D-Link DIR-823X Command Injection Vulnerability in UPnP Settings

A command injection vulnerability has been identified in the D-Link DIR-823X router, specifically in the 250416 firmware version. The issue arises in the '/goform/set_upnp' endpoint, within the 'sub_420618' function. This vulnerability allows authenticated attackers to inject arbitrary operating system commands by manipulating the 'upnp_enable' parameter. The injection is possible because the application fails to properly sanitize newline characters, enabling attackers to terminate the intended command and execute malicious instructions with root privileges.

Impact

Exploitation of this vulnerability allows for unauthorized command execution on the affected device, with the injected commands being executed as the root user.

Reproduction

To reproduce this vulnerability, an authenticated user must send a POST request to the '/goform/set_upnp' endpoint with a payload that includes a newline character. The injected command can be any valid shell command, which will be executed with root privileges on the router.