إرسال #855117: Tomato by Shibby Tomato Firmware Tomato v1.28.0000 -120 K26ARM USB AIO-64K OS Command Injectionالمعلومات

عنوانTomato by Shibby Tomato Firmware Tomato v1.28.0000 -120 K26ARM USB AIO-64K OS Command Injection
الوصفThe CIFS mount handler (sub_2D048, invoked as mount-cifs -m) in sbin/rc reads the NVRAM key cifs1 (or cifs2), parses it using < as the field delimiter via vstrsep(), and passes the 6th field (the exec command) directly to system() after a successful CIFS mount. No sanitization, filtering, or escaping is applied to any field. // sub_2D048 at 0x2D0D8 - 0x2D310 vstrsep(s, "<", &enable, &unc, &user, &pass, &domain, &command, &servername, &security); // ... after CIFS mount succeeds: if (*command) { chdir(mount_point); system(command); // 0x2D310 — direct execution of field 6 } The NVRAM value format is: enable<unc<user<pass<domain<EXEC_CMD<servername<security An attacker who can modify the cifs1 or cifs2 NVRAM key can inject arbitrary shell commands in the 6th field position that execute as root when the CIFS share is mounted.
المصدر⚠️ https://gitee.com/Fengyi-Wang/CVE/issues/IJTQ5P
المستخدم
 Anonymous User
ارسال10/06/2026 03:58 PM (1 شهر منذ)
الاعتدال12/07/2026 11:01 PM (1 month later)
الحالةتمت الموافقة
إدخال VulDB377897 [Shibby Tomato حتى 1.28.0000 CIFS Mount sub_2D048 cifs1/cifs2 تجاوز الصلاحيات]
النقاط20

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!