| タイトル | D-Link DWR-M920 1.1.50 Command Injection and Stack Buffer Overflow |
|---|
| 説明 | The /boafrm/formIMEISetup handler in the boa web server contains five independent OS command injection vulnerabilities and one stack buffer overflow, all reachable through the IMEI_value POST parameter. The parameter is read from the HTTP request and passed directly into sprintf() with an AT command format string, then executed via system() — without any sanitization, filtering, or length validation.
Each injection path is gated by a MIB module/lookup ID pair (sub_412DA0), which identifies the installed modem module (Quectel, Fibocom, Gosuncn, etc.). On a device with a supported modem, the matching path activates and the attacker-supplied IMEI_value flows into the shell. |
|---|
| ソース | ⚠️ https://github.com/7u7777/Dlink/blob/DWR-M920/formIMEISetup.md |
|---|
| ユーザー | kkff33 (UID 62638) |
|---|
| 送信 | 2026年05月18日 18:45 (19 日 ago) |
|---|
| モデレーション | 2026年06月05日 10:19 (18 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 368882 [D-Link DWR-M920 迄 1.1.50 /boafrm/formIMEISetup sub_412DA0 IMEI_value 特権昇格] |
|---|
| ポイント | 20 |
|---|