CVE-2019-19509
published 2020-01-06


Priority: P1 / 84 / high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Tags: ITW, Exploit, VulnCheck KEV
Exploited in the wild
EPSS: 71.64% (99.3rd percentile)
An issue was discovered in rConfig 3.9.3. A remote authenticated user can directly execute system commands by sending a GET request to ajaxArchiveFiles.php because the path parameter is passed to the exec function without filtering, which can lead to command execution.

Affected (1 range)

Vendor: rconfig
Product: rconfig
Version range: (not listed)
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

path: /lib/ajaxHandlers/ajaxArchiveFiles.php
path: /commands.inc.php
path: /lib/crud/userprocess.php
url: /lib/ajaxHandlers/ajaxArchiveFiles.php?path=<payload>&ext=random

Snort rule:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS rConfig ajaxArchiveFiles.php Command Injection Inbound (CVE-2019-19509)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ajaxHandlers/ajaxArchiveFiles.php?path="; fast_pattern; http.uri.raw; content:"/ajaxHandlers/ajaxArchiveFiles.php?path="; pcre:"/^%(?:3B|0A|26|60|7C|24)/Ri"; reference:url,www.exploit-db.com/exploits/47982; reference:cve,2019-19509; classtype:attempted-admin; sid:2033424; rev:3; metadata:attack_target Server, created_at 2021_07_26, cve CVE_2019_19509, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2021_08_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
  • The Metasploit module defaults to RPORT 443 with SSL enabled; scanning or detection rules targeting only port 80/HTTP will miss exploitation attempts against default rConfig deployments.
  • Full root privilege escalation requires CVE-2019-19585 (Apache user added to sudoers with NOPASSWD by the rConfig install script) to be present; CVE-2019-19509 alone yields apache-level code execution.

CVSS provenance

NVD, CVSS v3.1: 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
NVD, CVSS v2.0: 9.0 CRITICAL (AV:N/AC:L/Au:S/C:C/I:C/A:C)
VulnCheck: 8.8 HIGH