module
Rconfig 3.x Chained Remote Code Execution
| Disclosed |
|---|
| Mar 11, 2020 |
Disclosed
Mar 11, 2020
Description
This module exploits multiple vulnerabilities in rConfig version 3.9
in order to execute arbitrary commands.
This module takes advantage of a command injection vulnerability in the
`path` parameter of the ajax archive file functionality within the rConfig web
interface in order to execute the payload.
Valid credentials for a user with administrative privileges are required.
However, this module can bypass authentication via SQLI.
This module has been successfully tested on Rconfig 3.9.3 and 3.9.4.
The steps are:
1. SQLi on /commands.inc.php allows us to add an administrative user.
2. An authenticated session is established with the newly added user
3. Command Injection on /lib/ajaxHandlers/ajaxArchiveFiles.php allows us to
execute the payload.
4. Remove the added admin user.
Tips : once you get a shell, look at the CVE-2019-19585.
You will probably get root because rConfig install script add Apache user to
sudoers with nopasswd ;-)
in order to execute arbitrary commands.
This module takes advantage of a command injection vulnerability in the
`path` parameter of the ajax archive file functionality within the rConfig web
interface in order to execute the payload.
Valid credentials for a user with administrative privileges are required.
However, this module can bypass authentication via SQLI.
This module has been successfully tested on Rconfig 3.9.3 and 3.9.4.
The steps are:
1. SQLi on /commands.inc.php allows us to add an administrative user.
2. An authenticated session is established with the newly added user
3. Command Injection on /lib/ajaxHandlers/ajaxArchiveFiles.php allows us to
execute the payload.
4. Remove the added admin user.
Tips : once you get a shell, look at the CVE-2019-19585.
You will probably get root because rConfig install script add Apache user to
sudoers with nopasswd ;-)
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.