Sangfor Operation and Maintenance Management System Command Injection Vulnerability in SSH Protocol Handler
Vulnerability
A critical remote code execution vulnerability has been identified in Sangfor Operation and Maintenance Management System (OSM) versions through 3.0.12. The issue resides in the SSH Protocol Handler, specifically within the SessionController function of the file '/isomp-protocol/protocol/session'. The vulnerability arises from improper input sanitization of the 'keypassword' parameter in HTTP POST requests, allowing OS command injection. The output of the injected command can be retrieved by directing it to a web-accessible file.
Impact
Exploitation of this vulnerability allows for arbitrary command execution on the server, with the executed commands' output potentially accessible via the web.
Reproduction
To reproduce this vulnerability, send a POST request to '/isomp-protocol/protocol/session' with the 'protocol' parameter set to 'ssh'. Include a 'keyPath' parameter pointing to a file that is guaranteed to exist but is not a private RSA key, so that the initial checks are bypassed. The 'keypassword' parameter is crafted to inject a command, such as 'id', which is then executed on the server. The command output can be redirected to a file in a web-accessible directory.
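Sample detection logic, added here as an editor's example and not code from Sangfor or from the advisory's source: it flags POST requests to the session endpoint named above whose 'keypassword' value carries shell metacharacters. The request triples and their form bodies are constructed; the check is meant as a review signal for WAF or proxy logs, since a legitimate passphrase can also contain such characters.

```python
import re
from urllib.parse import parse_qs, urlparse

# Endpoint and parameter names come from the advisory above.
TARGET_PATH = "/isomp-protocol/protocol/session"

# Characters that let a value break out of a single shell argument. A genuine
# key passphrase may contain some of these, so a hit is a review signal, not proof.
SHELL_META = re.compile(r"[;&|`$<>\n]")


def is_suspicious_session_request(method, path, body):
    """Return (flagged, reason) for one request to the OSM session endpoint.

    `body` is the percent-encoded form body as it appears on the wire; parse_qs
    decodes it, so an encoded %3B is inspected as the ';' the handler would see.
    """
    if method.upper() != "POST" or urlparse(path).path != TARGET_PATH:
        return False, "not the session endpoint"
    params = parse_qs(body, keep_blank_values=True)
    if params.get("protocol", [""])[0].lower() != "ssh":
        return False, "not the SSH protocol handler"
    keypassword = params.get("keypassword", [""])[0]
    hit = SHELL_META.search(keypassword)
    if hit:
        return True, f"shell metacharacter {hit.group()!r} in keypassword"
    return False, "keypassword looks like a plain passphrase"


# Constructed sample requests (not captured traffic): (method, path, body).
SAMPLES = [
    # ';' encoded as %3B: passphrase field used to chain a second command
    ("POST", TARGET_PATH, "protocol=ssh&keyPath=/etc/hostname&keypassword=pass%3Bid"),
    # ordinary passphrase, no metacharacters
    ("POST", TARGET_PATH, "protocol=ssh&keyPath=/home/ops/id_rsa&keypassword=correct-horse"),
    # metacharacter present but a different protocol handler, outside this advisory
    ("POST", TARGET_PATH, "protocol=rdp&keypassword=a%3Bb"),
    # wrong method
    ("GET", TARGET_PATH, ""),
]


def scan(samples):
    """Apply the check to each sample and return the list of flags."""
    return [is_suspicious_session_request(*s)[0] for s in samples]


if __name__ == "__main__":
    for sample, flagged in zip(SAMPLES, scan(SAMPLES)):
        print("ALERT" if flagged else "ok   ", sample[0], sample[2])
```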