FastNetMon
- <= 1.2.9
A command injection vulnerability has been identified in the FastNetMon Community Edition router integration plugin for Juniper devices, affecting versions through 1.2.9. The vulnerability arises in the logging function of the Juniper plugin, where unsanitized data from command-line arguments is directly concatenated into shell commands executed by the PHP 'exec()' function. This flaw allows for arbitrary command execution, as shell metacharacters in the injected data can be used to manipulate the command execution process. The issue is particularly concerning because the plugin can be invoked in ways that bypass FastNetMon's usual input sanitization, potentially leading to exploitation in future versions or through direct script invocation.
Exploitation of this vulnerability allows for OS command injection, with the executed commands running in the context of the user executing the PHP script. In production environments, this is often the FastNetMon process user, which may have elevated privileges, especially when the Juniper plugin is used to manage router configurations.
To reproduce this vulnerability, invoke the FastNetMon Juniper integration plugin script 'fastnetmon_juniper.php' directly from the command line or through an orchestration system. The script should be called with command-line arguments whose IP address parameter contains shell metacharacters, such as backticks or semicolons. This can be done by crafting an argument that exploits the command injection flaw, for example by placing a command such as 'id' inside backticks in the IP address argument. Once the script runs, the injected command is executed by the shell, demonstrating the OS command injection vulnerability.
The vulnerability can be fixed by replacing the 'exec()' function with 'file_put_contents()' to write logs directly to a file without involving the shell. If 'exec()' must be used, it's essential to sanitize all input parameters with 'escapeshellarg()' to neutralize any shell metacharacters.
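The two remediations described above, shown side by side with the vulnerable logging pattern, as an added example. This is illustrative code written for this page, not FastNetMon's plugin source; the function names, log path and the constructed test value are hypothetical.

```php
<?php
// Added example, not FastNetMon's code. Function names and paths are hypothetical.

// Vulnerable pattern: an attacker-influenced value is concatenated into a shell
// command string, so any shell metacharacter in $ip becomes part of the command.
function log_attack_vulnerable(string $ip, string $action, string $logfile): void {
    exec("echo \"$action $ip\" >> $logfile");
}

// Fix 1 (preferred): append the log line with file_put_contents(). No shell is
// involved, so metacharacters are stored literally and never interpreted.
function log_attack_safe(string $ip, string $action, string $logfile): bool {
    $line = date('c') . " action=$action ip=$ip\n";
    return file_put_contents($logfile, $line, FILE_APPEND | LOCK_EX) !== false;
}

// Fix 2: if a shell must be used, pass every parameter through escapeshellarg(),
// which wraps the value in single quotes and escapes embedded single quotes,
// so the whole value is delivered to the command as one literal argument.
function log_attack_escaped(string $ip, string $action, string $logfile): void {
    $cmd = sprintf('echo %s >> %s', escapeshellarg("$action $ip"), escapeshellarg($logfile));
    exec($cmd);
}

// Defence in depth: the parameter is supposed to be an IP address, so reject
// anything that does not parse as one before it reaches any sink at all.
function require_ip(string $candidate): string {
    if (filter_var($candidate, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException("not an IP address: $candidate");
    }
    return $candidate;
}

// Demo with a constructed, harmless value that carries a shell metacharacter.
$logfile = sys_get_temp_dir() . '/fnm_example.log';   // hypothetical log path
$suspect = '192.0.2.1; echo injected';                 // constructed test value

log_attack_safe($suspect, 'ban', $logfile);   // the ';' is written literally, nothing runs
echo file_get_contents($logfile);

try {
    require_ip($suspect);                     // validation rejects the value outright
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

Running the script appends a line such as `... action=ban ip=192.0.2.1; echo injected` to the log and then prints `rejected: not an IP address: 192.0.2.1; echo injected`, because the value never reaches a shell in either hardened path. The input validation is worth keeping even after switching to file_put_contents(): the advisory notes the plugin can be reached in ways that bypass FastNetMon's own sanitization, so the script should not rely on its caller having cleaned the arguments.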