ip-com-2

vendor:IP-COM

product:M50

version:V15.11.0.33(10768)

type:Remote Command Injection

author:Yifeng Li, Wolin Zhuang

Vulnerability description

We found a command injection vulnerability in recently released firmware for IP-COM Technology's M50 routers. It allows remote attackers to execute arbitrary OS commands via a crafted GET request.

Remote Command Injection vulnerability

In the formSetDebugCfg function, the parameters "pEnable", "pLevel" and "pModule" are taken from the user-supplied request without any filtering. We can therefore set pEnable to a value such as "-h%0aping%20x.x.x.x%20-w%2-5%0a" to attack the OS, and pLevel or pModule can be controlled in the same way.
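
An added example of the filter that is missing here (not the firmware's code, which this page does not show): an allow-list check on the three values, followed by building an argument vector so they never pass through a shell. It assumes the debug settings are short alphanumeric tokens; debug_arg_ok, build_debug_argv, DEBUG_ARG_MAX, the tool path and the sample values are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define DEBUG_ARG_MAX 16 /* assumed upper bound for one debug setting */

/* Allow-list: 1..DEBUG_ARG_MAX characters, each in [A-Za-z0-9_].
 * This rejects newlines, spaces, ';' and a leading '-'. */
int debug_arg_ok(const char *s)
{
    size_t n = s ? strlen(s) : 0;
    if (n == 0 || n > DEBUG_ARG_MAX)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '_')
            return 0;
    }
    return 1;
}

/* Fill argv[] for execv() so each value is passed as its own argument
 * and is never parsed by a shell. Returns 0 on success, or -1 if any
 * value fails the allow-list (the handler should then reject the request). */
int build_debug_argv(const char *argv[5], const char *tool,
                     const char *pEnable, const char *pLevel,
                     const char *pModule)
{
    if (!debug_arg_ok(pEnable) || !debug_arg_ok(pLevel) ||
        !debug_arg_ok(pModule))
        return -1;
    argv[0] = tool; /* placeholder path, supplied by the caller */
    argv[1] = pEnable;
    argv[2] = pLevel;
    argv[3] = pModule;
    argv[4] = NULL;
    return 0;
}

int main(void)
{
    const char *argv[5];
    /* Constructed inputs: the PoC value from this page, then a benign one. */
    printf("%d\n", build_debug_argv(argv, "/path/to/debug-tool",
                                    "aaa;ping x.x.x.x;", "1", "httpd"));
    printf("%d\n", build_debug_argv(argv, "/path/to/debug-tool",
                                    "1", "1", "httpd"));
    return 0;
}
```

The check runs on the value after URL decoding, so an encoded newline (%0a) or space (%20) is seen as the raw character and rejected.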

PoC

Remote Command Injection

We set the value of "pEnable", "pLevel" or "pModule" to aaa;ping x.x.x.x; and the router will execute the ping command.

example.com/action/setDebugCfg?enable=-h ping x.x.x.x -w%2-5
