AttackerKB AKB:FB545FC9-A1EB-44C3-8CBC-91FD4811C31A
History: Mar 07, 2020 - 12:00 a.m.

CVE-2020-10220

attackerkb.com

CVSS3: 9.8 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 9 High
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: SINGLE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE
  Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

An issue was discovered in rConfig through 3.9.4. The web interface is prone to a SQL injection via the commands.inc.php searchColumn parameter.

Recent assessments:

theguly at March 12, 2020 3:39pm UTC reported:

I love this type of vulnerability because it chains three findings normally considered low/medium to take over a full infrastructure.

we have:

  1. a web page that doesn't check the user session (commands.inc.php doesn't have the if (!$session->logged_in) check and therefore no auth is required upon access)
  2. a trivial unescaped GET parameter used in a SQL query on that page, therefore unauthenticated SQL injection
  3. plaintext storage by default, therefore profit

rConfig has access to network devices, and of course credentials (both standard and privileged) are kept in its database.
What makes this attack even more useful is that by default rConfig doesn't encrypt data, so this SQL injection will grant an attacker the plaintext of every juicy piece of information about the network infrastructure monitored by this tool: IPs, usernames, passwords, eventual privileged ones, full configurations.

Since version 3.8.0 it's possible to encrypt just passwords: <http://help.rconfig.com/settings/mainsettings>
So point 3) is partially solved. In this case, an attacker will try to read files using the SQL injection, if the user has FILE grants, to decrypt the passwords and get the loot anyway.

Plus, the webapp uses PDO, which supports stacked queries. The public exploit (<https://www.exploit-db.com/exploits/48261>) abuses this to execute an INSERT statement adding a new administrator, giving the chance to have RCE by chaining this CVE to CVE-2019-19509 (RCE) and LPE to root with CVE-2019-19585.

As a bonus, we could chain this SQLi to CVE-2020-10221 to get RCE: even if strong passwords are enforced (classes/usersession.class.php line 338), users' passwords are hashed using md5. A brute force is not that easy, but way easier than against passwords hashed using a modern algorithm.

Assessed Attacker Value: 5
