| 标题 | Tomato Tomato Firmware Shibby Tomato MIPS32; image d2e251333c48...; /sbin/rc MD5 a48002cdf3cda9452a5b9712edd179d2 OS Command Injection |
|---|
| 描述 | Authenticated web admin can execute arbitrary commands as root via NVRAM ipv6_6rd_borderrelay (or wan_6rd 4th field) in /sbin/rc start_6rd_tunnel (0x41b7f8). Value is passed to sprintf("ping -q -c 2 %s | grep packet", ...) then popen() at 0x41ba14 (/bin/sh -c). Requires IPv6 6rd or 6rd-pd enabled.
CWE-78. CVSS 3.1: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H = 7.2 HIGH.
Dynamic PoC: borderrelay=x.x.x.x;touch /tmp/pwned_6rd;# — /tmp/pwned_6rd created.
Advisory: https://gitee.com/你的用户名/tomato-rc-nvram-cve/blob/master/advisories/en/02-start_6rd_tunnel.md
Fix: execve ping with argv; validate IPv4 before execution. |
|---|
| 来源 | ⚠️ https://gitee.com/WH-YHUST/tomato-rc-nvram-cve/blob/master/gitee-cve-disclosure/advisories/en/02-start_6rd_tunnel.md |
|---|
| 用户 | WH-YHUST (UID 98329) |
|---|
| 提交 | 2026-05-17 09時19分 (20 日前) |
|---|
| 管理 | 2026-06-04 17時32分 (18 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 368361 [Shibby Tomato 1.28.0000 Web UI /sbin/rc start_6rd_tunnel ipv6_6rd_borderrelay 权限提升] |
|---|
| 积分 | 20 |
|---|