CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C

An issue was discovered in rConfig 3.9.2. An attacker can directly execute system commands by sending a GET request to ajaxServerSettingsChk.php because the rootUname parameter is passed to the exec function without filtering, which can lead to command execution.
Recent assessments:
pbarry-r7 at November 20, 2019 3:00pm UTC reported:
Purportedly, this affects versions of rConfig prior to 3.9.2, as well. rConfig installation leaves files lying around, asking the user to clean them up. If the user doesn't take this step, then an attacker can use the ajaxServerSettingsChk.php file (leftover from installation) to gain unauthenticated command execution as the web server user. Chain this with a local privilege escalation, and things can go from bad to worse for the target…
One can remediate this by removing all files from the rConfig installation directory.
kevthehermit at April 23, 2020 8:43pm UTC reported:
Purportedly, this affects versions of rConfig prior to 3.9.2, as well. rConfig installation leaves files lying around, asking the user to clean them up. If the user doesn't take this step, then an attacker can use the ajaxServerSettingsChk.php file (leftover from installation) to gain unauthenticated command execution as the web server user. Chain this with a local privilege escalation, and things can go from bad to worse for the target…
One can remediate this by removing all files from the rConfig installation directory.
Assessed Attacker Value: 5
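
A detection sketch for the issue described above, added here as an example and not taken from the original page or from rConfig: it scans web access logs for requests to the leftover ajaxServerSettingsChk.php and grades them by whether rootUname looks like a plain account name. The combined log format, the allow-list pattern, the severity labels and the sample lines (including the placeholder directory) are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# File and parameter names come from the advisory text above.
TARGET_FILE = "ajaxserversettingschk.php"
PARAM = "rootUname"
# Assumption: a legitimate account name uses only these characters.
PLAIN_NAME = re.compile(r"[A-Za-z0-9_.-]{1,32}")
# Assumption: Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(line):
    """Return a finding dict for requests to the installer script, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    # Decode the path first so %-encoded file names are not missed.
    if unquote(url.path).rsplit("/", 1)[-1].lower() != TARGET_FILE:
        return None
    values = parse_qs(url.query, keep_blank_values=True).get(PARAM, [])
    odd = [v for v in values if not PLAIN_NAME.fullmatch(v)]
    served = m["status"] != "404"  # anything but 404: the file may still exist
    if served and odd:
        severity = "high"    # reachable script, value is not a plain name
    elif served:
        severity = "medium"  # leftover installer file is still exposed
    else:
        severity = "info"    # file removed; the request is only a probe
    return {"ip": m["ip"], "time": m["ts"], "severity": severity, "values": values}

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]

# Constructed sample lines; INSTALL_DIR_PLACEHOLDER is not a real rConfig path.
SAMPLE = [
    '203.0.113.7 - - [20/Nov/2019:15:00:01 +0000] "GET /INSTALL_DIR_PLACEHOLDER/ajaxServerSettingsChk.php?rootUname=root%3Bid HTTP/1.1" 200 12 "-" "-"',
    '198.51.100.4 - - [20/Nov/2019:15:02:10 +0000] "GET /INSTALL_DIR_PLACEHOLDER/ajaxServerSettingsChk.php?rootUname=apache HTTP/1.1" 200 12 "-" "-"',
    '198.51.100.9 - - [21/Nov/2019:09:30:44 +0000] "GET /INSTALL_DIR_PLACEHOLDER/ajaxServerSettingsChk.php?rootUname=a%7Cb HTTP/1.1" 404 0 "-" "-"',
    '192.0.2.10 - - [21/Nov/2019:09:31:00 +0000] "GET /login.php HTTP/1.1" 200 512 "-" "-"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Any "medium" or "high" finding means the installation files named in the remediation above are still being served and should be removed.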
packetstormsecurity.com/files/154999/rConfig-3.9.2-Remote-Code-Execution.html
packetstormsecurity.com/files/155186/rConfig-3.9.2-Command-Injection.html
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16662
drive.google.com/file/d/1bTpTn4-alJ8qGCEATLq-oVM6HbhE65iY/view?usp=sharing
drive.google.com/open?id=1OXI5cNuwWqc6y-7BgNCfYHgFPK2cpvnu
gist.github.com/mhaskar/ceb65fa4ca57c3cdccc1edfe2390902e
rconfig.com/download
shells.systems/rconfig-v3-9-2-authenticated-and-unauthenticated-rce-cve-2019-16663-and-cve-2019-16662