D-Link DWR-M961 Command Injection Vulnerability in SMS Management Component

A command injection vulnerability has been identified in the D-Link DWR-M961 4G LTE router, specifically in the SMS management feature. This issue arises in the router's firmware version 1.1.47. The vulnerability is triggered when the '/boafrm/formSmsManage' endpoint receives a request with the 'action_id' parameter set to 'delete'. The 'action_value' parameter, which is supposed to represent SMS message IDs, is not properly sanitized before being used to construct a system command. This flaw allows authenticated attackers to inject arbitrary commands that are executed on the system.

Impact

Exploitation of this vulnerability allows for command injection, where an authenticated user can execute arbitrary commands on the router's operating system. This could lead to unauthorized access, modification of system files, or disruption of services. Additionally, the vulnerability could be exploited to cause a stack-based buffer overflow, potentially crashing the router or corrupting its memory.

Reproduction

To reproduce this vulnerability, log into the D-Link DWR-M961 router and navigate to the SMS management page. Once there, send a POST request to the '/boafrm/formSmsManage' endpoint with the 'action_id' parameter set to 'delete' and the 'action_value' parameter containing the injected command. The injected command will be executed on the router's system.