CVE-2017-9026

9.8 CRITICAL

📋 TL;DR

A stack buffer overflow vulnerability in the vshttpd web server (also called ioos) on HooToo Trip Mate 6 travel routers allows remote unauthenticated attackers to execute arbitrary code by sending a specially crafted GET request. This affects Trip Mate 6 devices running firmware version 2.000.030 and earlier. Attackers can control the program counter and potentially take full control of the device.

💻 Affected Systems

Products:
  • HooToo Trip Mate 6 (TM6)
Versions: Firmware 2.000.030 and earlier
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: The vshttpd web server runs by default on port 80. No authentication is required to exploit this vulnerability.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete device compromise, allowing attackers to install persistent malware, pivot to internal networks, or use the device for botnet activities.

🟠 Likely Case

Remote code execution resulting in device takeover, enabling attackers to modify device settings, intercept network traffic, or use the device as a foothold for further attacks.

🟢 If Mitigated

If properly segmented and monitored, impact limited to the device itself without lateral movement to other systems.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is well-documented with proof-of-concept code available. Exploitation requires sending a specially crafted HTTP GET request with a malicious fname parameter.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware newer than 2.000.030

Vendor Advisory: Not publicly available

Restart Required: Yes

Instructions:

1. Check the current firmware version via the web interface.
2. Download the latest firmware from the HooToo support site.
3. Upload the firmware via the web interface.
4. Reboot the device after the update completes.

🔧 Temporary Workarounds

Disable vshttpd service

Stop the vulnerable web server to prevent exploitation (this also takes the device's web management interface offline until the service is started again):

killall vshttpd
systemctl stop vshttpd

Block external access

Use firewall rules to block inbound access to port 80 (this rule also blocks legitimate access to the device's web interface from every host, not only untrusted ones):

iptables -A INPUT -p tcp --dport 80 -j DROP

🧯 If You Can't Patch

  • Segment the device on an isolated network VLAN
  • Implement strict firewall rules to limit inbound connections to the device

🔍 How to Verify

Check if Vulnerable:

Check the firmware version via the web interface at http://device-ip/status.cgi or, if SSH is enabled, by running cat /etc/version on the device.

Check Version:

cat /etc/version

Verify Fix Applied:

Verify that the firmware version is newer than 2.000.030 and confirm that the exploit no longer works against the device.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP GET requests with long fname parameters
  • vshttpd crash logs
  • Multiple failed exploit attempts

Network Indicators:

  • HTTP requests with unusually long fname parameters (>1000 characters)
  • Traffic patterns indicating exploit attempts

SIEM Query:

source="device_logs" AND (http_method="GET" AND url CONTAINS "fname=" AND url_length>1000)
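As an added example (not part of this advisory), a small Python detector that applies the "long fname parameter" indicator above to web-server access logs. The log layout, the sample lines, the request path and the threshold are constructed assumptions.

```python
# Added example, not from the advisory: flag GET requests whose "fname"
# query parameter exceeds the length indicator given in the advisory.
import re
from urllib.parse import parse_qs, urlsplit

# Assumed access-log layout: src ident user [ts] "METHOD URL PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Threshold taken from the Network Indicators section (>1000 characters).
FNAME_THRESHOLD = 1000

# Constructed sample lines; "/example.cgi" is a placeholder path, and the
# second line carries an oversized (1200-character) fname value.
LONG_FNAME = "A" * 1200
SAMPLE_LOG = (
    '192.0.2.10 - - [01/Jan/2024:12:00:00 +0000] '
    '"GET /example.cgi?fname=security&opt=wifi HTTP/1.1" 200 512\n'
    f'192.0.2.11 - - [01/Jan/2024:12:00:05 +0000] '
    f'"GET /example.cgi?fname={LONG_FNAME} HTTP/1.1" 500 0\n'
    '192.0.2.12 - - [01/Jan/2024:12:00:09 +0000] '
    '"POST /login.cgi HTTP/1.1" 200 128\n'
)


def fname_length(url):
    """Length of the longest (percent-decoded) fname value in the URL query, or 0."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return max((len(v) for v in qs.get("fname", [])), default=0)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def find_suspicious(lines, threshold=FNAME_THRESHOLD):
    """Return one record per GET request whose fname parameter exceeds the threshold.

    A 5xx status (or no response at all) alongside an oversized fname is a
    stronger signal, matching the advisory's "vshttpd crash logs" indicator.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "GET":
            continue
        n = fname_length(rec["url"])
        if n > threshold:
            hits.append({"src": rec["src"], "ts": rec["ts"],
                         "fname_len": n, "status": int(rec["status"])})
    return hits
```

Run it with `find_suspicious(SAMPLE_LOG.splitlines())`; only the second constructed line is reported.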
