D-Link DIR-832X
cpe:2.3:h:d-link:dir-823:*:*:*:*:*:*:*
- 240802
A command injection vulnerability has been identified in the D-Link DIR-832X router, specifically in the 240802 firmware version. This vulnerability allows remote, unauthenticated attackers to execute arbitrary commands with root privileges. The issue arises in the 'diag_traceroute' function, where the 'target_addr' parameter can be manipulated to inject commands.
Exploitation of this vulnerability allows for arbitrary command execution on the device, with root privileges.
To reproduce this vulnerability, log into the router's web interface and navigate to the 'diag_traceroute' function. Inject a command through the 'target_addr' parameter, ensuring that the input bypasses validation checks. Once the command is executed, a file named 'hack_diag_traceroute.txt' will be created, indicating successful exploitation.
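A hardening sketch for the flaw class described above, added here as an example and not taken from D-Link's firmware or any vendor patch: it allowlists 'target_addr' as an IP literal or RFC 1123 hostname, then passes it to traceroute as a single argv entry with no shell. The function names and the traceroute binary path are assumptions.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <netinet/in.h>
#include <string.h>
#include <unistd.h>

#define TRACEROUTE_BIN "/usr/bin/traceroute" /* assumed path */

/* RFC 1123 hostname: 1-63 char labels of [A-Za-z0-9-], no edge '-'. */
static int is_hostname(const char *s)
{
    size_t len = strlen(s), label = 0;
    if (len == 0 || len > 253)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {
            if (label == 0 || s[i - 1] == '-')
                return 0;
            label = 0;
        } else if ((isalnum(c) || c == '-') && !(c == '-' && label == 0)) {
            if (++label > 63)
                return 0;
        } else {
            return 0; /* shell metacharacter, whitespace, or option-like '-' */
        }
    }
    return label > 0 && s[len - 1] != '-';
}

/* Returns 1 if target_addr is an IPv4/IPv6 literal or a hostname, else 0. */
int target_addr_is_valid(const char *target_addr)
{
    unsigned char buf[sizeof(struct in6_addr)];
    if (target_addr == NULL)
        return 0;
    return inet_pton(AF_INET, target_addr, buf) == 1 ||
           inet_pton(AF_INET6, target_addr, buf) == 1 ||
           is_hostname(target_addr);
}

/* Call in a forked child: one argv entry, no shell. -1 = rejected/failed. */
int exec_traceroute(const char *target_addr)
{
    if (!target_addr_is_valid(target_addr))
        return -1;
    execl(TRACEROUTE_BIN, "traceroute", target_addr, (char *)NULL);
    return -1;
}
```

Rejecting a leading '-' matters even without a shell, because an option-like value would otherwise be parsed by traceroute as a flag.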