D-Link DIR-823X Command Injection Vulnerability

A command injection vulnerability has been identified in the D-Link DIR-823X router, specifically in versions 240126, 240802, and 250416. The issue arises in the environment variable handler within the file '/usr/sbin/goahead', particularly in the function 'sub_412E7C'. The vulnerability allows remote attackers to execute arbitrary commands on the device by manipulating the 'terminal_addr', 'server_ip', and 'server_port' parameters. Exploitation of this vulnerability is straightforward, and a public proof-of-concept is available.

Impact

Exploitation of this vulnerability allows for remote code execution on the affected device.

Reproduction

To reproduce this vulnerability, log into the router and send a POST request to the '/goform/set_server_settings' endpoint. Include the 'terminal_addr', 'server_ip', and 'server_port' parameters in the request. The 'terminal_addr' and 'server_ip' parameters can be used to inject commands, which will be executed on the router's operating system.