| Title | D-Link DWR-M920 1.1.50 Command Injection and Stack Buffer Overflow |
|---|
| Description | The /boafrm/formIMEISetup handler in the boa web server contains five independent OS command injection vulnerabilities and one stack buffer overflow, all reachable through the IMEI_value POST parameter. The parameter is read from the HTTP request and passed directly into sprintf() with an AT command format string, then executed via system() — without any sanitization, filtering, or length validation.
Each injection path is gated by a MIB module/lookup ID pair (sub_412DA0), which identifies the installed modem module (Quectel, Fibocom, Gosuncn, etc.). On a device with a supported modem, the matching path activates and the attacker-supplied IMEI_value flows into the shell. |
|---|
| Source | ⚠️ https://github.com/7u7777/Dlink/blob/DWR-M920/formIMEISetup.md |
|---|
| User | kkff33 (UID 62638) |
|---|
| Submission | 05/18/2026 18:45 (22 days ago) |
|---|
| Moderation | 06/05/2026 10:19 (18 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 368882 [D-Link DWR-M920 up to 1.1.50 /boafrm/formIMEISetup sub_412DA0 IMEI_value os command injection] |
|---|
| Points | 20 |
|---|