CVE-2012-0262

HIGH 10.0 / 10.0
Published: December 31, 2013 at 08:55 PM
Modified: April 11, 2025 at 12:51 AM
Source: cve@mitre.org

Vulnerability Description

op5config/welcome in system-op5config before 2.0.3 in op5 Monitor and op5 Appliance before 5.5.3 allows remote attackers to execute arbitrary commands via shell metacharacters in the password parameter.

CVSS Metrics

Base Score: 10.0
Severity: HIGH
Vector String: AV:N/AC:L/Au:N/C:C/I:C/A:C

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Remote code execution is possible in vulnerable op5 Monitor and op5 Appliance systems due to improper handling of user-supplied input in the op5config/welcome component. Attackers can leverage this flaw to execute arbitrary commands on the target system, potentially leading to complete system compromise and data exfiltration.

02 // Vulnerability Mechanism

Step 1: Target Identification: The attacker identifies a vulnerable op5 Monitor or op5 Appliance instance, likely through port scanning or other reconnaissance techniques.

Step 2: Payload Delivery: The attacker crafts a malicious HTTP request to the op5config/welcome endpoint, including a specially crafted password parameter containing shell metacharacters and a command to be executed (e.g., password=; id;).

Step 3: Command Injection: The vulnerable script receives the malicious input. Due to the lack of input validation, the shell metacharacters are not filtered or escaped.

Step 4: Command Execution: The script passes the unsanitized password parameter, including the injected command, to a shell command. The shell interprets the metacharacters and executes the attacker's command.

Step 5: Result Retrieval (Optional): The attacker may include commands to exfiltrate data or establish persistence, depending on the attacker's objectives.

03 // Deep Technical Analysis

The vulnerability stems from insufficient input validation within the op5config/welcome script when processing the password parameter. Specifically, the script fails to properly sanitize user-provided input before passing it to a shell command. This allows an attacker to inject shell metacharacters (e.g., ;, |, &&) into the password field, effectively constructing and executing arbitrary commands on the server. The root cause is the lack of proper input sanitization, which results in a command injection vulnerability.
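The vulnerable pattern described above next to its fixes, as an added Python illustration (not op5's code, which this page does not show). `printf` and `cat` are stand-ins for whatever command the script runs, and the sample password is constructed.

```python
import shlex
import subprocess

# Constructed sample input: a "password" carrying a shell metacharacter.
SAMPLE = "hunter2; echo INJECTED"


def _out(cmd, **kw):
    """Run cmd and return its stdout as text."""
    return subprocess.run(cmd, capture_output=True, text=True, check=True, **kw).stdout


def run_unsafe(password):
    """Vulnerable pattern: the value is pasted into a shell command line."""
    return _out("printf %s " + password, shell=True)


def run_quoted(password):
    """Stopgap when a shell is unavoidable: quote the value as one word."""
    return _out("printf %s " + shlex.quote(password), shell=True)


def run_argv(password):
    """No shell: the value is a single argv element and is never parsed."""
    return _out(["printf", "%s", password])


def run_stdin(password):
    """No shell, and the secret stays out of the process list."""
    return _out(["cat"], input=password)


if __name__ == "__main__":
    for fn in (run_unsafe, run_quoted, run_argv, run_stdin):
        print(f"{fn.__name__:10} -> {fn(SAMPLE)!r}")
```

Only `run_unsafe` lets the shell treat `;` as a command separator; the other three return the input unchanged. Rejecting metacharacters is a poor fix for a password field because it shrinks the allowed character set, so removing the shell from the path is the durable remedy.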
