An issue found in D-Link DSL-3782 v.1.03 allows remote authenticated users to execute arbitrary code as root via OS command injection in multiple setting pages.

Settings known to be affected by this issues are:

• Subnet mask fields in network configuration
• Remote log server IP field in logging configuration
• Every field in port forwarding configuration
• Every field in static routes configuration

The input provided by the user is insufficiently sanitized by the server, so bypassing the client-checks it is possible to inject arbitrary strings directly into .sh scripts. Depending on the affected field, the maximum payload length allowed will be different. Generally speaking, it is possible to inject between 15 and 50 characters.

To exploit CVE-2023-27216 an attacker with remote access to the web interface of the D-Link DSL-3782 needs to inject a malicious payload into one of the affected fields. An example of working payload is: ; ping example.org #.

I contacted D-Link two times regarding this issue and received no response. The issue has been disclosed 60 days after the first contact with the vendor.

Disclosure timeline

• 11/02/2023 - First contact with vendor
• 23/02/2023 - CVE ID request
• 21/03/2023 - CVE ID reserved
• 21/03/2023 - Second contact with vendor
• 11/04/2023 - Public disclosure