Sangfor Operation and Maintenance Management System OS Command Injection Vulnerability
Vulnerability
A critical remote command execution vulnerability has been identified in Sangfor Operation and Maintenance Management System (OSM) versions prior to 3.0.8. The issue resides in the SessionController function within the file '/isomp-protocol/protocol/session'. The vulnerability arises because the application fails to properly sanitize user input in the 'hostname' parameter of an HTTP POST request. This lack of input validation allows an unauthenticated remote attacker to inject commands, which are then executed by the system shell with the privileges of the web service, typically 'root' or 'tomcat'.
Impact
Exploitation of this vulnerability allows for unauthorized remote command execution on the affected system.
Reproduction
To reproduce this vulnerability, send an HTTP POST request to the '/isomp-protocol/protocol/session' endpoint. Include a payload in the 'hostname' parameter that injects a command, such as 'id', and redirects the output to a file in the web server's document root. After the request is processed, the injected command's output can be retrieved from the specified file.
Remediation
It is recommended to implement input validation for the 'hostname' parameter to restrict it to alphanumeric characters, dots, and hyphens. Additionally, refactor the code to use 'java.lang.ProcessBuilder' for executing commands, which allows for safer handling of command-line arguments.
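One way to implement both recommendations above, given as an added example and not code from Sangfor or the OSM product: a small Java helper that allow-lists the hostname and then hands it to ProcessBuilder as its own argv element, so no shell ever parses the value. The page does not say which command the session endpoint runs, so the example assumes a "ping" invocation; the class and method names are invented for illustration, and it needs Java 11 or later for List.of and readAllBytes. It goes slightly beyond the page's rule by also rejecting a leading hyphen, so a value cannot be read as a command-line option by the invoked tool.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added example (not Sangfor's code): validating a user-supplied hostname
 * and executing an external command without a shell.
 */
public final class HostnameCommand {

    // Allow-list: letters, digits, dots and hyphens, bounded to DNS length.
    // The first character may not be '-', so the value can never be mistaken
    // for an option flag by the program it is passed to (stricter than the
    // page's rule, which would permit a leading hyphen).
    private static final Pattern SAFE_HOSTNAME =
            Pattern.compile("^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$");

    private HostnameCommand() {}

    /** Returns the input unchanged if it is a safe hostname, otherwise throws. */
    public static String validateHostname(String input) {
        if (input == null || !SAFE_HOSTNAME.matcher(input).matches()) {
            throw new IllegalArgumentException("hostname rejected by allow-list");
        }
        return input;
    }

    /**
     * VULNERABLE pattern, shown only for contrast: the untrusted value is
     * concatenated into a string that /bin/sh parses, so shell metacharacters
     * (';', '|', '$(...)') in the input become additional commands.
     */
    public static Process vulnerableRun(String hostname) throws IOException {
        return Runtime.getRuntime()
                .exec(new String[] {"/bin/sh", "-c", "ping -c 1 " + hostname});
    }

    /**
     * HARDENED pattern: validate first, then build argv directly. Each element
     * is passed to execve as a separate argument; no shell is involved, so the
     * input is only ever treated as data.
     */
    public static Process safeRun(String hostname) throws IOException {
        String host = validateHostname(hostname);
        List<String> argv = List.of("/bin/ping", "-c", "1", host);
        return new ProcessBuilder(argv)
                .redirectErrorStream(true)   // keep stderr with stdout
                .start();
    }

    /** Runs the hardened command and returns exit code plus captured output. */
    public static String runAndCapture(String hostname)
            throws IOException, InterruptedException {
        Process p = safeRun(hostname);
        byte[] out = p.getInputStream().readAllBytes();
        int code = p.waitFor();
        return "exit=" + code + "\n" + new String(out, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed inputs: one legitimate name, one carrying a shell
        // metacharacter, one starting with a hyphen. Only validation runs here
        // so the demo needs no network access.
        for (String candidate : new String[] {"host-1.example.com", "localhost; id", "-c"}) {
            try {
                validateHostname(candidate);
                System.out.println("accepted: " + candidate);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + candidate);
            }
        }
    }
}
```

The allow-list is the primary control; ProcessBuilder with an argument list removes the shell from the picture entirely, so even an input that slipped past validation could not chain a second command, only influence what the invoked program itself does with one argument. Both are worth keeping: the regex also protects against option injection and oversized values that the argv form alone does not address.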
