Gửi #855115: Tomato by Shibby Tomato Firmware Tomato v1.28.0000 -120 K26ARM USB AIO-64K OS Command Injectionthông tin

tiêu đềTomato by Shibby Tomato Firmware Tomato v1.28.0000 -120 K26ARM USB AIO-64K OS Command Injection
Mô tảThe start_jffs2 function (sub_2D568) in sbin/rc retrieves the NVRAM key jffs2_exec and passes its value directly to the system() C library function. No sanitization, character filtering, escaping, or quoting is applied. An attacker who can write to NVRAM (e.g., via authenticated Web UI access or another vulnerability) can inject arbitrary shell commands that execute as root during the JFFS2 startup sequence. v10 = nvram_get("jffs2_exec"); // 0x2D738 v11 = v10; if (v10 && *v10) { chdir("/jffs"); system(v11); // 0x2D75C — direct execution chdir("/"); } The system() function invokes /bin/sh -c <command>, so all shell metacharacters (;, &&, ||, `, $(), pipes) are interpreted.
Nguồn⚠️ https://gitee.com/Fengyi-Wang/CVE/issues/IJTQ5O
Người dùng
 Anonymous User
Đệ trình10/06/2026 15:57 (cách đây 1 tháng)
Kiểm duyệt12/07/2026 23:01 (1 month later)
Trạng tháiđược chấp nhận
Mục VulDB377896 [Shibby Tomato đến 1.28.0000 start_jffs2 sub_2D568 jffs2_exec nâng cao đặc quyền]
điểm20

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!