Tuoshi LT21B
- M7628xUSAxUIv2_v1.0.1481.15.02_P0
A command injection vulnerability has been identified in Tuoshi/Dionlink LT15D 4G Wi-Fi devices running firmware M7628NNxlSPv2xUI_v1.0.1802.10.08_P4, and in LT21B devices running firmware M7628xUSAxUIv2_v1.0.1481.15.02_P0. This vulnerability allows unauthenticated remote attackers with network access to execute arbitrary operating system commands with root privileges. The issue arises because the /goform/formJsonAjaxReq endpoint does not properly sanitize shell metacharacters in JSON parameters, enabling command injection.
Exploitation of this vulnerability allows for unauthorized remote code execution with root privileges on the affected device.
The vulnerability can be reproduced by sending a crafted JSON payload containing unsanitized shell metacharacters to the /goform/formJsonAjaxReq endpoint. This can be done remotely without authentication, taking advantage of the command injection flaw to execute arbitrary commands on the device's operating system.
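A detection check for this class of request, added here as an example rather than anything from the advisory or the vendor: it inspects POST bodies sent to the /goform/formJsonAjaxReq endpoint and flags any JSON string value carrying shell metacharacters. The parameter names and client addresses in the sample requests are constructed; the advisory names only the endpoint.

```python
from __future__ import annotations
import json
import re
from typing import Iterable

# Endpoint named in the advisory; everything else in this example is constructed.
VULNERABLE_ENDPOINT = "/goform/formJsonAjaxReq"

# Characters a shell interprets specially; none belong in a value passed to a shell.
SHELL_META = re.compile(r"[;|&`$(){}<>\n\r]")

def _string_values(obj, path: str = ""):
    """Yield (key_path, value) for every string leaf in a decoded JSON document."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _string_values(v, f"{path}.{k}" if path else k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _string_values(v, f"{path}[{i}]")
    elif isinstance(obj, str):
        yield path, obj

def suspicious_fields(path: str, body: str) -> list[str]:
    """Key paths whose values contain shell metacharacters, for requests to the endpoint."""
    if path.split("?", 1)[0] != VULNERABLE_ENDPOINT:
        return []
    try:
        doc = json.loads(body)
    except ValueError:
        # A body the handler may still parse leniently; surface it for review.
        return ["<unparseable-json>"]
    return [p for p, s in _string_values(doc) if SHELL_META.search(s)]

def scan_requests(records: Iterable[tuple[str, str, str]]) -> list[tuple[str, list[str]]]:
    """Run the check over (client, path, body) records and return (client, fields) hits."""
    hits = []
    for client, path, body in records:
        fields = suspicious_fields(path, body)
        if fields:
            hits.append((client, fields))
    return hits

# Constructed sample requests; "action"/"args"/"host" are invented names, not firmware parameters.
SAMPLE_REQUESTS = [
    ("198.51.100.7", "/goform/formJsonAjaxReq", '{"action":"status","args":{"ifname":"eth0"}}'),
    ("198.51.100.9", "/goform/formJsonAjaxReq", '{"action":"diag","args":{"host":"192.0.2.1; id"}}'),
    ("198.51.100.9", "/index.html", '{"q":"a|b"}'),
]

if __name__ == "__main__":
    for client, fields in scan_requests(SAMPLE_REQUESTS):
        print(f"ALERT {client}: shell metacharacters in {', '.join(fields)}")
```

Only the second request is reported; the third carries a pipe but is not sent to the affected endpoint, so it does not match this rule.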