Submeter #831858: Tomato Tomato Firmware Shibby Tomato MIPS32; image d2e251333c48...; /sbin/rc MD5 a48002cdf3cda9452a5b9712edd179d2 OS Command Injectioninformação

TítuloTomato Tomato Firmware Shibby Tomato MIPS32; image d2e251333c48...; /sbin/rc MD5 a48002cdf3cda9452a5b9712edd179d2 OS Command Injection
DescriçãoAuthenticated web admin can achieve root execution via /sbin/rc start_vpnserver (0x434DFC), two paths: (1) CWE-78: vpn_server%d_proto embedded via fprintf into #!/bin/sh script /etc/openvpn/fw/server%d-fw.sh, newline injection, executed via _eval; (2) CWE-74: vpn_server%d_custom written via fputs into OpenVPN config.ovpn (e.g. script-security 2, up directive). CVSS 3.1: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H = 7.2 HIGH. Dynamic PoC: /tmp/pwned_vpnserver created for chain 1. Advisory: https://gitee.com/WH-YHUST/tomato-rc-nvram-cve/blob/master/gitee-cve-disclosure/advisories/en/03-start_vpnserver.md Fix: whitelist proto; no shell scripts; block dangerous OpenVPN directives in custom config.
Fonte⚠️ https://gitee.com/WH-YHUST/tomato-rc-nvram-cve/blob/master/gitee-cve-disclosure/advisories/en/03-start_vpnserver.md
Utilizador
 WH-YHUST (UID 98329)
Submissão17/05/2026 09h23 (há 22 dias)
Moderação04/06/2026 17h32 (18 days later)
EstadoAceite
Entrada VulDB368362 [Shibby Tomato 1.28.0000 Web UI /sbin/rc start_vpnserver Elevação de Privilégios]
Pontos20

VoltarVisão GeralPróximo

Want to stay up to date on a daily basis?

Enable the mail alert feature now!