D-Link DIR-823X
cpe:2.3:h:dlink:dir-823x:*:*:*:*:*:*:*
- 250416
A remote command injection vulnerability has been identified in the D-Link DIR-823X router, specifically in version 250416. The issue is in the DDNS (Dynamic DNS) service component, within the file '/goform/set_ddns'. Authenticated attackers can inject arbitrary operating system commands through several parameters, including ddnsType, ddnsDomainName, ddnsUserName, and ddnsPwd. The input sanitization does not remove newline characters, so injected commands reach the system shell and are executed with root privileges.
Exploitation of this vulnerability allows for arbitrary command execution on the affected device, with commands being executed as the root user.
To reproduce this vulnerability, an authenticated user can send a POST request to the '/goform/set_ddns' endpoint with a payload that includes a newline character in one of the vulnerable parameters (ddnsType, ddnsDomainName, ddnsUserName, or ddnsPwd). The injected command will be executed when the DDNS service is restarted, using the 'sub_412E7C' function to trigger the command execution.
No specific remediation is known for this vulnerability.
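With no fix listed, requests to the affected endpoint can still be screened at a proxy or in captured traffic. The following is an added example, not code from the advisory or from D-Link: it flags the four named parameters when their decoded value contains a control character such as a newline. It assumes a form-urlencoded POST body and treats double percent-encoding as suspicious; the function names and sample bodies are constructed for illustration.

```python
from urllib.parse import parse_qsl, unquote

# Parameters the advisory names as injectable on /goform/set_ddns.
DDNS_PARAMS = ("ddnsType", "ddnsDomainName", "ddnsUserName", "ddnsPwd")
ENDPOINT = "/goform/set_ddns"
MAX_DECODE_ROUNDS = 3  # assumption: also catch nested encodings such as %250a


def has_control_chars(value: str) -> bool:
    """True if value holds CR, LF or any other ASCII control character."""
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value)


def suspicious_ddns_params(path: str, body: str) -> list[str]:
    """Return the advisory's parameters whose decoded value has control chars."""
    if path.split("?", 1)[0].rstrip("/") != ENDPOINT:
        return []
    flagged = []
    # parse_qsl percent-decodes once; blank values are kept so no field is skipped.
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name not in DDNS_PARAMS or name in flagged:
            continue
        for _ in range(MAX_DECODE_ROUNDS):
            if has_control_chars(value):
                flagged.append(name)
                break
            decoded = unquote(value)
            if decoded == value:  # nothing left to decode, value is clean
                break
            value = decoded
    return flagged


# Constructed sample bodies (not captured traffic); PLACEHOLDER stands in
# for whatever would follow the newline.
SAMPLES = [
    "ddnsType=1&ddnsDomainName=host.example&ddnsUserName=u&ddnsPwd=p",
    "ddnsType=1&ddnsDomainName=host.example%0aPLACEHOLDER&ddnsUserName=u&ddnsPwd=p",
    "ddnsType=1&ddnsDomainName=host.example&ddnsUserName=u&ddnsPwd=p%250d%250aPLACEHOLDER",
]

if __name__ == "__main__":
    for body in SAMPLES:
        hits = suspicious_ddns_params(ENDPOINT, body)
        print("ALERT" if hits else "ok   ", hits)
```
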