提出 #855125: Tomato by Shibby Tomato Firmware Tomato PL ND 1.28 beta Stack-based Buffer Overflow情報

タイトルTomato by Shibby Tomato Firmware Tomato PL ND 1.28 beta Stack-based Buffer Overflow
説明sub_42537C builds a cru a ... scheduler command in a fixed 64-byte stack buffer. The scheduler name argument a1 is inserted into the formatted string twice and is then executed through system(). char cmd[64]; cfg = nvram_get(a1); sscanf(cfg, "%d,%d,%d", &enabled, &time, &days); sprintf(cmd, "cru a %s \"%d %d * * %s sched %s\"", a1, minute, hour, days, a1); system(cmd); Two alternate scheduling formats use the same pattern and also place a1 into cmd twice. If a1 is sufficiently long, the formatted command can overflow the 64-byte stack buffer and overwrite saved registers, including the saved return address in the demonstrated layout.
ソース⚠️ https://gitee.com/Fengyi-Wang/CVE/issues/IJTQ5U
ユーザー
 Cormac315 (UID 97273)
送信2026年06月10日 16:24 (1 月 ago)
モデレーション2026年07月17日 16:14 (1 month later)
ステータス承諾済み
VulDBエントリ379801 [Shibby Tomato 1.28 Scheduler Name sub_42537C a1 メモリ破損]
ポイント20

Do you know our Splunk app?

Download it now for free!