D-Link DIR-823X OS Command Injection Vulnerability

A command injection vulnerability has been identified in the D-Link DIR-823X router, specifically in the 250416 firmware version. The issue arises in the function sub_4175CC within the file /goform/set_static_route_table. This vulnerability allows authenticated attackers to inject arbitrary operating system commands by manipulating the newline character in several parameters, including interface, destip, netmask, gateway, and metric. The injected commands are executed with root privileges, posing a significant security risk.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the router's operating system, with the injected commands executed as the root user.

Reproduction

To reproduce this vulnerability, an authenticated user can send a POST request to the /goform/set_static_route_table endpoint with a payload that includes a newline character in the gateway parameter. This newline injection bypasses input validation and command sanitization, allowing the attacker to execute arbitrary commands on the device.