9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
An issue was discovered in rConfig through 3.9.4. The web interface is prone to a SQL injection via the commands.inc.php searchColumn parameter.
Recent assessments:
theguly at March 12, 2020 3:39pm UTC reported:
i love these type of vulnerabilities because they chain three findings normally considered low/medium to take over a full infrastructure.
we have:
rConfig has access to network devices, and of course credentials (both standard and privileged) are kept in her database.
what makes this attack even more useful, is that by default rConfig doesnโt encrypt data so this sql injection will grant an attacker the plaintext of every juicy information about network infrastructure monitored by this tool: ip, username, password, eventual privileged ones, full configuration.
since version 3.8.0 itโs possible to encrypt just passwords: <http://help.rconfig.com/settings/mainsettings>
so point 3) is partially solved. in this case, an attacker will try to read files using sql injection, if user has FILE grants, to decrypt passwords and get loot anyway.
plus, the webapp uses PDO which supports stacked queries. public exploits (<https://www.exploit-db.com/exploits/48261>) abuses this to execute INSERT statement adding new administrator, giving the chance to have RCE by chaining this CVE to CVE-2019-19509 (RCE) and LPE to root with CVE-2019-19585.
as a bonus, we could chain this sqli to CVE-2020-10221 to get RCE: even if strong password are enforced (classes/usersession.class.php line 338), usersโ passwords are hashed using md5. a bruteforce is not that easy but way easier than against passwords hashed using modern algorithm.
Assessed Attacker Value: 5
Assessed Attacker Value: 5Assessed Attacker Value: 5
packetstormsecurity.com/files/156688/rConfig-3.9-SQL-Injection.html
packetstormsecurity.com/files/156766/Rconfig-3.x-Chained-Remote-Code-Execution.html
packetstormsecurity.com/files/156950/rConfig-3.9.4-searchField-Remote-Code-Execution.html
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10220
github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_CVE-2020-10220.py
github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_sqli.py
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C