Sangfor Operation and Maintenance Security Management System Command Injection Vulnerability Allowing Remote Code Execution
Vulnerability
A critical remote code execution vulnerability has been identified in Sangfor Operation and Maintenance Security Management System (OSM) versions through 3.0.12. The issue resides in the 'getInformation' function of the 'FortEquipmentNodeController' class, within the HTTP POST Request Handler component. The vulnerability arises because the application does not properly validate the 'fortEquipmentIp' parameter in requests to '/equipment/get_Information'. This lack of sanitization allows authenticated (or potentially unauthenticated) attackers to inject malicious commands into the system shell by using command separators. The injected commands are executed with the same privileges as the web application user.
Impact
Exploitation of this vulnerability allows for arbitrary command execution on the server, with the executed commands' output returned in the response.
Reproduction
To reproduce this vulnerability, send a POST request to '/equipment/get_Information' with a crafted 'fortEquipmentIp' parameter. The parameter should contain a valid IP address followed by a command injection payload, such as a command terminated with a semicolon. If the injection succeeds, the response includes the output of the executed command.
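The root cause described above is an IP-address parameter that reaches a shell without validation. The following is an added example, not Sangfor's code or any code from the advisory, showing the defensive side of that pattern: the unsafe string interpolation beside a hardened form that accepts only IP literals and builds an argv list, plus a detection routine that scans constructed request-log lines for 'fortEquipmentIp' values sent to '/equipment/get_Information' that carry shell metacharacters. The log format, the 'ping' probe and all sample values are assumptions made for illustration.

```python
"""Input validation and log-side detection for an IP-address parameter that
is spliced into a shell command (the pattern the advisory describes).

Added example, not Sangfor's code. The log line format, the ping probe and
the sample values are constructed for illustration.
"""
import ipaddress
import re
from urllib.parse import unquote

# Characters that let a value escape a single shell word: separators, pipes,
# redirections, substitutions and quoting.
SHELL_METACHARS = re.compile(r"[;&|`$<>\n\r(){}\\'\"]")

VULNERABLE_PATH = "/equipment/get_Information"  # path named in the advisory
PARAM_RE = re.compile(r"fortEquipmentIp=([^\s&]*)")


def validate_equipment_ip(raw: str) -> str:
    """Accept only a syntactically valid IPv4/IPv6 literal; return canonical form.

    Anything else (hostnames, trailing shell text) raises ValueError, so the
    caller never works with an unvalidated string.
    """
    value = raw.strip()
    try:
        return str(ipaddress.ip_address(value))
    except ValueError as exc:
        raise ValueError(f"fortEquipmentIp is not an IP literal: {raw!r}") from exc


def vulnerable_command_string(raw_ip: str) -> str:
    """Anti-pattern: untrusted value interpolated into a string handed to a shell.

    A value such as '10.0.0.5; echo hi' becomes two commands once the shell
    parses the separator. Returned, never executed, here.
    """
    return f"ping -c 1 {raw_ip}"


def hardened_probe_argv(raw_ip: str) -> list:
    """Hardened form: validate first, then build an argv list for subprocess.run
    (no shell involved, so separators in the input are never interpreted)."""
    ip = validate_equipment_ip(raw_ip)
    return ["ping", "-c", "1", ip]


def is_suspicious_value(raw: str) -> bool:
    """True when a URL-encoded parameter value decodes to something that is not
    an IP literal or carries shell metacharacters (detection, not enforcement)."""
    decoded = unquote(raw)
    if SHELL_METACHARS.search(decoded):
        return True
    try:
        validate_equipment_ip(decoded)
    except ValueError:
        return True
    return False


# Constructed access-log lines in the form "<method> <path> <query>"; not real traffic.
SAMPLE_REQUEST_LOG = [
    "POST /equipment/get_Information fortEquipmentIp=10.0.0.5",
    "POST /equipment/get_Information fortEquipmentIp=10.0.0.5%3Becho%20hi",
    "POST /equipment/get_Information fortEquipmentIp=192.168.1.10%7Cuname",
    "POST /equipment/get_Information fortEquipmentIp=fe80%3A%3A1",
    "POST /equipment/list fortEquipmentIp=10.0.0.7%3Becho%20hi",
]


def find_injection_attempts(lines):
    """Return (line_index, decoded_value) for requests to the vulnerable path
    whose fortEquipmentIp value looks like an injection attempt."""
    hits = []
    for i, line in enumerate(lines):
        parts = line.split()
        if len(parts) < 3 or parts[1] != VULNERABLE_PATH:
            continue
        m = PARAM_RE.search(parts[2])
        if m and is_suspicious_value(m.group(1)):
            hits.append((i, unquote(m.group(1))))
    return hits


if __name__ == "__main__":
    for idx, value in find_injection_attempts(SAMPLE_REQUEST_LOG):
        print(f"line {idx}: suspicious fortEquipmentIp={value!r}")
```

The detector deliberately decodes before matching, since percent-encoded separators bypass a check on the raw query string, and it only flags requests to the affected path so that the same parameter name on other endpoints does not produce noise.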