D-Link DWR-M961 Command Injection Vulnerability
Vulnerability
A command injection vulnerability has been identified in the D-Link DWR-M961 router, specifically in firmware version 1.1.47. The issue arises in the function 'sub_419920' within the '/boafrm/formLtefotaUpgradeQuectel' endpoint. The function does not properly sanitize the 'fota_url' parameter before using it to construct a command string that is executed via the 'system()' function. As a result, an authenticated attacker can execute arbitrary commands with root privileges.
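The fix pattern for this class of bug, as an added example (not D-Link's firmware code and not from the original advisory): validate 'fota_url' against an allowlist, then run the downloader through execv() so no shell ever parses the value. The helper path, the function names and the 512-byte length cap are assumptions made for illustration.

```c
#include <ctype.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper path: the command the firmware builds is not shown
 * in the advisory. */
#define FOTA_HELPER "/bin/fota_helper"

/* Pattern the advisory describes (comment only, not compiled):
 *     snprintf(cmd, sizeof(cmd), FOTA_HELPER " %s", fota_url);
 *     system(cmd);    -- /bin/sh parses fota_url, metacharacters included
 */

/* Return 1 only for an http(s) URL built from a conservative character
 * allowlist; ';', '|', '`', '$', quotes, whitespace and control bytes fail. */
int fota_url_is_safe(const char *url)
{
    static const char allowed[] = "-._~:/?&=%+";
    size_t i, n;
    if (url == NULL) return 0;
    n = strlen(url);
    if (n == 0 || n > 512) return 0;   /* assumed length cap */
    if (strncmp(url, "http://", 7) != 0 && strncmp(url, "https://", 8) != 0)
        return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)url[i];
        if (!isalnum(c) && strchr(allowed, c) == NULL) return 0;
    }
    return 1;
}

/* Validate, then run the helper with the URL as a single argv element.
 * Returns the helper's exit status, or -1 on rejection or error. */
int run_fota_upgrade(const char *url)
{
    int status;
    pid_t pid;
    if (!fota_url_is_safe(url)) return -1;
    if ((pid = fork()) < 0) return -1;
    if (pid == 0) {
        char *argv[] = { (char *)FOTA_HELPER, (char *)url, NULL };
        execv(FOTA_HELPER, argv);   /* no shell ever sees the URL */
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The validator is a second layer; the structural fix is passing the URL as an argv element instead of formatting it into a string for system().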
Impact
Successful exploitation allows an authenticated attacker to execute arbitrary commands on the router with root privileges.
Reproduction
To reproduce this vulnerability, first authenticate with the router using the '/boafrm/formLoginKey' endpoint to retrieve the encryption key. After logging in, send a POST request to the '/boafrm/formLtefotaUpgradeQuectel' endpoint with a crafted 'fota_url' parameter that includes a command injection payload. The unsanitized input will be executed as a system command, demonstrating the command injection vulnerability.
