D-Link DIR-823X Vulnerability Overview

Vulnerability Title
D-Link DIR-823X Post-Authentication Command Injection via set_server_settings Endpoint

Affected Versions
D-Link DIR-823X (firmware version 250416)

Vulnerability Description
The D-Link DIR-823X router is vulnerable to a remote command injection flaw via the set_server_settings endpoint. The issue stems from an incomplete sanitization routine that fails to filter newline characters (\n, 0x0A). An authenticated attacker can inject arbitrary shell commands through parameters such as , , or .

Vulnerability Classification
Remote command injection via server configuration parameter processing. The vulnerability exploits the lack of filtering for 0x0A (newline) characters, allowing execution of arbitrary shell commands with root privileges.

Vulnerability Details
1. Parameter Extraction (Source): The vulnerability resides in the function, which retrieves user input for the server settings.
2. Ineffective Sanitization (Bypass): Input is filtered using a blacklist (checking for characters such as , , ), but the check does not validate or block 0x0A newline characters. An attacker can construct strings containing newlines to bypass the sanitization and inject commands.
3. Command Injection and Execution (Sink): The unsanitized data is passed to the subsystem, which builds system commands and hands them to the UCI configuration system; the embedded 0x0A newline characters terminate the intended command and introduce additional ones, which are then executed.

Vulnerability Demonstration (PoC)
The Python PoC requires explicit additional parameters and a suitable runtime environment to confirm the vulnerability.
Run:

Recommended Fixes
1. Strict whitelisting: Apply strict whitelisting to the affected parameters, allowing only valid IP address formats (digits and dots).
2. Sanitize control characters: Explicitly reject any control characters, especially 0x0A (LF) and 0x0D (CR).
3. Use parameterized APIs: Replace direct shell command execution with native APIs or configuration management tools to avoid shell injection risks.
4. Secure shell scripting: If shell scripts are used, ensure inputs are properly escaped and enclosed in double quotes to prevent dangerous behavior.
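As an added illustration of fixes 1 and 2 (example code, not D-Link's firmware or the advisory's PoC): a constructed blacklist check of the kind the advisory describes, placed beside a whitelist IPv4 validator and a control-character check. The blacklisted character set is an assumption, since the advisory's own list is not preserved in this copy.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Constructed stand-in for the kind of blacklist filter the advisory
   describes: a handful of shell metacharacters are rejected, but 0x0A
   is not in the list, so a value containing a newline passes. */
static bool blacklist_ok(const char *s) {
    return strpbrk(s, ";|&`$") == NULL;  /* assumed character set */
}

/* Fix 2: reject every ASCII control character (0x00-0x1F, 0x7F),
   which covers LF (0x0A) and CR (0x0D) for fields that are not IPs. */
static bool has_control_chars(const char *s) {
    for (; *s; s++)
        if ((unsigned char)*s < 0x20 || (unsigned char)*s == 0x7f)
            return true;
    return false;
}

/* Fix 1: whitelist a dotted-quad IPv4 literal (digits and dots only,
   four octets, each 0-255). Anything else, including a trailing
   newline followed by a command, fails the check. */
static bool is_ipv4_literal(const char *s) {
    int octets = 0;
    while (*s) {
        if (!isdigit((unsigned char)*s)) return false;
        int value = 0, digits = 0;
        while (isdigit((unsigned char)*s)) {
            value = value * 10 + (*s - '0');
            if (++digits > 3 || value > 255) return false;
            s++;
        }
        octets++;
        if (*s == '.') {
            if (*++s == '\0') return false;  /* no trailing dot */
        } else if (*s != '\0') {
            return false;  /* newline, space, or any other junk */
        }
    }
    return octets == 4;
}
```

The first assertion below shows the weak check accepting a newline-bearing value that the whitelist rejects.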