| タイトル | Tomato by Shibby Tomato Firmware Tomato v1.28.0000 -120 K26ARM USB AIO-64K OS Command Injection |
|---|
| 説明 | The start_jffs2 function (sub_2D568) in sbin/rc retrieves the NVRAM key jffs2_exec and passes its value directly to the system() C library function. No sanitization, character filtering, escaping, or quoting is applied. An attacker who can write to NVRAM (e.g., via authenticated Web UI access or another vulnerability) can inject arbitrary shell commands that execute as root during the JFFS2 startup sequence.
v10 = nvram_get("jffs2_exec"); // 0x2D738
v11 = v10;
if (v10 && *v10) {
chdir("/jffs");
system(v11); // 0x2D75C — direct execution
chdir("/");
}
The system() function invokes /bin/sh -c <command>, so all shell metacharacters (;, &&, ||, `, $(), pipes) are interpreted. |
|---|
| ソース | ⚠️ https://gitee.com/Fengyi-Wang/CVE/issues/IJTQ5O |
|---|
| ユーザー | Anonymous User |
|---|
| 送信 | 2026年06月10日 15:57 (1 月 ago) |
|---|
| モデレーション | 2026年07月12日 23:01 (1 month later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 377896 [Shibby Tomato 迄 1.28.0000 start_jffs2 sub_2D568 jffs2_exec 特権昇格] |
|---|
| ポイント | 20 |
|---|