D-Link DIR-823G Command Injection Vulnerability

A command injection vulnerability has been identified in the D-Link DIR-823G router, specifically in the firmware version DIR823G_V1.0.2B05_20181207.bin. The issue arises in the timelycheck and sysconf binaries, which handle the /var/system/linux_vlan_reinit file. The vulnerability is due to insufficient validation of the file's content, which is only partially checked for a prefix before being formatted with vsnprintf() and executed via system(). This flaw allows an attacker with write access to the linux_vlan_reinit file to execute arbitrary commands on the device.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected router.

Reproduction

To reproduce this vulnerability, write a malicious configuration into the /var/system/linux_vlan_reinit file. The injected content should include commands separated by semicolons. Once the file is processed by the vulnerable binaries, the commands will be executed on the device, demonstrating the command injection flaw.