| Título | D-Link DWR-M920 1.1.50 Command Injection and Stack Buffer Overflow |
|---|
| Descripción | The /boafrm/formIMEISetup handler in the boa web server contains five independent OS command injection vulnerabilities and one stack buffer overflow, all reachable through the IMEI_value POST parameter. The parameter is read from the HTTP request and passed directly into sprintf() with an AT command format string, then executed via system() — without any sanitization, filtering, or length validation.
Each injection path is gated by a MIB module/lookup ID pair (sub_412DA0), which identifies the installed modem module (Quectel, Fibocom, Gosuncn, etc.). On a device with a supported modem, the matching path activates and the attacker-supplied IMEI_value flows into the shell. |
|---|
| Fuente | ⚠️ https://github.com/7u7777/Dlink/blob/DWR-M920/formIMEISetup.md |
|---|
| Usuario | kkff33 (UID 62638) |
|---|
| Sumisión | 2026-05-18 18:45 (hace 20 días) |
|---|
| Moderación | 2026-06-05 10:19 (18 days later) |
|---|
| Estado | Aceptado |
|---|
| Entrada de VulDB | 368882 [D-Link DWR-M920 hasta 1.1.50 /boafrm/formIMEISetup sub_412DA0 IMEI_value escalada de privilegios] |
|---|
| Puntos | 20 |
|---|