Ruijie RG-UAC Application Management Gateway
cpe:2.3:h:ruijie:rg-uac:*:*:*:*:*:*:*, +3 more
This vulnerability is being actively exploited in the wild.
A command injection vulnerability has been identified in the Ruijie RG-UAC Application Management Gateway, specifically through the 'nmc_sync.php' interface. This vulnerability allows unauthenticated attackers to inject shell commands via crafted request data, which the application then executes on the host. Exploitation of this vulnerability can result in full control over the application process and may lead to system-level access, depending on the privileges of the service. The Rondo botnet has been observed targeting this vulnerability.
Exploitation of this vulnerability allows for arbitrary command execution on the host, potentially leading to full control over the application process and system-level access, depending on service privileges.
The vulnerability can be reproduced by sending a GET request to the 'nmc_sync.php' endpoint with a crafted 'template_path' parameter that includes the desired shell command. After the command is executed, the results can be retrieved by accessing the 'test.txt' file via a separate GET request.
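The request pair described above leaves a recognizable trace in web access logs. The following detection sketch is an added example, not code from this advisory or from the vendor. It assumes combined-format access logs and a five-minute correlation window. The log lines are constructed: the directory is a placeholder, `CMD` stands in for any command, and the client addresses come from documentation ranges.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines; "/PLACEHOLDER" and "CMD" are stand-ins, not real values.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Oct/2025:03:14:07 +0000] "GET /PLACEHOLDER/nmc_sync.php?template_path=a%7CCMD%3Etest.txt%7C HTTP/1.1" 200 0
198.51.100.7 - - [12/Oct/2025:03:14:09 +0000] "GET /PLACEHOLDER/test.txt HTTP/1.1" 200 57
203.0.113.20 - - [12/Oct/2025:04:00:00 +0000] "GET /PLACEHOLDER/nmc_sync.php?template_path=%2Fetc%2Ftemplates HTTP/1.1" 200 12
192.0.2.44 - - [12/Oct/2025:05:30:11 +0000] "GET /PLACEHOLDER/nmc_sync.php?template_path=%60CMD%60 HTTP/1.1" 200 0
192.0.2.44 - - [12/Oct/2025:07:45:00 +0000] "GET /PLACEHOLDER/test.txt HTTP/1.1" 404 0
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3})')
SHELL_META = re.compile(r"[;|&`$<>\n]")   # characters a file path has no reason to carry
WINDOW = timedelta(minutes=5)             # assumed gap between injection and read-back

def detect(log_text):
    """Map client IP -> verdict for traffic matching the advisory's request pattern."""
    pending, verdicts = {}, {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ip, ts, target, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        url = urlsplit(target)
        if url.path.endswith("/nmc_sync.php"):
            # parse_qs percent-decodes, so encoded metacharacters are caught too
            values = parse_qs(url.query, keep_blank_values=True).get("template_path", [])
            if any(SHELL_META.search(v) for v in values):
                pending[ip] = when
                verdicts.setdefault(ip, "injection_attempt")
        elif url.path.endswith("/test.txt") and ip in pending:
            # a successful read-back shortly after the attempt suggests the command ran
            if when - pending[ip] <= WINDOW and status == "200":
                verdicts[ip] = "injection_with_readback"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in detect(SAMPLE_LOG).items():
        print(ip, verdict)
```

An `injection_with_readback` verdict warrants treating the appliance as compromised; an `injection_attempt` alone indicates probing and a reason to restrict access to the management interface.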