How I Discovered Command Injection in MVP-5150 (CVE-2019-11224)

This article explores my discovery of the CVE-2019-11224 vulnerability in the MVP-5150 device and introduces methods to bypass the space character limitation in Linux OS command injections.

OS Command Injection is a vulnerability where software constructs an OS command with external input that can modify the intended command. This article details my discovery of CVE-2019-11224 and explores methods for bypassing space character restrictions during command injection.

The environment included an AMX MVP-5150 device with firmware version v2.87.13. Notably, this device supports multiple internet interfaces, including cable and Wi-Fi, with some Wi-Fi configurations stored unencrypted.

While connected to the MVP-5150 via its Telnet server, I explored available commands and discovered a ping command.

AMX MVP-5150 Ping Command
AMX MVP-5150 Ping Command

To test for a command injection vulnerability, I executed:

Bash

ping 127.0.0.1;ls

AMX MVP-5150 Command Injection
AMX MVP-5150 Command Injection

The results confirmed the vulnerability.

The MVP-5150 firmware does not support the “space” character directly. For instance, the command ping 127.0.0.1;ls -ls fails to recognize spaces.

Linux systems typically have global variables like $HOME, $USERNAME, and $IFS, with $IFS potentially useful for bypassing space limitations:

IFS Bypass Space
IFS Bypass Space

However, on this device, input is converted to lowercase, rendering $IFS ineffective as $ifs.

Some Linux systems allow command execution without spaces using {}:

Linux Feature Bypass Space
Linux Feature Bypass Space

This approach also failed in this environment.

Creating a custom $IFS proved successful. For example, on the device, converting to lowercase meant using $hz instead:

Bash

HZ=$'\n';ls$HZ-a$HZ/

MVP-5150 Command Injection Bypass Space Character
MVP-5150 Command Injection Bypass Space Character

AMX devices, prevalent in various settings, could serve as potential entry points for further attacks if compromised.

Further details about CVE-2019-11224 are available on the NVD website, and my full advisory can be found here.