| タイトル | Tomato by Shibby Tomato Firmware 1.28 Stack-based Buffer Overflow |
|---|
| 説明 | tomatoups.cgi queries a UPS service over TCP port 3551 and parses text protocol fields through sub_9068(host, field, buf, len).
Inside sub_9068, two unsafe write paths exist:
0x914c: sscanf("%*s %*s %s", a3) with no width limit for the destination buffer
0x90ec: byte-by-byte copy until '\n' without enforcing the caller-supplied length limit
The verified runtime path in this case is the upstemp handler:
0x97f8: sub_9068(a1, "upstemp", v2, 0x40)
Here, v2 is a 64-byte stack buffer local to sub_97E0. When the attacker-controlled UPS response provides an ITEMP value of 64 bytes, the %s conversion fills the entire local buffer with attacker data and then writes the terminating NUL byte as the 65th byte, immediately corrupting saved stack data placed after the buffer.
This is not just a theoretical condition. The path has been dynamically verified under QEMU with GDB, including:
the exact sub_97E0(..., 0x40) call site
attacker-controlled ITEMP input entering the %s sink
the byte directly past the 64-byte buffer changing on the stack
a subsequent target-side SIGSEGV |
|---|
| ソース | ⚠️ https://gitee.com/Fengyi-Wang/CVE/issues/IJK7BD |
|---|
| ユーザー | Cormac315 (UID 97273) |
|---|
| 送信 | 2026年05月02日 16:13 (1 月 ago) |
|---|
| モデレーション | 2026年05月29日 10:32 (27 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 367152 [Shibby Tomato 迄 1.28 UPS Service tomatoups.cgi sub_9068 メモリ破損] |
|---|
| ポイント | 20 |
|---|