| عنوان | Tomato Tomato Firmware Shibby Tomato MIPS32; image d2e251333c48...; /sbin/rc MD5 a48002cdf3cda9452a5b9712edd179d2 OS Command Injection |
|---|
| الوصف | Authenticated web admin can execute arbitrary commands as root via NVRAM ipv6_6rd_borderrelay (or wan_6rd 4th field) in /sbin/rc start_6rd_tunnel (0x41b7f8). Value is passed to sprintf("ping -q -c 2 %s | grep packet", ...) then popen() at 0x41ba14 (/bin/sh -c). Requires IPv6 6rd or 6rd-pd enabled.
CWE-78. CVSS 3.1: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H = 7.2 HIGH.
Dynamic PoC: borderrelay=x.x.x.x;touch /tmp/pwned_6rd;# — /tmp/pwned_6rd created.
Advisory: https://gitee.com/你的用户名/tomato-rc-nvram-cve/blob/master/advisories/en/02-start_6rd_tunnel.md
Fix: execve ping with argv; validate IPv4 before execution. |
|---|
| المصدر | ⚠️ https://gitee.com/WH-YHUST/tomato-rc-nvram-cve/blob/master/gitee-cve-disclosure/advisories/en/02-start_6rd_tunnel.md |
|---|
| المستخدم | WH-YHUST (UID 98329) |
|---|
| ارسال | 17/05/2026 09:19 AM (20 أيام منذ) |
|---|
| الاعتدال | 04/06/2026 05:32 PM (18 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 368361 [Shibby Tomato 1.28.0000 Web UI /sbin/rc start_6rd_tunnel ipv6_6rd_borderrelay تجاوز الصلاحيات] |
|---|
| النقاط | 20 |
|---|