Attacker Value
Very High
(2 users assessed)
Exploitability
Very High
(2 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
1

CVE-2019-16662

Disclosure Date: October 28, 2019
CVE-2019-16662 CVSS v3 Base Score: 9.8
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

An issue was discovered in rConfig 3.9.2. An attacker can directly execute system commands by sending a GET request to ajaxServerSettingsChk.php because the rootUname parameter is passed to the exec function without filtering, which can lead to command execution.

Add Assessment

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

Purportedly, this affects versions of rConfig prior to 3.9.2, as well. rConfig installation leaves files lying around, asking the user to clean them up. If the user doesn’t take this step, then an attacker can use the ajaxServerSettingsChk.php file (leftover from installation) to gain unauthenticated command execution as the web server user. Chain this with a local privilege escalation, and things can go from bad to worse for the target…

One can remediate this by removing all files from the rConfig installation directory.

Log in to Add Reply
1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Common in enterpriseEasy to weaponizeGives privileged access
Technical Analysis

rConfig reports almost 3.5 million devices managed by this utility. A search of Shodan reveals there are several dozen instances exposed directly to the internet on a vulnerable version.

This exploit allows RCE on the host. If you can gain host access you can read the database keys in ./config/config.inc.php and then access the database.

By design the database contains the details for all of your network devices. It also contains clear text credentials for access to these devices.

MariaDB [rconfig]> select deviceUsername, deviceName, devicePassword, deviceEnablePassword, deviceIpAddr from nodes;

+----------------+------------+----------------+----------------------+--------------+

| deviceUsername | deviceName | devicePassword | deviceEnablePassword | deviceIpAddr |

+----------------+------------+----------------+----------------------+--------------+

| admin          | Primary    | password       | password             | 10.10.10.10  |

+----------------+------------+----------------+----------------------+--------------+

1 row in set (0.00 sec)



MariaDB [rconfig]>

This then permits any attacker to gain access to a wide range of internal network devices.
As rConfig is typically seen to access these devices it is easy for an attacker to hide amongst the background noise.

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
n/a
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
exploit/unix/webapp/rconfig_install_cmd_exec
Reporter
Unknown

Vendors

  • rconfig

Products

  • rconfig 3.9.2
Technical Analysis