How did I find Command Injection in MVP-5150 (CVE-2019-11224)
This article shows how I found CVE-2019-11224 and introduces three ways to bypass the “space” character on Linux.
OS Command Injection (CWE-78) occurs when software constructs all or part of an OS command using externally-influenced input from an upstream component, but does not neutralise, or incorrectly neutralises, special elements that could modify the intended OS command when it is sent to a downstream component.
This article describes how I found CVE-2019-11224 and three ways to bypass the “space” character during OS command injection.
The affected device is an AMX MVP-5150 running the latest firmware (v2.87.13).
The AMX MVP-5150 has multiple network interfaces: it can connect to a wired Ethernet line as well as to a Wi-Fi network. (In some cases the Wi-Fi password is stored on the Linux system without encryption, so reading the Wi-Fi configuration file yields the Wi-Fi password.)
After connecting to the MVP-5150 via the Telnet server, I executed ? to list the available commands. Luckily, there was a command called
Then, I executed the following payload to test whether the command was vulnerable to command injection.
Obviously, there was a command injection issue.
However, the MVP-5150 did not accept the “space” character. For example, if I executed ping 127.0.0.1;ls -ls, it would execute ping
We need to create a payload that is exactly equivalent to a “space” but does not contain any “space” character.
In Linux there are some global variables, such as
There is a special global variable called $IFS (the internal field separator), which can be used to bypass the “space” character.
However, in this case it did not work, since the device took all input and converted it to lower case. This means that $IFS would be converted to $ifs, which is not a variable the shell defines.
On some Linux systems there is another way to execute a command without the “space” character, which was using
However, in this case it did not work either.
Although we cannot use $IFS, we can define our own variable that plays the role of $IFS and use it to bypass the space character. For example:
As mentioned before, the device converts all input to lower case, so we just need to change our $HZ to $hz, and it works!
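The following Python is an added example, not code from the original article or from the AMX firmware. It ties together the definition of OS command injection given earlier and the lesson of the $HZ/$hz bypass: case-folding input before splicing it into a shell command, as this device does, is not neutralisation, because ';' and '$' survive unchanged. The insecure builder only returns the command string it would hand to a shell, so the effect of the filter is visible without running anything; the hardened version allowlists the target host and passes an argv list to subprocess with no shell at all. The function names, the ping command line and the sample inputs are my own assumptions.

```python
import ipaddress
import re
import subprocess
from typing import List, Optional

# Hypothetical ping handler (not the device's code) that takes a user-supplied
# target, modelled on the behaviour described in the article.


def build_vulnerable_cmd(user_input: str) -> str:
    """Insecure pattern: lower-case the input, then splice it into a command
    string destined for a shell. Lower-casing happens to break $IFS (the shell
    defines no $ifs), but ';' and '$' pass through untouched, so a separator
    and a user-defined variable such as $hz still work once the shell sees it."""
    lowered = user_input.lower()
    return f"ping -c 1 {lowered}"  # would be executed via a shell, e.g. system()


# Strict allowlist: digits, letters, '.' and '-' only. No shell metacharacters,
# no '$', no braces, no whitespace, so there is nothing for a shell to expand.
_HOST_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def validate_host(user_input: str) -> Optional[str]:
    """Return a normalised IPv4 address or hostname, or None if the input is
    outside the allowed character set or has a label starting/ending with '-'
    (which a command-line parser could otherwise read as an option)."""
    if _HOST_RE.fullmatch(user_input) is None:
        return None
    try:
        return str(ipaddress.IPv4Address(user_input))
    except ipaddress.AddressValueError:
        pass  # not a dotted quad; treat it as a hostname
    labels = user_input.split(".")
    if all(label and not label.startswith("-") and not label.endswith("-")
           for label in labels):
        return user_input.lower()  # DNS names are case-insensitive
    return None


def build_safe_argv(user_input: str) -> Optional[List[str]]:
    """Hardened pattern: validate first, then build an argv list. Because no
    shell is involved, ';' cannot act as a separator and '$hz' cannot expand."""
    host = validate_host(user_input)
    if host is None:
        return None
    return ["ping", "-c", "1", host]


def run_ping(user_input: str) -> Optional[int]:
    """Execute the hardened form; returns the exit status, or None if the
    input was rejected (a rejection is worth logging as a probe attempt)."""
    argv = build_safe_argv(user_input)
    if argv is None:
        return None
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    # Constructed sample inputs: a benign target, the article's ';' separator,
    # and a user-defined variable reference.
    for sample in ("127.0.0.1", "127.0.0.1;ls", "$HZ", "Example.COM"):
        print(repr(sample), "->", repr(build_vulnerable_cmd(sample)),
              "| safe argv:", build_safe_argv(sample))
```

The point of the hardened version is not a better blocklist of characters: it is that the user-controlled value never reaches a shell parser, so there is no separator or variable expansion to bypass. Logging every rejection from validate_host also gives a cheap detection signal for injection probing against the interface.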
AMX devices are widely deployed; if a malicious user gains access to one, they can use it as a jump-box to perform further attacks on the network.