إرسال #831856: Tomato Tomato Firmware Shibby-modified Tomato Firmware (MIPS32 LE). Verified on extracted image labeled d2e251333c486810d9bbce816021bcf1b93dd392 (inter OS Command Injectionالمعلومات

عنوان	Tomato Tomato Firmware Shibby-modified Tomato Firmware (MIPS32 LE). Verified on extracted image labeled d2e251333c486810d9bbce816021bcf1b93dd392 (inter OS Command Injection
الوصف	Authenticated web administrator can achieve root command execution via NVRAM key dhcpc_custom in /sbin/rc function start_dhcpc (0x41CA20). User input is copied without sanitization, embedded in snprintf, and executed as root via _xstart("/bin/sh", "-c", dest) at 0x41CDC0 when DHCP client starts (WAN connect, DHCP renew, exec_service). CWE-78 (primary), CWE-121 (stack overflow in same function). CVSS 3.1: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H = 7.2 HIGH. Dynamic PoC: QEMU MIPS user-mode + firmware rootfs + LD_PRELOAD NVRAM shim; strace shows execve("/bin/sh", "-c", "...;touch /tmp/pwned_dhcpc;#") and proof file created. Advisory: https://gitee.com/你的用户名/tomato-rc-nvram-cve/blob/master/advisories/en/01-start_dhcpc.md Fix: use execve with argv for udhcpc (no shell); whitelist dhcpc_custom; bounded string copies.
المصدر	⚠️ https://gitee.com/WH-YHUST/tomato-rc-nvram-cve/blob/master/gitee-cve-disclosure/advisories/en/01-start_dhcpc.md
المستخدم	WH-YHUST (UID 98329)
ارسال	17/05/2026 09:15 AM (19 أيام منذ)
الاعتدال	04/06/2026 05:32 PM (18 days later)
الحالة	تمت الموافقة
إدخال VulDB	368360 [Shibby Tomato 1.28.0000 Web UI /sbin/rc start_dhcpc تجاوز الصلاحيات]
النقاط	20

Do you want to use VulDB in your project?

Use the official API to access entries easily!