D-Link DIR-832X Command Injection Vulnerability Allowing Arbitrary Code Execution

A command injection vulnerability has been identified in the D-Link DIR-832X router, specifically in firmware version 240802. This vulnerability allows remote, unauthenticated attackers to execute arbitrary commands with root privileges. The issue arises in the router's web interface, where the 'macaddr' key value can be manipulated to inject commands. The vulnerability was discovered during an analysis of the device's web server functionality.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected device, with root privileges.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/goform/set_prohibiting' endpoint. This request must include a 'macaddr' parameter with a value that injects a command, such as a command to create a file on the device. Before this, a login request must be sent to authenticate the session.