Submeter #855125: Tomato by Shibby Tomato Firmware Tomato PL ND 1.28 beta Stack-based Buffer Overflowinformação

TítuloTomato by Shibby Tomato Firmware Tomato PL ND 1.28 beta Stack-based Buffer Overflow
Descriçãosub_42537C builds a cru a ... scheduler command in a fixed 64-byte stack buffer. The scheduler name argument a1 is inserted into the formatted string twice and is then executed through system(). char cmd[64]; cfg = nvram_get(a1); sscanf(cfg, "%d,%d,%d", &enabled, &time, &days); sprintf(cmd, "cru a %s \"%d %d * * %s sched %s\"", a1, minute, hour, days, a1); system(cmd); Two alternate scheduling formats use the same pattern and also place a1 into cmd twice. If a1 is sufficiently long, the formatted command can overflow the 64-byte stack buffer and overwrite saved registers, including the saved return address in the demonstrated layout.
Fonte⚠️ https://gitee.com/Fengyi-Wang/CVE/issues/IJTQ5U
Utilizador
 Cormac315 (UID 97273)
Submissão10/06/2026 16h24 (há 1 mês)
Moderação17/07/2026 16h14 (1 month later)
EstadoAceite
Entrada VulDB379801 [Shibby Tomato 1.28 Scheduler Name sub_42537C a1 Excesso de tampão]
Pontos20

Want to know what is going to be exploited?

We predict KEV entries!