Belkin F9K1122 OS Command Injection Vulnerability
Vulnerability
A critical OS command injection vulnerability has been identified in the Belkin F9K1122 router running firmware version 1.00.33. The issue arises in the 'formSetWanStatic' function of the file '/goform/formSetWanStatic', where the user-supplied arguments for IP address, netmask, gateway, and DNS servers are not properly sanitized before being used in OS commands. This vulnerability can be exploited remotely, and a public proof-of-concept exploit is available.
Impact
Exploitation of this vulnerability allows for arbitrary OS command execution on the affected device.
Reproduction
To reproduce this vulnerability, send a crafted request to the '/goform/formSetWanStatic' endpoint, including malicious payloads in the 'm_wan_ipaddr', 'm_wan_netmask', 'm_wan_gateway', 'm_wan_staticdns1', and 'm_wan_staticdns2' fields. The lack of input validation will result in the execution of the injected commands on the router's operating system.
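The input validation whose absence is described above, as an added example (not Belkin's firmware code and not part of the original advisory): a C check that a handler could run on the five fields before any value is used. The function names are hypothetical, and it is an assumption that the second DNS server may be left empty.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Strict dotted-quad parse. inet_pton(AF_INET) accepts only four decimal
 * octets, so shell metacharacters, spaces and trailing text all fail. */
static int parse_ipv4(const char *s, uint32_t *out)
{
    struct in_addr a;
    if (s == NULL || strlen(s) > 15)        /* longest: 255.255.255.255 */
        return 0;
    if (inet_pton(AF_INET, s, &a) != 1)
        return 0;
    *out = ntohl(a.s_addr);
    return 1;
}

/* A netmask is a non-empty run of 1 bits followed only by 0 bits. */
static int is_netmask(uint32_t m)
{
    uint32_t inv = ~m;
    return m != 0 && (inv & (inv + 1)) == 0;
}

/* Hypothetical helper: returns 1 only when all five fields are well formed.
 * Assumption: the second DNS server may be NULL or empty. */
int wan_static_fields_valid(const char *ipaddr, const char *netmask,
                            const char *gateway, const char *dns1,
                            const char *dns2)
{
    uint32_t ip, mask, gw, d1, d2;
    if (!parse_ipv4(ipaddr, &ip) || !parse_ipv4(netmask, &mask) ||
        !parse_ipv4(gateway, &gw) || !parse_ipv4(dns1, &d1))
        return 0;
    if (dns2 != NULL && dns2[0] != '\0' && !parse_ipv4(dns2, &d2))
        return 0;
    /* Mask must be contiguous and the gateway must be on-link. */
    return is_netmask(mask) && (ip & mask) == (gw & mask);
}

int main(void)
{
    /* Constructed sample values (documentation address ranges). */
    printf("%d\n", wan_static_fields_valid("192.0.2.10", "255.255.255.0",
                                           "192.0.2.1", "198.51.100.53", ""));
    printf("%d\n", wan_static_fields_valid("192.0.2.10;x", "255.255.255.0",
                                           "192.0.2.1", "198.51.100.53", ""));
    return 0;
}
```

Validation of this kind is one layer; passing the values to the network tools as separate arguments without a shell removes the injection point itself.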
