BDCOM Behavior Management and Auditing System OS Command Injection Vulnerability
Vulnerability
A critical OS command injection vulnerability has been identified in the BDCOM Behavior Management and Auditing System, affecting versions prior to 20250210. The flaw is in the 'log_operate_clear' function in the '/webui/modules/log/operate.mds' file: the 'start_code' parameter is not adequately validated before it is used in an operating system command, so a remote attacker who places shell metacharacters in that parameter can execute arbitrary system commands on the appliance. Successful exploitation can give the attacker unauthorized access to and control over the server, with potential impact on core business data and operations.
Impact
Exploitation of this vulnerability allows for arbitrary command execution on the server, leading to complete control over the system. This could include accessing or modifying sensitive data, disrupting services, and potentially moving laterally within an internal network to compromise other systems.
Reproduction
To reproduce this vulnerability, send a POST request to the '/webui/' endpoint with the 'g' parameter set to 'log_operate_clear' and a 'start_code' value that contains a shell metacharacter (such as a semicolon or a pipe) followed by the command to run. Because the parameter is not validated, the injected command is executed on the server. Redirecting the command's output to a file that is reachable over the web makes the result retrievable with an ordinary HTTP request, which is how execution can be confirmed.
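Detection for the request pattern described above, as an added example that is not part of the original advisory and not BDCOM code. It assumes that requests to the appliance can be inspected with their method, path, query string and POST body (for instance at a reverse proxy or WAF), and that a legitimate 'start_code' is a plain numeric value; that last point is an assumption, not something the advisory states. The sample requests in the block are constructed, not captured from a real device.

```python
"""Flag exploitation attempts against the BDCOM log_operate_clear endpoint.

Added example, not code from the advisory or from BDCOM. It assumes that
requests can be inspected with method, path, query string and POST body
(for instance at a reverse proxy or WAF), and that a legitimate
'start_code' is a plain numeric value (an assumption, not stated by the
advisory).
"""
import re
from urllib.parse import parse_qs, urlsplit

# Characters that let a value break out of a shell command: separators,
# pipes, redirections, command substitution and line breaks.
SHELL_META = re.compile(r"[;&|`$<>\n\r]")

# Assumed shape of a legitimate start_code (numeric). Anything else that is
# not outright shell syntax is reported as suspicious rather than ignored.
BENIGN_START_CODE = re.compile(r"^[0-9]{1,20}$")


def parse_request(method, url, body=""):
    """Merge query-string and body parameters into one dict of lists.

    parse_qs percent-decodes values, so an encoded %3B arrives here as ';'.
    A raw '&' in the body is a parameter separator, which is exactly why an
    attacker has to send it as %26 to reach the vulnerable parameter intact.
    """
    parts = urlsplit(url)
    params = {}
    for source in (parts.query, body):
        for key, values in parse_qs(source, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return {"method": method.upper(), "path": parts.path, "params": params}


def classify(req):
    """Return 'exploit', 'suspicious' or 'benign' for a parsed request."""
    if not req["path"].startswith("/webui/"):
        return "benign"
    if "log_operate_clear" not in req["params"].get("g", []):
        return "benign"
    verdict = "benign"
    for value in req["params"].get("start_code", []):
        if SHELL_META.search(value):
            return "exploit"
        if not BENIGN_START_CODE.match(value):
            verdict = "suspicious"
    return verdict


# Constructed sample traffic (not captured from a real appliance).
SAMPLES = {
    "injection_semicolon": ("POST", "/webui/?g=log_operate_clear",
                            "start_code=20250101%3Bid%3Eout.txt"),
    "injection_pipe": ("POST", "/webui/",
                       "g=log_operate_clear&start_code=1%7Cid"),
    "legitimate_clear": ("POST", "/webui/?g=log_operate_clear",
                         "start_code=20250101"),
    "odd_value": ("POST", "/webui/?g=log_operate_clear",
                  "start_code=abc"),
    "other_function": ("POST", "/webui/?g=log_operate_list",
                       "start_code=1%3Bid"),
    "unrelated": ("GET", "/index.html", ""),
}


def run_samples():
    """Classify every constructed sample; returns {name: verdict}."""
    return {name: classify(parse_request(*req)) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:20s} {verdict}")
```

The check is deliberately scoped to the function the advisory names; the same 'g' parameter dispatches to other functions, so if other parameters of '/webui/' turn out to be affected, the 'g' comparison is the one line to widen. Because 'g' can arrive in either the query string or the body, both are merged before the comparison.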
Remediation
BDCOM has been contacted about this vulnerability but has not responded. Versions from 20250210 onward are not listed as affected, so where that build is available, upgrade to it. Until an official fix is confirmed, restrict access to the '/webui/' management interface to trusted administrative networks, and monitor for requests that set 'g=log_operate_clear' with a 'start_code' value containing shell metacharacters. Users are advised to watch for official patches or updates from the vendor.
