lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 4 May 2021 16:44:53 +0800
From: Q C <cq674350529@...il.com>
To: fulldisclosure@...lists.org
Subject: Re: [FD] Three vulnerabilities found in MikroTik's RouterOS

[update 2021/05/04] Three CVEs have been assigned to these vulnerabilities.

CVE-2020-20215: Mikrotik RouterOs 6.44.6 (long-term tree) suffers from a
memory corruption vulnerability in the /nova/bin/diskd process. An
authenticated remote attacker can cause a Denial of Service due to invalid
memory access.

CVE-2020-20216: Mikrotik RouterOs 6.44.6 (long-term tree) suffers from a
memory corruption vulnerability in the /nova/bin/graphing process. An
authenticated remote attacker can cause a Denial of Service (NULL pointer
dereference)

CVE-2020-20213: Mikrotik RouterOs 6.44.5 (long-term tree) suffers from an
stack exhaustion vulnerability in the /nova/bin/net process. An
authenticated remote attacker can cause a Denial of Service due to
overloading the systems CPU



Q C <cq674350529@...il.com> 于2020年7月22日周三 下午8:11写道:

> Advisory: three vulnerabilities found in MikroTik's RouterOS
>
>
> Details
> =======
>
> Product: MikroTik's RouterOS
> Vendor URL: https://mikrotik.com/
> Vendor Status: fixed version released
> CVE: -
> Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team
>
>
> Product Description
> ==================
>
> RouterOS is the operating system used on the MikroTik's devices, such as
> switch, router and access point.
>
>
> Description of vulnerabilities
> ==========================
>
> 1. Memory corruption vulnerability
> The diskd process suffers from a memory corruption vulnerability. By
> sending a crafted packet, an authenticated remote user can crash the diskd
> process due to invalid memory access.
>
> Against stable 6.44.3, the poc resulted in the following crash dump.
>
>     # cat /rw/logs/backtrace.log
>     2020.06.04-14:18:22.55@0:
>     2020.06.04-14:18:22.55@0:
>     2020.06.04-14:18:22.55@0: /nova/bin/diskd
>     2020.06.04-14:18:22.55@0: --- signal=11
> --------------------------------------------
>     2020.06.04-14:18:22.55@0:
>     2020.06.04-14:18:22.55@0: eip=0x776cd1db eflags=0x00010202
>     2020.06.04-14:18:22.55@0: edi=0x08056760 esi=0x08056790
> ebp=0x7fd40b78 esp=0x7fd40b6c
>     2020.06.04-14:18:22.55@0: eax=0x0000001b ebx=0x776d54ec
> ecx=0x776d54ec edx=0x20fe0010
>     2020.06.04-14:18:22.55@0:
>     2020.06.04-14:18:22.55@0: maps:
>     2020.06.04-14:18:22.55@0: 08048000-08052000 r-xp 00000000 00:0c 1131
>       /nova/bin/diskd
>     2020.06.04-14:18:22.55@0: 77672000-776a7000 r-xp 00000000 00:0c 996
>      /lib/libuClibc-0.9.33.2.so
>     2020.06.04-14:18:22.55@0: 776ab000-776c5000 r-xp 00000000 00:0c 992
>      /lib/libgcc_s.so.1
>     2020.06.04-14:18:22.55@0: 776c6000-776d5000 r-xp 00000000 00:0c 976
>      /lib/libuc++.so
>     2020.06.04-14:18:22.55@0: 776d6000-776de000 r-xp 00000000 00:0c 982
>      /lib/libubox.so
>     2020.06.04-14:18:22.55@0: 776df000-7772b000 r-xp 00000000 00:0c 978
>      /lib/libumsg.so
>     2020.06.04-14:18:22.55@0: 77731000-77738000 r-xp 00000000 00:0c 990
>      /lib/ld-uClibc-0.9.33.2.so
>     2020.06.04-14:18:22.55@0:
>     2020.06.04-14:18:22.55@0: stack: 0x7fd41000 - 0x7fd40b6c
>     2020.06.04-14:18:22.55@0: ec 54 6d 77 1b 00 00 00 88 67 05 08 98 0b
> d4 7f c6 c6 04 08 88 67 05 08 1b 00 00 00 10 00 fe 20
>     2020.06.04-14:18:22.55@0: 10 00 fe 20 ec 54 6d 77 f0 ea 6d 77 08 0c
> d4 7f 6d a9 6d 77 88 67 05 08 1b 00 00 00 05 00 00 00
>     2020.06.04-14:18:22.55@0:
>     2020.06.04-14:18:22.55@0: code: 0x776cd1db
>     2020.06.04-14:18:22.55@0: 8b 00 8b 10 01 c2 83 c2 04 52 83 c0 04 50
> ff 75
>
> This vulnerability was initially found in long-term 6.44.5, and has been
> fixed in stable 6.47.
>
> 2. NULL pointer dereference vulnerability
> The graphing process suffers from a memory corruption vulnerability. By
> sending a crafted packet, an authenticated remote user can crash the
> graphing process due to NULL
> pointer dereference.
>
> Against stable 6.46.5, the poc resulted in the following crash dump.
>
>     # cat /rw/logs/backtrace.log
>     2020.06.04-15:12:41.47@0:
>     2020.06.04-15:12:41.47@0:
>     2020.06.04-15:12:41.47@0: /nova/bin/graphing
>     2020.06.04-15:12:41.47@0: --- signal=11
> --------------------------------------------
>     2020.06.04-15:12:41.47@0:
>     2020.06.04-15:12:41.47@0: eip=0x080521e2 eflags=0x00010202
>     2020.06.04-15:12:41.47@0: edi=0x080610a0 esi=0x08061cb8
> ebp=0x7fa8acd8 esp=0x7fa8acb0
>     2020.06.04-15:12:41.47@0: eax=0x08061db8 ebx=0x7fa8ad0c
> ecx=0x00000000 edx=0x08061ce8
>     2020.06.04-15:12:41.47@0:
>     2020.06.04-15:12:41.47@0: maps:
>     2020.06.04-15:12:41.47@0: 08048000-0805c000 r-xp 00000000 00:0c 1038
>       /nova/bin/graphing
>     2020.06.04-15:12:41.47@0: 77651000-77686000 r-xp 00000000 00:0c 964
>      /lib/libuClibc-0.9.33.2.so
>     2020.06.04-15:12:41.47@0: 7768a000-776a4000 r-xp 00000000 00:0c 960
>      /lib/libgcc_s.so.1
>     2020.06.04-15:12:41.47@0: 776a5000-776b4000 r-xp 00000000 00:0c 944
>      /lib/libuc++.so
>     2020.06.04-15:12:41.47@0: 776b5000-776bd000 r-xp 00000000 00:0c 950
>      /lib/libubox.so
>     2020.06.04-15:12:41.47@0: 776be000-7770a000 r-xp 00000000 00:0c 946
>      /lib/libumsg.so
>     2020.06.04-15:12:41.47@0: 7770d000-77717000 r-xp 00000000 00:0c 961
>      /lib/libm-0.9.33.2.so
>     2020.06.04-15:12:41.47@0: 7771c000-77723000 r-xp 00000000 00:0c 958
>      /lib/ld-uClibc-0.9.33.2.so
>     2020.06.04-15:12:41.47@0:
>     2020.06.04-15:12:41.47@0: stack: 0x7fa8b000 - 0x7fa8acb0
>     2020.06.04-15:12:41.47@0: e8 1c 06 08 b8 1d 06 08 00 00 00 00 01 00
> 00 00 0c ad a8 7f 5b 00 00 00 b8 98 05 08 b8 98 05 08
>     2020.06.04-15:12:41.47@0: f0 da 6b 77 0c ad a8 7f 28 ad a8 7f 3a bc
> 6b 77 b8 1c 06 08 0c ad a8 7f 05 00 00 00 a0 10 06 08
>     2020.06.04-15:12:41.47@0:
>     2020.06.04-15:12:41.47@0: code: 0x80521e2
>     2020.06.04-15:12:41.47@0: ff 51 04 83 c4 18 6a 5c 53 e8 a0 9c ff ff
> 8b 56
>
> This vulnerability was initially found in long-term 6.44.6, and has been
> fixed in stable 6.47.
>
> 3. Stack exhaustion vulnerability
> The net process suffers from a stack exhaustion vulnerability. By sending
> a crafted packet to the net process, an authenticated remote user can
> trigger a stack exhaustion vulnerability via recursive function calls.
>
> When testing the proof of concept on an x86 RouterOS VM, this
> vulnerability didn't just crash net process but caused the whole system to
> reboot.
>
> Against stable 6.46.5, the poc resulted in the following crash dump.
>
>     # cat /rw/logs/backtrace.log
>     2020.06.08-11:19:45.40@0:
>     2020.06.08-11:19:45.40@0:
>     2020.06.08-11:19:45.40@0: /nova/bin/net
>     2020.06.08-11:19:45.40@0: --- signal=11
> --------------------------------------------
>     2020.06.08-11:19:45.40@0:
>     2020.06.08-11:19:45.40@0: eip=0x0809ec65 eflags=0x00010206
>     2020.06.08-11:19:45.40@0: edi=0x7fb0fe4c esi=0x7fb0ff48
> ebp=0x7f311018 esp=0x7f310fe0
>     2020.06.08-11:19:45.40@0: eax=0x00fe0008 ebx=0x7772cae4
> ecx=0x7772cae4 edx=0x08122630
>     2020.06.08-11:19:45.40@0:
>     2020.06.08-11:19:45.40@0: maps:
>     2020.06.08-11:19:45.40@0: 08048000-08121000 r-xp 00000000 00:0c 1004
>       /nova/bin/net
>     2020.06.08-11:19:45.40@0: 77654000-77689000 r-xp 00000000 00:0c 964
>      /lib/libuClibc-0.9.33.2.so
>     2020.06.08-11:19:45.40@0: 7768d000-776a7000 r-xp 00000000 00:0c 960
>      /lib/libgcc_s.so.1
>     2020.06.08-11:19:45.40@0: 776a8000-776b7000 r-xp 00000000 00:0c 944
>      /lib/libuc++.so
>     2020.06.08-11:19:45.40@0: 776b8000-776c6000 r-xp 00000000 00:0c 945
>      /lib/libz.so
>     2020.06.08-11:19:45.40@0: 776c7000-776d1000 r-xp 00000000 00:0c 961
>      /lib/libm-0.9.33.2.so
>     2020.06.08-11:19:45.40@0: 776d3000-776db000 r-xp 00000000 00:0c 950
>      /lib/libubox.so
>     2020.06.08-11:19:45.40@0: 776dc000-776df000 r-xp 00000000 00:0c 948
>      /lib/libuxml++.so
>     2020.06.08-11:19:45.40@0: 776e0000-7772c000 r-xp 00000000 00:0c 946
>      /lib/libumsg.so
>     2020.06.08-11:19:45.40@0: 7772f000-7774c000 r-xp 00000000 00:0c 947
>      /lib/libucrypto.so
>     2020.06.08-11:19:45.40@0: 77750000-77757000 r-xp 00000000 00:0c 958
>      /lib/ld-uClibc-0.9.33.2.so
>     2020.06.08-11:19:45.40@0:
>     2020.06.08-11:19:45.40@0: stack: 0x7fb10000 - 0x7f310fe0
>
> This vulnerability was initially found in long-term 6.44.5, and has been
> fixed in stable 6.47.
>
>
> Solution
> ========
>
> Upgrade to the corresponding latest RouterOS tree version.
>
>
> References
> ==========
>
> [1] https://mikrotik.com/download/changelogs/stable-release-tree
>
>

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists