rConfig is an open-source network device configuration management tool written natively in PHP; extra PHP modules can be added to customize its features as needed. It is widely used by network administrators to take frequent configuration snapshots of their network devices. It also offers many unique features, such as customizable device commands, connection templates, scheduled tasks, database password encryption, and monitoring of device configurations for policy compliance.
In the past several years, security researchers have found many high-severity vulnerabilities in rConfig. Here are some of the CVEs: CVE-2019-16662, CVE-2019-16663, CVE-2019-19509, CVE-2019-19585, CVE-2020-10220.
In this post, I will demonstrate how one can chain CVE-2020-10220, CVE-2019-19509 and CVE-2019-19585 in series and exploit the application from initial access through privilege escalation to root. So without further ado, let's dive in.
Whenever we try to exploit a vulnerability, the first step is reconnaissance: we need to make sure the application version we are targeting is actually the vulnerable one. For rConfig, the version is readily visible on the landing page.
The web interface is prone to SQL injection via the searchColumn parameter of commands.inc.php (CVE-2020-10220). An attacker can exploit it either to extract credentials from the database or to insert dummy credentials into the web application.
The password is stored as an MD5 digest, which can be cracked with an online lookup service or with tools such as hashcat or John the Ripper.
After retrieving the credentials, the attacker can log in to the web application and gain initial access. From there, a remote authenticated user can execute system commands directly by sending a GET request to ajaxArchiveFiles.php, because its path parameter is passed to the exec function without filtering (CVE-2019-19509).
The install script updates /etc/sudoers for rConfig-specific tasks. After the "rConfig specific Apache configuration" update, the apache user can run some binaries with elevated privileges via sudo. An attacker can abuse these loosely set sudo rights to gain root (CVE-2019-19585).
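Added example, not from the original post or from rConfig itself: a small Python scanner that reads Apache access-log lines for the two web-side request patterns described above (a non-identifier value in searchColumn, shell metacharacters in path) and then groups findings by source address, because a single client tripping both rules is exactly the chain this post describes. The sample log lines, client addresses and the directory prefixes in their URLs are constructed.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2020:10:01:02 +0000] "GET /commands.inc.php?searchColumn=command&search=show HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2020:10:05:44 +0000] "GET /commands.inc.php?searchColumn=command%27&search=x HTTP/1.1" 200 9182 "-" "curl/7.68.0"
10.0.0.9 - - [12/Mar/2020:10:09:13 +0000] "GET /lib/ajaxArchiveFiles.php?path=%2Ftmp%3B%20id&ext=zip HTTP/1.1" 200 77 "-" "curl/7.68.0"
10.0.0.5 - - [12/Mar/2020:10:11:00 +0000] "GET /lib/ajaxArchiveFiles.php?path=%2Fhome%2Frconfig%2Fdata&ext=zip HTTP/1.1" 200 77 "-" "Mozilla/5.0"
"""

# Fields we need from each line: client IP, timestamp, request URL.
REQ_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Allow-list per vulnerable script: a column name is only [A-Za-z0-9_], and an
# archive path never needs shell metacharacters such as ; | & ` $ or whitespace.
RULES = {
    "commands.inc.php": ("searchColumn", re.compile(r"[A-Za-z0-9_]+"), "CVE-2020-10220 (SQLi via searchColumn)"),
    "ajaxArchiveFiles.php": ("path", re.compile(r"[A-Za-z0-9_./-]+"), "CVE-2019-19509 (exec via path)"),
}


def check_request(url):
    """Return a finding string when the URL hits a vulnerable script with a disallowed value, else None."""
    parts = urlsplit(url)
    rule = RULES.get(parts.path.rsplit("/", 1)[-1])  # match on script basename only
    if rule is None:
        return None
    param, allowed, label = rule
    for value in parse_qs(parts.query, keep_blank_values=True).get(param, []):
        value = unquote_plus(value)  # parse_qs decoded once; catch double-encoded probes too
        if not allowed.fullmatch(value):
            return f"{label}: {param}={value!r}"
    return None


def scan_log(text):
    """Yield (ip, timestamp, finding) for every suspicious request in the log text."""
    findings = []
    for line in text.splitlines():
        rec = REQ_RE.match(line)
        if rec:
            hit = check_request(rec.group("url"))
            if hit:
                findings.append((rec.group("ip"), rec.group("ts"), hit))
    return findings


def chained_sources(findings):
    """IPs that triggered more than one distinct CVE rule, i.e. the chain described in the post."""
    per_ip = {}
    for ip, _ts, hit in findings:
        per_ip.setdefault(ip, set()).add(hit.split(":")[0])
    return sorted(ip for ip, labels in per_ip.items() if len(labels) > 1)


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(*finding)
    print("chained:", chained_sources(scan_log(SAMPLE_LOG)))
```

The sudo step of the chain happens on the host, not over HTTP, so it is out of scope for this log scanner; auditing /etc/sudoers for the apache user covers that part.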
When multiple vulnerabilities can be chained like this, the impact is far worse than that of any single flaw, as the root shell obtained here shows. As a security recommendation, it is always best practice to run the latest version of the application and apply security updates promptly. A detailed walkthrough of the exploit can be viewed at the YouTube link below.