Part I: Initial Vulnerability Discovery

I recently conducted a security assessment of rConfig version 3.9.5 (www.rconfig.com), a network configuration management tool, and discovered several critical vulnerabilities. This is the first part of a multi-part series detailing these findings.


Local File Inclusion (LFI):

Location: /lib/crud/configcompare.crud.php

The handler diffs the files named by the path_a and path_b parameters without restricting either to rConfig's configuration directory. Because a diff contains every line of path_a that path_b lacks, the target file is returned in full whenever the two files have no lines in common, so path_b should point at a file that shares nothing with the target. Despite the name, this is an arbitrary file read: the contents are returned, not executed as PHP. The following example reads /etc/passwd:

[Screenshot: configuration compare request with path_a set to /etc/passwd]

[Screenshot: contents of /etc/passwd returned in the compare output]
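The mechanism behind the disclosure, shown as an added illustration rather than code from rConfig (its compare handler is PHP and the exact diff renderer is not reproduced on this page): a line-oriented diff emits every line of path_a that path_b lacks, so the attacker's choice of path_b decides how much of the target comes back. The file contents below are constructed and the comparison is modelled with Python's difflib.

```python
import difflib

# Constructed sample contents standing in for files on the target (not real data).
TARGET = (            # what path_a points at, e.g. /etc/passwd
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin\n"
)
EMPTY = ""            # path_b pointing at an empty file shares nothing with TARGET
OVERLAPPING = (       # path_b pointing at a file that repeats one line of TARGET
    "root:x:0:0:root:/root:/bin/bash\n"
    "nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n"
)


def compare(path_a_content, path_b_content):
    """Model of the configcompare handler: a unified diff of path_a against path_b.

    The real endpoint renders its diff differently; what carries over is that a
    diff by construction contains every line of path_a absent from path_b.
    """
    return "".join(difflib.unified_diff(
        path_a_content.splitlines(keepends=True),
        path_b_content.splitlines(keepends=True),
        fromfile="path_a", tofile="path_b",
    ))


def recover_path_a(diff_text):
    """Attacker side: collect the removed ('-') lines, which are lines of path_a.

    Lines common to both files appear as context (' ') and are NOT recovered,
    which is why 'both files completely different' is the condition for a
    full read.
    """
    lines = diff_text.splitlines(keepends=True)
    # Drop the '--- path_a' / '+++ path_b' header pair by position so a data
    # line that happens to start with '--' is not mistaken for a header.
    body = lines[2:] if len(lines) >= 2 and lines[0].startswith("---") and lines[1].startswith("+++") else lines
    return "".join(line[1:] for line in body if line.startswith("-"))


def full_disclosure(path_a_content, path_b_content):
    """True when the compare output leaks path_a in its entirety."""
    return recover_path_a(compare(path_a_content, path_b_content)) == path_a_content


if __name__ == "__main__":
    print("empty path_b leaks everything:", full_disclosure(TARGET, EMPTY))
    print("overlapping path_b leaks everything:", full_disclosure(TARGET, OVERLAPPING))
    print(recover_path_a(compare(TARGET, OVERLAPPING)))
```

The practical consequence is that a reference file such as an empty file or one in an unrelated format makes the read complete; pointing path_b at a file with shared lines silently drops those lines from the output.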

Arbitrary File Deletion:

Location: /lib/ajaxHandlers/ajaxDeleteAllLoggingFiles.php

This handler deletes files according to two request parameters, neither of which is validated against the logging directory:

  • path selects the location of the file(s)
  • ext selects the extension to match

Any file the web-server account is permitted to delete can therefore be removed by pointing path at its location and ext at its extension.

[Screenshot: file deletion request]

[Screenshot: confirmation that the file was deleted]
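Both this handler (path/ext) and the compare handler above (path_a/path_b) take a filesystem location straight from the request. The following added example, written in Python for illustration and not rConfig's PHP, shows the check that fixes both: resolve the requested path and refuse anything outside the directory the handler is meant to serve, and for the deletion case also restrict ext to an allowlist. It assumes, for the demonstration only, that path names a directory under the logging root and ext selects the files inside it; the directory tree it runs against is created on the fly.

```python
import os
import tempfile


class PathRejected(ValueError):
    """Raised when a request-supplied path or extension is outside policy."""


def resolve_within(base_dir, requested):
    """Resolve `requested` relative to `base_dir` and refuse anything outside it.

    Join first, then realpath: this neutralises '../' traversal, absolute paths
    (os.path.join discards base_dir when `requested` is absolute, and the
    resolved result then fails the containment test) and symlinks that point
    out of the tree. The comparison uses commonpath, not a string prefix, so
    /var/log/rconfig2 is not accepted as being inside /var/log/rconfig.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        raise PathRejected(f"{requested!r} resolves outside {base_dir!r}")
    return candidate


# Assumption for the example: the logging directory only ever holds these types.
ALLOWED_LOG_EXTS = {"log", "txt"}


def delete_logging_files(log_dir, requested_subdir, ext):
    """Hardened shape of 'delete all logging files': path confined, ext allowlisted."""
    if ext not in ALLOWED_LOG_EXTS:
        raise PathRejected(f"extension {ext!r} is not a logging file type")
    target_dir = resolve_within(log_dir, requested_subdir)
    removed = []
    for name in sorted(os.listdir(target_dir)):
        full = os.path.join(target_dir, name)
        if os.path.isfile(full) and name.endswith("." + ext):
            os.remove(full)
            removed.append(name)
    return removed


def demo():
    """Exercise the checks on a throwaway tree; returns what each request got."""
    root = tempfile.mkdtemp()
    logs = os.path.join(root, "logs")
    os.mkdir(logs)
    for name in ("a.log", "b.log", "keep.conf"):
        open(os.path.join(logs, name), "w").close()
    open(os.path.join(root, "secret.txt"), "w").close()

    def attempt(fn, *args):
        try:
            fn(*args)
            return "allowed"
        except PathRejected:
            return "rejected"

    return {
        "inside": attempt(resolve_within, logs, "a.log"),
        "traversal": attempt(resolve_within, logs, "../secret.txt"),
        "absolute": attempt(resolve_within, logs, "/etc/passwd"),
        "sibling_prefix": attempt(resolve_within, logs, "../logs2/x.log"),
        "deleted": delete_logging_files(logs, ".", "log"),
        "conf_survives": os.path.exists(os.path.join(logs, "keep.conf")),
        "bad_ext": attempt(delete_logging_files, logs, ".", "conf"),
    }


if __name__ == "__main__":
    for request, outcome in demo().items():
        print(f"{request}: {outcome}")
```

The order of operations matters: a check applied to the raw string (for example rejecting "..") is bypassable through absolute paths, URL-encoded variants or symlinks, whereas comparing the realpath result against the realpath of the base directory covers all three.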


Server-Side Request Forgery (SSRF):

Location: /lib/ajaxHandlers/ajaxDeviceStatus.php

The device-status check opens a TCP connection to whatever host and port the request specifies, without confirming that they belong to a managed device:

  • deviceIpAddr parameter for the target host
  • connPort parameter for the port

Because the response differs for open and closed ports, the rConfig host can be used to scan services that are reachable only from its internal network.

[Screenshot: SSRF request]

Open port response:

[Screenshot: response for an open port]
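An added example, not rConfig's code, of what the handler effectively gives the caller and of the fix that fits a configuration-management tool. Blocking private address ranges would be the wrong fix here, since managed devices live on internal networks; instead the server should only probe (address, port) pairs that exist in its own device inventory, and ideally take a device id rather than an address at all. The inventory dictionary is a constructed stand-in for rConfig's device table, and the demonstration runs entirely against loopback.

```python
import ipaddress
import socket


def probe(ip, port, timeout=1.0):
    """What the status handler does on the caller's behalf: one TCP connect.

    Three distinguishable outcomes are what turn the endpoint into a port
    scanner of everything the rConfig host can reach.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((ip, int(port)))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:            # timeouts and unreachable networks land here
        return "filtered"
    finally:
        s.close()


def authorize_target(ip, port, inventory):
    """Hardened shape: only (address, port) pairs of managed devices may be probed.

    `inventory` stands in for rConfig's device table (assumption): device id ->
    (ip, management port). Hostnames are refused so DNS cannot be used to
    point an allowed-looking name at an arbitrary internal address.
    """
    try:
        addr = str(ipaddress.ip_address(ip))
        port = int(port)
    except ValueError:
        return False
    return (addr, port) in set(inventory.values())


def demo():
    """Loopback demonstration; returns the classification of each request."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    # Bind-and-release to find a port nothing is listening on.
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    inventory = {1: ("127.0.0.1", open_port)}   # constructed device table
    try:
        return {
            "open": probe("127.0.0.1", open_port),
            "closed": probe("127.0.0.1", closed_port),
            "managed": authorize_target("127.0.0.1", open_port, inventory),
            "unmanaged_port": authorize_target("127.0.0.1", closed_port, inventory),
            "hostname": authorize_target("localhost", open_port, inventory),
            "junk_port": authorize_target("127.0.0.1", "22;ls", inventory),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    for request, outcome in demo().items():
        print(f"{request}: {outcome}")
```

Even with the allowlist in place, the handler should return the same generic message for closed and filtered ports so that it cannot be used to map which managed devices are currently up.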


Stored Cross-Site Scripting (XSS) Vulnerabilities:

In each case the payload is saved unescaped and executes in the browser of any user who later views the page that renders the field, administrators included.

XSS #1 - Device Management:

Location: /devices.php > Add device

  1. Inject payload <svg onload=alert(1)> in the Model field
  2. Fill remaining required fields
  3. Click Save
  4. Visit /devicemgmt.php?deviceId=1&device=devicename

[Screenshot: XSS firing in device management]

XSS #2 - Commands:

Location: /commands.php > Add command

  1. Inject payload <svg onload=alert(1)> in the Command field
  2. Click Save

[Screenshot: XSS firing in commands]

XSS #3 - Snippets:

Location: /snippets.php > Add snippet

  1. Inject payload <svg onload=alert(1)> in the Snippet field
  2. Fill remaining required fields
  3. Click Save

[Screenshot: XSS firing in snippets]
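All three findings share one root cause (a stored free-text field written into HTML without output encoding) and one remediation problem (rows saved before the fix still contain the payload). The added example below is illustrative Python, not rConfig's PHP templates: it contrasts the vulnerable and fixed rendering of the Model field and then sweeps a constructed set of device, command and snippet rows for stored markup so they can be reviewed. The table and column names are assumptions about rConfig's schema made for the demonstration.

```python
import html
import re

PAYLOAD = "<svg onload=alert(1)>"   # the payload used in all three findings


def render_model_cell_vulnerable(model):
    """How the affected pages behave: the stored value is concatenated into HTML."""
    return "<td>" + model + "</td>"


def render_model_cell(model):
    """Fix: encode at output time for the context the value lands in (HTML text)."""
    return "<td>" + html.escape(model, quote=True) + "</td>"


# Triage filter for stored data: a tag opener or an on*= event handler attribute.
MARKUP = re.compile(r"<\s*[a-zA-Z!/]|\bon[a-zA-Z]+\s*=")


def find_stored_payloads(records, fields):
    """List (table, id, field) for stored rows whose free-text fields carry markup.

    Encoding on output stops the script from running, but rows saved before the
    fix still hold the payload; this finds them for review. It is a triage
    filter, so legitimate config text containing '<' will also be listed.
    """
    hits = []
    for table, rows in records.items():
        for row in rows:
            for field in fields.get(table, ()):
                if MARKUP.search(str(row.get(field, ""))):
                    hits.append((table, row["id"], field))
    return hits


# Constructed sample rows, not data from a real rConfig database.
SAMPLE_RECORDS = {
    "devices": [
        {"id": 1, "deviceName": "core-sw1", "model": PAYLOAD},
        {"id": 2, "deviceName": "edge-r1", "model": "ISR4331"},
    ],
    "commands": [
        {"id": 1, "command": "show running-config"},
        {"id": 2, "command": PAYLOAD},
    ],
    "snippets": [
        {"id": 1, "snippet": "no ip domain-lookup"},
    ],
}
FREE_TEXT_FIELDS = {
    "devices": ("deviceName", "model"),
    "commands": ("command",),
    "snippets": ("snippet",),
}


if __name__ == "__main__":
    print("vulnerable:", render_model_cell_vulnerable(PAYLOAD))
    print("fixed:     ", render_model_cell(PAYLOAD))
    print("stored payloads:", find_stored_payloads(SAMPLE_RECORDS, FREE_TEXT_FIELDS))
```

Note that the fix belongs at output time and must match the context: html.escape is correct for text between tags, but a value placed inside a JavaScript string or a URL attribute needs that context's encoding instead.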


Privilege Escalation Vulnerabilities:

Once code execution is obtained as the web-server account, its sudo rules allow escalation to root. Each method below is the standard GTFOBins technique for the listed binary, so the account's sudo rules should be enumerated first to confirm which apply.

Method #1: Using sudo zip

[Screenshot: privilege escalation via sudo zip]

Method #2: Using sudo crontab

Execute sudo crontab -e and then escape to a shell from the editor with :!/bin/bash

Method #3: Arbitrary File Read

This method yields a file read rather than a shell: sudo permission on tail allows reading any file as root (for example /etc/shadow) using the technique documented on GTFOBins for tail.


Part II: Authentication Bypass and Remote Code Execution

Following the initial vulnerability disclosure, I discovered three authenticated Remote Code Execution (RCE) vulnerabilities along with two authentication bypass methods (one leveraging information disclosure).

Important Note: Many previously disclosed vulnerabilities (with assigned CVEs) remained present in version 3.9.5, providing additional exploitation vectors.

Full Technical Details:

Complete technical analysis and proof-of-concept exploits are available in the SSD Advisory:

SSD Advisory - rConfig Unauthenticated RCE


Impact Summary:

Chaining an authentication bypass with one of the authenticated RCE vulnerabilities, and then the sudo rules above, gives an unauthenticated attacker the following:

  • Unauthenticated remote code execution
  • Complete system compromise
  • Arbitrary file read and deletion
  • Internal network reconnaissance via SSRF
  • Privilege escalation to root

Timeline:

  • Discovery: August 2020
  • Public Disclosure: August 27, 2020

For questions or additional details about this research, please contact me via the channels listed on my About page.