CVE-2019-19585
published 2020-01-06CVE-2019-19585: An issue was discovered in rConfig 3.9.3. The install script updates the /etc/sudoers file for rconfig specific tasks. After an "rConfig specific Apache…
PriorityP348high7.8CVSS 3.1
AVLACLPRLUINSUCHIHAH
EXPLOIT
EPSS
5.67%
92.0th percentile
An issue was discovered in rConfig 3.9.3. The install script updates the /etc/sudoers file for rconfig specific tasks. After an "rConfig specific Apache configuration" update, apache has high privileges for some binaries. This can be exploited by an attacker to bypass local security restrictions.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rconfig | rconfig | — | — |
CVSS provenance
nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.04.6MEDIUMAV:L/AC:L/Au:N/C:P/I:P/A:P
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
rConfig 3.9.4 - 'searchField' Unauthenticated Root Remote Code Execution
exploitdb·2020-03-27·CVSS 8.8
CVE-2019-19509 [HIGH] rConfig 3.9.4 - 'searchField' Unauthenticated Root Remote Code Execution
rConfig 3.9.4 - 'searchField' Unauthenticated Root Remote Code Execution
---
# Exploit Title: rConfig 3.9.4 - 'searchField' Unauthenticated Root Remote Code Execution
# Exploit Author: vikingfr
# Greetz : Orange Cyberdefense - team CSR-SO (https://cyberdefense.orange.com)
# Date: 2020-03-12
# CVE-2019-19509 + CVE-2019-19585 + CVE-2020-10220
# Exploit link : https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_root_RCE_unauth.py
# Vendor Homepage: https://rconfig.com/ (see also : https://github.com/rconfig/rconfig)
# Software Link : https://www.rconfig.com/downloads/rconfig-3.9.4.zip
# Install scripts :
# https://www.rconfig.com/downloads/scripts/install_rConfig.sh
# https://www.rconfig.com/downloads/scripts/centos7_install.sh
# https://www.rconfig.com/downloads/scripts/centos
Exploit-DB
Rconfig 3.x - Chained Remote Code Execution (Metasploit)
exploitdb·2020-03-17·CVSS 7.8
CVE-2020-10220 [HIGH] Rconfig 3.x - Chained Remote Code Execution (Metasploit)
Rconfig 3.x - Chained Remote Code Execution (Metasploit)
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'Rconfig 3.x Chained Remote Code Execution',
'Description' => '
This module exploits multiple vulnerabilities in rConfig version 3.9
in order to execute arbitrary commands.
This module takes advantage of a command injection vulnerability in the
`path` parameter of the ajax archive file functionality within the rConfig web
interface in order to execute the payload.
Valid credentials for a user with administrative privileges are required.
However, this module can bypass authentication via SQLI.
This module has been successfully tested on Rconfig 3.9.3 and 3.9.4.
The step
Metasploit
Rconfig 3.x Chained Remote Code Execution
metasploit·CVSS 7.8
[HIGH] Rconfig 3.x Chained Remote Code Execution
Rconfig 3.x Chained Remote Code Execution
This module exploits multiple vulnerabilities in rConfig version 3.9 in order to execute arbitrary commands. This module takes advantage of a command injection vulnerability in the `path` parameter of the ajax archive file functionality within the rConfig web interface in order to execute the payload. Valid credentials for a user with administrative privileges are required. However, this module can bypass authentication via SQLI. This module has been successfully tested on Rconfig 3.9.3 and 3.9.4. The steps are: 1. SQLi on /commands.inc.php allows us to add an administrative user. 2. An authenticated session is established with the newly added user 3. Command Injection on /lib/ajaxHandlers/ajaxArchiveFiles.php allows us to execute the payload. 4.
No writeups or analysis indexed.
http://packetstormsecurity.com/files/156950/rConfig-3.9.4-searchField-Remote-Code-Execution.htmlhttps://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_lpe.shhttps://raw.githubusercontent.com/v1k1ngfr/exploits/master/rconfig_lpe.sh?token=http://packetstormsecurity.com/files/156950/rConfig-3.9.4-searchField-Remote-Code-Execution.htmlhttps://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_lpe.shhttps://raw.githubusercontent.com/v1k1ngfr/exploits/master/rconfig_lpe.sh?token=
2020-01-06
Published