Submit #818145: Tomato by Shibby Tomato Firmware 1.28 Stack-based Buffer Overflow

Title: Tomato by Shibby Tomato Firmware 1.28 Stack-based Buffer Overflow
Description: tomatoups.cgi queries a UPS service over TCP port 3551 and parses text protocol fields through sub_9068(host, field, buf, len).

Inside sub_9068, two unsafe write paths exist:

- 0x914c: sscanf("%*s %*s %s", a3) with no width limit for the destination buffer
- 0x90ec: byte-by-byte copy until '\n' without enforcing the caller-supplied length limit

The verified runtime path in this case is the upstemp handler:

0x97f8: sub_9068(a1, "upstemp", v2, 0x40)

Here, v2 is a 64-byte stack buffer local to sub_97E0. When the attacker-controlled UPS response provides an ITEMP value of 64 bytes, the %s conversion fills the entire local buffer with attacker data and then writes the terminating NUL byte as the 65th byte, immediately corrupting saved stack data placed after the buffer.

This is not just a theoretical condition. The path has been dynamically verified under QEMU with GDB, including:

- the exact sub_97E0(..., 0x40) call site
- attacker-controlled ITEMP input entering the %s sink
- the byte directly past the 64-byte buffer changing on the stack
- a subsequent target-side SIGSEGV
Source: https://gitee.com/Fengyi-Wang/CVE/issues/IJK7BD
User: Cormac315 (UID 97273)
Submission: 02/05/2026 04:13 PM (1 month ago)
Moderation: 29/05/2026 10:32 AM (27 days later)
Status: Accepted
VulDB entry: 367152 [Shibby Tomato up to 1.28 UPS Service tomatoups.cgi sub_9068 buffer overflow]
Points: 20
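
The two write paths named in the description, shown in bounded form as an added example (not code from the firmware or from the submission). The function names, return codes and the sample status line are assumptions made for illustration; oversized values are rejected rather than truncated.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_BUF_LEN 0x40          /* caller buffer size given in the description */
#define WS " \t\r\n"

/* Store n bytes plus NUL only if they fit; reject instead of truncating. */
static int store_bounded(const char *p, size_t n, char *out, size_t outlen)
{
    if (n == 0) return -1;           /* empty value */
    if (n >= outlen) return -2;      /* value + NUL would exceed the buffer */
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* Bounded equivalent of sscanf(line, "%*s %*s %s", out): the third token. */
int parse_third_token(const char *line, char *out, size_t outlen)
{
    const char *p = line;
    if (!line || !out || outlen == 0) return -1;
    out[0] = '\0';
    for (int i = 0; i < 2; i++) {    /* skip two whitespace-delimited tokens */
        p += strspn(p, WS);
        if (*p == '\0') return -1;
        p += strcspn(p, WS);
    }
    p += strspn(p, WS);
    return store_bounded(p, strcspn(p, WS), out, outlen);
}

/* Bounded form of the copy-until-newline path: honours outlen. */
int copy_line_bounded(const char *src, char *out, size_t outlen)
{
    if (!src || !out || outlen == 0) return -1;
    out[0] = '\0';
    return store_bounded(src, strcspn(src, "\n"), out, outlen);
}

int main(void)
{
    char buf[FIELD_BUF_LEN];
    /* Constructed sample line, not captured from a real device. */
    int rc = parse_third_token("ITEMP : 29.2 C", buf, sizeof buf);
    printf("rc=%d value=%s\n", rc, buf);
    return 0;
}
```

A 63-byte value is the largest that fits a 0x40 buffer; the 64-byte case from the description returns -2 and leaves the buffer empty.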
