| Titre | Tomato by Shibby Tomato Firmware 1.28 Stack-based Buffer Overflow |
|---|
| Description | tomatoups.cgi queries a UPS service over TCP port 3551 and parses text protocol fields through sub_9068(host, field, buf, len).
Inside sub_9068, two unsafe write paths exist:
0x914c: sscanf("%*s %*s %s", a3) with no width limit for the destination buffer
0x90ec: byte-by-byte copy until '\n' without enforcing the caller-supplied length limit
The verified runtime path in this case is the upstemp handler:
0x97f8: sub_9068(a1, "upstemp", v2, 0x40)
Here, v2 is a 64-byte stack buffer local to sub_97E0. When the attacker-controlled UPS response provides an ITEMP value of 64 bytes, the %s conversion fills the entire local buffer with attacker data and then writes the terminating NUL byte as the 65th byte, immediately corrupting saved stack data placed after the buffer.
This is not just a theoretical condition. The path has been dynamically verified under QEMU with GDB, including:
the exact sub_97E0(..., 0x40) call site
attacker-controlled ITEMP input entering the %s sink
the byte directly past the 64-byte buffer changing on the stack
a subsequent target-side SIGSEGV |
|---|
| La source | ⚠️ https://gitee.com/Fengyi-Wang/CVE/issues/IJK7BD |
|---|
| Utilisateur | Cormac315 (UID 97273) |
|---|
| Soumission | 02/05/2026 16:13 (il y a 1 mois) |
|---|
| Modérer | 29/05/2026 10:32 (27 days later) |
|---|
| Statut | Accepté |
|---|
| Entrée VulDB | 367152 [Shibby Tomato jusqu’à 1.28 UPS Service tomatoups.cgi sub_9068 buffer overflow] |
|---|
| Points | 20 |
|---|