D-Link DIR-823X
cpe:2.3:h:dlink:dir-823x:*:*:*:*:*:*:*
- 250416
A command injection vulnerability has been identified in the D-Link DIR-823X router, specifically in the 250416 firmware version. The issue arises in the '/goform/set_password' endpoint, where the 'http_passwd' parameter is not properly sanitized. This flaw allows authenticated attackers who know the current admin password to inject arbitrary shell commands. These commands are executed with root privileges when the UCI configuration is saved and processed by the system shell.
Exploitation of this vulnerability allows for arbitrary command execution on the affected router, with commands being executed as the root user.
To reproduce this vulnerability, an authenticated user sends a POST request to the '/goform/set_password' endpoint. The 'http_passwd' parameter is crafted to carry a shell command, taking advantage of the fact that the input sanitization does not filter newline characters. The 'old_passwd' parameter must be set to the current admin password so that the request passes the authentication check. Once the request is processed, the injected command is executed with root privileges on the router.
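A detection-side check for the request pattern described above, as an added example that is not part of the original advisory or of D-Link's code: it flags POSTs to '/goform/set_password' whose 'http_passwd' value decodes to contain newline or other control characters. It assumes the admin-interface traffic is visible in cleartext to a proxy or sensor; the function names and the sample requests are constructed for illustration.

```python
from urllib.parse import parse_qsl, urlsplit

ENDPOINT = "/goform/set_password"  # endpoint named in the advisory
FIELD = "http_passwd"              # parameter named in the advisory


def control_chars(value: str) -> list[str]:
    """Return the distinct control characters (LF, CR, NUL, DEL, ...) in value."""
    return sorted({repr(c) for c in value if ord(c) < 0x20 or ord(c) == 0x7F})


def inspect_request(method: str, target: str, body: str) -> list[str]:
    """Return findings for one HTTP request; an empty list means nothing flagged."""
    if method.upper() != "POST" or urlsplit(target).path.rstrip("/") != ENDPOINT:
        return []
    findings = []
    # parse_qsl percent-decodes, so %0a / %0d and raw bytes are treated alike.
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name == FIELD:
            bad = control_chars(value)
            if bad:
                findings.append(
                    f"{FIELD} contains control characters: {', '.join(bad)}"
                )
    return findings


# Constructed sample requests (method, request target, form body).
SAMPLES = [
    ("POST", "/goform/set_password", "old_passwd=PLACEHOLDER&http_passwd=NewPassw0rd"),
    ("POST", "/goform/set_password", "old_passwd=PLACEHOLDER&http_passwd=NewPassw0rd%0Asecond-line"),
    ("GET", "/index.html", ""),
]


def flagged(samples) -> list[int]:
    """Return the indexes of the samples that produced at least one finding."""
    return [i for i, s in enumerate(samples) if inspect_request(*s)]


if __name__ == "__main__":
    for i in flagged(SAMPLES):
        print(i, inspect_request(*SAMPLES[i]))
```

The same rule, rejecting any control character in the password value, is also the input check the handler would need before the value reaches the UCI configuration.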