CVE-2018-12483

Vulnerability

In OCS Inventory version 2.4.1, the runCommand function in the OCSReports component concatenates user-supplied input from the ipdiscover_analyser GET parameter directly into a string that is passed to the PHP exec() function [1]. The command executed is a Perl script (ipdiscover-util.pl) with various fixed parameters, but the attacker-controlled parameter is appended without sanitization. The affected code path is reachable when the ipdiscover_analyser parameter is present in the HTTP request. Authentication is required to access this functionality.

Exploitation

An attacker must first authenticate to the OCS Inventory web interface. Then, by crafting a GET request to the vulnerable endpoint with a malicious value in the ipdiscover_analyser parameter, the attacker can inject arbitrary shell commands. The injected payload is passed as part of the argument to exec(), allowing execution of system commands. The attacker does not need any special privileges beyond a valid user account.

Impact

Successful exploitation allows the authenticated attacker to execute arbitrary operating system commands on the OCS Inventory server with the privileges of the web server user. Since OCS Inventory can deploy software and execute commands on managed agents, full compromise of the server can lead to remote code execution on all managed machines, resulting in a complete loss of confidentiality, integrity, and availability across the managed network.

Mitigation

The vendor has released OCS Inventory version 2.5 to address this vulnerability [1]. Users should upgrade to version 2.5 or later immediately. If upgrading is not possible, restrict access to the OCS Inventory web interface to trusted users only, and monitor for unusual ipdiscover_analyser parameter values. No other workarounds are documented in the available reference.