| Titel | Tomato Tomato Firmware Shibby Tomato MIPS32; image d2e251333c48...; /sbin/rc MD5 a48002cdf3cda9452a5b9712edd179d2 OS Command Injection |
|---|
| Beschreibung | Authenticated web admin can execute arbitrary commands as root via NVRAM ipv6_6rd_borderrelay (or wan_6rd 4th field) in /sbin/rc start_6rd_tunnel (0x41b7f8). Value is passed to sprintf("ping -q -c 2 %s | grep packet", ...) then popen() at 0x41ba14 (/bin/sh -c). Requires IPv6 6rd or 6rd-pd enabled.
CWE-78. CVSS 3.1: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H = 7.2 HIGH.
Dynamic PoC: borderrelay=x.x.x.x;touch /tmp/pwned_6rd;# — /tmp/pwned_6rd created.
Advisory: https://gitee.com/你的用户名/tomato-rc-nvram-cve/blob/master/advisories/en/02-start_6rd_tunnel.md
Fix: execve ping with argv; validate IPv4 before execution. |
|---|
| Quelle | ⚠️ https://gitee.com/WH-YHUST/tomato-rc-nvram-cve/blob/master/gitee-cve-disclosure/advisories/en/02-start_6rd_tunnel.md |
|---|
| Benutzer | WH-YHUST (UID 98329) |
|---|
| Einreichung | 17.05.2026 09:19 (vor 21 Tagen) |
|---|
| Moderieren | 04.06.2026 17:32 (18 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 368361 [Shibby Tomato 1.28.0000 Web UI /sbin/rc start_6rd_tunnel ipv6_6rd_borderrelay erweiterte Rechte] |
|---|
| Punkte | 20 |
|---|