poses a threat to networks.

Code
`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
  
================================================================================  
Title: Arris Touchstone TG1672 Administrative Login Vulnerabilities  
Product: Arris Touchstone TG1672  
Version: TS0901103AS_092216_16XX.GW_SIP (most likely other versions  
affected but unconfirmed)  
Product Page: https://www.arris.com/products/touchstone-telephony-gateway-tg1672/  
Published: 2019-04-05  
Found by: Harley A.W. Lorenzo and daffy1234  
GPG Key: 0xF6EF23904645BA53  
================================================================================  
  
================================================================================  
Vendor Description  
================================================================================  
The Touchstone TG1672 is a DOCSIS 3.0 home telephony gateway supporting  
16 x 4 channel bonding for up to 640Mbps of broadband data. It combines two  
FXS ports of carrier-grade VoIP, a 4-port gigabit router, MoCA 1.1 over  
coax, and a dual band 802.11n wireless access point with battery back-up  
into a single integrated device.  
  
================================================================================  
Vulnerability Details  
================================================================================  
  
The Touchstone TG1672 telephony gateway contains an HTTP administrative  
login webserver on port 80. There is no HTTPS version of the login  
available. Additionally, there is no encryption of the username and password  
of logins sent to the login form. Logins are passed to the webserver base64  
encoded in the form of [user]:[pass]: after a short GET webwalk, the client  
sends a specific GET request to the server built from values gained from the  
webwalk and this encoding.  
  
This allows anyone with access to the network data sent to the gateway to  
trivially read and acquire the login details. This poses a major security  
threat to networks containing these gateways once a sniffer can be placed  
where login details may be sent.  
  
================================================================================  
Proof of Concept  
================================================================================  
  
1. Access the login page  
2. Set up any packet/web sniffer  
3. Enter "proof" in both the user and password fields of the form  
4. Skim through the GET webwalks and the last GET request is the login  
request in the form of:  
===  
http://[URL]/login?arg=cHJvb2Y6cHJvb2Y=&_n=[walker]&_=[time]  
===  
where arg is the actual login information sent in [user]:[pass]  
note: the walker and time values are not important to this PoC and vary  
with each login attempt  
5. Decode the base64 "cHJvb2Y6cHJvb2Y=" and see "proof:proof"  
  
================================================================================  
Timeline  
================================================================================  
2019-03-28: Flaw Discovered by Harley A.W. Lorenzo and daffy1234  
2019-03-29: Vendor notified  
2019-04-05: Full disclosure after no response from vendor  
`
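
A defensive check for the request format described in the proof of concept, as an added example that is not part of the original advisory: it scans request URLs (for instance from proxy logs on a network you administer) for cleartext `/login?arg=` requests carrying base64 `[user]:[pass]` and reports them with the password withheld. The sample URLs, the 192.0.2.1 address and the function names are constructed for illustration.

```python
import base64
import binascii
from urllib.parse import urlsplit, parse_qs

# Constructed sample request URLs (not captured traffic); the first reuses the
# "proof:proof" value from the advisory's proof of concept.
SAMPLE_URLS = [
    "http://192.0.2.1/login?arg=cHJvb2Y6cHJvb2Y=&_n=12345&_=1554422400000",
    "http://192.0.2.1/login?arg=not-base64!&_n=12345&_=1554422400001",
    "http://192.0.2.1/status?arg=cHJvb2Y6cHJvb2Y=",
    "https://192.0.2.1/login?arg=cHJvb2Y6cHJvb2Y=&_n=1&_=2",
]


def find_exposed_login(url):
    """Return a finding if url is a cleartext /login?arg=<base64 user:pass>
    request, else None. The password itself is never returned."""
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.path != "/login":
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("arg")
    if not values:
        return None
    # parse_qs turns a literal "+" into a space; undo that before decoding.
    candidate = values[0].replace(" ", "+")
    try:
        decoded = base64.b64decode(candidate, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None  # decodes cleanly but is not in user:pass form
    return {"host": parts.hostname, "user": user, "password_len": len(password)}


def scan(urls):
    """Collect a finding for every URL that exposes credentials in cleartext."""
    return [f for f in map(find_exposed_login, urls) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_URLS):
        print("cleartext credential exposure:", finding)
```
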
