D-Link DIR-823X OS Command Injection Vulnerability

A command injection vulnerability has been identified in the D-Link DIR-823X router, specifically in the 250416 firmware version. The issue arises in the '/goform/set_qos' endpoint, within the 'sub_420688' function. This vulnerability allows authenticated attackers to inject arbitrary operating system commands by exploiting inadequate input validation of newline characters in QoS-related parameters. The injected commands are executed with root privileges, potentially leading to unauthorized access or control over the device.

Impact

Exploitation of this vulnerability allows for remote command execution on the affected device, with the injected commands being executed as the root user.

Reproduction

To reproduce this vulnerability, an authenticated user can send a POST request to the '/goform/set_qos' endpoint with a payload that includes a newline character injection in one of the QoS parameters. The 'qqos_max_download' parameter is commonly used for this injection. Once the payload is sent, the injected command will be executed on the router's operating system.