FastNetMon Community Edition MikroTik Plugin OS Command Injection Vulnerability

Vulnerability

A command injection vulnerability has been identified in the FastNetMon Community Edition MikroTik router integration plugin, affecting versions through 1.2.9. The vulnerability arises from the `_log()` function in `fastnetmon_mikrotik.php`, where shell commands are built by directly concatenating unsanitized command-line argument data into `exec()` calls, so an attacker who controls that data can inject arbitrary shell commands. Additionally, the plugin contains hardcoded MikroTik API credentials, which can be abused if the router's API port is reachable.

Impact

Exploitation of this vulnerability allows OS command injection: an attacker can execute arbitrary commands on the server running FastNetMon. Furthermore, the hardcoded MikroTik API credentials present in the plugin could lead to unauthorized changes to the router's configuration, such as adding or removing blackhole routes, modifying firewall rules, or creating new users with full privileges.

Reproduction

The vulnerability can be reproduced by supplying command-line argument data that reaches the `$msg` parameter unsanitized. A crafted argument containing shell metacharacters is concatenated into the command string and executed on the server via the `exec()` function, demonstrating the OS command injection flaw.

Remediation

Users are advised to update the FastNetMon MikroTik plugin to a version that removes both the command injection vulnerability and the hardcoded credentials. The plugin should be modified to externalize credentials into a secure configuration file, and the `exec()` call in `_log()` should be replaced with `file_put_contents()` so that log data is written directly to the file and never passes through a shell.
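The remediation above, as an added illustration that is not the plugin's own code: a hypothetical `_log()` in the vulnerable shape the advisory describes, next to a hardened version that uses `file_put_contents()` and loads credentials from a config file. The log path, config path and INI key names are assumptions.

```php
<?php
// Added illustration, not code from fastnetmon_mikrotik.php.

// VULNERABLE shape (hypothetical reconstruction): $msg is concatenated into a
// command line, so any shell metacharacters it contains are interpreted by
// /bin/sh when exec() runs the string.
function _log_vulnerable(string $msg): void
{
    $logfile = '/var/log/fastnetmon_mikrotik.log'; // assumed path
    exec('echo "' . date('c') . ' ' . $msg . '" >> ' . $logfile);
}

// HARDENED: write the line with file_put_contents(). No shell is spawned, so
// the content of $msg cannot change what the process does.
function _log_safe(string $msg): void
{
    $logfile = '/var/log/fastnetmon_mikrotik.log'; // assumed path
    // Replace control characters so a message cannot forge extra log lines.
    $clean = preg_replace('/[\x00-\x1F\x7F]/', '?', $msg);
    $line  = date('c') . ' ' . $clean . PHP_EOL;
    file_put_contents($logfile, $line, FILE_APPEND | LOCK_EX);
}

// Credentials are read from a root-owned, mode 0600 INI file instead of being
// hardcoded in the script. Path and key names are assumptions.
function load_router_credentials(string $path = '/etc/fastnetmon/mikrotik.ini'): array
{
    $cfg = parse_ini_file($path, false, INI_SCANNER_RAW);
    if ($cfg === false || !isset($cfg['host'], $cfg['user'], $cfg['password'])) {
        throw new RuntimeException("MikroTik API credentials missing in $path");
    }
    return $cfg;
}

// FastNetMon passes attack details to the plugin as argv. Every element is
// untrusted data and is only ever written to the log, never run.
$msg = implode(' ', array_slice($argv, 1));
_log_safe($msg);
```

If a shell command is ever unavoidable elsewhere in the plugin, each untrusted value must at minimum be wrapped in `escapeshellarg()`; the `file_put_contents()` route avoids the problem entirely for logging.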

Added: May 26, 2026, 10:33 PM
Updated: May 26, 2026, 10:33 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 4.6
remediation: 0.0
relevance: 9.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.