CVE-2019-19585

Published: 06/01/2020 Updated: 31/01/2023
CVSS v2 Base Score: 4.6 | Impact Score: 6.4 | Exploitability Score: 3.9
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
VMScore: 500
Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

An issue exists in rConfig 3.9.3. The install script appends rConfig-specific entries to /etc/sudoers. After the "rConfig specific Apache configuration" block is added, the apache service account can run several binaries as root through sudo without a password. A local attacker who obtains code execution as apache (for example through one of the web-interface vulnerabilities listed below) can use those grants to escalate to root, bypassing local security restrictions.
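As an added check for the misconfiguration described above (example code written for this page, not rConfig's install script and not part of the Metasploit module), here is a POSIX shell audit that lists every NOPASSWD sudo grant given to web-server service accounts, which is exactly the condition that turns an apache-level web shell into root. The user list, the sample sudoers file and the binaries in it are assumptions; only the "rConfig specific Apache configuration" comment line comes from the advisory text.

```shell
#!/bin/sh
# Added example, not rConfig's install script or any Vulmon tooling:
# audit a sudoers file for passwordless (NOPASSWD) sudo grants to the
# service accounts a web application runs as. One such grant on a binary
# that can run arbitrary code turns any web shell running as apache into root.

# Assumption: the service-account names to treat as "web" users.
WEB_USERS="apache www-data httpd nginx"

# Print one "user<TAB>command" line per NOPASSWD command granted to a web user.
# Handles comments, blank lines and backslash line continuations.
# Caveat: #include/#includedir lines are stripped with the comments, so
# walk /etc/sudoers.d/* yourself on a real host.
audit_web_sudo() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1" \
    | sed -e ':a' -e '/\\$/N; s/\\\n//; ta' \
    | awk -v users="$WEB_USERS" '
        BEGIN { n = split(users, u, " "); for (i = 1; i <= n; i++) web[u[i]] = 1 }
        ($1 in web) && /NOPASSWD:/ {
            user = $1
            # drop everything up to and including the NOPASSWD: tag;
            # what remains is the comma-separated command list
            sub(/.*NOPASSWD:[ \t]*/, "")
            nc = split($0, cmds, "[ \t]*,[ \t]*")
            for (j = 1; j <= nc; j++) printf "%s\t%s\n", user, cmds[j]
        }'
}

# Number of risky grants found in a sudoers file.
count_web_sudo() {
    audit_web_sudo "$1" | wc -l | tr -d ' '
}

# Constructed sample sudoers (not rConfig's real file): the comment line is the
# marker the advisory mentions, the binaries under it are placeholders.
make_sample_sudoers() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
Defaults    requiretty
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
# rConfig specific Apache configuration
apache  ALL=(ALL)   NOPASSWD: /usr/bin/example-tool, \
                              /sbin/example-service
www-data ALL=(ALL)  NOPASSWD: ALL
deploy  ALL=(ALL)   /usr/bin/rsync
EOF
    printf '%s\n' "$f"
}

SAMPLE=$(make_sample_sudoers)
audit_web_sudo "$SAMPLE"   # three lines: two apache binaries, www-data ALL
rm -f "$SAMPLE"
```

On a live host, point it at /etc/sudoers and at each file in /etc/sudoers.d (the script strips #include directives together with the comments, so enumerate the drop-in directory yourself). From a shell that already runs as apache, `sudo -n -l` shows the effective grants directly. Treat a grant of ALL, or of any interpreter, editor or service manager that will execute a file the apache user can write, as root-equivalent.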

Vulnerable Products

rconfig rconfig 3.9.3

Exploits

This Metasploit module takes advantage of a command injection vulnerability in the path parameter of the ajax archive file functionality within the rConfig web interface in order to execute the payload. Valid credentials for a user with administrative privileges are required; however, this module can bypass authentication via SQL injection ...
rConfig version 3.9.4 searchField unauthenticated remote root code execution exploit ...
This module exploits multiple vulnerabilities in rConfig version 3.9 in order to execute arbitrary commands. It takes advantage of a command injection vulnerability in the `path` parameter of the ajax archive file functionality within the rConfig web interface in order to execute the payload ...

Metasploit Modules

Rconfig 3.x Chained Remote Code Execution

This module exploits multiple vulnerabilities in rConfig version 3.9 in order to execute arbitrary commands. It takes advantage of a command injection vulnerability in the `path` parameter of the ajax archive file functionality within the rConfig web interface in order to execute the payload. Valid credentials for a user with administrative privileges are required; however, this module can bypass authentication via SQLi. This module has been successfully tested on rConfig 3.9.3 and 3.9.4. The steps are:

1. SQLi on /commands.inc.php allows us to add an administrative user.
2. An authenticated session is established with the newly added user.
3. Command injection on /lib/ajaxHandlers/ajaxArchiveFiles.php allows us to execute the payload.
4. Remove the added admin user.

Tip: once you get a shell, look at CVE-2019-19585. You will probably get root, because the rConfig install script adds the Apache user to sudoers with NOPASSWD.

msf > use exploit/linux/http/rconfig_ajaxarchivefiles_rce
msf exploit(rconfig_ajaxarchivefiles_rce) > show targets
    ...targets...
msf exploit(rconfig_ajaxarchivefiles_rce) > set TARGET < target-id >
msf exploit(rconfig_ajaxarchivefiles_rce) > show options
    ...show and set options...
msf exploit(rconfig_ajaxarchivefiles_rce) > exploit

Github Repositories

Exploit codes for rconfig <= 3.9.4

exploits: three exploits for rconfig <= 3.9.4:
CVE-2019-19509: authenticated RCE
CVE-2019-19585: Local Privilege Escalation (root)
CVE-2020-10220: unauthenticated SQLi
rconfig_root_RCE_unauth.py: chains the three CVEs above to get a root reverse shell without authentication
rconfig_ajaxarchivefiles_rce.rb: Rconfig 3.x - Chained Remote ...