CVE-2019-18396 — Command Injection in Technicolor router

Joao Teles
Oct 28

Introduction —

This is my first CVE and I'm very excited because it is about a critical flaw. To be honest, I wasn't looking for this vulnerability, at least not to get a CVE; I was looking for a way to reach networked computers from a switch or router. The same command injection was already present in an older firmware version (CVE-2017-14127), and I found it very strange that it was still there after several updates, because updates are for bug fixes, right? Let's go to the technical details.

Technical details —

This vulnerability is a simple command injection (DVWA feelings) in mnt_ping.cgi and is present on the Technicolor TD5130v2 router with the OI_Fw_V20 firmware. It occurs because the input is used without any validation, and mitigating it is relatively easy: the CGI only needs to validate the address before using it.
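As an added illustration of that mitigation (example code written for this page, not the router's firmware and not the author's PoC), the following C program puts the vulnerable pattern, a shell command string built from the pingAddr parameter, beside a hardened handler that percent-decodes the parameter, accepts only the characters a hostname or IP literal can contain, and runs ping through execvp without any shell. The query-string parser, the function names and the sample request are constructed for the example; the real internals of mnt_ping.cgi are not known from the post.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern (shown for comparison only, never called here): the
 * address is pasted into a command string and handed to the shell, so a
 * value such as ";ls /" terminates the ping command and starts a second one. */
int ping_vulnerable(const char *addr) {
    char cmd[300];
    snprintf(cmd, sizeof cmd, "ping -c 3 %s", addr);
    return system(cmd);
}

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hypothetical query-string helper: copies the percent-decoded value of
 * `name` into `out`. Returns 1 if the parameter was present, 0 otherwise. */
int get_param(const char *qs, const char *name, char *out, size_t outlen) {
    size_t nlen = strlen(name);
    const char *p = qs;
    while (p && *p) {
        const char *end = strchr(p, '&');
        size_t plen = end ? (size_t)(end - p) : strlen(p);
        if (plen > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1, *vend = p + plen;
            size_t o = 0;
            while (v < vend && o + 1 < outlen) {
                if (*v == '%' && v + 2 < vend && hexval(v[1]) >= 0 && hexval(v[2]) >= 0) {
                    out[o++] = (char)(hexval(v[1]) * 16 + hexval(v[2]));
                    v += 3;
                } else {
                    out[o++] = (*v == '+') ? ' ' : *v;
                    v++;
                }
            }
            out[o] = '\0';
            return 1;
        }
        p = end ? end + 1 : NULL;
    }
    if (outlen) out[0] = '\0';
    return 0;
}

/* Allow-list check: only characters that can appear in a hostname or an
 * IPv4/IPv6 literal, no leading '-' (ping would read it as an option), and a
 * sane length. Everything the shell cares about (; | & ` $ space ...) is
 * rejected by construction rather than by a deny-list. */
int is_safe_ping_target(const char *s) {
    size_t len = strlen(s);
    if (len == 0 || len > 253 || s[0] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != '-' && c != ':') return 0;
    }
    return 1;
}

/* Hardened handler: validate, then exec ping directly with an argv. No shell
 * is involved, so metacharacters carry no meaning even if the allow-list were
 * ever loosened. Returns -1 on rejection or failure, else ping's exit status. */
int ping_hardened(const char *addr) {
    if (!is_safe_ping_target(addr)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *argv[] = { "ping", "-c", "3", (char *)addr, NULL };
        execvp("ping", argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed request: the query string from the post's PoC. */
    const char *qs = "isSubmit=1&addrType=3&pingAddr=;ls%20/&send=Send";
    char addr[256];
    get_param(qs, "pingAddr", addr, sizeof addr);
    printf("pingAddr decoded to: \"%s\"\n", addr);
    printf("allow-list verdict: %s\n", is_safe_ping_target(addr) ? "accept" : "reject");
    printf("ping_hardened returned %d (-1 = rejected before exec)\n", ping_hardened(addr));
    return 0;
}
```

The two halves of the fix are independent: the allow-list stops the injected value at the door, and the argv-based exec removes the shell that gives `;` its meaning, so a bug in one does not reopen the hole. Running the program on the PoC query string prints the decoded `;ls /`, a reject verdict, and `-1` from the hardened handler.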

Proof Of Concept —

First Step —

Log in to the router panel (admin:admin):

Second Step —

Go to Ping:

Third Step —

Try to escape to the system:

Fourth Step —

Oh shit! We can't escape via POST, so let's try the GET method:

http://192.168.1.1/mnt_ping.cgi?isSubmit=1&addrType=3&pingAddr=;ls%20/&send=Send

Fifth Step —

Yeah, successful!! Let's try reading /etc/passwd:

Seventh Step —

Yeah, successful again!! Now let's make this PoC a little prettier with Python, see:

Video —
