### Key Information Summary

#### Vulnerability Overview

- **Vulnerability**: Unauthenticated Remote Command Execution (RCE) in Sangfor OSM via the getHis interface (no CVE identifier is given in this summary)
- **Vendor**: Sangfor (深信服)
- **Product Name**: Operation and Maintenance Management System (OSM)
- **Affected Versions**: 3.0.8 (possibly earlier versions as well)

#### Vulnerability Type

- **Type**: OS Command Injection

#### Description

- A critical Remote Command Execution (RCE) vulnerability exists in Sangfor OSM version 3.0.8 at the `/isomp-protocol/protocol/getHis` endpoint. The application does not properly sanitize the `sessionPath` parameter of HTTP POST requests before handing it to the system shell, so an unauthenticated attacker can run arbitrary OS commands on the appliance.

#### Asset Mapping

- **FOFA query**: `body="/fort/login" && product="SANGFOR-运维安全管理系统"`

#### Vulnerability Details and Root Cause

- **Unsafe Input Handling**: The `/isomp-protocol/protocol/getHis` endpoint accepts an attacker-controlled `sessionPath` parameter.
- **Insufficient Input Sanitization**: A regular-expression check exists, but it can be bypassed and does not reject shell metacharacters such as command delimiters.
- **Command Injection**: The command to run is built by string concatenation, `[Command] + [User Input]`, so the user input becomes part of the command line rather than a single argument.
- **Execution**: The `ShellExecutor` class passes the tainted string to the system shell, which interprets any injected delimiters and runs the attacker's command.

#### Proof of Concept (PoC)

1. Send a POST request to `/isomp-protocol/protocol/getHis` whose `sessionPath` value injects `whoami` and redirects its output into a file under the web-served static directory `/usr/local/tomcat/webapps/fort/trust/js/`.
2. Retrieve the written file with a browser; that directory is publicly accessible static content, so the command output confirms execution without any authentication.

#### Remediation Recommendations

1. **Input Validation**: Implement strict whitelist validation for the `sessionPath` parameter: accept only the characters a valid file path needs (for example letters, digits, `.`, `_`, `-` and `/`) and reject the request outright if anything else is present, rather than trying to strip or escape shell metacharacters. Additionally resolve the path and confirm it stays under the expected session directory.
2. **Secure Coding**: Stop passing a single concatenated command string through the shell, whether via `Runtime.exec(String)` or via `ProcessBuilder` with `sh -c`. Pass the program and each argument as separate list elements (`ProcessBuilder(List<String>)` or `Runtime.exec(String[])`) so that no shell ever parses the user-supplied value. Note that a list form is only safe if the list itself does not invoke a shell on user data; `new ProcessBuilder("sh", "-c", cmd + input)` is just as injectable as the original.
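The following Java class is an added example, not code from Sangfor OSM or from the advisory, that puts the root cause beside the two remediation points above. It is an assumption throughout: the class name `GetHisExample`, the base directory `SESSION_ROOT`, the methods `vulnerableGetHis`, `isSafeSessionPath`, `resolveSessionPath` and `hardenedGetHis`, and the use of `cat` as a stand-in for whatever command the real `ShellExecutor` wraps (the page does not name it) are all invented for illustration. The sample inputs in `main` are constructed, including an injection string shaped like the PoC (a delimiter followed by `whoami` redirected into the static `js` directory).

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;
import java.util.regex.Pattern;

public class GetHisExample {

    // Assumed base directory for session recordings (hypothetical; not from the advisory).
    private static final Path SESSION_ROOT = Paths.get("/var/lib/osm/sessions");

    // VULNERABLE shape described in the advisory: [Command] + [User Input] handed to a shell.
    // 'cat' stands in for whatever the real ShellExecutor wraps; the advisory does not name it.
    static Process vulnerableGetHis(String sessionPath) throws IOException {
        String cmd = "cat " + sessionPath;
        // /bin/sh -c parses ';', '|', '&&', '$(...)' and '>' inside the concatenated string,
        // so an input like "x;whoami>/usr/local/tomcat/webapps/fort/trust/js/o.txt"
        // runs whoami as a second command and drops its output into the static directory.
        return new ProcessBuilder("/bin/sh", "-c", cmd).start();
    }

    // Whitelist: each path segment is letters, digits, '.', '_' or '-' and starts with a
    // letter or digit, so shell metacharacters, empty segments, leading '/' and ".." are
    // all rejected. A positive pattern like this cannot be bypassed by a character the
    // author forgot to deny, which is the usual failure of denylist regexes.
    private static final Pattern SAFE_SEGMENT = Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]*");

    static boolean isSafeSessionPath(String sessionPath) {
        if (sessionPath == null || sessionPath.isEmpty() || sessionPath.length() > 256) {
            return false;
        }
        for (String segment : sessionPath.split("/", -1)) {
            if (!SAFE_SEGMENT.matcher(segment).matches()) {
                return false;
            }
        }
        return true;
    }

    // Validate, then confine the resolved path under SESSION_ROOT as an independent check.
    static Path resolveSessionPath(String sessionPath) {
        if (!isSafeSessionPath(sessionPath)) {
            throw new IllegalArgumentException("rejected sessionPath: " + sessionPath);
        }
        Path resolved = SESSION_ROOT.resolve(sessionPath).normalize();
        if (!resolved.startsWith(SESSION_ROOT)) {
            throw new IllegalArgumentException("sessionPath escapes session root");
        }
        return resolved;
    }

    // HARDENED shape: program and argument go to execve() as separate list elements,
    // so no shell ever parses the user-supplied value.
    static Process hardenedGetHis(String sessionPath) throws IOException {
        Path target = resolveSessionPath(sessionPath);
        return new ProcessBuilder(List.of("/bin/cat", target.toString())).start();
    }

    public static void main(String[] args) {
        // Constructed inputs: one benign value and three attack shapes.
        String[] inputs = {
            "2024/ops/session-0001.log",                                // benign
            "x;whoami>/usr/local/tomcat/webapps/fort/trust/js/o.txt",    // PoC-style injection
            "$(whoami)",                                                 // command substitution
            "../../etc/passwd",                                          // path traversal
        };
        for (String in : inputs) {
            System.out.printf("%-60s safe=%b%n", in, isSafeSessionPath(in));
        }
    }
}
```

Running `main` prints `safe=true` only for the first input. The point of the two-layer check is that `isSafeSessionPath` would already make `vulnerableGetHis` non-exploitable on its own, but `hardenedGetHis` does not rely on it: even if a future change loosens the pattern, the list-form `ProcessBuilder` gives the shell nothing to interpret, and the `startsWith(SESSION_ROOT)` check stops the endpoint from reading files outside the session store. `List.of` requires Java 9 or later.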