CVE-2019-16663
Published 2019-10-28
Priority P2 (79) · high · CVSS 3.1 base score 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 84.70% (99.7th percentile)
An issue was discovered in rConfig 3.9.2. An attacker can directly execute system commands by sending a GET request to search.crud.php because the catCommand parameter is passed to the exec function without filtering, which can lead to command execution.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rconfig | rconfig | — | — |
Detection & IOCs (extracted from sources)
URL: /search.crud.php?searchTerm=&catCommand=%22%22
Snort rule:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS rConfig search.crud.php Command Injection (CVE-2019-16663)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/search.crud.php?searchTerm="; http.uri.raw; content:"&catCommand=%22%22"; fast_pattern; reference:cve,2019-16663; classtype:attempted-admin; sid:2033428; rev:1; metadata:attack_target Server, created_at 2021_07_26, cve CVE_2019_16663, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2021_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
- CVE-2019-16663 is exploited via an HTTP GET request to /search.crud.php with the `catCommand` parameter containing unsanitized OS commands passed directly to exec(). Monitor for GET requests to this path with shell metacharacters (e.g., `;`, `|`, `&`) in the `catCommand` parameter.
- The Emerging Threats Snort rule (SID 2033428) triggers on HTTP GET requests to `/search.crud.php?searchTerm=` with `&catCommand=%22%22` in the raw URI. Deploy this rule at perimeter and internal network sensors.
- Proof-of-concept exploits for CVE-2019-16663 were publicly published. Both CVE-2019-16662 and CVE-2019-16663 affect all versions of rConfig and were unpatched at time of disclosure.
- Caveat: the Snort rule (SID 2033428) targets the specific URI pattern `/search.crud.php?searchTerm=` with `&catCommand=%22%22`. Attackers may URL-encode payloads differently or use alternate shell metacharacters, potentially evading this exact signature.
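The log-review approach the notes above describe, as an added example that is not part of the original page or the rConfig project: it decodes the `catCommand` parameter of every GET to search.crud.php and flags shell metacharacters, so it also covers encodings and parameter orders that the fixed `%22%22` signature does not match. The access-log lines are constructed.

```python
"""Added example (not rConfig's or the page's own code): flag GET requests to
search.crud.php whose decoded catCommand carries shell metacharacters, so it
also catches encodings or parameter orders the fixed %22%22 signature misses."""
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Characters that let a value escape the command string handed to PHP exec().
SHELL_METACHARS = set(';|&`$(){}<>\n"\'')
# Combined log format: we only need the method and the request path.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')

def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding; parse_qs only strips one layer."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(path: str) -> Optional[dict]:
    """Return a finding for search.crud.php requests with a suspicious catCommand."""
    parts = urlsplit(path)
    if not parts.path.endswith("/search.crud.php"):
        return None
    for raw in parse_qs(parts.query, keep_blank_values=True).get("catCommand", []):
        value = decode_fully(raw)
        hits = sorted(c for c in SHELL_METACHARS if c in value)
        if hits:
            return {"path": parts.path, "catCommand": value, "metachars": hits}
    return None

def scan_log(lines):
    """Yield (line_number, finding) for each suspicious request in an access log."""
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if m and m.group("method") == "GET":
            finding = inspect_request(m.group("path"))
            if finding:
                yield n, finding

# Constructed sample lines (not real traffic): a normal search, the exact pattern
# the Snort rule keys on, and the same value with the parameters reordered.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /search.crud.php?searchTerm=router&catCommand=show%20run HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /search.crud.php?searchTerm=&catCommand=%22%22 HTTP/1.1" 200 120',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /search.crud.php?catCommand=%22%22&searchTerm= HTTP/1.1" 200 120',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /devices.php?id=3 HTTP/1.1" 200 800',
]
```

Only lines 2 and 3 of the sample are reported; the reordered request on line 3 is one the raw-URI signature alone would not catch.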
CVSS provenance
NVD v3.1: 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 9.0 CRITICAL · AV:N/AC:L/Au:S/C:C/I:C/A:C
Suricata
ET WEB_SPECIFIC_APPS rConfig search.crud.php Command Injection (CVE-2019-16663)
suricata · 2021-07-26 · CVSS 8.8 · CVE-2019-16663 [HIGH]
Rule: identical to the Snort rule listed under Detection & IOCs above (SID 2033428, rev 1).
Exploit-DB
rConfig - install Command Execution (Metasploit)
exploitdb · 2019-11-08 · CVE-2019-16662
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Extraction dropped the text between the '<' after the class name and the '>'
# before the module name; the lines down to 'Name' are restored from the
# standard Metasploit module layout (assumed, not copied from the source).
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'rConfig install Command Execution',
      'Description' => %q{
        This module exploits an unauthenticated command injection vulnerability
        in rConfig versions 3.9.2 and prior. The `install` directory is not
        automatically removed after installation, allowing unauthenticated users
        to execute arbitrary commands via the `ajaxServerSettingsChk.php` file
        as the web server user.

        This module has been tested successfully on rConfig version 3.9.2 on
        CentOS 7.7.1908 (x64).
      },
      'License'     => MSF_LICENSE,
      'Author'      =>
        [
          'mhaskar', # Discovery and exploit
          'bcoles'   # Metasploit
        ],
      'References'  =>
        [
          ['C
Nuclei
rConfig 3.9.2 - Remote Code Execution
nuclei · CVSS 9.8 · CVE-2019-16662 [CRITICAL]
rConfig 3.9.2 is susceptible to a remote code execution vulnerability. An attacker can directly execute system commands by sending a GET request to ajaxServerSettingsChk.php because the rootUname parameter is passed to the exec function without filtering, which can lead to command execution.
Template:
id: CVE-2019-16662

info:
  name: rConfig 3.9.2 - Remote Code Execution
  author: pikpikcu
  severity: critical
  description: rConfig 3.9.2 is susceptible to a remote code execution vulnerability. An attacker can directly execute system commands by sending a GET request to ajaxServerSettingsChk.php because the rootUname parameter is passed to the exec function without filtering, which can lead to command execution.
  impact: |
    Successful exploitation of this vu
References
- https://drive.google.com/open?id=1XmR2MSMb3cKARFk3XxmPkwz6GhAP1JxL
- https://drive.google.com/open?id=1kQGmboKfwob4RwlMjnv6ER2Za1GUptOi
- https://gist.github.com/mhaskar/e7e454c7cb0dd9a139b0a43691e258a0
- https://rconfig.com/download
- https://shells.systems/rconfig-v3-9-2-authenticated-and-unauthenticated-rce-cve-2019-16663-and-cve-2019-16662/