D-Link DWR-M920 Command Injection Vulnerability
Vulnerability
A command injection vulnerability has been identified in the D-Link DWR-M920 router, affecting firmware versions up to 1.1.50. The flaw lies in the function sub_4155B4 (an unnamed function, labelled by the disassembler), which handles requests to /boafrm/formLtefotaUpgradeFibocom. The attacker-controlled fota_url parameter is formatted with sprintf into a fixed-size stack buffer without any length check, and the resulting string is then passed to the system function. Two consequences follow: an overlong value overflows the stack buffer, and a value containing shell metacharacters has its embedded command executed by the shell that system invokes. The vulnerability can be exploited remotely, and a public proof-of-concept exploit is available.
Impact
Successful exploitation allows arbitrary OS command execution on the affected device, with the privileges of the web server process that handles the request.
Reproduction
To reproduce this vulnerability, send a POST request to the /boafrm/formLtefotaUpgradeFibocom endpoint with a crafted fota_url parameter. The first proof-of-concept (poc1) triggers the stack-based buffer overflow by supplying an excessively long URL. The second proof-of-concept (poc2) demonstrates the command injection by embedding shell metacharacters in fota_url so that the injected command lists a directory and redirects the output to a file, leaving an artifact on the device that confirms execution.
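The C program below is added here as an illustration; it is not code from the DWR-M920 firmware nor from the published proof-of-concept. It models the vulnerable pattern the advisory describes (sprintf of fota_url into a fixed-size stack buffer, then system) next to a hardened replacement that caps the length, allowlists characters and never involves a shell. The buffer size, command template, wget path, output path and the two sample inputs are assumptions constructed for the example; the vulnerable side only measures what the original pattern would do, so nothing is overflowed or executed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the DWR-M920 firmware. The values below are assumptions. */
#define CMD_BUF      256                        /* assumed fixed-size stack buffer      */
#define CMD_FMT      "wget -O /tmp/fota.bin %s" /* assumed command template for system() */
#define MAX_URL_LEN  200                        /* hard cap used by the hardened version  */

/* --- Vulnerable pattern, as the advisory describes it ----------------------
 * The real code amounts to:
 *     char cmd[CMD_BUF];
 *     sprintf(cmd, CMD_FMT, fota_url);   // no bound on fota_url
 *     system(cmd);                       // string handed to /bin/sh
 * Here we only compute what sprintf would write, so nothing is smashed or run. */
static int vulnerable_cmd_len(const char *fota_url) {
    /* snprintf(NULL, 0, ...) returns the formatted length without the NUL */
    return snprintf(NULL, 0, CMD_FMT, fota_url) + 1;
}

/* poc1 condition: the formatted command no longer fits the stack buffer. */
bool vulnerable_overflows(const char *fota_url) {
    return vulnerable_cmd_len(fota_url) > CMD_BUF;
}

/* poc2 condition: bytes that /bin/sh would interpret once the buffer reaches
 * system(). This is a detection heuristic for the demo, not a shell grammar. */
bool vulnerable_injects(const char *fota_url) {
    return strpbrk(fota_url, ";|&`$\n<>(){}") != NULL;
}

/* --- Hardened form ----------------------------------------------------------
 * 1. Length is bounded before anything is copied or formatted.
 * 2. Scheme must be http:// or https://.
 * 3. Character allowlist that is deliberately stricter than RFC 3986: no quotes,
 *    spaces, backticks, '$', ';', '|', '<', '>' or control bytes. '&' is kept for
 *    query strings; it is safe only because the URL never reaches a shell.
 * 4. No shell at all: the URL becomes a single argv element for exec-style use. */
bool validate_fota_url(const char *url) {
    const char *nul = memchr(url, '\0', MAX_URL_LEN + 1); /* bounded length scan */
    if (nul == NULL) return false;                         /* longer than MAX_URL_LEN */
    size_t n = (size_t)(nul - url);
    if (n == 0) return false;
    if (strncmp(url, "http://", 7) != 0 && strncmp(url, "https://", 8) != 0) return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)url[i];
        if (!isalnum(c) && strchr("-._~:/?=&%", c) == NULL) return false;
    }
    return true;
}

/* Builds an argv vector suitable for execv()/posix_spawn(); returns argc, or -1
 * if the URL is rejected. argv must have room for 5 pointers (4 + NULL). */
int build_fota_argv(const char *url, const char *argv[5]) {
    if (!validate_fota_url(url)) return -1;
    argv[0] = "/usr/bin/wget";   /* assumed binary path */
    argv[1] = "-O";
    argv[2] = "/tmp/fota.bin";   /* assumed output path */
    argv[3] = url;               /* one argument, never re-parsed by a shell */
    argv[4] = NULL;
    return 4;
}

/* Constructed sample inputs mirroring the two PoCs (not the real PoC payloads). */
char *sample_poc1_url(char *buf, size_t len) {      /* "http://" + 'A' * (len-8) */
    const size_t pre = 7;
    if (len <= pre + 1) { buf[0] = '\0'; return buf; }
    memcpy(buf, "http://", pre);
    memset(buf + pre, 'A', len - pre - 1);
    buf[len - 1] = '\0';
    return buf;
}
const char *sample_poc2_url(void) { return "http://x;ls / > /tmp/out"; }

int main(void) {
    char longbuf[600];
    const char *argv[5];
    sample_poc1_url(longbuf, sizeof longbuf);
    printf("poc1 overflows: %d  rejected by hardened: %d\n",
           vulnerable_overflows(longbuf), build_fota_argv(longbuf, argv) < 0);
    printf("poc2 injects:   %d  rejected by hardened: %d\n",
           vulnerable_injects(sample_poc2_url()), build_fota_argv(sample_poc2_url(), argv) < 0);
    printf("benign URL accepted: %d\n",
           build_fota_argv("https://fw.example.com/m920.bin?v=1.1.51", argv) == 4);
    return 0;
}
```

The hardened path makes both PoCs impossible by construction rather than by pattern-matching: the length cap prevents any overflow regardless of the command template, and handing the URL to an exec-style call as its own argv element means there is no shell to interpret metacharacters even if the allowlist were loosened.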
