Tomato by Shibby Stack-Based Buffer Overflow Vulnerability in Multimon.cgi

Vulnerability

A stack-based buffer overflow vulnerability has been identified in the Shibby Tomato firmware version 1.28, specifically within the 'www/apcupsd/multimon.cgi' file. The flaw is in the 'sub_90F0' function, where attacker-controlled data from UPS response fields is copied into fixed-size stack buffers without adequate bounds checking. The issue can be exploited remotely, leading to memory corruption, a process crash, and potentially control-flow hijacking.

Impact

Exploitation of this vulnerability crashes the process, resulting in a denial-of-service condition. It also corrupts adjacent stack data, including saved registers or the return address, which may allow control-flow hijacking under favorable conditions.

Reproduction

The vulnerability can be reproduced by sending a request to 'multimon.cgi', which triggers the parsing of UPS monitoring data. An attacker who can control or spoof the UPS endpoint can send oversized field values that exceed the buffer limits, causing the stack-based overflow. This has been verified using QEMU and GDB, where breakpoints were hit, showing the overflow and subsequent control-flow corruption.
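
A bounded field copy of the kind that prevents the overflow described above, as an added example (not code from the Tomato firmware or from the original advisory). The buffer size FIELD_MAX, the function names and the "NAME : value" line format are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

#define FIELD_MAX 32  /* assumed buffer size; the advisory does not state the real one */

/* Illustrative unsafe pattern of the kind the advisory describes
 * (not the firmware's actual code):
 *     char value[FIELD_MAX];
 *     strcpy(value, field_from_ups);   // length is chosen by the remote peer
 */

/* Copy src_len bytes of src into dst only if they fit with a terminating NUL.
 * Returns 0 on success, -1 if the field is too long (dst is left empty). */
int copy_field(char *dst, size_t dst_size, const char *src, size_t src_len)
{
    if (dst_size == 0)
        return -1;
    dst[0] = '\0';
    if (src_len >= dst_size)
        return -1;               /* reject instead of silently truncating */
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return 0;
}

/* Parse one "NAME : value" status line (constructed format) into fixed buffers.
 * Returns 0 on success, -1 on malformed or oversized input. */
int parse_status_line(const char *line, char name[FIELD_MAX], char value[FIELD_MAX])
{
    const char *sep = strchr(line, ':');
    if (sep == NULL)
        return -1;
    const char *name_end = sep;
    while (name_end > line && name_end[-1] == ' ')
        name_end--;              /* trim padding before the colon */
    const char *val = sep + 1;
    while (*val == ' ')
        val++;                   /* trim padding after the colon */
    size_t val_len = strcspn(val, "\r\n");
    if (copy_field(name, FIELD_MAX, line, (size_t)(name_end - line)) != 0)
        return -1;
    return copy_field(value, FIELD_MAX, val, val_len);
}
```

Rejecting an oversized field, rather than truncating it, also gives the caller a clear signal to log that the UPS endpoint returned unexpected data.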

Added: May 29, 2026, 4:36 PM
Updated: May 29, 2026, 4:36 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 8.2
remediation: 0.0
relevance: 9.6
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.