D-Link Routers Command Injection Vulnerability in the Debug Diagnostic Run Function

A command injection vulnerability has been identified in multiple D-Link router models, including the DWR-M920, DWR-M921, DIR-822K, and DIR-825M, all running firmware version 1.1.5. The vulnerability arises in the '/boafrm/formDebugDiagnosticRun' endpoint, where the 'host' parameter is manipulated, leading to unauthorized execution of system commands. This exploitation occurs remotely and has been publicly disclosed.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected device with system privileges. This could lead to a complete compromise of the router, including unauthorized access to network traffic, data theft, or using the router as a launch point for attacks on other devices within the network.

Reproduction

The vulnerability can be reproduced by authenticating to the router and sending a POST request to the '/boafrm/formDebugDiagnosticRun' endpoint. The 'host' parameter must be crafted to include shell metacharacters that will be interpreted by the system shell, such as semicolons or ampersands, to inject and execute arbitrary commands.