Soumettre #855125: Tomato by Shibby Tomato Firmware Tomato PL ND 1.28 beta Stack-based Buffer Overflowinformation

TitreTomato by Shibby Tomato Firmware Tomato PL ND 1.28 beta Stack-based Buffer Overflow
Descriptionsub_42537C builds a cru a ... scheduler command in a fixed 64-byte stack buffer. The scheduler name argument a1 is inserted into the formatted string twice and is then executed through system(). char cmd[64]; cfg = nvram_get(a1); sscanf(cfg, "%d,%d,%d", &enabled, &time, &days); sprintf(cmd, "cru a %s \"%d %d * * %s sched %s\"", a1, minute, hour, days, a1); system(cmd); Two alternate scheduling formats use the same pattern and also place a1 into cmd twice. If a1 is sufficiently long, the formatted command can overflow the 64-byte stack buffer and overwrite saved registers, including the saved return address in the demonstrated layout.
La source⚠️ https://gitee.com/Fengyi-Wang/CVE/issues/IJTQ5U
Utilisateur
 Cormac315 (UID 97273)
Soumission10/06/2026 16:24 (il y a 1 mois)
Modérer17/07/2026 16:14 (1 month later)
StatutAccepté
Entrée VulDB379801 [Shibby Tomato 1.28 Scheduler Name sub_42537C a1 buffer overflow]
Points20

Want to know what is going to be exploited?

We predict KEV entries!