{
  "equivalence": "same_root_cause_alternate_entrypoint",
  "confidence": 0.95,
  "parent": {
    "entrypoint": "HTTP POST /cgi-bin/luci/admin/system/systime",
    "handler": "usr/lib/lua/luci/model/cbi/system/systime.lua",
    "attacker_input": "form field cbid.system.ntp.current",
    "sink": "date -s '%s' through luci.sys.call/fork_exec"
  },
  "variant": {
    "entrypoint": "HTTP POST /cgi-bin/luci/rpc/app",
    "handler": "usr/lib/lua/luci/apprpc/system.lua:setclock via luci.app JSON-RPC dispatch",
    "attacker_input": "JSON-RPC params[0]",
    "sink": "date -s '%s' through luci.sys.call/fork_exec"
  },
  "shared_properties": [
    "Remote authenticated administrative HTTP trust boundary",
    "Attacker controls a time string",
    "Time string is placed inside single quotes in a shell command",
    "Single quote plus shell separator breaks out in vulnerable firmware",
    "Fixed firmware adds quote handling/validation before the shell sink"
  ],
  "differences": [
    "Parent uses CBI form submission and field cbid.system.ntp.current",
    "Variant uses JSON-RPC application API and method system.setclock",
    "Fixed 2.5.12 blocks both paths"
  ],
  "evidence": {
    "vulnerable_rpc_proof": "bundle/logs/vuln_variant/product/proof_summary.txt",
    "fixed_rpc_negative_control": "bundle/logs/vuln_variant/http/fixed_rpc_response_body.txt",
    "code_identity": "bundle/logs/vuln_variant/product/code_identity.txt"
  }
}
