Submit #855125: Tomato by Shibby Tomato Firmware Tomato PL ND 1.28 beta Stack-based Buffer Overflowinfo

TitleTomato by Shibby Tomato Firmware Tomato PL ND 1.28 beta Stack-based Buffer Overflow
Descriptionsub_42537C builds a cru a ... scheduler command in a fixed 64-byte stack buffer. The scheduler name argument a1 is inserted into the formatted string twice and is then executed through system(). char cmd[64]; cfg = nvram_get(a1); sscanf(cfg, "%d,%d,%d", &enabled, &time, &days); sprintf(cmd, "cru a %s \"%d %d * * %s sched %s\"", a1, minute, hour, days, a1); system(cmd); Two alternate scheduling formats use the same pattern and also place a1 into cmd twice. If a1 is sufficiently long, the formatted command can overflow the 64-byte stack buffer and overwrite saved registers, including the saved return address in the demonstrated layout.
Source⚠️ https://gitee.com/Fengyi-Wang/CVE/issues/IJTQ5U
User
 Cormac315 (UID 97273)
Submission06/10/2026 16:24 (1 month ago)
Moderation07/17/2026 16:14 (1 month later)
StatusAccepted
VulDB entry379801 [Shibby Tomato 1.28 Scheduler Name sub_42537C a1 stack-based overflow]
Points20

Interested in the pricing of exploits?

See the underground prices here!