D-Link DWR-M921 Command Injection Vulnerability

A command injection vulnerability has been identified in the D-Link DWR-M921 router running firmware version 1.1.50. The issue resides in the function 'sub_419920' of the file '/boafrm/formLtefotaUpgradeQuectel'. The vulnerability arises because the 'fota_url' parameter is not properly sanitized before being used to construct a command that is executed with root privileges. This flaw can be exploited remotely by authenticated users.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the device with root privileges.

Reproduction

To reproduce this vulnerability, authenticate with the router and send a POST request to the '/boafrm/formLtefotaUpgradeQuectel' endpoint. Include a 'fota_url' parameter that contains a command injection payload, such as 'http://; ls', which exploits the vulnerability by injecting a command that is executed on the router's operating system.