Vulnerability Analysis of remote Command execution in rConfig v3.9.2 01/18 Update SLTechnology News&Howtos

Vulnerability Analysis of remote Command execution in rConfig v3.9.2

2025-01-18 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >

Shulou(Shulou.com)05/31 Report--

In this issue, the editor will bring you the loophole analysis of rConfig v3.9.2 remote command execution. The article is rich in content and analyzed and described from a professional point of view. I hope you can get something after reading this article.

Overview of rConfig

RConfig is an open source configuration management utility for network devices. With the help of rConfig, network engineers can manage snapshots of network devices quickly and frequently.

Loophole discovery

In a recent study, I found two remote code execution vulnerabilities in each of the two code files in rConfig.

The first file is ajaxServerSettingsChk.php, where the rootUname parameter is defined in line 2 of the source file, which is then passed to the exec function on line 13, while an attacker can send a specially crafted GET request through the rootUname parameter to trigger unauthorized remote code execution. An attacker only needs to inject a malicious command into this parameter and execute it on the target server to complete the exploit.

The second RCE vulnerability is located in the search.crud.php file and can be triggered by an attacker sending a specially crafted GET request. This request needs to contain two parameters, of which the searchTerm parameter can contain any value, but it must be present, otherwise the exec function on line 63 will not execute properly.

In the previous RCE vulnerability mining process, I developed a simple Python script to find all the possible unsafe functions of the target, and this time I intend to use the same script: [RCEScanner].

Vulnerability Analysis # 1

After running the script, we can see the output of the script. In the process of checking the file, I found a file called ajaxServerSettingsChk.php, the file path is install/lib/ajaxHandlers/ajaxServerSettingsChk.php, and part of the code snippet is as follows:

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.