How I found Command Injection in MVP-5150 (CVE-2019-11224)

Introduction

OS Command Injection occurs when software constructs all or part of an OS command using externally influenced input from an upstream component, but does not neutralize, or incorrectly neutralizes, special elements that could modify the intended OS command when it is sent to a downstream component.

This article describes how I found CVE-2019-11224 and three ways of bypassing the “space” character during OS command injection.

Environment

An AMX MVP-5150 device with the latest firmware (v2.87.13).

The AMX MVP-5150 has multiple network interfaces. This means it can connect not only over a wired network cable but also to a Wi-Fi network. (In some cases the Wi-Fi password is stored on the Linux system without encryption, so reading the Wi-Fi configuration file reveals the Wi-Fi password.)

Find OS Command Injection

After connecting to the MVP-5150 via its Telnet server, I entered “?” to list the available commands. Luckily, there was a command called “ping”.

Then I entered the following payload to test whether the command was vulnerable to command injection.

ping 127.0.0.1;ls

Obviously, there was a command injection issue.

Bypass Space Character

However, the MVP-5150 did not pass a second “space” character through. For example, if I entered ping 127.0.0.1;ls -ls, it would execute ping 127.0.0.1;ls.

I think the design is: once the user's input contains a second “space” (the first being ping[space]127.0.0.1), the command is considered complete, and no input after the second “space” is taken.

This means we need a payload that is equivalent to a “space” but does not itself contain any “space” character.

1. Global Variable

On a Linux system there are several global (environment) variables, such as $HOME and $USERNAME.

There is a special variable called $IFS (the internal field separator), which can be used to bypass the “space” filter.

However, in this case it did not work, because the device took all input and converted it to lower case. This means $IFS was converted to $ifs, a different variable, since shell variable names are case-sensitive.

2. Linux Feature

On some Linux systems there is a way to execute a command without a “space” character, using brace expansion with “{ }”.

However, in this case, it did not work.

3. Special $IFS

Although we cannot use $IFS, we can create our own separator variable and use it to bypass the space character. For example:

HZ=$'\n';ls$HZ-a$HZ/

As mentioned before, the device converts all input to lower case, so we just need to write $HZ as $hz, and it works.

Summary

AMX devices are widely deployed; if a malicious user gains access to one, they can use it as a jump box to perform further attacks.

The CVE details can be found in this link. The CVE advisory can be found in this link.