Researcher Mohammad Askar from Shell Systems posted on the Web details and PoC codes for two critical remote code execution vulnerabilities in rConfig.
Their exploitation allows an unauthorized attacker remotely compromise target servers and connected network devices.RConfig is a free, open source network device configuration management utility that allows network engineers to set up and take frequent snapshots of network device configurations.
rConfig is used to manage more than 3.3 million network devices, including switches, routers, firewalls, load balancers, and WAN optimizers.
Read also: Four vulnerabilities in MikroTik routers could lead to a backdoor
The first issue (CVE-2019-16662) affects all versions of rConfig up to and including 3.9.2.
“The first one called “ajaxServerSettingsChk.php” file which suffers from an unauthenticated RCE that could triggered by sending a crafted GET request via “rootUname” parameter which is declared in line #2 and then passed to exec function in line #13 which you can inject it with a malicious OS command to be executed on the server”, — writes Mohammad Askar.
Second vulnerability (CVE-2019-16663) affects all rConfig versons up to 3.6.0.
“The second vulnerability has been discovered in a file called “search.crud.php” which suffers from an authenticated RCE that could triggered by sending a crafted GET request that contains two parameters, the first one called “searchTerm” and this parameter can contains any value you want”, — reports Mohammad Askar.
An unauthorized attacker can remotely exploit vulnerabilities.
In both cases, in order to exploit the vulnerability, the attacker needs to access the vulnerable files using a specially crafted GET parameter designed to execute malicious OS commands on the target server. An attacker can gain access to the command line on the victim’s server and execute any arbitrary command on the compromised server with web application privileges. Mohammad Askar reported about two vulnerabilities on September 19, 2019 to rConfig main developer, but since that time did not get any fix release date or even a statement that they will fix the vulnerability.