CVE-2019-19825 Information
Description
On certain TOTOLINK Realtek SDK based routers, the CAPTCHA text can be retrieved via an \topicurl:\setting/getSanvas\ POST to the boafrm/formLogin URI, leading to a CAPTCHA bypass. (Also, the CAPTCHA text is not needed once the attacker has determined valid credentials. The attacker can perform router actions via HTTP requests with Basic Authentication.) This affects A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, and N100RE through 3.4.0.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Reference
http://packetstormsecurity.com/files/156083/Realtek-SDK-Information-Disclosure-Code-Execution.html
http://seclists.org/fulldisclosure/2020/Jan/36
http://seclists.org/fulldisclosure/2020/Jan/38
https://sploit.tech
CVSS v3.1 Metrics (as encoded in the vector above)
Attack Complexity: LOW
Privileges Required: NONE
User Interaction Required: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Base Score: 9.8
Base Severity: HIGH