D-Link DIR-823X OS Command Injection Vulnerability

A command injection vulnerability has been identified in the D-Link DIR-823X router, specifically in the 250416 version. The issue arises in the Configuration Handler component, within the function sub_4208A0 of the file /goform/set_dmz. This vulnerability allows authenticated attackers to execute arbitrary operating system commands with root privileges. The flaw is exploited by manipulating the dmz_host or dmz_enable parameters, taking advantage of inadequate input validation that fails to properly filter newline characters. As a result, attackers can truncate the original UCI configuration command and inject their own commands, which are then executed with elevated privileges.

Impact

Exploitation of this vulnerability allows for unauthorized command execution on the affected device, with root privileges.

Reproduction

To reproduce this vulnerability, an authenticated user can send a POST request to the /goform/set_dmz endpoint with a crafted payload in the dmz_host or dmz_enable parameters. The payload should include a newline character to disrupt the command processing and append an arbitrary command. Once the payload is sent, the injected command will be executed with root privileges.