| Titel | D-Link DWR-M920 1.1.50 Command Injection and Stack Buffer Overflow |
|---|
| Beschreibung | The /boafrm/formIMEISetup handler in the boa web server contains five independent OS command injection vulnerabilities and one stack buffer overflow, all reachable through the IMEI_value POST parameter. The parameter is read from the HTTP request and passed directly into sprintf() with an AT command format string, then executed via system() — without any sanitization, filtering, or length validation.
Each injection path is gated by a MIB module/lookup ID pair (sub_412DA0), which identifies the installed modem module (Quectel, Fibocom, Gosuncn, etc.). On a device with a supported modem, the matching path activates and the attacker-supplied IMEI_value flows into the shell. |
|---|
| Quelle | ⚠️ https://github.com/7u7777/Dlink/blob/DWR-M920/formIMEISetup.md |
|---|
| Benutzer | kkff33 (UID 62638) |
|---|
| Einreichung | 18.05.2026 18:45 (vor 20 Tagen) |
|---|
| Moderieren | 05.06.2026 10:19 (18 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 368882 [D-Link DWR-M920 bis 1.1.50 /boafrm/formIMEISetup sub_412DA0 IMEI_value erweiterte Rechte] |
|---|
| Punkte | 20 |
|---|