D-Link DIR-832X Command Injection Vulnerability Allowing Arbitrary Code Execution

A command injection vulnerability has been identified in the D-Link DIR-832X router, specifically in the firmware version 240802. This vulnerability allows remote, unauthenticated attackers to execute arbitrary commands with root privileges. The issue arises in the function located at offset 0x41DDA8, where user-supplied input from the 'year' field can be injected to execute commands on the system.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the affected device, with the executed commands running as the root user.

Reproduction

To reproduce this vulnerability, log into the router's web interface and navigate to the NTP settings page. The command injection can be triggered by entering a payload in the 'year' field, while ensuring that the 'ntp_zone_val', 'ntp_zone_name', and 'ntp_client' fields are properly set. Once the payload is submitted, the injected command will be executed on the router's operating system.