CVE-2012-0261

Source: cve@mitre.org

HIGH
10.0
Published: December 31, 2013 at 08:55 PM
Modified: April 11, 2025 at 12:51 AM

Vulnerability Description

license.php in system-portal before 1.6.2 in op5 Monitor and op5 Appliance before 5.5.3 allows remote attackers to execute arbitrary commands via shell metacharacters in the timestamp parameter for an install action.

CVSS Metrics

Base Score
10.0
Severity
HIGH
Vector String
AV:N/AC:L/Au:N/C:C/I:C/A:C

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Remote code execution (RCE) is possible on vulnerable op5 Monitor and op5 Appliance systems due to a command injection vulnerability in the license.php script. Attackers can leverage this flaw to execute arbitrary commands on the server, potentially leading to complete system compromise and data exfiltration.

02 // Vulnerability Mechanism

Step 1: Payload Delivery. The attacker crafts a malicious HTTP request to license.php on the target system. This request includes the install action and a specially crafted timestamp parameter containing shell metacharacters (e.g., ;, |, &&).

Step 2: Command Injection. The license.php script processes the request and incorporates the attacker-controlled timestamp value into a system command (e.g., a call to system() or exec()).

Step 3: Command Execution. The shell metacharacters in the timestamp parameter are interpreted by the operating system's shell, allowing the attacker to execute arbitrary commands on the server.

Step 4: Post-Exploitation. The attacker can use the executed commands to achieve various objectives, such as gaining a reverse shell, uploading malware, or exfiltrating sensitive data.

03 // Deep Technical Analysis

The vulnerability stems from insufficient input validation and sanitization of the timestamp parameter within the license.php script when handling the install action. The script fails to properly escape shell metacharacters, allowing an attacker to inject malicious commands. Specifically, the script likely uses the timestamp parameter in a command-line call without proper sanitization, leading to command injection. The root cause is a lack of secure coding practices, specifically the failure to validate and sanitize user-supplied input before using it in a system command. This allows an attacker to control the execution flow of the underlying operating system.

04 // Exploitation Status

Public PoC is likely available. Given the age and nature of the vulnerability, it is highly probable that exploits are readily available and that the vulnerability is **actively exploited** in the wild.

05 // Threat Intelligence

While no specific APT groups are definitively linked to this CVE, the ease of exploitation makes it attractive to a wide range of attackers, including those seeking initial access. The vulnerability could be used as part of a larger attack chain. CISA KEV status: Not Listed.

06 // Detection & Hunting

  • Network Intrusion Detection Systems (NIDS) can be configured to detect malicious HTTP requests containing shell metacharacters in the timestamp parameter of requests to license.php.

  • Web Application Firewalls (WAFs) can be deployed to filter out malicious requests based on signatures or behavioral analysis.

  • Review web server access logs for suspicious activity, such as unusual HTTP requests to license.php with long or complex timestamp parameters.

  • Monitor system logs for unexpected processes or command executions that originate from the web server user.

  • Implement file integrity monitoring to detect unauthorized changes to critical system files.
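The log-review item above can be turned into a repeatable hunt. The following is an added example, not code from the advisory or from op5: it parses constructed access-log lines (combined log format, sample data only), isolates requests to license.php, and flags any timestamp value that is not a plain integer, noting whether it carries shell metacharacters. The allow-list assumption (a legitimate timestamp is digits only) is the author's, not something the advisory states.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines for the demo; not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2012:10:00:00 +0000] "GET /license.php?action=install&timestamp=1325376000 HTTP/1.1" 200 512
192.0.2.11 - - [01/Jan/2012:10:00:05 +0000] "GET /license.php?action=install&timestamp=1325376000%3Bid HTTP/1.1" 200 512
192.0.2.12 - - [01/Jan/2012:10:00:09 +0000] "GET /index.php?page=status HTTP/1.1" 200 2048
192.0.2.13 - - [01/Jan/2012:10:00:12 +0000] "GET /license.php?action=install&timestamp=1325376000%26%26id HTTP/1.1" 500 0
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Assumption: a legitimate timestamp for the install action is an integer.
SAFE_TIMESTAMP = re.compile(r"^\d+$")
# Separators named in the advisory (; | &) plus other common shell metacharacters.
SHELL_META = re.compile(r"[;|&`$()<>\n]")


def inspect_request(target):
    """Return a finding dict for one request target, or None if it is not suspect."""
    parts = urlsplit(target)
    if not parts.path.endswith("/license.php"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    for raw in params.get("timestamp", []):
        value = unquote(raw)  # parse_qs already decoded once; catch double-encoding
        if SAFE_TIMESTAMP.match(value):
            continue
        return {
            "action": params.get("action", [""])[0],
            "timestamp": value,
            "has_shell_meta": bool(SHELL_META.search(value)),
        }
    return None


def hunt(log_text):
    """Scan access-log text; return (client_ip, finding) pairs for suspect requests."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        finding = inspect_request(m.group("target"))
        if finding:
            findings.append((line.split()[0], finding))
    return findings


if __name__ == "__main__":
    for ip, f in hunt(SAMPLE_LOG):
        print(ip, f)
```

Feed real access logs to hunt() in place of SAMPLE_LOG; a hit with has_shell_meta set is the signature of the injection attempt described in this advisory, while a hit without it is merely a malformed timestamp worth a look.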

07 // Remediation & Hardening

  • Upgrade system-portal to version 1.6.2 or later on op5 Monitor, and upgrade op5 Appliance to version 5.5.3 or later.

  • Implement input validation and sanitization on the timestamp parameter to ensure that it only contains expected characters and values.

  • Escape all user-supplied input before using it in system commands.

  • Do not build shell command strings from user input; where an external program must be invoked, pass arguments as a separate argument list (the command-execution equivalent of parameterized queries) so the shell never interprets the value.

  • Apply the principle of least privilege to the web server user account.

  • Regularly scan the system for vulnerabilities and apply security patches promptly.

  • Implement a Web Application Firewall (WAF) to filter malicious traffic.

08 // Affected Products

op5 Monitor (versions before 1.6.2)

op5 Appliance (versions before 5.5.3)

09 // Discovered Proof of Concept Links
