D-Link DIR-823X
cpe:2.3:h:dlink:dir-823x:*:*:*:*:*:*:*, +1 more
- 250416
A command injection vulnerability has been identified in the D-Link DIR-823X router, specifically in the 250416 firmware version. The issue arises in the '/goform/set_device_name' file, where the 'mac' parameter is not properly validated. This lack of validation allows attackers to inject malicious strings that could be executed as commands on the device. The vulnerability can be exploited remotely, and a public exploit is available.
Exploitation of this vulnerability allows for arbitrary command execution on the affected device.
To reproduce this vulnerability, log into the router's web interface and navigate to the '/goform/set_device_name' endpoint. The 'mac' parameter can be manipulated by sending a crafted request that includes a malicious payload. Once the payload is executed, the injected command's output can be redirected to a file, confirming the successful exploitation of the vulnerability.
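One way to close this class of bug on the device side, shown as an added example rather than D-Link's firmware code or a vendor patch: parse the 'mac' value as exactly six colon-separated hex octets and rebuild the string from the parsed bytes before anything else uses it. The function names and sample inputs are assumptions made up for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAC_STR_LEN 17  /* "XX:XX:XX:XX:XX:XX" */

/* Value of one hex digit, or -1 for any other byte. */
static int hex_val(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse exactly six colon-separated hex octets. Returns 0 on success,
 * -1 on any deviation (wrong length, other separator, extra bytes). */
int parse_mac(const char *in, unsigned char out[6])
{
    if (in == NULL || strlen(in) != MAC_STR_LEN)
        return -1;
    for (int i = 0; i < 6; i++) {
        int hi = hex_val(in[i * 3]);
        int lo = hex_val(in[i * 3 + 1]);
        if (hi < 0 || lo < 0)
            return -1;
        if (i < 5 && in[i * 3 + 2] != ':')
            return -1;
        out[i] = (unsigned char)((hi << 4) | lo);
    }
    return 0;
}

/* Rebuild the string from the parsed bytes, so the value used downstream
 * was generated here and never contains bytes copied from the request. */
int canonical_mac(const char *in, char buf[MAC_STR_LEN + 1])
{
    unsigned char m[6];
    if (parse_mac(in, m) != 0)
        return -1;
    snprintf(buf, MAC_STR_LEN + 1, "%02x:%02x:%02x:%02x:%02x:%02x",
             m[0], m[1], m[2], m[3], m[4], m[5]);
    return 0;
}

int main(void)
{
    /* Constructed sample inputs, not taken from any real request. */
    const char *samples[] = { "AA:bb:0C:1d:2E:3f", "AA:BB:CC:DD:EE:FF;id", "AA-BB-CC-DD-EE-FF" };
    char buf[MAC_STR_LEN + 1];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s -> %s\n", samples[i], canonical_mac(samples[i], buf) == 0 ? buf : "rejected");
    return 0;
}
```

A handler that only ever forwards the rebuilt string, and passes it as a separate argument rather than splicing it into a shell command line, has no path for request bytes to reach a command interpreter.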