CVE-2020-10220
Description
An issue was discovered in rConfig through 3.9.4. The web interface is prone to a SQL injection via the commands.inc.php searchColumn parameter.
Ratings
- Attacker Value: Very High
- Exploitability: Very High
Technical Analysis
I love these types of vulnerabilities because they chain three findings normally considered low/medium to take over a full infrastructure.
We have:
- a web page that doesn't check the user session (commands.inc.php doesn't have the if (!$session->logged_in) check and therefore no auth is required upon access)
- a trivial unescaped GET parameter used in a SQL query in that page, therefore unauth SQL injection
- plaintext storage by default, therefore profit
rConfig has access to network devices, and of course credentials (both standard and privileged) are kept in its database.
What makes this attack even more useful is that by default rConfig doesn't encrypt data, so this SQL injection will grant an attacker the plaintext of every juicy piece of information about the network infrastructure monitored by this tool: IPs, usernames, passwords, eventual privileged ones, full configurations.
Since version 3.8.0 it's possible to encrypt just passwords: http://help.rconfig.com/settings/mainsettings
So point 3) is partially solved. In this case, an attacker will try to read files using SQL injection, if the user has FILE grants, to decrypt passwords and get the loot anyway.
Plus, the webapp uses PDO, which supports stacked queries. Public exploits (https://www.exploit-db.com/exploits/48261) abuse this to execute an INSERT statement adding a new administrator, giving the chance to have RCE by chaining this CVE to CVE-2019-19509 (RCE) and LPE to root with CVE-2019-19585.
As a bonus, we could chain this SQLi to CVE-2020-10221 to get RCE: even if strong passwords are enforced (classes/usersession.class.php line 338), users' passwords are hashed using MD5. A bruteforce is not that easy but way easier than against passwords hashed using a modern algorithm.
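The first two findings in the assessment above (no session gate, a GET parameter concatenated into a PDO query) can be contrasted with their fixed shape in a few lines. The following PHP script is an added example written for this page; it is not rConfig's code and does not reproduce commands.inc.php. The table layout, the DemoSession class standing in for rConfig's $session object, and the use of an in-memory SQLite database in place of MySQL are all assumptions made for the demo. The point worth noticing is that searchColumn names a column, and a column identifier cannot be passed as a bound parameter, so the hardened version validates it against an allow-list and binds only the search term.

```php
<?php
// Added example, not rConfig's code. Shows an unauthenticated, string-built
// search query next to a session-gated, allow-listed prepared statement.
declare(strict_types=1);

// In-memory SQLite stands in for the application's MySQL database (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE commands (id INTEGER PRIMARY KEY, command TEXT, description TEXT)');
$pdo->exec("INSERT INTO commands (command, description) VALUES ('show version', 'firmware'), ('show run', 'config')");

// Minimal stand-in for the application's $session object (assumption).
final class DemoSession
{
    public bool $logged_in = false;
}

// 1) Vulnerable shape: no session check, and both the column name and the search
//    term are concatenated straight into the SQL text.
function vulnerableSearch(PDO $pdo, string $searchColumn, string $searchTerm): array
{
    $sql = "SELECT id, command, description FROM commands WHERE $searchColumn LIKE '%$searchTerm%'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2) Hardened shape: refuse anonymous callers, accept only a known column name
//    (identifiers cannot be bound), and bind the search term as a parameter.
const SEARCHABLE_COLUMNS = ['command', 'description'];

function hardenedSearch(PDO $pdo, DemoSession $session, string $searchColumn, string $searchTerm): array
{
    if (!$session->logged_in) {
        throw new RuntimeException('authentication required');
    }
    if (!in_array($searchColumn, SEARCHABLE_COLUMNS, true)) {
        throw new InvalidArgumentException('unknown search column');
    }
    // $searchColumn is now one of the literal names above, so interpolating it is safe.
    $stmt = $pdo->prepare("SELECT id, command, description FROM commands WHERE $searchColumn LIKE :term");
    $stmt->execute([':term' => '%' . $searchTerm . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demo run: the column slot of the vulnerable query rewrites the WHERE clause,
// while the hardened query rejects both anonymous use and unknown columns.
$session = new DemoSession();
echo count(vulnerableSearch($pdo, 'command', 'show')), " rows from a benign search\n";
echo count(vulnerableSearch($pdo, '1=1 OR command', 'zzz')), " rows although 'zzz' matches nothing\n";

try {
    hardenedSearch($pdo, $session, 'command', 'show');
} catch (RuntimeException $e) {
    echo "hardened, logged out: ", $e->getMessage(), "\n";
}

$session->logged_in = true;
try {
    hardenedSearch($pdo, $session, '1=1 OR command', 'zzz');
} catch (InvalidArgumentException $e) {
    echo "hardened, bad column: ", $e->getMessage(), "\n";
}
echo count(hardenedSearch($pdo, $session, 'command', 'show')), " rows from the hardened search\n";
```

Run it with the PHP CLI (php 7.4 or later, with the pdo_sqlite extension). The allow-list is the part that matters: a prepared statement alone would still leave searchColumn as raw SQL, which is why escaping or binding the term is not sufficient for this parameter.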
General Information
Vendors
- rconfig
Products
- rconfig
Nice, what a great assessment! Knowledge like this is exactly what we wanted to be able to capture and highlight when AttackerKB was first dreamt up. Thanks so much—if you ever want to collaborate on a Metasploit module (scanner, exploit, LPE, post-exploitation) for a vuln you’ve been looking at, let us know and we’ll be happy to help out!