D-Link DIR-823X Command Injection Vulnerability in Wi-Fi Dog Settings

A command injection vulnerability has been identified in the D-Link DIR-823X router running firmware version 250416. The issue arises in the function 'sub_412E7C' within the file '/goform/set_wifidog_settings'. By manipulating the 'wd_enable' argument, an attacker can execute arbitrary commands on the device. This vulnerability can be exploited remotely without authentication, potentially leading to unauthorized access to the device's shell.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected router, with the possibility of gaining shell access.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/goform/set_wifidog_settings' endpoint. The 'wd_enable' parameter must be included in the request, containing a crafted command that exploits the injection flaw. Once the request is sent, the injected command will be executed on the router's operating system.