Pwning rConfig part I

Pwning rConfig: part one

Hi everyone. I've been quite busy lately, but some weeks ago I decided to review the security of a software called rConfig version 3.9.5 ( which is a Network Monitoring tool and I found several vulnerabilities. So let's take a look at them ;)


Local file disclosure in /lib/crud/configcompare.crud.php, when comparing the parameter path_a to path_b, the file specified in path_a is disclosed if both files are completely different. Here we can see the contents of /etc/passwd

Arbitrary file deletion

Arbitrary file deletion in /lib/ajaxHandlers/ajaxDeleteAllLoggingFiles.php. You can delete any file with an extension by specifying the file with the path parameter and the extension with the ext extension

Server-Side Request Forgery

Server-Side Request Forgery in /lib/ajaxHandlers/ajaxDeviceStatus.php, you can open a connection to the inside of the machine with the deviceIpAddr parameter and the connPort parameter.




Cross-Site Scripting in /devices.php > Add device, introduce a payload such as <svg onload=alert(1)> in the Model field and clicking Save (it's needed to fill the rest of fields with info). Then visiting /devicemgmt.php?deviceId=1&device=devicename


Cross-Site Scripting in /commands.php > Add command, introduce a payload such as <svg onload=alert(1)> in the Command field and click Save.


Cross-Site Scripting in /snippets.php > Add snippet, introduce a payload such as <svg onload=alert(1)> in the Snippet field and click Save(fill the rest of fields first).

Privilege escalation 1

Using sudo zip:

Privilege escalation 2

By doing sudo crontab -e and then :!/bin/bash

Arbitrary file read:

Following this we can read any privileged file:

So those are some of the vulns I found during the research, hope you enjoyed the article. Back with the second part soon :)