Advisory: OS command injection in HARMAN AMX MVP5150 (CVE-2019-11224)

Hivint Blog, Hive Intelligence, May 8, 2019

OS command injection in HARMAN AMX
=====================================
Affected Vendor: AMX — https://www.amx.com/
Affected Software: MVP5150 Firmware
Affected Version: Tested on V2.87.13
Issue type: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
Release Date: 07/05/2019
Discovered by: Harold Zang, Hivint
CVE Identifier: CVE-2019-11224
Issue status: Published

Summary
=======================================
AMX (www.amx.com) is part of the HARMAN Professional Division, and the leading brand for the business, education, and government markets for the company.

Description
=======================================
HARMAN AMX MVP5150 v2.87.13 devices are vulnerable to OS Command Injection.

Impact
=======================================
An attacker who is able to log in to the AMX MVP5150 via the Telnet service can inject and execute malicious OS commands.

Proof of concept
=======================================
1. Log in to the device via Telnet.
2. Using the following command, perform a command injection:
ping 127.0.0.1;ls
3. Using the following command, observe that it is possible to bypass the disallowed space character:
ping 127.0.0.1;HZ=$'\n';ls$HZ/bin/

Solution
=======================================
The vendor has advised that this product is obsolete and that, at this stage, no product development is expected around it. However, if there is a specific customer request for development, it can be considered based on priority/requirement.
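
For anyone maintaining a similar diagnostic command, the sketch below is an added example, not code from the advisory or from AMX firmware. It contrasts a space-only blocklist with an allowlist that accepts nothing but a single IPv4 address, and runs ping without a shell. The function names are hypothetical, and `blocklist_accepts` is an assumed model of the filter implied by the proof of concept.

```c
/* Added example: constructed model, not AMX firmware code. */
#include <arpa/inet.h>
#include <spawn.h>
#include <string.h>
#include <sys/wait.h>

extern char **environ;

/* Assumed model of the weak filter: reject only the space character.
 * ';', '$' and quotes still reach the shell, so this is insufficient. */
int blocklist_accepts(const char *arg)
{
    return strchr(arg, ' ') == NULL;
}

/* Allowlist: the whole argument must parse as one dotted-quad IPv4
 * address. inet_pton() rejects ';', '$', quotes, newlines and any
 * trailing bytes, so no shell syntax survives validation. */
int allowlist_accepts(const char *arg)
{
    struct in_addr addr;
    return strlen(arg) <= 15 && inet_pton(AF_INET, arg, &addr) == 1;
}

/* Run ping without a shell: the target is a single argv element, so
 * it is never interpreted as command syntax.
 * Returns ping's exit status, or -1 if rejected or not started. */
int safe_ping(const char *target)
{
    char *argv[] = { "ping", "-c", "1", (char *)target, NULL };
    pid_t pid;
    int status;

    if (!allowlist_accepts(target))
        return -1;
    if (posix_spawnp(&pid, "ping", NULL, NULL, argv, environ) != 0)
        return -1;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

Both inputs from the proof of concept pass the space-only check and are rejected by the allowlist before any process is started.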

Response timeline
=======================================
09/03/2019 — Found the issue.
09/03/2019 — Tried to notify vendor.
03/04/2019 — Vendor notified.
07/05/2019 — Published.
