Shibby Tomato
- Tomato v1.28.0000 -120 K26ARM USB AIO-64K
A stack-based buffer overflow vulnerability has been identified in Shibby Tomato firmware version 1.28. The issue arises in the function get_ups_field within the file tomatodata.cgi, where the argument Date is manipulated, leading to a stack-based buffer overflow. This vulnerability can be exploited remotely and affects products that are no longer supported by the maintainer.
Exploitation results in an out-of-bounds write that can corrupt stack data, potentially overwrite return addresses, and hijack control flow under certain conditions. The vulnerability can also cause a process crash, resulting in a denial-of-service.
The vulnerability can be reproduced by sending a request to a fake UPS server that returns a 512-byte DATE field. tomatodata.cgi processes the DATE field without proper bounds checking, which allows the overflow to occur. This can be verified by using a debugger to inspect the stack and confirm that the overflowed bytes are present beyond the allocated buffer.
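The missing bounds check, sketched as an added example that is not the firmware's code: a field reader that rejects a value larger than the destination instead of copying it. The function names, the "KEY : value" line format and the 64-byte destination size are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical bounded field reader (not the firmware's code). Assumes
 * "KEY : value" lines. Returns the value length, -1 if the key is absent,
 * -2 if the value does not fit in out (out is left as an empty string). */
int get_field_bounded(const char *resp, const char *key, char *out, size_t outsz)
{
    size_t klen = strlen(key);
    if (outsz == 0) return -2;
    out[0] = '\0';
    for (const char *line = resp; line && *line; ) {
        const char *eol = strchr(line, '\n');
        const char *end = eol ? eol : line + strlen(line);
        if ((size_t)(end - line) > klen && strncmp(line, key, klen) == 0) {
            const char *p = line + klen;
            while (p < end && (*p == ' ' || *p == '\t')) p++;
            if (p < end && *p == ':') {
                p++;
                while (p < end && (*p == ' ' || *p == '\t')) p++;
                while (end > p && (end[-1] == ' ' || end[-1] == '\r')) end--;
                size_t vlen = (size_t)(end - p);
                if (vlen >= outsz) return -2;  /* reject, never copy past out */
                memcpy(out, p, vlen);
                out[vlen] = '\0';
                return (int)vlen;
            }
        }
        line = eol ? eol + 1 : NULL;
    }
    return -1;
}

/* Constructed input: a well-formed reply; 64-byte destination (assumed size). */
int demo_normal(void)
{
    char date[64];
    return get_field_bounded("STATUS : ONLINE\nDATE : 2024-01-01 12:00:00\n",
                             "DATE", date, sizeof date);
}

/* Constructed input: a 512-byte DATE value, the size used in the reproduction. */
int demo_oversized(void)
{
    char resp[600] = "DATE : ", date[64];
    memset(resp + 7, 'A', 512);   /* rest of resp is zeroed by the initializer */
    resp[7 + 512] = '\n';
    return get_field_bounded(resp, "DATE", date, sizeof date);
}
int main(void) { printf("%d %d\n", demo_normal(), demo_oversized()); return 0; }
```

Treating an oversized field as an error, rather than truncating it, also gives the caller a signal worth logging when a UPS server returns malformed data.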