D-Link DWR-M921 Command Injection Vulnerability in USSD Configuration Endpoint

Vulnerability

A command injection vulnerability has been identified in the D-Link DWR-M921 router running firmware version 1.1.50. The issue resides in the USSD configuration endpoint '/boafrm/formUSSDSetup', specifically within the 'sub_419F20' function. This vulnerability allows authenticated attackers to manipulate the 'ussdValue' parameter, injecting arbitrary commands that are executed with root privileges. The exploitation is facilitated by the use of 'sprintf' to build a shell command string that embeds the user-supplied value without sanitization; the resulting string is then passed to the 'system()' function, so shell metacharacters in the parameter are interpreted as command syntax.

Impact

Exploitation of this vulnerability provides authenticated attackers with root access on the router, allowing them to execute arbitrary commands, modify system configurations, access sensitive files, and potentially disrupt services or open backdoors.

Reproduction

The vulnerability can be reproduced by logging into the router and sending a POST request to the '/boafrm/formUSSDSetup' endpoint. The 'ussdValue' parameter must be crafted to include a command injection payload, such as '1'; {command}; ', which exploits the lack of input sanitization by closing the existing quote and injecting a new command.
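To make the root cause concrete for defenders, the following is an added C example (not the DWR-M921 firmware's own code, whose internals this entry does not reproduce). It contrasts the vulnerable shape described above, a 'sprintf'-built command line handed to 'system()', with a hardened handler that first restricts 'ussdValue' to the USSD alphabet (digits, '*' and '#') and then runs the helper with an argument vector instead of a shell, so the value is never parsed as command text. The helper name 'ussd_tool', the length limit and all function names are assumptions for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed upper bound for a USSD code; real values are typically far shorter. */
#define USSD_MAX_LEN 64

/* Vulnerable shape (for comparison only, never called here): the raw request
 * parameter is pasted into a command line and the whole line is given to
 * /bin/sh via system(). A quote or ';' in the value ends the intended
 * argument and the remainder is executed as a separate command. */
void ussd_send_vulnerable(const char *ussd_value) {
    char cmd[256];
    /* 'ussd_tool' is a hypothetical helper binary */
    snprintf(cmd, sizeof cmd, "ussd_tool '%s'", ussd_value);
    system(cmd);
}

/* Allow-list validation: USSD codes consist only of digits, '*' and '#'.
 * Anything else (quotes, ';', spaces, control bytes) is rejected outright. */
bool ussd_value_is_valid(const char *s) {
    if (s == NULL) return false;
    size_t n = strlen(s);
    if (n == 0 || n > USSD_MAX_LEN) return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isdigit(c) || c == '*' || c == '#')) return false;
    }
    return true;
}

/* Hardened handler: validate first, then execute the helper without a shell.
 * execvp() receives an argv array, so the value arrives as one opaque
 * argument and no shell ever tokenises it. Returns the helper's exit status,
 * or -1 if the value was rejected or the process could not be run. */
int ussd_send_hardened(const char *ussd_value) {
    if (!ussd_value_is_valid(ussd_value)) return -1;

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "ussd_tool", (char *)ussd_value, NULL };
        execvp(argv[0], argv);
        _exit(127); /* helper not found or not executable */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed sample inputs: a normal balance-check code and a value
     * carrying shell metacharacters, which the validator must refuse. */
    const char *samples[] = { "*100#", "*100#;", "1'", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s -> %s\n", samples[i],
               ussd_value_is_valid(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```

The allow-list is the key control: because the request parameter is checked against what a USSD code can contain rather than against a list of known-bad characters, any future variant of the injection is rejected for the same reason, and the execvp() path means that even a validation bypass would yield a bad argument rather than a shell command.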

Added: Feb 7, 2026, 12:22 PM
Updated: Feb 7, 2026, 12:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 6.1
remediation: 0.0
relevance: 2.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.