Vps-Inventory-Monitoring Code Injection Vulnerability Leading to Authenticated Remote Code Execution

Vulnerability

A code injection vulnerability has been identified in Vps-Inventory-Monitoring in versions prior to commit 98c00b370668c96ae75e91c15548d9ea113652d9. The flaw is in the VpsTest console command, app/index/command/VpsTest.php, which passes the stored 'vf' ("validation function") value of a monitoring entry to PHP's eval(). Because any authenticated user can set the 'vf' field when saving a monitoring entry, that user controls PHP source that is later executed on the server. The vulnerability can be exploited remotely, and an exploit has been publicly disclosed.

Impact

Exploitation of this vulnerability gives an authenticated user remote code execution on the server. The injected code runs with the privileges of whichever account executes 'php think VpsTest', typically the cron or scheduler user, or an administrator who invokes the command manually. This could lead to a full compromise of the application and its database, deployment of a web shell for persistent access, and potential pivoting into the host operating system and connected infrastructure.

Reproduction

To reproduce this vulnerability, an authenticated user submits a monitoring entry through the 'validation function' field on the monitor-edit page, placing PHP code in the field instead of a validation rule; the publicly disclosed exploit writes a web shell to the document root. Nothing happens at save time. The injected code runs when 'php think VpsTest' is next executed, either manually or by the scheduled task, and evaluates the stored 'vf' value.

Remediation

It is recommended to remove the use of 'eval()' entirely and replace the 'validation function' feature with a safer alternative, such as a small allow-list of declarative checks (expected HTTP status, expected substring) that is parsed and validated on save and at run time. If executing user-provided code is genuinely necessary, it should be done in a controlled, sandboxed environment, not in the application process. Additionally, requiring administrator authorization for monitoring entry modifications and logging changes to the 'vf' field limit who can plant a payload and make a successful attempt traceable. Deployments built from the repository can confirm the fix is present with 'git merge-base --is-ancestor 98c00b370668c96ae75e91c15548d9ea113652d9 HEAD', and existing 'vf' values in the database should be reviewed for anything that is not a plain validation rule before the scheduled task runs again.
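The following is an added example written for this advisory, not code from the Vps-Inventory-Monitoring project. It models the vulnerable pattern the advisory describes ('eval()' over a stored, user-controlled 'vf' value) beside a hardened replacement in which 'vf' holds a declarative rule rather than code. The entry layout, the function names checkVulnerable, checkHardened and parseRule, and the 'status:' and 'contains:' rule forms are assumptions made for illustration; the payload string is constructed to show the class of input involved and is never executed here.

```php
<?php
// Added example for the advisory above; not the project's own code.
// Entry layout, function names and the rule syntax are assumptions.
declare(strict_types=1);

// Constructed sample of a monitoring entry as it might be read back from the
// database. The 'vf' value is the kind of payload the advisory describes:
// arbitrary PHP that drops a web shell when the console command runs it.
$entry = [
    'name' => 'example-vps',
    'vf'   => 'file_put_contents("public/s.php", "<?php system($_GET[\"c\"]); ?>"); return true;',
];

// Constructed probe result that a validation rule would be checked against.
$response = ['status' => 200, 'body' => 'OK'];

// Vulnerable pattern (shown for contrast, never invoked below): whatever an
// authenticated user typed into the "validation function" field becomes PHP
// source the moment `php think VpsTest` runs.
function checkVulnerable(array $entry, array $response): bool
{
    $result = $response; // exposed to the evaluated snippet
    return (bool) eval($entry['vf']);
}

// Hardened replacement: 'vf' is data, not code. Only two rule forms are
// accepted (assumed syntax): "status:<code>" and "contains:<text>". Anything
// else is rejected, so the same check can run on save and again at run time.
function parseRule(string $vf): array
{
    if (!preg_match('/^(status|contains):(.*)$/s', $vf, $m)) {
        throw new InvalidArgumentException('unknown validation rule: ' . substr($vf, 0, 40));
    }
    return [$m[1], $m[2]];
}

function checkHardened(array $entry, array $response): bool
{
    [$kind, $arg] = parseRule($entry['vf']);
    switch ($kind) {
        case 'status':
            // Require a pure integer; "200 || true" style input fails here.
            return ctype_digit($arg) && (int) $arg === $response['status'];
        case 'contains':
            // Substring match on the response body; the argument is never interpreted.
            return strpos($response['body'], $arg) !== false;
        default:
            return false;
    }
}

// Driver: the stored payload is rejected by the parser instead of being executed,
// while a legitimate rule is evaluated normally.
try {
    checkHardened($entry, $response);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . PHP_EOL;
}
var_dump(checkHardened(['name' => 'example-vps', 'vf' => 'status:200'], $response));
var_dump(checkHardened(['name' => 'example-vps', 'vf' => 'contains:Forbidden'], $response));
```

The important property of the hardened form is that the rejected path is reached before any interpretation of the field, so the same parseRule() call can gate the monitor-edit save handler; a payload like the one in $entry then never reaches the database, and entries already stored can be re-validated in bulk by running parseRule() over the existing 'vf' column.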

Added: May 26, 2026, 9:24 PM
Updated: May 26, 2026, 9:24 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 6.6
remediation: 0.0
relevance: 9.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.