VARIoT IoT vulnerabilities database

A OS Command Injection vulnerability in the bootstrap stage of Bitdefender BOX 2 allows the manipulation of the `get_image_url()` function in special circumstances to inject a system command. Bitdefender BOX is a smart home security control device from Bitdefender in Romania. The vulnerability stems from the fact that the network system or product did not properly filter the special characters, commands, etc. during the process of constructing the executable command of the operating system by external input data. An attacker could use this vulnerability to execute illegal operating system commands

An Improper Neutralization of Input vulnerability in the description and title parameters of a Device Maintenance Schedule in FortiSIEM version 5.2.5 and below may allow a remote authenticated attacker to perform a Stored Cross Site Scripting attack (XSS) by injecting malicious JavaScript code into the description field of a Device Maintenance schedule. FortiSIEM Contains a cross-site scripting vulnerability.The information may be obtained and the information may be falsified. Fortinet FortiSIEM is a security information and event management system developed by Fortinet Corporation. The system includes features such as asset discovery, workflow automation and unified management. A cross-site scripting vulnerability exists in Fortinet FortiSIEM 5.2.5 and earlier versions. The vulnerability stems from the lack of correct validation of client data in WEB applications. An attacker could exploit this vulnerability to execute client code

A vulnerability in the web-based management interface of Cisco Unity Connection Software could allow an authenticated, remote attacker to perform a stored cross-site scripting (XSS) attack. The vulnerability is due to insufficient input validation by the web-based management interface. An attacker could exploit this vulnerability by providing crafted data to a specific field within the interface. A successful exploit could allow the attacker to store an XSS attack within the interface. This stored XSS attack would then be executed on the system of any user viewing the attacker-supplied data element. Cisco Unity Connection (UC) is a set of voice message platform of Cisco (Cisco). The platform can utilize voice commands to make calls or listen to messages hands-free

A vulnerability in the zip decompression engine of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to improper validation of zip files. An attacker could exploit this vulnerability by sending an email message with a crafted zip-compressed attachment. A successful exploit could trigger a restart of the content-scanning process, causing a temporary DoS condition. This vulnerability affects Cisco AsyncOS Software for Cisco ESA releases earlier than 13.0. AsyncOS Software is a set of operating systems running on it

A vulnerability in the implementation of the Intermediate System–to–Intermediate System (IS–IS) routing protocol functionality in Cisco IOS XR Software could allow an authenticated, remote attacker to cause a denial of service (DoS) condition in the IS–IS process. The vulnerability is due to improper handling of a Simple Network Management Protocol (SNMP) request for specific Object Identifiers (OIDs) by the IS–IS process. An attacker could exploit this vulnerability by sending a crafted SNMP request to the affected device. A successful exploit could allow the attacker to cause a DoS condition in the IS–IS process. Cisco IOS XR is an operating system developed by Cisco for its network equipment. The following products and versions are affected: Cisco IOS XR prior to 6.6.3, prior to 7.0.2, prior to 7.1.1, and prior to 7.2.1

A vulnerability in the out of band (OOB) management interface IP table rule programming for Cisco Application Policy Infrastructure Controller (APIC) could allow an unauthenticated, remote attacker to bypass configured deny entries for specific IP ports. These IP ports would be permitted to the OOB management interface when, in fact, the packets should be dropped. The vulnerability is due to the configuration of specific IP table entries for which there is a programming logic error that results in the IP port being permitted. An attacker could exploit this vulnerability by sending traffic to the OOB management interface on the targeted device. A successful exploit could allow the attacker to bypass configured IP table rules to drop specific IP port traffic. The attacker has no control over the configuration of the device itself. This vulnerability affects Cisco APIC releases prior to the first fixed software Release 4.2(3j). Cisco Application Policy Infrastructure Controller (APIC) Contains an input validation vulnerability.Information may be altered

A vulnerability in the web-based management interface of Cisco Jabber Guest could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability exists because the web-based management interface of the affected device does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or to access sensitive, browser-based information. This vulnerability affects Cisco Jabber Guest releases 11.1(2) and earlier. Cisco Jabber Guest Contains a cross-site scripting vulnerability.The information may be obtained and the information may be falsified

A vulnerability in Cisco Webex Meetings Suite sites and Cisco Webex Meetings Online sites could allow an unauthenticated, remote attendee to join a password-protected meeting without providing the meeting password. The connection attempt must initiate from a Webex mobile application for either iOS or Android. The vulnerability is due to unintended meeting information exposure in a specific meeting join flow for mobile applications. An unauthorized attendee could exploit this vulnerability by accessing a known meeting ID or meeting URL from the mobile device’s web browser. The browser will then request to launch the device’s Webex mobile application. A successful exploit could allow the unauthorized attendee to join the password-protected meeting. The unauthorized attendee will be visible in the attendee list of the meeting as a mobile attendee. Cisco has applied updates that address this vulnerability and no user action is required. This vulnerability affects Cisco Webex Meetings Suite sites and Cisco Webex Meetings Online sites releases earlier than 39.11.5 and 40.1.3

A vulnerability in the application programming interface (API) of Cisco Smart Software Manager On-Prem could allow an unauthenticated, remote attacker to change user account information which can prevent users from logging in, resulting in a denial of service (DoS) condition of the web interface. The vulnerability is due to the lack of input validation in the API. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. An exploit could allow the attacker to change or corrupt user account information which could grant the attacker administrator access or prevent legitimate user access to the web interface, resulting in a denial of service (DoS) condition. Cisco Smart Software Manager On-Prem Contains an input validation vulnerability.Information is falsified and denial of service (DoS) May be in a state

With the Internet of Things communication technology as the core, Some People Network has launched a variety of networked communications equipment such as industrial communications, LPWAN and gateways, IoT modules, industrial computers, network IO controllers, etc., of which USR-TCP232-410s is an industrial-grade dual serial Server, realize the function of RS232 + 485 to Ethernet two-way transparent transmission. USR-TCP232-410S has a denial of service vulnerability. An attacker can use this vulnerability to implement a denial of service attack.

A certain router administration interface (that includes Realtek APMIB 0.11f for Boa 0.94.14rc21) allows remote attackers to retrieve the configuration, including sensitive data (usernames and passwords). This affects TOTOLINK A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, and N100RE through 3.4.0; Rutek RTK 11N AP through 2019-12-12; Sapido GR297n through 2019-12-12; CIK TELECOM MESH ROUTER through 2019-12-12; KCTVJEJU Wireless AP through 2019-12-12; Fibergate FGN-R2 through 2019-12-12; Hi-Wifi MAX-C300N through 2019-12-12; HCN MAX-C300N through 2019-12-12; T-broad GN-866ac through 2019-12-12; Coship EMTA AP through 2019-12-12; and IO-Data WN-AC1167R through 2019-12-12. Multiple products contain vulnerabilities in insufficient protection of credentials.Information may be obtained. ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ MULTIPLE VULNERABILITIES IN SEVERAL SERIES OF REALTEK SDK BASED ROUTERS (TOTOLINK AND MANY OTHER) Blazej Adamczyk (br0x) blazej.adamczyk@gmail.com https://sploit.tech/ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 11.12.2019 1 Sensitive data disclosure and incorrect access control in several series of Realtek SDK based routers ══════════════════════════════════════════════════════════════════════════ CVE: CVE-2019-19822 SDK vendor: Realtek Device vendor: TOTOLINK, Sapido, CIK Telecom, Fibergate Inc., MAX-C300N, T-BROAD and possibly others.. Product: Realtek SDK based routers backed by Boa HTTP server (and possibly others) and using apmib library for memory management. This affects: • TOTOLINK A3002RU through 2.0.0, • TOTOLINK 702R through 2.1.3, • TOTOLINK N301RT through 2.1.6, • TOTOLINK N302R through 3.4.0, • TOTOLINK N300RT through 3.4.0, • TOTOLINK N200RE through 4.0.0, • TOTOLINK N150RT through 3.4.0, and • TOTOLINK N100RE through 3.4.0; • Rutek RTK 11N AP through 2019-12-12; • Sapido GR297n through 2019-12-12; • CIK TELECOM MESH ROUTER through 2019-12-12; • KCTVJEJU Wireless AP through 2019-12-12; • Fibergate FGN-R2 through 2019-12-12; • Hi-Wifi MAX-C300N through 2019-12-12; • HCN MAX-C300N through 2019-12-12; • T-broad GN-866ac through 2019-12-12; • Coship EMTA AP through 2019-12-12; and • IO-Data WN-AC1167R through 2019-12-12; and • possibly others. Technical details: The apmib library at some point of initialization dumps the whole memory contents the file /web/config.dat. This folder is actually used by the boa http server as index directory. Additionally if the router is configured for form-based authentication the access control verifies credentials only for some URLs but ".dat" files are not restricted. This issue does not affect routers which use HTTP Basic authentication to secure all URLs. PoC: ┌──── │ $ curl http://routerip/config.dat └──── 2 Password stored in plaintext in Realtek SDK based routers ═══════════════════════════════════════════════════════════ CVE: CVE-2019-19823 SDK vendor: Realtek Device vendor: TOTOLINK, Sapido, CIK Telecom, Fibergate Inc., MAX-C300N, T-BROAD and possibly others.. Product: Realtek SDK based routers backed by Boa HTTP server (and possibly others) and using apmib library for memory management. Boa Version: <= Boa/0.94.14rc21 SDK Version: < 2020/02/15 Description: Realtek SDK based routers (that includes Realtek APMIB 0.11f and Boa HTTP server 0.94.14rc21) store passwords in plaintext. This affects: • TOTOLINK A3002RU through 2.0.0, • TOTOLINK 702R through 2.1.3, • TOTOLINK N301RT through 2.1.6, • TOTOLINK N302R through 3.4.0, • TOTOLINK N300RT through 3.4.0, • TOTOLINK N200RE through 4.0.0, • TOTOLINK N150RT through 3.4.0, and • TOTOLINK N100RE through 3.4.0; • Rutek RTK 11N AP through 2019-12-12; • Sapido GR297n through 2019-12-12; • CIK TELECOM MESH ROUTER through 2019-12-12; • KCTVJEJU Wireless AP through 2019-12-12; • Fibergate FGN-R2 through 2019-12-12; • Hi-Wifi MAX-C300N through 2019-12-12; • HCN MAX-C300N through 2019-12-12; • T-broad GN-866ac through 2019-12-12; • Coship EMTA AP through 2019-12-12; and • IO-Data WN-AC1167R through 2019-12-12; and • possibly others. Technical details: Data stored in memory in COMPCS (apmib library) format contains device administration and other passwords in plaintext. The apmib library additionally at some point of initialization dumps the whole memory contents the file /web/config.dat which might be used to easily retrieve user passwords. 3 Code execution in several TOTOLINK routers ════════════════════════════════════════════ CVE: CVE-2019-19824 Vendor: TOTOLINK Product: TOTOLINK Realtek SDK based routers Boa Version: <= Boa/0.94.14rc21 Description: On several Realted SDK based TOTOLINK routers, an authenticated attacker may execute arbitrary OS commands via the sysCmd parameter to the boafrm/formSysCmd URI, even if the GUI (syscmd.htm) is not available. This allows for full control over the device's internals. This affects: • A3002RU through 2.0.0, • A702R through 2.1.3, • N301RT through 2.1.6, • N302R through 3.4.0, • N300RT through 3.4.0, • N200RE through 4.0.0, • N150RT through 3.4.0, • N100RE through 3.4.0, and • possibly others. PoC: ┌──── │ $ curl 'http://routerip/boafrm/formSysCmd' --user "admin:password" │ --data 'submit-url=%2Fsyscmd.htm&sysCmdselect=5&sysCmdselects=0& │ save_apply=Run+Command&sysCmd=cp%20%2Fetc%2Fpasswd%20%2Fweb%2Fxxxx.dat' └──── 4 Incorrectly implemented captcha protection in TOTOLINK routers ════════════════════════════════════════════════════════════════ CVE: CVE-2019-19825 Vendor: TOTOLINK Product: TOTOLINK Realtek SDK based routers Boa Version: <= Boa/0.94.14rc21 Description: Guessable captcha vulnerability (CWE-804) in several series of TOTOLINK routers allows a remote attacker to automatically login to the router without reading and providing real captcha. The following command returns captcha in plain text: ┌──── │ $ curl 'http://routerip/boafrm/formLogin' --data '{"topicurl":"setting/getSanvas"}' └──── Additionally by using the HTTP Basic in a HEADER the attacker can execute router actions without providing captcha at all. This affects: • A3002RU through 2.0.0, • A702R through 2.1.3, • N301RT through 2.1.6, • N302R through 3.4.0, • N300RT through 3.4.0, • N200RE through 4.0.0, • N150RT through 3.4.0, • N100RE through 3.4.0, and • possibly others. 5 Exploiting all together on TOTOLINK routers ═════════════════════════════════════════════ CVSS v3 socre: 9.6 AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (assuming Administrative Access on WAN is enabled the score is 10.0) Exploiting all the vulnerabilities together allows a remote unauthenticated attacker to execute any code with root permissions and reveal administration password. The only thing that is needed is the access to router administration interface (either access to local network or Administrative Access on WAN enabled) Description, video and possibly an exploit: https://sploit.tech/2019/12/16/Realtek-TOTOLINK.html Timeline: • 17.12.2019 - Contacted all identified vendors, i.e. TOTOLINK, CIK Telecom, Sapido, Fibergate and Coship. • 18.12.2019 - received TOTOLINK first line support response totally not related to my message and showing me how to log into my router. I responded right away and asked to forward the message to technical/security team. • 19.12.2019 - received response from CIK Telecom stating that the routers support encryption (SIC!). I replied asking to forward the message to technical/security team. • 19.12.20219 - CIK Telecom responded that for further assistance I should contact them over the phone. I replied that I need to explain the details as a written message as this is technical. • 27.12.2019, 06.01.2020 - I resent the messages to TOTOLINK and CIK Telecom but none have replied till the date of disclosure. • 06.01.2020 - I finally contacted Realtek as the Supplier of the SDK. • 10.01.2020 - I got a response and I replied with encrypted details on the bugs. • 14-15.01.2020 - Realtek replied that the issue with dumping configuration by apmib exists but it is not directly exploitable in the defualt SDK configuration becuase it uses HTTP Basic authentication which protects all URLs. They agreed however that most of the Vendors modify the software including authentication mechanism thus making it vulnerable. • 23.01.2020 - Realtek responded that they are goining to fix the issue with dumping configuration to the config.dat file in version released on 15.02.2020. They also said that after fixing the issue the impact of storing password in plaintext is less significant thus they will not fix the CVE-2019-19823 yet but will try to fix it in the future. Temporary workaround: Unfortunately I did not get any good information from real vendors like TOTOLINK and for now I would suggest to disable administration interface from WAN and restricting LAN router administration interface access using some kind of firewall if possible. Credit: Blazej Adamczyk | blazej.adamczyk@gmail.com | http://sploit.tech/

A certain router administration interface (that includes Realtek APMIB 0.11f for Boa 0.94.14rc21) stores cleartext administrative passwords in flash memory and in a file. This affects TOTOLINK A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, and N100RE through 3.4.0; Rutek RTK 11N AP through 2019-12-12; Sapido GR297n through 2019-12-12; CIK TELECOM MESH ROUTER through 2019-12-12; KCTVJEJU Wireless AP through 2019-12-12; Fibergate FGN-R2 through 2019-12-12; Hi-Wifi MAX-C300N through 2019-12-12; HCN MAX-C300N through 2019-12-12; T-broad GN-866ac through 2019-12-12; Coship EMTA AP through 2019-12-12; and IO-Data WN-AC1167R through 2019-12-12. Multiple products contain vulnerabilities in insufficient protection of credentials.Information may be obtained. ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ MULTIPLE VULNERABILITIES IN SEVERAL SERIES OF REALTEK SDK BASED ROUTERS (TOTOLINK AND MANY OTHER) Blazej Adamczyk (br0x) blazej.adamczyk@gmail.com https://sploit.tech/ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 11.12.2019 1 Sensitive data disclosure and incorrect access control in several series of Realtek SDK based routers ══════════════════════════════════════════════════════════════════════════ CVE: CVE-2019-19822 SDK vendor: Realtek Device vendor: TOTOLINK, Sapido, CIK Telecom, Fibergate Inc., MAX-C300N, T-BROAD and possibly others.. Product: Realtek SDK based routers backed by Boa HTTP server (and possibly others) and using apmib library for memory management. Boa Version: <= Boa/0.94.14rc21 SDK Version: < 2020/02/15 Description: Realtek SDK based routers which use form based instead HTTP Basic authentication (that includes Realtek APMIB 0.11f and Boa HTTP server 0.94.14rc21) allows remote attackers to retrieve the configuration, including sensitive data (usernames and passwords). This affects: • TOTOLINK A3002RU through 2.0.0, • TOTOLINK 702R through 2.1.3, • TOTOLINK N301RT through 2.1.6, • TOTOLINK N302R through 3.4.0, • TOTOLINK N300RT through 3.4.0, • TOTOLINK N200RE through 4.0.0, • TOTOLINK N150RT through 3.4.0, and • TOTOLINK N100RE through 3.4.0; • Rutek RTK 11N AP through 2019-12-12; • Sapido GR297n through 2019-12-12; • CIK TELECOM MESH ROUTER through 2019-12-12; • KCTVJEJU Wireless AP through 2019-12-12; • Fibergate FGN-R2 through 2019-12-12; • Hi-Wifi MAX-C300N through 2019-12-12; • HCN MAX-C300N through 2019-12-12; • T-broad GN-866ac through 2019-12-12; • Coship EMTA AP through 2019-12-12; and • IO-Data WN-AC1167R through 2019-12-12; and • possibly others. Technical details: The apmib library at some point of initialization dumps the whole memory contents the file /web/config.dat. This folder is actually used by the boa http server as index directory. Additionally if the router is configured for form-based authentication the access control verifies credentials only for some URLs but ".dat" files are not restricted. This issue does not affect routers which use HTTP Basic authentication to secure all URLs. PoC: ┌──── │ $ curl http://routerip/config.dat └──── 2 Password stored in plaintext in Realtek SDK based routers ═══════════════════════════════════════════════════════════ CVE: CVE-2019-19823 SDK vendor: Realtek Device vendor: TOTOLINK, Sapido, CIK Telecom, Fibergate Inc., MAX-C300N, T-BROAD and possibly others.. Product: Realtek SDK based routers backed by Boa HTTP server (and possibly others) and using apmib library for memory management. Boa Version: <= Boa/0.94.14rc21 SDK Version: < 2020/02/15 Description: Realtek SDK based routers (that includes Realtek APMIB 0.11f and Boa HTTP server 0.94.14rc21) store passwords in plaintext. This affects: • TOTOLINK A3002RU through 2.0.0, • TOTOLINK 702R through 2.1.3, • TOTOLINK N301RT through 2.1.6, • TOTOLINK N302R through 3.4.0, • TOTOLINK N300RT through 3.4.0, • TOTOLINK N200RE through 4.0.0, • TOTOLINK N150RT through 3.4.0, and • TOTOLINK N100RE through 3.4.0; • Rutek RTK 11N AP through 2019-12-12; • Sapido GR297n through 2019-12-12; • CIK TELECOM MESH ROUTER through 2019-12-12; • KCTVJEJU Wireless AP through 2019-12-12; • Fibergate FGN-R2 through 2019-12-12; • Hi-Wifi MAX-C300N through 2019-12-12; • HCN MAX-C300N through 2019-12-12; • T-broad GN-866ac through 2019-12-12; • Coship EMTA AP through 2019-12-12; and • IO-Data WN-AC1167R through 2019-12-12; and • possibly others. Technical details: Data stored in memory in COMPCS (apmib library) format contains device administration and other passwords in plaintext. The apmib library additionally at some point of initialization dumps the whole memory contents the file /web/config.dat which might be used to easily retrieve user passwords. 3 Code execution in several TOTOLINK routers ════════════════════════════════════════════ CVE: CVE-2019-19824 Vendor: TOTOLINK Product: TOTOLINK Realtek SDK based routers Boa Version: <= Boa/0.94.14rc21 Description: On several Realted SDK based TOTOLINK routers, an authenticated attacker may execute arbitrary OS commands via the sysCmd parameter to the boafrm/formSysCmd URI, even if the GUI (syscmd.htm) is not available. This allows for full control over the device's internals. This affects: • A3002RU through 2.0.0, • A702R through 2.1.3, • N301RT through 2.1.6, • N302R through 3.4.0, • N300RT through 3.4.0, • N200RE through 4.0.0, • N150RT through 3.4.0, • N100RE through 3.4.0, and • possibly others. PoC: ┌──── │ $ curl 'http://routerip/boafrm/formSysCmd' --user "admin:password" │ --data 'submit-url=%2Fsyscmd.htm&sysCmdselect=5&sysCmdselects=0& │ save_apply=Run+Command&sysCmd=cp%20%2Fetc%2Fpasswd%20%2Fweb%2Fxxxx.dat' └──── 4 Incorrectly implemented captcha protection in TOTOLINK routers ════════════════════════════════════════════════════════════════ CVE: CVE-2019-19825 Vendor: TOTOLINK Product: TOTOLINK Realtek SDK based routers Boa Version: <= Boa/0.94.14rc21 Description: Guessable captcha vulnerability (CWE-804) in several series of TOTOLINK routers allows a remote attacker to automatically login to the router without reading and providing real captcha. The following command returns captcha in plain text: ┌──── │ $ curl 'http://routerip/boafrm/formLogin' --data '{"topicurl":"setting/getSanvas"}' └──── Additionally by using the HTTP Basic in a HEADER the attacker can execute router actions without providing captcha at all. This affects: • A3002RU through 2.0.0, • A702R through 2.1.3, • N301RT through 2.1.6, • N302R through 3.4.0, • N300RT through 3.4.0, • N200RE through 4.0.0, • N150RT through 3.4.0, • N100RE through 3.4.0, and • possibly others. 5 Exploiting all together on TOTOLINK routers ═════════════════════════════════════════════ CVSS v3 socre: 9.6 AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (assuming Administrative Access on WAN is enabled the score is 10.0) Exploiting all the vulnerabilities together allows a remote unauthenticated attacker to execute any code with root permissions and reveal administration password. The only thing that is needed is the access to router administration interface (either access to local network or Administrative Access on WAN enabled) Description, video and possibly an exploit: https://sploit.tech/2019/12/16/Realtek-TOTOLINK.html Timeline: • 17.12.2019 - Contacted all identified vendors, i.e. TOTOLINK, CIK Telecom, Sapido, Fibergate and Coship. • 18.12.2019 - received TOTOLINK first line support response totally not related to my message and showing me how to log into my router. I responded right away and asked to forward the message to technical/security team. • 19.12.2019 - received response from CIK Telecom stating that the routers support encryption (SIC!). I replied asking to forward the message to technical/security team. • 19.12.20219 - CIK Telecom responded that for further assistance I should contact them over the phone. I replied that I need to explain the details as a written message as this is technical. • 27.12.2019, 06.01.2020 - I resent the messages to TOTOLINK and CIK Telecom but none have replied till the date of disclosure. • 06.01.2020 - I finally contacted Realtek as the Supplier of the SDK. • 10.01.2020 - I got a response and I replied with encrypted details on the bugs. • 14-15.01.2020 - Realtek replied that the issue with dumping configuration by apmib exists but it is not directly exploitable in the defualt SDK configuration becuase it uses HTTP Basic authentication which protects all URLs. They agreed however that most of the Vendors modify the software including authentication mechanism thus making it vulnerable. • 23.01.2020 - Realtek responded that they are goining to fix the issue with dumping configuration to the config.dat file in version released on 15.02.2020. They also said that after fixing the issue the impact of storing password in plaintext is less significant thus they will not fix the CVE-2019-19823 yet but will try to fix it in the future. Temporary workaround: Unfortunately I did not get any good information from real vendors like TOTOLINK and for now I would suggest to disable administration interface from WAN and restricting LAN router administration interface access using some kind of firewall if possible. Credit: Blazej Adamczyk | blazej.adamczyk@gmail.com | http://sploit.tech/

On certain TOTOLINK Realtek SDK based routers, an authenticated attacker may execute arbitrary OS commands via the sysCmd parameter to the boafrm/formSysCmd URI, even if the GUI (syscmd.htm) is not available. This allows for full control over the device's internals. This affects A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, N100RE through 3.4.0, and N302RE 2.0.2. plural TOTOLINK The product has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. This affects A3002RU up to and including 2.0.0, A702R up to and including 2.1.3, N301RT up to and including 2.1.6, N302R up to and including 3.4.0, N300RT up to and including 3.4.0, N200RE up to and including 4.0.0, N150RT up to and including 3.4.0, and N100RE up to and including 3.4.0. ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ MULTIPLE VULNERABILITIES IN SEVERAL SERIES OF REALTEK SDK BASED ROUTERS (TOTOLINK AND MANY OTHER) Blazej Adamczyk (br0x) blazej.adamczyk@gmail.com https://sploit.tech/ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 11.12.2019 1 Sensitive data disclosure and incorrect access control in several series of Realtek SDK based routers ══════════════════════════════════════════════════════════════════════════ CVE: CVE-2019-19822 SDK vendor: Realtek Device vendor: TOTOLINK, Sapido, CIK Telecom, Fibergate Inc., MAX-C300N, T-BROAD and possibly others.. Product: Realtek SDK based routers backed by Boa HTTP server (and possibly others) and using apmib library for memory management. Boa Version: <= Boa/0.94.14rc21 SDK Version: < 2020/02/15 Description: Realtek SDK based routers which use form based instead HTTP Basic authentication (that includes Realtek APMIB 0.11f and Boa HTTP server 0.94.14rc21) allows remote attackers to retrieve the configuration, including sensitive data (usernames and passwords). This affects: • TOTOLINK A3002RU through 2.0.0, • TOTOLINK 702R through 2.1.3, • TOTOLINK N301RT through 2.1.6, • TOTOLINK N302R through 3.4.0, • TOTOLINK N300RT through 3.4.0, • TOTOLINK N200RE through 4.0.0, • TOTOLINK N150RT through 3.4.0, and • TOTOLINK N100RE through 3.4.0; • Rutek RTK 11N AP through 2019-12-12; • Sapido GR297n through 2019-12-12; • CIK TELECOM MESH ROUTER through 2019-12-12; • KCTVJEJU Wireless AP through 2019-12-12; • Fibergate FGN-R2 through 2019-12-12; • Hi-Wifi MAX-C300N through 2019-12-12; • HCN MAX-C300N through 2019-12-12; • T-broad GN-866ac through 2019-12-12; • Coship EMTA AP through 2019-12-12; and • IO-Data WN-AC1167R through 2019-12-12; and • possibly others. Technical details: The apmib library at some point of initialization dumps the whole memory contents the file /web/config.dat. This folder is actually used by the boa http server as index directory. Additionally if the router is configured for form-based authentication the access control verifies credentials only for some URLs but ".dat" files are not restricted. This issue does not affect routers which use HTTP Basic authentication to secure all URLs. PoC: ┌──── │ $ curl http://routerip/config.dat └──── 2 Password stored in plaintext in Realtek SDK based routers ═══════════════════════════════════════════════════════════ CVE: CVE-2019-19823 SDK vendor: Realtek Device vendor: TOTOLINK, Sapido, CIK Telecom, Fibergate Inc., MAX-C300N, T-BROAD and possibly others.. Product: Realtek SDK based routers backed by Boa HTTP server (and possibly others) and using apmib library for memory management. Boa Version: <= Boa/0.94.14rc21 SDK Version: < 2020/02/15 Description: Realtek SDK based routers (that includes Realtek APMIB 0.11f and Boa HTTP server 0.94.14rc21) store passwords in plaintext. This affects: • TOTOLINK A3002RU through 2.0.0, • TOTOLINK 702R through 2.1.3, • TOTOLINK N301RT through 2.1.6, • TOTOLINK N302R through 3.4.0, • TOTOLINK N300RT through 3.4.0, • TOTOLINK N200RE through 4.0.0, • TOTOLINK N150RT through 3.4.0, and • TOTOLINK N100RE through 3.4.0; • Rutek RTK 11N AP through 2019-12-12; • Sapido GR297n through 2019-12-12; • CIK TELECOM MESH ROUTER through 2019-12-12; • KCTVJEJU Wireless AP through 2019-12-12; • Fibergate FGN-R2 through 2019-12-12; • Hi-Wifi MAX-C300N through 2019-12-12; • HCN MAX-C300N through 2019-12-12; • T-broad GN-866ac through 2019-12-12; • Coship EMTA AP through 2019-12-12; and • IO-Data WN-AC1167R through 2019-12-12; and • possibly others. Technical details: Data stored in memory in COMPCS (apmib library) format contains device administration and other passwords in plaintext. The apmib library additionally at some point of initialization dumps the whole memory contents the file /web/config.dat which might be used to easily retrieve user passwords. This affects: • A3002RU through 2.0.0, • A702R through 2.1.3, • N301RT through 2.1.6, • N302R through 3.4.0, • N300RT through 3.4.0, • N200RE through 4.0.0, • N150RT through 3.4.0, • N100RE through 3.4.0, and • possibly others. PoC: ┌──── │ $ curl 'http://routerip/boafrm/formSysCmd' --user "admin:password" │ --data 'submit-url=%2Fsyscmd.htm&sysCmdselect=5&sysCmdselects=0& │ save_apply=Run+Command&sysCmd=cp%20%2Fetc%2Fpasswd%20%2Fweb%2Fxxxx.dat' └──── 4 Incorrectly implemented captcha protection in TOTOLINK routers ════════════════════════════════════════════════════════════════ CVE: CVE-2019-19825 Vendor: TOTOLINK Product: TOTOLINK Realtek SDK based routers Boa Version: <= Boa/0.94.14rc21 Description: Guessable captcha vulnerability (CWE-804) in several series of TOTOLINK routers allows a remote attacker to automatically login to the router without reading and providing real captcha. The following command returns captcha in plain text: ┌──── │ $ curl 'http://routerip/boafrm/formLogin' --data '{"topicurl":"setting/getSanvas"}' └──── Additionally by using the HTTP Basic in a HEADER the attacker can execute router actions without providing captcha at all. This affects: • A3002RU through 2.0.0, • A702R through 2.1.3, • N301RT through 2.1.6, • N302R through 3.4.0, • N300RT through 3.4.0, • N200RE through 4.0.0, • N150RT through 3.4.0, • N100RE through 3.4.0, and • possibly others. 5 Exploiting all together on TOTOLINK routers ═════════════════════════════════════════════ CVSS v3 socre: 9.6 AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (assuming Administrative Access on WAN is enabled the score is 10.0) Exploiting all the vulnerabilities together allows a remote unauthenticated attacker to execute any code with root permissions and reveal administration password. The only thing that is needed is the access to router administration interface (either access to local network or Administrative Access on WAN enabled) Description, video and possibly an exploit: https://sploit.tech/2019/12/16/Realtek-TOTOLINK.html Timeline: • 17.12.2019 - Contacted all identified vendors, i.e. TOTOLINK, CIK Telecom, Sapido, Fibergate and Coship. • 18.12.2019 - received TOTOLINK first line support response totally not related to my message and showing me how to log into my router. I responded right away and asked to forward the message to technical/security team. • 19.12.2019 - received response from CIK Telecom stating that the routers support encryption (SIC!). I replied asking to forward the message to technical/security team. • 19.12.20219 - CIK Telecom responded that for further assistance I should contact them over the phone. I replied that I need to explain the details as a written message as this is technical. • 27.12.2019, 06.01.2020 - I resent the messages to TOTOLINK and CIK Telecom but none have replied till the date of disclosure. • 06.01.2020 - I finally contacted Realtek as the Supplier of the SDK. • 10.01.2020 - I got a response and I replied with encrypted details on the bugs. • 14-15.01.2020 - Realtek replied that the issue with dumping configuration by apmib exists but it is not directly exploitable in the defualt SDK configuration becuase it uses HTTP Basic authentication which protects all URLs. They agreed however that most of the Vendors modify the software including authentication mechanism thus making it vulnerable. • 23.01.2020 - Realtek responded that they are goining to fix the issue with dumping configuration to the config.dat file in version released on 15.02.2020. They also said that after fixing the issue the impact of storing password in plaintext is less significant thus they will not fix the CVE-2019-19823 yet but will try to fix it in the future. Temporary workaround: Unfortunately I did not get any good information from real vendors like TOTOLINK and for now I would suggest to disable administration interface from WAN and restricting LAN router administration interface access using some kind of firewall if possible. Credit: Blazej Adamczyk | blazej.adamczyk@gmail.com | http://sploit.tech/

On certain TOTOLINK Realtek SDK based routers, the CAPTCHA text can be retrieved via an {"topicurl":"setting/getSanvas"} POST to the boafrm/formLogin URI, leading to a CAPTCHA bypass. (Also, the CAPTCHA text is not needed once the attacker has determined valid credentials. The attacker can perform router actions via HTTP requests with Basic Authentication.) This affects A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, and N100RE through 3.4.0. plural TOTOLINK The product contains an authentication vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ MULTIPLE VULNERABILITIES IN SEVERAL SERIES OF REALTEK SDK BASED ROUTERS (TOTOLINK AND MANY OTHER) Blazej Adamczyk (br0x) blazej.adamczyk@gmail.com https://sploit.tech/ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 11.12.2019 1 Sensitive data disclosure and incorrect access control in several series of Realtek SDK based routers ══════════════════════════════════════════════════════════════════════════ CVE: CVE-2019-19822 SDK vendor: Realtek Device vendor: TOTOLINK, Sapido, CIK Telecom, Fibergate Inc., MAX-C300N, T-BROAD and possibly others.. Product: Realtek SDK based routers backed by Boa HTTP server (and possibly others) and using apmib library for memory management. Boa Version: <= Boa/0.94.14rc21 SDK Version: < 2020/02/15 Description: Realtek SDK based routers which use form based instead HTTP Basic authentication (that includes Realtek APMIB 0.11f and Boa HTTP server 0.94.14rc21) allows remote attackers to retrieve the configuration, including sensitive data (usernames and passwords). This affects: • TOTOLINK A3002RU through 2.0.0, • TOTOLINK 702R through 2.1.3, • TOTOLINK N301RT through 2.1.6, • TOTOLINK N302R through 3.4.0, • TOTOLINK N300RT through 3.4.0, • TOTOLINK N200RE through 4.0.0, • TOTOLINK N150RT through 3.4.0, and • TOTOLINK N100RE through 3.4.0; • Rutek RTK 11N AP through 2019-12-12; • Sapido GR297n through 2019-12-12; • CIK TELECOM MESH ROUTER through 2019-12-12; • KCTVJEJU Wireless AP through 2019-12-12; • Fibergate FGN-R2 through 2019-12-12; • Hi-Wifi MAX-C300N through 2019-12-12; • HCN MAX-C300N through 2019-12-12; • T-broad GN-866ac through 2019-12-12; • Coship EMTA AP through 2019-12-12; and • IO-Data WN-AC1167R through 2019-12-12; and • possibly others. Technical details: The apmib library at some point of initialization dumps the whole memory contents the file /web/config.dat. This folder is actually used by the boa http server as index directory. Additionally if the router is configured for form-based authentication the access control verifies credentials only for some URLs but ".dat" files are not restricted. PoC: ┌──── │ $ curl http://routerip/config.dat └──── 2 Password stored in plaintext in Realtek SDK based routers ═══════════════════════════════════════════════════════════ CVE: CVE-2019-19823 SDK vendor: Realtek Device vendor: TOTOLINK, Sapido, CIK Telecom, Fibergate Inc., MAX-C300N, T-BROAD and possibly others.. Product: Realtek SDK based routers backed by Boa HTTP server (and possibly others) and using apmib library for memory management. Boa Version: <= Boa/0.94.14rc21 SDK Version: < 2020/02/15 Description: Realtek SDK based routers (that includes Realtek APMIB 0.11f and Boa HTTP server 0.94.14rc21) store passwords in plaintext. This affects: • TOTOLINK A3002RU through 2.0.0, • TOTOLINK 702R through 2.1.3, • TOTOLINK N301RT through 2.1.6, • TOTOLINK N302R through 3.4.0, • TOTOLINK N300RT through 3.4.0, • TOTOLINK N200RE through 4.0.0, • TOTOLINK N150RT through 3.4.0, and • TOTOLINK N100RE through 3.4.0; • Rutek RTK 11N AP through 2019-12-12; • Sapido GR297n through 2019-12-12; • CIK TELECOM MESH ROUTER through 2019-12-12; • KCTVJEJU Wireless AP through 2019-12-12; • Fibergate FGN-R2 through 2019-12-12; • Hi-Wifi MAX-C300N through 2019-12-12; • HCN MAX-C300N through 2019-12-12; • T-broad GN-866ac through 2019-12-12; • Coship EMTA AP through 2019-12-12; and • IO-Data WN-AC1167R through 2019-12-12; and • possibly others. Technical details: Data stored in memory in COMPCS (apmib library) format contains device administration and other passwords in plaintext. The apmib library additionally at some point of initialization dumps the whole memory contents the file /web/config.dat which might be used to easily retrieve user passwords. 3 Code execution in several TOTOLINK routers ════════════════════════════════════════════ CVE: CVE-2019-19824 Vendor: TOTOLINK Product: TOTOLINK Realtek SDK based routers Boa Version: <= Boa/0.94.14rc21 Description: On several Realted SDK based TOTOLINK routers, an authenticated attacker may execute arbitrary OS commands via the sysCmd parameter to the boafrm/formSysCmd URI, even if the GUI (syscmd.htm) is not available. This allows for full control over the device's internals. This affects: • A3002RU through 2.0.0, • A702R through 2.1.3, • N301RT through 2.1.6, • N302R through 3.4.0, • N300RT through 3.4.0, • N200RE through 4.0.0, • N150RT through 3.4.0, • N100RE through 3.4.0, and • possibly others. PoC: ┌──── │ $ curl 'http://routerip/boafrm/formSysCmd' --user "admin:password" │ --data 'submit-url=%2Fsyscmd.htm&sysCmdselect=5&sysCmdselects=0& │ save_apply=Run+Command&sysCmd=cp%20%2Fetc%2Fpasswd%20%2Fweb%2Fxxxx.dat' └──── 4 Incorrectly implemented captcha protection in TOTOLINK routers ════════════════════════════════════════════════════════════════ CVE: CVE-2019-19825 Vendor: TOTOLINK Product: TOTOLINK Realtek SDK based routers Boa Version: <= Boa/0.94.14rc21 Description: Guessable captcha vulnerability (CWE-804) in several series of TOTOLINK routers allows a remote attacker to automatically login to the router without reading and providing real captcha. The following command returns captcha in plain text: ┌──── │ $ curl 'http://routerip/boafrm/formLogin' --data '{"topicurl":"setting/getSanvas"}' └──── Additionally by using the HTTP Basic in a HEADER the attacker can execute router actions without providing captcha at all. This affects: • A3002RU through 2.0.0, • A702R through 2.1.3, • N301RT through 2.1.6, • N302R through 3.4.0, • N300RT through 3.4.0, • N200RE through 4.0.0, • N150RT through 3.4.0, • N100RE through 3.4.0, and • possibly others. 5 Exploiting all together on TOTOLINK routers ═════════════════════════════════════════════ CVSS v3 socre: 9.6 AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (assuming Administrative Access on WAN is enabled the score is 10.0) Exploiting all the vulnerabilities together allows a remote unauthenticated attacker to execute any code with root permissions and reveal administration password. The only thing that is needed is the access to router administration interface (either access to local network or Administrative Access on WAN enabled) Description, video and possibly an exploit: https://sploit.tech/2019/12/16/Realtek-TOTOLINK.html Timeline: • 17.12.2019 - Contacted all identified vendors, i.e. TOTOLINK, CIK Telecom, Sapido, Fibergate and Coship. • 18.12.2019 - received TOTOLINK first line support response totally not related to my message and showing me how to log into my router. I responded right away and asked to forward the message to technical/security team. • 19.12.2019 - received response from CIK Telecom stating that the routers support encryption (SIC!). I replied asking to forward the message to technical/security team. • 19.12.20219 - CIK Telecom responded that for further assistance I should contact them over the phone. I replied that I need to explain the details as a written message as this is technical. • 27.12.2019, 06.01.2020 - I resent the messages to TOTOLINK and CIK Telecom but none have replied till the date of disclosure. • 06.01.2020 - I finally contacted Realtek as the Supplier of the SDK. • 10.01.2020 - I got a response and I replied with encrypted details on the bugs. • 14-15.01.2020 - Realtek replied that the issue with dumping configuration by apmib exists but it is not directly exploitable in the defualt SDK configuration becuase it uses HTTP Basic authentication which protects all URLs. They agreed however that most of the Vendors modify the software including authentication mechanism thus making it vulnerable. • 23.01.2020 - Realtek responded that they are goining to fix the issue with dumping configuration to the config.dat file in version released on 15.02.2020. They also said that after fixing the issue the impact of storing password in plaintext is less significant thus they will not fix the CVE-2019-19823 yet but will try to fix it in the future. Temporary workaround: Unfortunately I did not get any good information from real vendors like TOTOLINK and for now I would suggest to disable administration interface from WAN and restricting LAN router administration interface access using some kind of firewall if possible. Credit: Blazej Adamczyk | blazej.adamczyk@gmail.com | http://sploit.tech/

CODESYS Control V3, Gateway V3, and HMI V3 before 3.5.15.30 allow uncontrolled memory allocation which can result in a remote denial of service condition. CODESYS Control , Gateway , HMI Exists in a resource exhaustion vulnerability.Service operation interruption (DoS) It may be in a state. CoDeSys is a powerful PLC software programming tool. CODESYS Control memory allocation is secure. Remote attackers can use this vulnerability to submit special requests to conduct denial-of-service attacks. 3S-Smart Software Solutions CODESYS Control is a set of industrial control program programming software from 3S-Smart Software Solutions in Germany

JCG Q9PRO is a home wireless router that supports WPS one-key encryption, etc., and has high device compatibility. The JCG gateway Q9PRO has a command execution vulnerability. An attacker can use the vulnerability to execute arbitrary instructions.

Beijing Wenwang Yilian Information Technology Co., Ltd. is a long-term research, development and construction of a network culture computer supervision platform related to cultural management departments and a youth Internet addiction monitoring project. WWWS-7150 full gigabit multi-WAN smart router has unauthorized access vulnerabilities. Attackers can use the vulnerabilities to obtain sensitive information such as databases or website directories.

An issue was discovered in Ricoh (including Savin and Lanier) Windows printer drivers prior to 2020 that allows attackers local privilege escalation. Affected drivers and versions are: PCL6 Driver for Universal Print - Version 4.0 or later PS Driver for Universal Print - Version 4.0 or later PC FAX Generic Driver - All versions Generic PCL5 Driver - All versions RPCS Driver - All versions PostScript3 Driver - All versions PCL6 (PCL XL) Driver - All versions RPCS Raster Driver - All version. plural Ricoh The product contains a privilege management vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. are all RICOH printer drivers. Multiple RICOH printer drivers have privilege elevation vulnerabilities. Attackers can use this vulnerability to elevate permissions

Dell EMC OpenManage Enterprise (OME) versions prior to 3.2 and OpenManage Enterprise-Modular (OME-M) versions prior to 1.10.00 contain an injection vulnerability. A remote authenticated malicious user with low privileges could potentially exploit this vulnerability to gain access to sensitive information or cause denial-of-service

Dell EMC OpenManage Enterprise-Modular (OME-M) versions prior to 1.10.00 contain a command injection vulnerability. A remote authenticated malicious user with high privileges could potentially exploit the vulnerability to execute arbitrary shell commands on the affected system. (DoS) It may be in a state