# Patch Analysis for CVE-2026-32833 Variant Stage

## Tested Artifacts

- Vulnerable firmware: Cudy LT300 V3 `2.4.5-20250519-131314`
  - Firmware zip SHA-256: `c414fd3e6310ebcfed27b6fc7eed11c406e2a468c58f2574f4884690b2c7d868`
  - `usr/lib/lua/luci/model/cbi/system/systime.lua` SHA-256: `e612c63df27863a3d9d9e3b74c7121303cf90c9a195d6cfe0e1aca791ebe17b6`
  - `usr/lib/lua/luci/apprpc/system.lua` SHA-256: `be95057875c53cef67a25012154087257c1365d44c2d2bd83a176ebba1a682b1`
- Fixed firmware: Cudy LT300 V3 `2.5.12-20260518-234632`
  - Firmware zip SHA-256: `8d0e515a0e68cefc3658e66d38ca84f69fe1591a5fa8e3abcb9880d170cfaebf`
  - `usr/lib/lua/luci/model/cbi/system/systime.lua` SHA-256: `1df92be6e9e39fdb93039c7aad4db6d8ccf7568cb73dd0e65adead2e957bfcb5`
  - `usr/lib/lua/luci/apprpc/system.lua` SHA-256: `09d0b41b65506b3a037d8e9a259d23502f5c874819d214d532cf294ad041fb31`

No public source commit was referenced in the ticket, so this analysis compares vendor firmware images and bytecode/string/runtime behavior.

## What the Fix Changes

The parent reproduction showed the original CBI web form handler at:

- `usr/lib/lua/luci/model/cbi/system/systime.lua`
- HTTP entrypoint: `POST /cgi-bin/luci/admin/system/systime`
- Attacker-controlled field: `cbid.system.ntp.current`
- Sink marker: `date -s '%s'` followed by `fork_exec`

The variant analysis found a second time-setting API at:

- `usr/lib/lua/luci/apprpc/system.lua`
- HTTP entrypoint: `POST /cgi-bin/luci/rpc/app`
- JSON-RPC method: `system.setclock`
- Attacker-controlled field: JSON `params[0]`
- Sink marker: `date -s '%s'` followed by `fork_exec`

The fixed 2.5.12 firmware adds a `gsub` marker in both the CBI handler and the JSON-RPC application RPC handler. Runtime behavior confirms that the fixed RPC method rejects the malicious quote-breakout payload with an `Invalid Parameter` response and does not create the proof file.

## Fix Assumptions

The fix assumes that preventing single-quote breakouts (and/or rejecting invalid time strings) is sufficient to stop command injection into the `date -s '%s'` shell command. This matches the reproduced exploit pattern, which depends on closing the single-quoted shell argument:

```text
2025-01-01 12:00:00'; echo MARKER > /root/proof; #
```

The fix does not remove shell invocation entirely. The string marker `date -s '%s'` remains in fixed firmware, so correctness depends on all callers consistently sanitizing or validating untrusted time values before shell execution.

## Covered Code Paths / Inputs

The fixed firmware covers the two time-setting paths found in this run:

1. CBI form path:
   - `/cgi-bin/luci/admin/system/systime`
   - `usr/lib/lua/luci/model/cbi/system/systime.lua`
   - Form field `cbid.system.ntp.current`
   - Fixed markers include `date -s '%s'`, `gsub`, `fork_exec`.

2. JSON-RPC application path:
   - `/cgi-bin/luci/rpc/app`
   - `luci.controller.rpc` → `luci.jsonrpc` → `luci.app` → `luci.apprpc.system.setclock`
   - JSON `params[0]`
   - Fixed markers include `date -s '%s'`, `gsub`, `fork_exec`.
   - Runtime result: vulnerable 2.4.5 creates `VULN_RPC_SETCLOCK_VARIANT_EXECUTED`; fixed 2.5.12 returns `Invalid Parameter` and creates no proof file.

## Code Paths / Inputs Not Covered or Not Proven Covered

- The fix was not proven to remove all possible shell metacharacter risk because shell command construction remains.
- The analysis did not identify another reachable `date -s '%s'` administrative API beyond the CBI and JSON-RPC paths.
- Other unrelated shell invocations exist in the firmware, but they are not variants of this specific root cause unless they accept attacker-controlled administrative time-setting input and reach the same `date -s` sink.
- TR-069 scripts and other utilities contain shell calls, but this run did not claim them as variants because they represent different surfaces/sinks and would require separate trust-boundary analysis.

## Behavior Before and After the Fix

### Vulnerable 2.4.5

- `systime.lua`: no `gsub` marker near `date -s '%s'`.
- `apprpc/system.lua`: no `gsub` marker near `date -s '%s'`.
- Runtime JSON-RPC payload creates `/root/vuln_rpc_variant_proof` containing `VULN_RPC_SETCLOCK_VARIANT_EXECUTED`.

### Fixed 2.5.12

- `systime.lua`: includes `gsub` marker in the time-setting handler.
- `apprpc/system.lua`: includes `gsub` marker in the RPC time-setting handler.
- Runtime JSON-RPC payload does not create `/root/fixed_rpc_variant_proof`.
- Runtime response body includes `Invalid Parameter` for the malicious JSON value.

## Threat Model / Scope Notes

No `SECURITY.md` or detailed threat-model file was present in the extracted firmware root filesystems. A public Cudy “Report Vulnerability” page exists, but the extracted page did not provide exclusions that would make this administrative-interface command injection out of scope. This variant crosses the same trust boundary as the parent claim: a remote HTTP client with administrative-session access supplies data to the router web/RPC interface, which then reaches a firmware shell command.

## Completeness Assessment

The 2.5.12 fix appears complete for the specific root cause and reachable time-setting paths found in this run. The JSON-RPC variant proves that the vulnerable firmware exposed the same sink through a materially different entrypoint, but side-by-side fixed-version testing shows that the vendor also patched that entrypoint. The recommended hardening is to replace shell string interpolation with strict date parsing and non-shell execution, and to add regression tests for every administrative/API time-setting path.
