Pwning rConfig: part one
Hi everyone. I've been quite busy lately, but some weeks ago I decided to review the security of a software called rConfig version 3.9.5 (www.rconfig.com) which is a Network Monitoring tool and I found several vulnerabilities. So let's take a look at them ;)
Local file disclosure in /lib/crud/configcompare.crud.php, when comparing the parameter path_a to path_b, the file specified in path_a is disclosed if both files are completely different. Here we can see the contents of /etc/passwd
Arbitrary file deletion
Arbitrary file deletion in /lib/ajaxHandlers/ajaxDeleteAllLoggingFiles.php. You can delete any file with an extension by specifying the file with the path parameter and the extension with the ext extension
Server-Side Request Forgery
Server-Side Request Forgery in /lib/ajaxHandlers/ajaxDeviceStatus.php, you can open a connection to the inside of the machine with the deviceIpAddr parameter and the connPort parameter.
Cross-Site Scripting in /devices.php > Add device, introduce a payload such as <svg onload=alert(1)> in the Model field and clicking Save (it's needed to fill the rest of fields with info). Then visiting /devicemgmt.php?deviceId=1&device=devicename
Cross-Site Scripting in /commands.php > Add command, introduce a payload such as <svg onload=alert(1)> in the Command field and click Save.
Cross-Site Scripting in /snippets.php > Add snippet, introduce a payload such as <svg onload=alert(1)> in the Snippet field and click Save(fill the rest of fields first).
Privilege escalation 1
Using sudo zip:
Privilege escalation 2
By doing sudo crontab -e and then :!/bin/bash
Arbitrary file read:
Following this we can read any privileged file: https://gtfobins.github.io/gtfobins/tail/
So those are some of the vulns I found during the research, hope you enjoyed the article. Back with the second part soon :)