| Field | Value |
|---|---|
| Title | Tomato Tomato by Shibby 1.28.0000 MIPSR2-124 K26 USB Big-VPN command injection |
| Description | `rstats` reads administrator-writable NVRAM `rstats_path`, passes it to `sub_4014AC` → `sub_4012E4`, which runs `sprintf("gzip -dc %s > /var/tmp/rstats-uncomp", path)` and `system(s)`. No shell metacharacter filtering (only `strlcpy` to 64 bytes). Web UI **Admin → Bandwidth Monitoring** (`admin-bwm.asp`): custom path field `f_user` (max 48 chars); `v_path()` only requires a leading `/`, so payloads such as `/tmp/x;touch /tmp/pwned;#` are accepted. |
| User | WH-YHUST (UID 98329) |
| Submitted | 2026. 05. 17. 10:13 AM (23 days ago) |
| Moderation | 2026. 06. 04. 05:32 PM (18 days later) |
| Status | Duplicate |
| VulDB entry | 368363 [Shibby Tomato 1.28.0000 Web UI /bin/rstats rstats_path privilege escalation] |
| Points | 0 |