D-Link DIR-823X OS Command Injection Vulnerability

A command injection vulnerability has been identified in the D-Link DIR-823X router, specifically in the 250416 firmware version. The issue arises in the '/goform/set_ac_status' endpoint, where the 'ac_ipaddr', 'ac_ipstatus', and 'ap_randtime' parameters are not properly sanitized. This allows authenticated attackers to inject arbitrary operating system commands, which are executed with root privileges when the configuration is saved and the relevant service is restarted.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the router with root privileges.

Reproduction

To reproduce this vulnerability, an authenticated user can send a POST request to the '/goform/set_ac_status' endpoint with a payload that includes a newline character in the 'ac_ipaddr', 'ac_ipstatus', or 'ap_randtime' parameters. The injected command can be crafted to execute any desired operation on the router's operating system.