Sangfor Operation and Maintenance Management System Command Injection Vulnerability
Vulnerability
A command injection vulnerability has been identified in Sangfor Operation and Maintenance Management System (OSM) versions prior to 3.0.8. The issue resides in the 'uploadCN' function of 'VersionController.java', where the application fails to adequately sanitize the 'filename' parameter in multipart/form-data upload requests. This lack of proper validation allows shell metacharacters to be injected, which are then executed as arbitrary system commands. The vulnerability can be exploited remotely, with the injected commands executed under the application's privileges, typically root or tomcat.
Impact
Exploitation of this vulnerability allows for arbitrary command execution on the server, with the commands executed as the application user, which is usually root or tomcat.
Reproduction
To reproduce this vulnerability, send a POST request to the '/system/version/upload_CN' endpoint with a malicious filename that includes command injection payloads, such as 'a.txt;whoami>bc.txt;1.txt'. The filename must be exactly 25 characters long to bypass application checks. Once the request is processed, the injected command's output can be retrieved from the server.
Remediation
It is recommended to implement strict validation for filenames, allowing only alphanumeric characters and dots. Additionally, avoid executing commands through the shell; instead, use Java's native file handling APIs. If shell execution is necessary, utilize 'ProcessBuilder' with a list of arguments to prevent injection.
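As an added illustration of that remediation (example code written for this page, not Sangfor's own 'VersionController.java'), the hypothetical vulnerable shape is shown beside the hardened form: an allow-list check on the filename, plain file APIs instead of a shell, and 'ProcessBuilder' with an argument list where an external tool is unavoidable. The class, method and tool names and the sample filenames are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;
import java.util.regex.Pattern;

public class UploadNameGuard {
    // Allow only alphanumerics and dots, as the remediation recommends.
    private static final Pattern SAFE_NAME = Pattern.compile("^[A-Za-z0-9.]+$");

    // Rejects anything outside the allow-list, plus names made only of
    // dots ("." or ".."), which would otherwise resolve to a directory.
    static String requireSafeName(String filename) {
        if (filename == null || !SAFE_NAME.matcher(filename).matches()
                || filename.chars().allMatch(c -> c == '.')) {
            throw new IllegalArgumentException("rejected upload filename");
        }
        return filename;
    }
    // Hypothetical vulnerable shape (not the product's code): the filename is
    // spliced into a shell command line, so ';' and similar characters in it
    // are parsed by sh as command separators.
    static Process unsafeMove(String filename, Path uploadDir, Path destDir) throws IOException {
        String cmd = "mv " + uploadDir.resolve(filename) + " " + destDir;
        return Runtime.getRuntime().exec(new String[] {"sh", "-c", cmd});
    }
    // Hardened: validate first, then use the file API; no shell is involved.
    static Path safeMove(String filename, Path uploadDir, Path destDir) throws IOException {
        String name = requireSafeName(filename);
        return Files.move(uploadDir.resolve(name), destDir.resolve(name));
    }
    // If an external tool really must run, hand it an argument list: the
    // filename becomes one argv element and is never parsed by a shell.
    static int inspectWithTool(String filename, Path uploadDir) throws IOException, InterruptedException {
        String name = requireSafeName(filename);
        Process p = new ProcessBuilder(List.of("/usr/bin/file", "--", uploadDir.resolve(name).toString()))
                .redirectErrorStream(true).start();
        p.getInputStream().transferTo(System.out);
        return p.waitFor();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample upload in temporary directories.
        Path up = Files.createTempDirectory("up"), dest = Files.createTempDirectory("dest");
        Files.writeString(up.resolve("v3.0.8.bin"), "constructed sample upload");
        System.out.println("moved to " + safeMove("v3.0.8.bin", up, dest));
        try { requireSafeName("a.txt;whoami>bc.txt;1.txt"); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The length check alone does nothing here; a name that passes the allow-list cannot carry a shell metacharacter, and 'Files.move' never consults a shell at all.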