D-Link DIR-823X OS Command Injection Vulnerability in Web Management Interface

A command injection vulnerability has been identified in the D-Link DIR-823X router, specifically in the 250416 version. The issue arises in the web management interface at the '/goform/set_ac_server' endpoint, where improper validation of the 'ac_server' parameter allows authenticated attackers to execute arbitrary operating system commands with root privileges. The vulnerability can be exploited remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability allows for unauthorized command execution on the router's operating system, with root privileges.

Reproduction

To reproduce this vulnerability, an authenticated user must send a request to the '/goform/set_ac_server' endpoint with a crafted 'ac_server' parameter that includes a newline character. This bypasses the input validation and injects commands to be executed by the system.

Remediation

It is recommended to expand the input validation to include newline characters and other special characters that could be used to manipulate command execution. Additionally, replace direct system calls with safer, parameterized execution methods.