How I found Command Injection in MVP-5150 (CVE-2019-11224)

This article shows how I found CVE-2019-11224 and also introduces three ways to bypass the “space” character on a Linux system.

OS Command Injection (CWE-78) occurs when software constructs all or part of an OS command using externally-influenced input from an upstream component, but does not neutralise, or incorrectly neutralises, special elements that could modify the intended OS command when it is sent to a downstream component.


Environment: an AMX MVP-5150 device running the latest firmware (v2.87.13).

The AMX MVP-5150 has multiple network interfaces. This means that it is not only able to connect to a wired network, but also to a Wi-Fi network. (In some cases the Wi-Fi password is stored on the Linux system without encryption, so by reading the Wi-Fi configuration file we are able to obtain the Wi-Fi password.)

After connecting to the MVP-5150 via its Telnet server, I executed ? to list the available commands. Luckily, there was a command called ping.

AMX MVP-5150 ping Command

Then I executed the following payload to test whether the command was vulnerable to command injection.

ping 127.0.0.1;ls
AMX MVP-5150 Command Injection

Obviously, there was a command injection issue.

However, the MVP-5150 did not accept the “space” character. For example, if I executed ping 127.0.0.1;ls -ls, it would only execute ping 127.0.0.1;ls.

We need to create a payload that is equivalent to a “space” but does not itself contain any “space” character.

On a Linux system there are some global (environment) variables, such as $HOME, $USERNAME etc.

There is a special variable called $IFS (the shell's internal field separator), which can be used to bypass the “space” restriction.

IFS Bypass Space

However, in this case it did not work, because the device takes all input and converts it to lower case. This means that $IFS was converted to $ifs, which is not defined.

On some Linux systems there is another way to execute a command without a “space” character: brace expansion with { }.

Linux Feature Bypass Space

However, in this case that did not work either.

Although we cannot use $IFS, we can define our own variable holding a separator and use it to bypass the “space” character. For example:

HZ=$'\n';ls$HZ-a$HZ/

As mentioned before, the device converts all input to lower case, so we just need to change $HZ to $hz, and it works!

MVP-5150 Command Injection Bypass Space Character
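To make the two points above concrete (the CWE-78 construction described at the start, and why blocking only the “space” character does not stop the injection), here is an added example that is not part of the original write-up or of the AMX firmware. It models the observed device behaviour as an assumption (lowercasing the line, keeping only the first space-separated argument), builds the command the vulnerable way and the hardened way, and runs the page's own Telnet inputs through a space deny-list and an IP allow-list. The function names and the PAGE_INPUTS list are this example's own.

```python
import ipaddress
import shlex
import subprocess

# Telnet command lines taken from the write-up (constructed test inputs for
# this example): the plain injection, the one the device truncates at its
# space, the self-defined-separator payload that worked, and a clean target.
PAGE_INPUTS = [
    "ping 127.0.0.1;ls",
    "ping 127.0.0.1;ls -ls",
    "ping 127.0.0.1;HZ=$'\\n';ls$HZ-a$HZ/",
    "ping 127.0.0.1",
]


def device_target(line: str) -> str:
    """Model of the observed MVP-5150 behaviour (an assumption drawn from the
    write-up, not the firmware's code): the whole line is lowercased and only
    the first space-separated argument after "ping" survives."""
    words = line.lower().split(" ")
    return words[1] if len(words) > 1 else ""


def vulnerable_ping_command(target: str) -> str:
    """CWE-78 pattern: the argument is spliced into a shell command string,
    so ";" and variable assignments inside it are interpreted by the shell."""
    return f"ping -c 1 {target}"


def space_deny_list_ok(target: str) -> bool:
    """What the device effectively enforces: only a literal space is blocked.
    Every metacharacter that matters (";", "$", "'") passes unchanged."""
    return " " not in target


def ip_allow_list_ok(target: str) -> bool:
    """Allow-list validation: accept only a syntactically valid IP literal.
    Nothing containing ";" or "$" can pass, whatever separator trick is used."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def hardened_ping_argv(target: str) -> list:
    """Hardened construction: validate first, then build an argv list so the
    target reaches ping as one argument and no shell ever parses it."""
    if not ip_allow_list_ok(target):
        raise ValueError(f"not an IP address: {target!r}")
    return ["ping", "-c", "1", target]


def quoted_ping_command(target: str) -> str:
    """If a shell is unavoidable, shlex.quote() turns the input into a single
    quoted word; this is defence in depth, not a substitute for the allow-list."""
    return f"ping -c 1 {shlex.quote(target)}"


def run_ping(target: str) -> int:
    """Runs the hardened argv with shell=False and returns ping's exit status."""
    return subprocess.run(hardened_ping_argv(target), capture_output=True).returncode


def evaluate(line: str) -> dict:
    """Compares both checks against what the device would actually execute."""
    target = device_target(line)
    return {
        "target": target,
        "space_deny_list": space_deny_list_ok(target),
        "ip_allow_list": ip_allow_list_ok(target),
    }


if __name__ == "__main__":
    for line in PAGE_INPUTS:
        print(evaluate(line))
    # Only the clean target is ever handed to ping
    print(hardened_ping_argv("127.0.0.1"))
```

Running the script shows that every injected line survives the space deny-list (none of them contains a space once the device has truncated the line), while the IP allow-list rejects all three and accepts only 127.0.0.1. Lowercasing $HZ to $hz changes nothing for the allow-list, since the ";" is still there; that is why the fix belongs in how the argument is validated and passed, not in which characters are stripped.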

AMX devices are widely deployed in many environments; if a malicious user gains access to a device, they can use it as a jump-box to perform further attacks on the network.

The CVE details can be found in this link. The CVE advisory can be found in this link.