license.php in system-portal before 1.6.2 in op5 Monitor and op5 Appliance before 5.5.3 allows remote attackers to execute arbitrary commands via shell metacharacters in the timestamp parameter for an install action.
Remote attackers can achieve arbitrary command execution on vulnerable op5 Monitor and op5 Appliance systems by exploiting a command injection vulnerability in the license.php script. This flaw allows attackers to inject malicious commands through the timestamp parameter, leading to complete system compromise and potential data breaches.
Step 1: Payload Delivery: The attacker crafts a malicious HTTP request to license.php on the vulnerable op5 Monitor or op5 Appliance server. This request includes a specially crafted timestamp parameter containing shell metacharacters (e.g., ;, |, &&, ||).
Step 2: Command Injection: The license.php script processes the request and, without proper sanitization, incorporates the attacker-controlled timestamp value into a system command.
Step 3: Command Execution: The shell metacharacters in the timestamp parameter are interpreted by the operating system's command interpreter, allowing the attacker to execute arbitrary commands on the server.
Step 4: System Compromise: The attacker's injected commands are executed, potentially leading to data exfiltration, system takeover, or further exploitation of the network.
The vulnerability stems from insufficient input validation and sanitization of the timestamp parameter within the license.php script. Specifically, the script fails to properly escape or filter shell metacharacters before incorporating the timestamp value into a system command executed using a function like system(), exec(), or shell_exec(). This allows an attacker to inject arbitrary shell commands, effectively executing them with the privileges of the web server user. The root cause is a lack of secure coding practices, failing to properly sanitize user-supplied input before passing it to the operating system's command interpreter. This is a classic example of a command injection vulnerability.
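As an added illustration of the defect class described above (this is not op5's license.php code, which is not reproduced here): a hypothetical PHP handler that splices the timestamp parameter into a shell command, beside a hardened version that allow-lists the value as a plain integer and never hands it to a shell unquoted. The function names and the `date -d @<seconds>` invocation (GNU date) are assumptions made for the example.

```php
<?php
// Added example, not op5 code: the insecure pattern the advisory describes.
// $timestamp arrives straight from the request and is concatenated into a
// command string, so metacharacters such as ';' or '|' end the intended
// command and start an attacker-chosen one.
function format_license_date_insecure(string $timestamp): ?string
{
    // Hypothetical command; the real license.php internals are not shown here.
    $out = shell_exec("date -u -d @" . $timestamp . " +%Y-%m-%d");
    return is_string($out) ? trim($out) : null;
}

// Hardened version, step 1: validate against an allow-list before anything
// else. A Unix timestamp is a bounded run of ASCII digits; whitespace, ';',
// '|', '&&', '$(...)' and every other character is rejected outright.
function is_valid_timestamp(string $timestamp): bool
{
    return preg_match('/\A[0-9]{1,10}\z/', $timestamp) === 1;
}

// Hardened version, step 2: prefer no shell at all. PHP can format the date
// itself, so the user-supplied value never reaches a command interpreter.
function format_license_date_secure(string $timestamp): ?string
{
    if (!is_valid_timestamp($timestamp)) {
        return null;
    }
    return gmdate('Y-m-d', (int) $timestamp);
}

// Step 3: if a subprocess is genuinely unavoidable, quote each argument with
// escapeshellarg() so the shell sees one literal word, and still validate first.
function format_license_date_escaped(string $timestamp): ?string
{
    if (!is_valid_timestamp($timestamp)) {
        return null;
    }
    $cmd = 'date -u -d ' . escapeshellarg('@' . $timestamp) . ' +%Y-%m-%d';
    $out = shell_exec($cmd);
    return is_string($out) ? trim($out) : null;
}

// Constructed inputs: a benign timestamp and one carrying a metacharacter.
$benign  = '1700000000';
$hostile = '1700000000; id';
var_dump(format_license_date_secure($benign));   // string(10) "2023-11-14"
var_dump(format_license_date_secure($hostile));  // NULL: rejected by the allow-list
```

The insecure function is included only to show the shape of the bug; the demonstration calls the hardened path, which rejects the hostile value before any command is built.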