CVE-2019-19585
Description
An issue was discovered in rConfig 3.9.3. The install script updates the /etc/sudoers file for rconfig specific tasks. After an "rConfig specific Apache configuration" update, apache has high privileges for some binaries. This can be exploited by an attacker to bypass local security restrictions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
rConfig 3.9.3 grants Apache the ability to run privileged commands via sudo without a password, allowing local privilege escalation for an attacker with web shell access.
Vulnerability
An insecure sudoers entry is created during the post-installation of rConfig version 3.9.3, as shown in the centos7_install.sh script [1][2]. The script appends an rConfig specific Apache configuration line to /etc/sudoers that grants the apache user the ability to execute /usr/bin/crontab, /usr/bin/zip, /bin/chmod, /bin/chown, /usr/bin/whoami, /usr/bin/wc, /usr/bin/tail, and /bin/rm as any user (ALL = (ALL) NOPASSWD:) [1][2]. The directive Defaults:apache !requiretty is also set, enabling non-interactive use [1].
Exploitation
An attacker who has already obtained a low-privilege shell (e.g., via a web application compromise or remote code execution under the apache user) can leverage any of the granted sudo privileges to escalate to root. For example, sudo /bin/chmod 4755 /bin/bash makes the local bash setuid-root, allowing any local user to gain a root shell by running bash -p [1][2]. Similar techniques using sudo /bin/chown to change file ownership or sudo /usr/bin/zip with a symlink trick can achieve the same effect [1].
Impact
Successful exploitation allows the attacker to elevate privileges from the apache user to full root access on the affected CentOS 7 system [1]. This grants complete control over the server, including the ability to read, modify, or delete any file, install malware, and pivot to other network resources.
Mitigation
No official patch has been released; rConfig 3.9.3 and earlier are affected [1]. Users should manually edit /etc/sudoers to remove the dangerous apache entries (the lines starting with ### rConfig specific and apache ALL = ...) and restrict the commands that Apache may run. If the system is no longer supported, migration to an alternative configuration management tool is recommended.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- rConfig/rConfig
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The rConfig install script grants the Apache user passwordless sudo access to multiple privileged binaries, enabling privilege escalation."
Attack vector
An attacker who has already achieved a low-privilege shell (e.g., a web shell or RCE as the Apache user) can leverage the overly permissive sudoers entries installed by rConfig's setup script [ref_id=1]. Because Apache is granted `NOPASSWD` access to binaries such as `/bin/chmod`, `/bin/chown`, and `/bin/rm`, the attacker can run these commands as root without a password. For example, the attacker could use `sudo chmod` to change permissions on sensitive files, `sudo chown` to take ownership of system binaries, or `sudo /bin/rm` to delete critical files, thereby escalating privileges to root [ref_id=1].
Affected code
The install script `centos7_install.sh` (and likely `centos6_install.sh`) adds Apache to the sudoers file with broad privileges. Specifically, lines 131-148 of the install script execute `echo 'apache ALL = (ALL) NOPASSWD: /usr/bin/crontab, /usr/bin/zip, /bin/chmod, /bin/chown, /usr/bin/whoami, /usr/bin/wc, /usr/bin/tail, /bin/rm' >> /etc/sudoers` [ref_id=1]. This grants the Apache user passwordless sudo access to multiple binaries.
What the fix does
The advisory does not provide a patch or official fix [ref_id=1]. The remediation is to manually remove or restrict the overly broad sudoers entries added by the rConfig install script. Specifically, the line granting Apache `NOPASSWD` access to `/usr/bin/crontab, /usr/bin/zip, /bin/chmod, /bin/chown, /usr/bin/whoami, /usr/bin/wc, /usr/bin/tail, /bin/rm` should be removed from `/etc/sudoers`, and Apache should only be granted the minimum necessary privileges [ref_id=1].
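As an added defender-side check (not code from rConfig or the advisory), the following POSIX shell script audits a sudoers file for the pattern described above: a web-server account given NOPASSWD sudo on the binaries named in the installer's entry, plus the Defaults line that disables requiretty for it. The www-data and httpd account names and the embedded sample file are assumptions constructed for the example.

```shell
#!/bin/sh
# Added audit example, not code from rConfig or the advisory: find sudoers entries
# of the kind the rConfig 3.9.3 installer appends (web user, NOPASSWD, root-capable binaries).

# Web-server account names to check; www-data and httpd are assumptions, the page names only apache.
WEB_USERS='apache|www-data|httpd'
# Binaries from the vulnerable entry that trivially lead to root; whoami, wc and tail are left out.
RISKY_BINS='/bin/chmod|/bin/chown|/bin/rm|/usr/bin/zip|/usr/bin/crontab'

# Print the offending user specifications in FILE (comments stripped first).
# A bare "ALL" command list is treated as risky as well.
risky_entries() {
    sed -e 's/#.*$//' "$1" \
      | grep -E "^[[:space:]]*($WEB_USERS)[[:space:]]" \
      | grep -E 'NOPASSWD' \
      | grep -E "($RISKY_BINS|ALL)([[:space:]]*,|[[:space:]]*$)" || true
}

# Print how many offending specifications FILE contains (0 when clean).
count_risky_entries() {
    risky_entries "$1" | grep -c . || true
}

# Print Defaults lines that disable requiretty for a web-server account; that is what
# lets the sudo entry be used from a non-interactive web shell.
notty_defaults() {
    sed -e 's/#.*$//' "$1" \
      | grep -E "^[[:space:]]*Defaults:($WEB_USERS)[[:space:]].*!requiretty" || true
}

# Constructed sample: the lines the page attributes to the installer, plus entries that
# must not be flagged (a non-web user, and apache limited to whoami).
make_sample_sudoers() {
    cat > "$1" <<'EOF'
root    ALL=(ALL)       ALL
### rConfig specific Apache configuration
Defaults:apache !requiretty
apache ALL = (ALL) NOPASSWD: /usr/bin/crontab, /usr/bin/zip, /bin/chmod, /bin/chown, /usr/bin/whoami, /usr/bin/wc, /usr/bin/tail, /bin/rm
apache ALL = (root) NOPASSWD: /usr/bin/whoami
backup ALL = (ALL) NOPASSWD: /bin/rm
EOF
}

# Stand-alone run: audit the constructed sample, then any readable live files (normally needs root).
sample=$(mktemp)
make_sample_sudoers "$sample"
echo "sample: $(count_risky_entries "$sample") risky entries"; risky_entries "$sample"; notty_defaults "$sample"
rm -f "$sample"
for f in /etc/sudoers /etc/sudoers.d/*; do
    [ -r "$f" ] && [ "$(count_risky_entries "$f")" -gt 0 ] && risky_entries "$f"
done
```

Remediation after a hit is the manual edit described above (via visudo), followed by re-running the audit until it reports zero risky entries.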
Preconditions
- Config: rConfig 3.9.3 must have been installed using the official install script, which adds the vulnerable sudoers entries
- Auth: the attacker must already have a shell or command execution as the Apache user (e.g., via a web application RCE)
- Input: the attacker must be able to execute sudo commands on the target system
Reproduction
The reference write-up includes an exploit script at `https://raw.githubusercontent.com/v1k1ngfr/exploits/master/rconfig_lpe.sh` [ref_id=1]. The exploit author notes that after gaining a web RCE or Apache shell, privilege escalation can be performed using the sudoers misconfiguration. The example command shown is: `python3 rconfig_CVE-2019-19509.py https://192.168.43.34 admin root 192.168.43.245` [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- packetstormsecurity.com/files/156950/rConfig-3.9.4-searchField-Remote-Code-Execution.html
- github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_lpe.sh
- raw.githubusercontent.com/v1k1ngfr/exploits/master/rconfig_lpe.sh
News mentions
No linked articles in our index yet.