D-Link DCS-932L
cpe:2.3:h:d-link:dcs-932l:*:*:*:*:*:*:*
- 2.18.01
A critical OS command injection vulnerability has been identified in the D-Link DCS-932L camera, running firmware version 2.18.01. The issue arises in the 'setSystemWizard' and 'setSystemControl' functions, where the 'AdminID' parameter is not properly validated, allowing remote attackers to execute arbitrary OS commands. This vulnerability affects products that are no longer supported by the manufacturer.
Exploitation of this vulnerability allows for arbitrary OS command execution on the affected device.
To reproduce this vulnerability, send a POST request to the '/setSystemWizard' endpoint with a crafted 'AdminID' value that includes the desired OS command, such as ';telnetd;#'. After the command is injected, visit the '/setSystemAdmin' endpoint to execute the injected command. The response will indicate successful execution, such as gaining shell access.
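As an added example, not code from the advisory or from D-Link, the following shows the allow-list validation the firmware lacks for 'AdminID' and a request-inspection check that a reverse proxy or WAF in front of an unsupported camera could apply to POSTs to the two affected endpoints. The allow-list pattern, the function names and the sample requests are assumptions constructed for this illustration.

```python
import re
from urllib.parse import parse_qs

# Endpoints the advisory names as passing the unvalidated AdminID parameter on.
VULNERABLE_PATHS = {"/setSystemWizard", "/setSystemControl"}

# Allow-list for an administrator user name (hypothetical policy, not D-Link's).
ADMIN_ID_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

# Characters a shell would interpret; any of them inside a user name is a strong signal.
SHELL_META_RE = re.compile(r"[;|&`$(){}<>\n\r#]")


def admin_id_is_valid(value: str) -> bool:
    """Allow-list check the firmware should apply before AdminID reaches any command."""
    return bool(ADMIN_ID_RE.fullmatch(value))


def inspect_request(method: str, path: str, body: str) -> dict:
    """Classify one HTTP request; returns {'suspicious': bool, 'reason': str}."""
    if method.upper() != "POST" or path not in VULNERABLE_PATHS:
        return {"suspicious": False, "reason": "not a targeted endpoint"}
    params = parse_qs(body, keep_blank_values=True)
    for value in params.get("AdminID", []):
        if SHELL_META_RE.search(value):
            return {"suspicious": True, "reason": f"shell metacharacter in AdminID: {value!r}"}
        if not admin_id_is_valid(value):
            return {"suspicious": True, "reason": f"AdminID fails allow-list: {value!r}"}
    return {"suspicious": False, "reason": "AdminID within policy"}


# Constructed sample requests (method, path, url-encoded body) for a self-check.
SAMPLE_REQUESTS = [
    ("POST", "/setSystemWizard", "AdminID=admin&AdminPassword=x"),
    ("POST", "/setSystemWizard", "AdminID=%3Btelnetd%3B%23&AdminPassword=x"),  # ';telnetd;#'
    ("POST", "/setSystemControl", "AdminID=admin%20user"),                    # not shell meta, but off-policy
    ("GET", "/setSystemAdmin", ""),                                            # the trigger visit carries no body
    ("POST", "/other", "AdminID=%3Btelnetd%3B%23"),                            # out of scope for this check
]


def scan(requests=SAMPLE_REQUESTS) -> list:
    """Return (path, reason) for every request flagged as suspicious."""
    flagged = []
    for method, path, body in requests:
        verdict = inspect_request(method, path, body)
        if verdict["suspicious"]:
            flagged.append((path, verdict["reason"]))
    return flagged


if __name__ == "__main__":
    for path, reason in scan():
        print(f"ALERT {path}: {reason}")
```

Scoping the check to the two named endpoints keeps false positives low; a hardened firmware would instead apply admin_id_is_valid everywhere the value is used.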