We’ve been having a lot of internet issues at the Romhaus, the subject of which will have to be a topic for another post.
While we’ve been trying to get it fixed, one of the things that was recommended to us by Cox was purchasing a new modem to replace our old (but still otherwise functional) Arris Surfboard, as it supported only DOCSIS 3.0 and was a few years old. We decided to replace it with a shiny new Motorola MB8600, which was the only DOCSIS 3.1 modem we could find nearby. (Unsurprisingly, it didn’t help, so that was a cool $160 we spent on not fixing the problem.)
While the old modem had no authentication, it also didn’t pretend to. There also wasn’t anything you could actually do with it — it was strictly a view-only interface, as far as I remember. The Motorola instead requires a username and password to log in. Logging in allows you to reboot the modem, restore it to factory defaults, or change the username and password.
The entire interface is a mess of Javascript in place of meaningful HTML; rather than using normal links, everything is based on onclick events. The layout is built on tables within tables within tables, even in places where it isn’t useful (for example, the header of each table is itself a table, with the green-to-white transition provided by an image). There’s no reason for any of this, and it’s usually a sign of bad design further down.
And of course it is. As part of my network monitoring, I wrote a script that checks the connection status page and extracts the power levels, to help diagnose our ongoing issues. With the old modem, it was just a matter of requesting the status page; with the new one, that’s behind a login page, so I had to figure out how to have the script log itself in.
Beyond the login form being a further mess of needless JavaScript (you don’t need onBlur and onFocus if you just use ::placeholder like normal people), I dug through the login page to figure out how, exactly, it logged you in. And of course. Of course it’s horrible.
function btnApply() // (Called when you hit submit)
{
var loc = '/login_auth.html?';
with ( document.forms[0] ) {
loc += 'loginUsername=' + encodeUrl(loginUsername.value);
loc += '&loginPassword=' + encode(loginPassword.value);
loc += '&';
var code = 'location="' + loc + '"';
eval(code);
}
}
aaagh
What this does, in human terms:
- URL encodes your username.
- base64-encodes your password.
- Glues those together into a URL, “
/login_auth.html?loginUsername=(url-encoded username)&loginPassword=(base64-encoded password)&
“ - Prepends a JavaScript fragment to redirect you to that URL and executes it.
Yeeeep, it sends it over GET, completely in the clear. Making the script log in after finding this out was trivial.
That’s bad enough, but there’s more. Because of course there is.
When I first started developing this, I didn’t need to log in at all. It turns out that — surprise! — logging into the modem authenticates it for everyone. If you log into it on Computer A, and then open the modem page on Computer B, you’ll be presented with the information screen, without needing to log in again. At first I thought it might be a fluke or based on IP addresses, since I had the page open in my browser as well, but after letting the script log in, I opened the modem page on a computer in another room that hadn’t been touched for hours and, well, I didn’t have to log in.
So you don’t even need to sniff the password; you just need someone to log in for you.
I hate computers.
UPDATE!!! As pointed out in the comments, the current usernames and passwords are straight up dumped in plain text in the Security tab. I can’t even make this shit up, oh my god.
dfasgfdvcdfllghkfdsghk