PT-2017-18653 · Hootoo · Hootoo Trip Mate 6

Published

2017-05-17

Updated

2017-05-24

CVE-2017-9026

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions HooToo Trip Mate 6 (TM6) firmware versions 2.000.030 and earlier

Description The issue is a stack buffer overflow in the vshttpd (also known as ioos) component. This allows remote unauthenticated attackers to control the program counter by sending a specially crafted fname parameter in a GET request.

Recommendations For HooToo Trip Mate 6 (TM6) firmware versions 2.000.030 and earlier, avoid using the fname parameter in GET requests until a fix is available. As a temporary workaround, consider restricting access to the vshttpd component to minimize the risk of exploitation.

Exploit

Fix

Buffer Overflow

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-119

Related Identifiers

CVE-2017-9026

Affected Products

Hootoo Trip Mate 6

PT-2017-18653 · Hootoo · Hootoo Trip Mate 6

CVE-2017-9026

Weakness Enumeration

Related Identifiers

Affected Products

References · 3