CVE-2020-10220
Published 2020-03-07

CVE-2020-10220: An issue was discovered in rConfig through 3.9.4. The web interface is prone to a SQL injection via the commands.inc.php searchColumn parameter.

Priority: P1 · 81 · Critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 99.68% (99.9th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rconfig | rconfig | <= 3.9.4 | — |
Detection & IOCs (extracted from sources)

- URL: {{BaseURL}}/commands.inc.php?searchOption=contains&searchField=vuln&search=search&searchColumn=command%20UNION%20ALL%20SELECT%20(SELECT%20CONCAT(0x223E3C42523E5B50574E5D,md5('{{num}}'),0x5B50574E5D3C42523E)%20limit%200,1),NULL--
- Command: INSERT INTO `users` (`id`,`username`,`password`,`userid`,`userlevel`,`email`,`timestamp`,`status`) VALUES (...);--
- Bytes: 0x223E3C42523E5B50574E5D (ASCII `"><BR>[PWN]`)
- Bytes: 0x5B50574E5D3C42523E (ASCII `[PWN]<BR>`)
Detection points:
- Detect SQLi exploitation attempts against rConfig by monitoring GET requests to /commands.inc.php whose 'searchColumn' parameter value contains SQL keywords such as UNION, INSERT or DELETE, or comment/terminator sequences (--, ;).
- Alert on GET requests to /lib/ajaxHandlers/ajaxArchiveFiles.php where the 'path' parameter contains backtick characters (`) or other shell metacharacters, indicating command injection chained after the SQLi authentication bypass.
- Detect the SQLi canary marker string [PWN] (hex 0x5B50574E5D) in HTTP responses from rConfig; the exploit injects it to delimit the exfiltrated data.
- Monitor for POST requests to /lib/crud/userprocess.php immediately following anomalous GET requests to /commands.inc.php from the same source, indicating the two-step SQLi-then-authenticate exploit chain.
- Look for the MD5 hash 21232f297a57a5a743894a0e4a801fc3 (MD5 of 'admin') in SQL INSERT payloads carried in the searchColumn parameter of /commands.inc.php requests.
- Detect 'sudo zip' with the -T/-TT flags and a shell command as the test program in process execution logs; this is the privilege escalation technique (CVE-2019-19585) chained with this CVE.
- The Nuclei detection template matches rConfig SQLi by checking for an HTTP 200 response from /commands.inc.php containing the MD5 of a known numeric canary value injected via UNION SELECT CONCAT with the hex markers listed above.

Caveats:
- The Metasploit module requires HTTPS (SSL=true) because rConfig's PHP code redirects HTTP to HTTPS; HTTP-only deployments may not be exploitable via this module.
- Root privilege escalation (CVE-2019-19585) is only possible if the rConfig install script was used, since it adds the Apache user to sudoers with NOPASSWD; manually installed instances may not be vulnerable to privilege escalation.
- The SQLi in /commands.inc.php is unauthenticated: no valid credentials are required to trigger the initial injection and add an admin user.
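As an added example (not from the page's sources or from any vendor rule set), the following Python applies the detection points above to Apache combined-format access log lines and to a response body. The rule names, the 120-second window for the SQLi-then-login chain, and the sample log lines are assumptions constructed for the demo; the INSERT payload on the second sample line is a shortened stand-in, not the real exploit string.

```python
"""Apply the rConfig CVE-2020-10220 detection points to web access logs.

Added example, not from the page's sources or any vendor rule. Assumed:
Apache combined log format, the rule names, a 120 s window for the
SQLi-then-login chain, and the sample lines below, which are constructed
for the demo (the INSERT payload on line 2 is a shortened stand-in).
"""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SQLI_RE = re.compile(r"\b(UNION|INSERT|DELETE)\b|--|;", re.IGNORECASE)
SHELL_META_RE = re.compile(r"[`;|&$]")
# "[PWN]<32 hex>[PWN]" is what the CONCAT(0x22..., md5(n), 0x5B...) probe echoes
CANARY_RE = re.compile(r"\[PWN\]([0-9a-f]{32})\[PWN\]")
ADMIN_MD5 = "21232f297a57a5a743894a0e4a801fc3"   # md5("admin")
CHAIN_WINDOW = timedelta(seconds=120)

# Constructed sample log: one attacker (10.0.0.5) running the chain, one benign user.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2020:10:15:01 +0000] "GET /commands.inc.php?searchOption=contains&searchField=vuln&search=search&searchColumn=command%20UNION%20ALL%20SELECT%20(SELECT%20CONCAT(0x223E3C42523E5B50574E5D,md5('1337'),0x5B50574E5D3C42523E)%20limit%200,1),NULL-- HTTP/1.1" 200 5120 "-" "python-requests/2.22.0"
10.0.0.5 - - [12/Mar/2020:10:15:02 +0000] "GET /commands.inc.php?searchOption=contains&searchField=vuln&search=search&searchColumn=command%3BINSERT%20INTO%20users%20(username,password)%20VALUES%20('pwned','21232f297a57a5a743894a0e4a801fc3')-- HTTP/1.1" 200 5120 "-" "python-requests/2.22.0"
10.0.0.5 - - [12/Mar/2020:10:15:04 +0000] "POST /lib/crud/userprocess.php HTTP/1.1" 302 - "-" "python-requests/2.22.0"
10.0.0.5 - - [12/Mar/2020:10:15:06 +0000] "GET /lib/ajaxHandlers/ajaxArchiveFiles.php?path=%60id%60 HTTP/1.1" 200 87 "-" "python-requests/2.22.0"
192.168.1.20 - - [12/Mar/2020:10:20:00 +0000] "GET /commands.inc.php?searchOption=contains&searchField=router&search=search&searchColumn=command HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.168.1.20 - - [12/Mar/2020:10:20:30 +0000] "POST /lib/crud/userprocess.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one combined-format line into fields; URL-decode the query string."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": url.path,
        "query": {k: v[0] for k, v in parse_qs(url.query).items()},
        "status": int(m["status"]),
    }


def analyze(log_text):
    """Return (rule, source_ip, detail) findings for the detection points above."""
    findings = []
    recent_sqli = {}   # ip -> time of the last flagged /commands.inc.php request
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts, q = ev["ip"], ev["ts"], ev["query"]
        if ev["path"] == "/commands.inc.php" and ev["method"] == "GET":
            col = q.get("searchColumn", "")
            if SQLI_RE.search(col):
                findings.append(("sqli_searchColumn", ip, col))
                recent_sqli[ip] = ts
            if ADMIN_MD5 in col:
                findings.append(("admin_hash_in_payload", ip, ADMIN_MD5))
        elif ev["path"] == "/lib/ajaxHandlers/ajaxArchiveFiles.php":
            p = q.get("path", "")
            if SHELL_META_RE.search(p):
                findings.append(("cmdi_archive_path", ip, p))
        elif ev["path"] == "/lib/crud/userprocess.php" and ev["method"] == "POST":
            last = recent_sqli.get(ip)
            if last is not None and ts - last <= CHAIN_WINDOW:
                findings.append(("sqli_then_login_chain", ip, ts.isoformat()))
    return findings


def find_canary(body):
    """Return the MD5 between [PWN] markers in a response body, or None."""
    m = CANARY_RE.search(body)
    return m.group(1) if m else None


if __name__ == "__main__":
    for rule, ip, detail in analyze(SAMPLE_LOG):
        print(f"{rule:24} {ip:14} {detail}")
```

The chain rule keys on source IP only; behind a NAT or proxy, key on the forwarded client address instead, or the benign login in the last sample line would be attributed to the attacker.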
CVSS provenance
- NVD v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
No detection rules found.
Exploit-DB · 2020-03-27 · CVSS 8.8 · CVE-2019-19509 [HIGH]
rConfig 3.9.4 - 'searchField' Unauthenticated Root Remote Code Execution
---
# Exploit Title: rConfig 3.9.4 - 'searchField' Unauthenticated Root Remote Code Execution
# Exploit Author: vikingfr
# Greetz : Orange Cyberdefense - team CSR-SO (https://cyberdefense.orange.com)
# Date: 2020-03-12
# CVE-2019-19509 + CVE-2019-19585 + CVE-2020-10220
# Exploit link : https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_root_RCE_unauth.py
# Vendor Homepage: https://rconfig.com/ (see also : https://github.com/rconfig/rconfig)
# Software Link : https://www.rconfig.com/downloads/rconfig-3.9.4.zip
# Install scripts :
# https://www.rconfig.com/downloads/scripts/install_rConfig.sh
# https://www.rconfig.com/downloads/scripts/centos7_install.sh
# https://www.rconfig.com/downloads/scripts/centos
Exploit-DB · 2020-03-17 · CVSS 7.8 · CVE-2020-10220 [HIGH]
Rconfig 3.x - Chained Remote Code Execution (Metasploit)
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
      'Name' => 'Rconfig 3.x Chained Remote Code Execution',
      'Description' => '
        This module exploits multiple vulnerabilities in rConfig version 3.9
        in order to execute arbitrary commands.
        This module takes advantage of a command injection vulnerability in the
        `path` parameter of the ajax archive file functionality within the rConfig web
        interface in order to execute the payload.
        Valid credentials for a user with administrative privileges are required.
        However, this module can bypass authentication via SQLI.
        This module has been successfully tested on Rconfig 3.9.3 and 3.9.4.
        The step
Exploit-DB · 2020-03-12 · CVSS 9.8 · CVE-2020-10220 [CRITICAL]
rConfig 3.9 - 'searchColumn' SQL Injection
---
# Exploit Title: rConfig 3.9 - 'searchColumn' SQL Injection
# Exploit Author: vikingfr
# Date: 2020-03-03
# CVE-2020-10220
# Exploit link : https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_CVE-2020-10220.py
# Vendor Homepage: https://rconfig.com/ (see also : https://github.com/rconfig/rconfig)
# Software Link : https://www.rconfig.com/downloads/rconfig-3.9.4.zip
# Install scripts :
# https://www.rconfig.com/downloads/scripts/install_rConfig.sh
# https://www.rconfig.com/downloads/scripts/centos7_install.sh
# https://www.rconfig.com/downloads/scripts/centos6_install.sh
# Version: tested v3.9.4
# Tested on: Apache/2.4.6 (CentOS 7.7) OpenSSL/1.0.2k-fips PHP/7.2.24
#
# Notes : If you want to reproduce in your lab environment follo
Metasploit · CVSS 7.8 · [HIGH]
Rconfig 3.x Chained Remote Code Execution

This module exploits multiple vulnerabilities in rConfig version 3.9 in order to execute arbitrary commands. This module takes advantage of a command injection vulnerability in the `path` parameter of the ajax archive file functionality within the rConfig web interface in order to execute the payload. Valid credentials for a user with administrative privileges are required. However, this module can bypass authentication via SQLI. This module has been successfully tested on Rconfig 3.9.3 and 3.9.4. The steps are:
1. SQLi on /commands.inc.php allows us to add an administrative user.
2. An authenticated session is established with the newly added user.
3. Command Injection on /lib/ajaxHandlers/ajaxArchiveFiles.php allows us to execute the payload.
4.
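Step 1 works because the searchColumn value is spliced into the query as a column name, and a column identifier cannot be bound as a query parameter. The following Python/SQLite stand-in is an added illustration, not rConfig's code and not the Metasploit module's: it contrasts a query that interpolates the identifier with one that allow-lists it and binds only the search value. The table, rows, allowed-column set and function names are hypothetical, and the page's UNION probe is rewritten in SQLite syntax (`||` instead of CONCAT, quoted strings instead of the hex byte literals, a registered md5() since SQLite lacks one).

```python
"""Why parameter binding alone does not fix the searchColumn injection.

Added illustration, not rConfig's code: the schema, rows and both query
functions are hypothetical stand-ins for the commands search in
commands.inc.php. The UNION payload is the page's canary probe rewritten
for SQLite (|| instead of CONCAT, quoted strings instead of hex literals).
"""
import hashlib
import sqlite3

ALLOWED_COLUMNS = {"command", "description"}   # assumed searchable columns


def md5_hex(value) -> str:
    return hashlib.md5(str(value).encode()).hexdigest()


def canary(num) -> str:
    """What the page's probe makes the server echo: "><BR>[PWN]<md5>[PWN]<BR>."""
    return '"><BR>[PWN]' + md5_hex(num) + "[PWN]<BR>"


def probe_payload(num) -> str:
    """searchColumn value equivalent to the page's UNION ALL SELECT probe."""
    return (f"command UNION ALL SELECT (SELECT '\"><BR>[PWN]' || md5('{num}') "
            f"|| '[PWN]<BR>' limit 0,1),NULL--")


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for rConfig's commands table."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("md5", 1, md5_hex)   # MySQL has md5(); SQLite does not
    conn.executescript("""
        CREATE TABLE commands (id INTEGER PRIMARY KEY, command TEXT, description TEXT);
        INSERT INTO commands (command, description) VALUES
            ('show running-config', 'dump config'),
            ('show version', 'platform info');
    """)
    return conn


def search_vulnerable(conn, search_column: str, term: str):
    """Identifier and value both spliced into the SQL text: the bug pattern."""
    sql = (f"SELECT id, command FROM commands "
           f"WHERE {search_column} LIKE '%{term}%'")
    return conn.execute(sql).fetchall()


def search_hardened(conn, search_column: str, term: str):
    """Identifier checked against an allow-list, value bound as a parameter."""
    if search_column not in ALLOWED_COLUMNS:
        raise ValueError(f"unsupported search column: {search_column!r}")
    sql = (f'SELECT id, command FROM commands '
           f'WHERE "{search_column}" LIKE ?')
    return conn.execute(sql, (f"%{term}%",)).fetchall()


def demo(num=1337):
    """Run the probe against both versions; return (leaked rows, hardened blocked?)."""
    conn = make_db()
    leaked = search_vulnerable(conn, probe_payload(num), "vuln")
    try:
        search_hardened(conn, probe_payload(num), "vuln")
        blocked = False
    except ValueError:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    rows, blocked = demo()
    print("vulnerable query returned:", rows)
    print("hardened query rejected payload:", blocked)
```

In the vulnerable version the `--` comments out everything after the injected UNION, so the bound-parameter placeholder a naive fix would add for the search term never even reaches the parser; the allow-list on the identifier is the part that actually closes the hole.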
Nuclei · CVSS 9.8 · CVE-2020-10220 [CRITICAL]
rConfig 3.9 - SQL Injection

An issue was discovered in rConfig through 3.9.4. The web interface is prone to a SQL injection via the commands.inc.php searchColumn parameter.

Template:
id: CVE-2020-10220

info:
  name: rConfig 3.9 - SQL Injection
  author: ritikchaddha,theamanrawat
  severity: critical
  description: |
    An issue was discovered in rConfig through 3.9.4. The web interface is prone to a SQL injection via the commands.inc.php searchColumn parameter.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access and data leakage.
  remediation: |
    Upgrade to a patched version of rConfig or apply the vendor-supplied patch to mitigate this vulnerability.
  reference:
    - http://packetstormsecurity.com/files/156688/rConfig-3.9-SQL-Injection.html
    - http://packetstormsecurity.com/files/156766/Rconfig-3.x-Chained-Remote-Code-Execution.html
    - http://packetstormsecurity.com/files/156950/rConfig-3.9.4-searchField-Remote-Code-Execution.html
    - https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_CVE-2020-10220.py
    - https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_sqli.py
Published: 2020-03-07