lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 20 Jul 2019 13:43:43 +0800
From: Q C <cq674350529@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD]  Two vulnerabilities found in MikroTik's RouterOS

Advisory: two vulnerabilities found in MikroTik's RouterOS


Details
=======

Product: MikroTik's RouterOS
Affected Versions: before 6.44.5 (Long-term release tree),
                   before 6.45.1 (Stable release tree)
Fixed Versions: 6.44.5 (Long-term release tree),
                6.45.1 (Stable release tree)
Vendor URL: https://mikrotik.com/download/changelogs/long-term-release-tree
Vendor Status: fixed version released
CVE: CVE-2019-13954, CVE-2019-13955
Credit: Qian Chen(@cq674350529) of the Qihoo 360 Nirvan Team


Product Description
==================

RouterOS is the operating system used on the MikroTik's devices, such as
switch, router and access point.


Details of vulnerabilities
==========================

These two vulnerabilities were tested only against the MikroTik RouterOS
6.42.11 and 6.43.16 (Long-term release tree) when found.


1. CVE-2019-13954: memory exhaustion via a crafted POST request
This vulnerability is similiar to the CVE-2018-1157. An authenticated user
can cause the www binary to consume all memory via a crafted POST request
to /jsproxy/upload. It's because of the incomplete fix for the
CVE-2018-1157.

Based on the poc for cve_2018_1157 provided by the @Jacob Baines (really
appreciate!), crafting a filename ending with many '\x00' can bypass the
original fix to trigger the vulnerability.


2. CVE-2019-13955: stack exhaustion via recuring parsing of JSON
This vulnerability is similar to the CVE-2018-1158. An authenticated user
communicating with the www binary can trigger a stack exhaustion
vulnerability via recursive parsing of JSON containing message type M.

Based on the poc for cve_2018_1158 provided by the @Jacob Baines (really
appreciate!), crafting an JSON message with type M can trigger the
vulnerability. A simple python script to generate the crafted message is as
follows.

    msg = "{M01:[M01:[]]}"
    for _ in xrange(2000):
        msg = msg.replace('[]', "[M01:[]]")


Solution
========

Upgrade to RouterOS versions 6.44.5 (Long-term release tree), 6.45.1
(Stable release tree).


References
==========

[1] https://mikrotik.com/download/changelogs/long-term-release-tree
[2] https://github.com/tenable/routeros

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists