Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

D-Link DIR-818LW OS Command Injection Vulnerability

Vulnerability

A critical OS command injection vulnerability has been identified in the D-Link DIR-818LW router, specifically in versions released prior to December 15, 2019. The issue arises in the 'System Time Page' component, where the 'NTP Server' parameter can be manipulated to inject malicious payloads. This vulnerability can be exploited remotely, allowing for the execution of arbitrary commands on the device.

Impact

Exploitation of this vulnerability allows for OS command injection, where an attacker can execute arbitrary commands on the router's operating system. This could potentially lead to unauthorized access or control over the device.

Reproduction

To reproduce this vulnerability, access the D-Link DIR-818LW router's web interface and navigate to the 'Management' section, then select 'System Time'. In the 'NTP Server' field, inject a payload designed to exploit the command injection vulnerability. Once the payload is executed, it can be used to run arbitrary commands on the router, such as downloading a script to the device and executing it, thereby achieving a reverse shell.
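The defensive counterpart to the injection described above, as an added example that is not D-Link's code or part of the original advisory: an allow-list check for the 'NTP Server' value, plus argument-vector construction so the value never reaches a shell. The helper path `/usr/sbin/ntp-sync-helper` and the function names are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper path; the firmware's real NTP client is not named on the page. */
#define NTP_HELPER "/usr/sbin/ntp-sync-helper"

/* Letters and digits only, locale-independent (isalnum() varies with locale). */
static int is_alnum_ascii(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');
}

/* Allow-list check: 1 if s is a hostname or IPv4 literal in RFC 1123 form
 * (dot-separated labels of 1-63 chars from [A-Za-z0-9-], no label starting or
 * ending with '-', total length <= 253), else 0. Spaces, quotes, ';', '|',
 * '$', backticks, newlines and a leading '-' all fail because they are not
 * on the list, so nothing has to be escaped afterwards. */
int ntp_server_is_valid(const char *s)
{
    size_t len, i, label = 0;

    if (s == NULL || (len = strlen(s)) == 0 || len > 253)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {
            if (label == 0 || s[i - 1] == '-')
                return 0;               /* empty label or label ending in '-' */
            label = 0;
        } else if (is_alnum_ascii(c) || (c == '-' && label > 0)) {
            if (++label > 63)
                return 0;
        } else {
            return 0;                   /* any character off the allow-list */
        }
    }
    return label > 0 && s[len - 1] != '-';
}

/* Fills argv for execv(): the server is one argument and is never parsed by a
 * shell. Returns 0 on success, -1 if the value is rejected (argv untouched). */
int ntp_build_argv(const char *server, const char *argv[3])
{
    if (!ntp_server_is_valid(server))
        return -1;
    argv[0] = NTP_HELPER;
    argv[1] = server;
    argv[2] = NULL;
    return 0;
}
```

The check rejects IPv6 literals and trailing-dot names as written; a device that needs them would extend the allow-list rather than fall back to escaping.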

Added: Jul 14, 2025, 12:17 AM
Updated: Jul 14, 2025, 12:17 AM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 10.0
exploitability: 6.6
remediation: 0.0
relevance: 0.3
threat: 8.0
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.