Shibby Tomato
- <= 1.28
A stack-based buffer overflow vulnerability has been identified in Shibby Tomato firmware versions prior to 1.28. The issue arises in the UPS Service component, specifically within the 'tomatoups.cgi' file, where the 'sub_9068' function improperly handles input from a queried UPS service. This vulnerability allows for remote exploitation by manipulating the response to include an 'ITEMP' value that exceeds the buffer limit, leading to stack corruption and potential process crashes.
Exploitation of this vulnerability causes stack corruption in the firmware's CGI process, resulting in a process crash and a segmentation fault. The stack corruption can also overwrite saved register data, potentially allowing for control-flow exploitation under certain conditions.
The vulnerability can be reproduced by sending a crafted UPS response containing a 64-byte 'ITEMP' value to a device running the affected Shibby Tomato firmware. This response should be directed to the 'tomatoups.cgi' component, which will process the input and trigger the buffer overflow by overwriting adjacent stack data. The process can be automated with a Python script that simulates the UPS response.
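The defensive counterpart to the unbounded copy described above, as an added example that is not the firmware's code: a length-checked extraction of a field such as 'ITEMP' from a UPS response. The `KEY : VALUE` line layout, the `FIELD_MAX` size and the name `ups_get_field` are assumptions, since the page does not show the internals of 'sub_9068'.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define FIELD_MAX 32 /* hypothetical destination size; the real one is not on the page */

/* Copy the value of `key` from a newline-separated "KEY : VALUE" response
 * (assumed layout) into out[outsz].
 * Returns 0 on success, -1 if the key is absent, -2 if the value does not fit. */
int ups_get_field(const char *resp, const char *key, char *out, size_t outsz)
{
    size_t klen = strlen(key);
    if (outsz == 0) return -2;
    out[0] = '\0';
    for (const char *line = resp; line && *line; ) {
        const char *eol = strchr(line, '\n');
        size_t llen = eol ? (size_t)(eol - line) : strlen(line);
        if (llen > klen && strncmp(line, key, klen) == 0) {
            const char *p = line + klen, *end = line + llen;
            while (p < end && (*p == ' ' || *p == '\t')) p++;
            if (p < end && *p == ':') {          /* exact key match, not a prefix */
                p++;
                while (p < end && *p == ' ') p++;
                while (end > p && (end[-1] == ' ' || end[-1] == '\r')) end--;
                size_t vlen = (size_t)(end - p);
                if (vlen >= outsz) return -2;    /* reject instead of overflowing */
                memcpy(out, p, vlen);
                out[vlen] = '\0';
                return 0;
            }
        }
        line = eol ? eol + 1 : NULL;
    }
    return -1;
}

int main(void)
{
    char out[FIELD_MAX];
    char big[128] = "ITEMP    : ";               /* constructed sample input */
    memset(big + strlen(big), 'A', 64);          /* 64-byte value, as on the page */
    printf("normal:   %d\n",
           ups_get_field("STATUS   : ONLINE\nITEMP    : 29.2 C\n", "ITEMP", out, sizeof out));
    printf("oversize: %d\n", ups_get_field(big, "ITEMP", out, sizeof out));
    return 0;
}
```

Treating the UPS service's reply as untrusted input and rejecting over-long fields keeps the saved registers on the stack intact regardless of what the queried service returns.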