D-Link DIR-823X OS Command Injection Vulnerability

Vulnerability

A command injection vulnerability has been identified in the D-Link DIR-823X router, specifically in the 250416 version. This vulnerability resides in the '/goform/set_server_settings' endpoint, within the Configuration Parameter Handler component. The issue arises from inadequate input sanitization, which fails to properly filter newline characters. As a result, an authenticated attacker can inject arbitrary operating system commands through the 'terminal_addr', 'server_ip', or 'server_port' parameters. Once the injected command is processed, it is executed with root privileges via the system shell.

Impact

Exploitation of this vulnerability allows for unauthorized command execution on the affected device, with the executed commands running as the root user.

Reproduction

To reproduce this vulnerability, an authenticated user sends a POST request to the '/goform/set_server_settings' endpoint with a payload that includes a newline character in one of the vulnerable parameters. Because the value is not filtered before reaching the system shell, the injected content is executed as an operating system command on the device with root privileges.
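The root cause described above is a missing check on parameter content before the value reaches the shell. The following C code is an added illustration, not D-Link's firmware and not a vendor fix: it shows the allowlist validation that a handler for 'terminal_addr', 'server_ip' and 'server_port' would apply before using the values, and why an allowlist is preferable to a metacharacter blocklist (a blocklist that omits '\n' is exactly the failure the advisory reports). Function names, the length bounds and the sample inputs are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
/* Added example (not D-Link code): allowlist validation for the three
 * parameters named in the advisory. Names and limits are assumptions. */
#include <arpa/inet.h>
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_HOST_LEN 253   /* DNS name length limit (assumed bound) */

/* Allowlisted characters for a host name or IP literal: [A-Za-z0-9.-].
 * Everything else, including '\n', '\r', ';', '|', '&', '`', '$', space and
 * quotes, is rejected. An allowlist cannot "forget" a separator the way a
 * metacharacter blocklist that omits '\n' does. */
static bool is_host_char(unsigned char c)
{
    return isalnum(c) || c == '.' || c == '-';
}

/* terminal_addr: a host name or IP literal. */
bool valid_terminal_addr(const char *s)
{
    if (s == NULL) return false;
    size_t n = strlen(s);
    if (n == 0 || n > MAX_HOST_LEN) return false;
    /* A leading '-' would read as an option if the value is later handed to
     * a tool as an argv element, so reject it as well. */
    if (s[0] == '-') return false;
    for (size_t i = 0; i < n; i++)
        if (!is_host_char((unsigned char)s[i])) return false;
    return true;
}

/* server_ip: a strict dotted-quad IPv4 literal. inet_pton() rejects
 * trailing characters, so "192.0.2.10\n" fails here. */
bool valid_server_ip(const char *s)
{
    struct in_addr a;
    if (s == NULL || strlen(s) > 15) return false;
    return inet_pton(AF_INET, s, &a) == 1;
}

/* server_port: decimal 1..65535 and nothing else. strtol() would skip
 * leading whitespace and accept a sign, so the first character is checked
 * directly, and the whole string must be consumed. */
bool valid_server_port(const char *s, unsigned *out)
{
    if (s == NULL || !isdigit((unsigned char)s[0])) return false;
    if (strlen(s) > 5) return false;   /* "65535" is the longest valid value */
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || v < 1 || v > 65535) return false;
    if (out) *out = (unsigned)v;
    return true;
}

/* Validate the request as a whole. Returns 0 when all three values are
 * acceptable, otherwise 1, 2 or 3 naming the first offending parameter. */
int check_server_settings(const char *terminal_addr, const char *server_ip,
                          const char *server_port)
{
    if (!valid_terminal_addr(terminal_addr)) return 1;
    if (!valid_server_ip(server_ip)) return 2;
    if (!valid_server_port(server_port, NULL)) return 3;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs: one well-formed request and one with a
     * newline embedded in each parameter in turn. */
    const char *cases[][3] = {
        { "acs.example.net",    "192.0.2.10",    "8080"    },
        { "acs.example.net\nx", "192.0.2.10",    "8080"    },
        { "acs.example.net",    "192.0.2.10\nx", "8080"    },
        { "acs.example.net",    "192.0.2.10",    "8080\nx" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int rc = check_server_settings(cases[i][0], cases[i][1], cases[i][2]);
        printf("case %zu: %s\n", i, rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

Validation alone is the first layer; the structural fix is to pass the validated values to the target program as separate argv elements (execve and friends) rather than interpolating them into a string handed to system(), so that no shell parses the user-controlled text at all.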

Remediation

No specific mitigation measures are known for this vulnerability.

Added: Feb 8, 2026, 1:18 AM
Updated: Feb 8, 2026, 1:18 AM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 7.5
exploitability: 6.2
remediation: 0.0
relevance: 2.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.