{
  "stage": "vuln_variant",
  "verdict": "alternate_trigger_confirmed_not_bypass",
  "confirmed_distinct_variant_or_bypass": false,
  "confirmed_alternate_trigger_on_vulnerable_version": true,
  "confirmed_bypass_on_fixed_version": false,
  "tested_vulnerable_target": {
    "target_kind": "firmware_release",
    "version": "LT300V3-R100-2.4.5-20250519-131314",
    "rom_version": "2.4.5-20250519-131314",
    "firmware_sha256": "c414fd3e6310ebcfed27b6fc7eed11c406e2a468c58f2574f4884690b2c7d868"
  },
  "tested_fixed_target": {
    "target_kind": "firmware_release",
    "version": "LT300V3-R100-2.5.12-20260518-234632",
    "rom_version": "2.5.12-20260518-234632",
    "firmware_sha256": "8d0e515a0e68cefc3658e66d38ca84f69fe1591a5fa8e3abcb9880d170cfaebf"
  },
  "entrypoint": {
    "kind": "endpoint",
    "detail": "HTTP POST /cgi-bin/luci/rpc/app, JSON-RPC method system.setclock",
    "attacker_controlled_input": "JSON-RPC params[0] time string"
  },
  "root_cause": "Unsanitized single-quoted shell interpolation into date -s '%s' in vulnerable luci.apprpc.system.setclock; fixed firmware adds validation/quote handling and rejects the malicious parameter.",
  "observed_vulnerable_behavior": {
    "target_reached": true,
    "command_execution_observed": true,
    "proof_marker": "VULN_RPC_SETCLOCK_VARIANT_EXECUTED",
    "proof_artifact": "bundle/logs/vuln_variant/product/proof_summary.txt"
  },
  "observed_fixed_behavior": {
    "target_reached": true,
    "command_execution_observed": false,
    "response_contains": "Invalid Parameter",
    "proof_file_created": false,
    "blocking_mitigation": "Fixed luci.apprpc.system.lua validates or strips quote injection before shell execution"
  },
  "script_exit_semantics": {
    "bundle/vuln_variant/reproduction_steps.sh": "Exit 1 is expected because the variant reproduces only on vulnerable 2.4.5 and not on fixed 2.5.12. Exit 0 would indicate a fixed-version bypass."
  },
  "evidence": [
    "bundle/logs/vuln_variant/reproduction_steps.log",
    "bundle/logs/vuln_variant/product/proof_summary.txt",
    "bundle/logs/vuln_variant/http/vuln_rpc_request.json",
    "bundle/logs/vuln_variant/http/vuln_rpc_response_body.txt",
    "bundle/logs/vuln_variant/http/fixed_rpc_request.json",
    "bundle/logs/vuln_variant/http/fixed_rpc_response_body.txt",
    "bundle/logs/vuln_variant/product/code_identity.txt",
    "bundle/vuln_variant/runtime_manifest.json"
  ],
  "notes": "This is a material alternate entrypoint for the same vulnerable sink on affected firmware, but it is not a bypass of the vendor's fixed firmware."
}
