| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAAnPYQ6vR94=-P-f-7e07OeRX-6DWpy2GGcocXnuU2UScGDWRQ@mail.gmail.com> Date: Sat, 8 May 2021 09:55:37 +0200 From: Gynvael Coldwind <gynvael@...dwind.pl> To: Q C <cq674350529@...il.com> Cc: fulldisclosure <fulldisclosure@...lists.org> Subject: Re: [FD] Three vulnerabilities found in MikroTik's RouterOS Got it! Thank you for the explanation! On Sat, May 8, 2021 at 4:53 AM Q C <cq674350529@...il.com> wrote: > Hi, > > In Mikrotik RouterOs, each user is assigned to a user group, which denotes > the rights of this user. A group policy is a combination of individual > policy items, and provides a convenient way to assign different permissions > and access rights to different user classes. (Reference: > https://help.mikrotik.com/docs/display/ROS/User) > > Some common individual policy items are: web, winbox, read, write, reboot > and so on. Among of them, reboot is treated as a separate permission. So an > authenticated user may not have the permission to reboot the device. > > As to these vulnerabilities (or software bugs?), reboot permission is not > required to trigger them. And they may pose an impact on the system > services or even reboot the system. Of course, since authentication is > still necessary to trigger them, they have a low impact. > > Thanks! > > > Gynvael Coldwind <gynvael@...dwind.pl> 于2021年5月8日周六 上午12:09写道: > >> Hi, >> >> I might be missing something, but how are these considered >> vulnerabilities? >> My point is that these require authentication, and an already >> authenticated user already has permissions to reboot the device anyway, >> right? >> >> If the above assumption is correct, then there isn't really a security >> boundary breach, so it would be a software bug, but not a vulnerability. >> Or am I missing something? >> >> Thanks, >> Gynvael >> >> On Fri, May 7, 2021 at 5:51 PM Q C <cq674350529@...il.com> wrote: >> >>> [update 2021/05/04] Three CVEs have been assigned to these >>> vulnerabilities. >>> >>> CVE-2020-20215: Mikrotik RouterOs 6.44.6 (long-term tree) suffers from a >>> memory corruption vulnerability in the /nova/bin/diskd process. An >>> authenticated remote attacker can cause a Denial of Service due to >>> invalid >>> memory access. >>> >>> CVE-2020-20216: Mikrotik RouterOs 6.44.6 (long-term tree) suffers from a >>> memory corruption vulnerability in the /nova/bin/graphing process. An >>> authenticated remote attacker can cause a Denial of Service (NULL pointer >>> dereference) >>> >>> CVE-2020-20213: Mikrotik RouterOs 6.44.5 (long-term tree) suffers from an >>> stack exhaustion vulnerability in the /nova/bin/net process. An >>> authenticated remote attacker can cause a Denial of Service due to >>> overloading the systems CPU >>> >>> >>> >>> Q C <cq674350529@...il.com> 于2020年7月22日周三 下午8:11写道: >>> >>> > Advisory: three vulnerabilities found in MikroTik's RouterOS >>> > >>> > >>> > Details >>> > ======= >>> > >>> > Product: MikroTik's RouterOS >>> > Vendor URL: https://mikrotik.com/ >>> > Vendor Status: fixed version released >>> > CVE: - >>> > Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team >>> > >>> > >>> > Product Description >>> > ================== >>> > >>> > RouterOS is the operating system used on the MikroTik's devices, such >>> as >>> > switch, router and access point. >>> > >>> > >>> > Description of vulnerabilities >>> > ========================== >>> > >>> > 1. Memory corruption vulnerability >>> > The diskd process suffers from a memory corruption vulnerability. By >>> > sending a crafted packet, an authenticated remote user can crash the >>> diskd >>> > process due to invalid memory access. >>> > >>> > Against stable 6.44.3, the poc resulted in the following crash dump. >>> > >>> > # cat /rw/logs/backtrace.log >>> > 2020.06.04-14:18:22.55@0: >>> > 2020.06.04-14:18:22.55@0: >>> > 2020.06.04-14:18:22.55@0: /nova/bin/diskd >>> > 2020.06.04-14:18:22.55@0: --- signal=11 >>> > -------------------------------------------- >>> > 2020.06.04-14:18:22.55@0: >>> > 2020.06.04-14:18:22.55@0: eip=0x776cd1db eflags=0x00010202 >>> > 2020.06.04-14:18:22.55@0: edi=0x08056760 esi=0x08056790 >>> > ebp=0x7fd40b78 esp=0x7fd40b6c >>> > 2020.06.04-14:18:22.55@0: eax=0x0000001b ebx=0x776d54ec >>> > ecx=0x776d54ec edx=0x20fe0010 >>> > 2020.06.04-14:18:22.55@0: >>> > 2020.06.04-14:18:22.55@0: maps: >>> > 2020.06.04-14:18:22.55@0: 08048000-08052000 r-xp 00000000 00:0c >>> 1131 >>> > /nova/bin/diskd >>> > 2020.06.04-14:18:22.55@0: 77672000-776a7000 r-xp 00000000 00:0c >>> 996 >>> > /lib/libuClibc-0.9.33.2.so >>> > 2020.06.04-14:18:22.55@0: 776ab000-776c5000 r-xp 00000000 00:0c >>> 992 >>> > /lib/libgcc_s.so.1 >>> > 2020.06.04-14:18:22.55@0: 776c6000-776d5000 r-xp 00000000 00:0c >>> 976 >>> > /lib/libuc++.so >>> > 2020.06.04-14:18:22.55@0: 776d6000-776de000 r-xp 00000000 00:0c >>> 982 >>> > /lib/libubox.so >>> > 2020.06.04-14:18:22.55@0: 776df000-7772b000 r-xp 00000000 00:0c >>> 978 >>> > /lib/libumsg.so >>> > 2020.06.04-14:18:22.55@0: 77731000-77738000 r-xp 00000000 00:0c >>> 990 >>> > /lib/ld-uClibc-0.9.33.2.so >>> > 2020.06.04-14:18:22.55@0: >>> > 2020.06.04-14:18:22.55@0: stack: 0x7fd41000 - 0x7fd40b6c >>> > 2020.06.04-14:18:22.55@0: ec 54 6d 77 1b 00 00 00 88 67 05 08 98 >>> 0b >>> > d4 7f c6 c6 04 08 88 67 05 08 1b 00 00 00 10 00 fe 20 >>> > 2020.06.04-14:18:22.55@0: 10 00 fe 20 ec 54 6d 77 f0 ea 6d 77 08 >>> 0c >>> > d4 7f 6d a9 6d 77 88 67 05 08 1b 00 00 00 05 00 00 00 >>> > 2020.06.04-14:18:22.55@0: >>> > 2020.06.04-14:18:22.55@0: code: 0x776cd1db >>> > 2020.06.04-14:18:22.55@0: 8b 00 8b 10 01 c2 83 c2 04 52 83 c0 04 >>> 50 >>> > ff 75 >>> > >>> > This vulnerability was initially found in long-term 6.44.5, and has >>> been >>> > fixed in stable 6.47. >>> > >>> > 2. NULL pointer dereference vulnerability >>> > The graphing process suffers from a memory corruption vulnerability. By >>> > sending a crafted packet, an authenticated remote user can crash the >>> > graphing process due to NULL >>> > pointer dereference. >>> > >>> > Against stable 6.46.5, the poc resulted in the following crash dump. >>> > >>> > # cat /rw/logs/backtrace.log >>> > 2020.06.04-15:12:41.47@0: >>> > 2020.06.04-15:12:41.47@0: >>> > 2020.06.04-15:12:41.47@0: /nova/bin/graphing >>> > 2020.06.04-15:12:41.47@0: --- signal=11 >>> > -------------------------------------------- >>> > 2020.06.04-15:12:41.47@0: >>> > 2020.06.04-15:12:41.47@0: eip=0x080521e2 eflags=0x00010202 >>> > 2020.06.04-15:12:41.47@0: edi=0x080610a0 esi=0x08061cb8 >>> > ebp=0x7fa8acd8 esp=0x7fa8acb0 >>> > 2020.06.04-15:12:41.47@0: eax=0x08061db8 ebx=0x7fa8ad0c >>> > ecx=0x00000000 edx=0x08061ce8 >>> > 2020.06.04-15:12:41.47@0: >>> > 2020.06.04-15:12:41.47@0: maps: >>> > 2020.06.04-15:12:41.47@0: 08048000-0805c000 r-xp 00000000 00:0c >>> 1038 >>> > /nova/bin/graphing >>> > 2020.06.04-15:12:41.47@0: 77651000-77686000 r-xp 00000000 00:0c >>> 964 >>> > /lib/libuClibc-0.9.33.2.so >>> > 2020.06.04-15:12:41.47@0: 7768a000-776a4000 r-xp 00000000 00:0c >>> 960 >>> > /lib/libgcc_s.so.1 >>> > 2020.06.04-15:12:41.47@0: 776a5000-776b4000 r-xp 00000000 00:0c >>> 944 >>> > /lib/libuc++.so >>> > 2020.06.04-15:12:41.47@0: 776b5000-776bd000 r-xp 00000000 00:0c >>> 950 >>> > /lib/libubox.so >>> > 2020.06.04-15:12:41.47@0: 776be000-7770a000 r-xp 00000000 00:0c >>> 946 >>> > /lib/libumsg.so >>> > 2020.06.04-15:12:41.47@0: 7770d000-77717000 r-xp 00000000 00:0c >>> 961 >>> > /lib/libm-0.9.33.2.so >>> > 2020.06.04-15:12:41.47@0: 7771c000-77723000 r-xp 00000000 00:0c >>> 958 >>> > /lib/ld-uClibc-0.9.33.2.so >>> > 2020.06.04-15:12:41.47@0: >>> > 2020.06.04-15:12:41.47@0: stack: 0x7fa8b000 - 0x7fa8acb0 >>> > 2020.06.04-15:12:41.47@0: e8 1c 06 08 b8 1d 06 08 00 00 00 00 01 >>> 00 >>> > 00 00 0c ad a8 7f 5b 00 00 00 b8 98 05 08 b8 98 05 08 >>> > 2020.06.04-15:12:41.47@0: f0 da 6b 77 0c ad a8 7f 28 ad a8 7f 3a >>> bc >>> > 6b 77 b8 1c 06 08 0c ad a8 7f 05 00 00 00 a0 10 06 08 >>> > 2020.06.04-15:12:41.47@0: >>> > 2020.06.04-15:12:41.47@0: code: 0x80521e2 >>> > 2020.06.04-15:12:41.47@0: ff 51 04 83 c4 18 6a 5c 53 e8 a0 9c ff >>> ff >>> > 8b 56 >>> > >>> > This vulnerability was initially found in long-term 6.44.6, and has >>> been >>> > fixed in stable 6.47. >>> > >>> > 3. Stack exhaustion vulnerability >>> > The net process suffers from a stack exhaustion vulnerability. By >>> sending >>> > a crafted packet to the net process, an authenticated remote user can >>> > trigger a stack exhaustion vulnerability via recursive function calls. >>> > >>> > When testing the proof of concept on an x86 RouterOS VM, this >>> > vulnerability didn't just crash net process but caused the whole >>> system to >>> > reboot. >>> > >>> > Against stable 6.46.5, the poc resulted in the following crash dump. >>> > >>> > # cat /rw/logs/backtrace.log >>> > 2020.06.08-11:19:45.40@0: >>> > 2020.06.08-11:19:45.40@0: >>> > 2020.06.08-11:19:45.40@0: /nova/bin/net >>> > 2020.06.08-11:19:45.40@0: --- signal=11 >>> > -------------------------------------------- >>> > 2020.06.08-11:19:45.40@0: >>> > 2020.06.08-11:19:45.40@0: eip=0x0809ec65 eflags=0x00010206 >>> > 2020.06.08-11:19:45.40@0: edi=0x7fb0fe4c esi=0x7fb0ff48 >>> > ebp=0x7f311018 esp=0x7f310fe0 >>> > 2020.06.08-11:19:45.40@0: eax=0x00fe0008 ebx=0x7772cae4 >>> > ecx=0x7772cae4 edx=0x08122630 >>> > 2020.06.08-11:19:45.40@0: >>> > 2020.06.08-11:19:45.40@0: maps: >>> > 2020.06.08-11:19:45.40@0: 08048000-08121000 r-xp 00000000 00:0c >>> 1004 >>> > /nova/bin/net >>> > 2020.06.08-11:19:45.40@0: 77654000-77689000 r-xp 00000000 00:0c >>> 964 >>> > /lib/libuClibc-0.9.33.2.so >>> > 2020.06.08-11:19:45.40@0: 7768d000-776a7000 r-xp 00000000 00:0c >>> 960 >>> > /lib/libgcc_s.so.1 >>> > 2020.06.08-11:19:45.40@0: 776a8000-776b7000 r-xp 00000000 00:0c >>> 944 >>> > /lib/libuc++.so >>> > 2020.06.08-11:19:45.40@0: 776b8000-776c6000 r-xp 00000000 00:0c >>> 945 >>> > /lib/libz.so >>> > 2020.06.08-11:19:45.40@0: 776c7000-776d1000 r-xp 00000000 00:0c >>> 961 >>> > /lib/libm-0.9.33.2.so >>> > 2020.06.08-11:19:45.40@0: 776d3000-776db000 r-xp 00000000 00:0c >>> 950 >>> > /lib/libubox.so >>> > 2020.06.08-11:19:45.40@0: 776dc000-776df000 r-xp 00000000 00:0c >>> 948 >>> > /lib/libuxml++.so >>> > 2020.06.08-11:19:45.40@0: 776e0000-7772c000 r-xp 00000000 00:0c >>> 946 >>> > /lib/libumsg.so >>> > 2020.06.08-11:19:45.40@0: 7772f000-7774c000 r-xp 00000000 00:0c >>> 947 >>> > /lib/libucrypto.so >>> > 2020.06.08-11:19:45.40@0: 77750000-77757000 r-xp 00000000 00:0c >>> 958 >>> > /lib/ld-uClibc-0.9.33.2.so >>> > 2020.06.08-11:19:45.40@0: >>> > 2020.06.08-11:19:45.40@0: stack: 0x7fb10000 - 0x7f310fe0 >>> > >>> > This vulnerability was initially found in long-term 6.44.5, and has >>> been >>> > fixed in stable 6.47. >>> > >>> > >>> > Solution >>> > ======== >>> > >>> > Upgrade to the corresponding latest RouterOS tree version. >>> > >>> > >>> > References >>> > ========== >>> > >>> > [1] https://mikrotik.com/download/changelogs/stable-release-tree >>> > >>> > >>> >>> _______________________________________________ >>> Sent through the Full Disclosure mailing list >>> https://nmap.org/mailman/listinfo/fulldisclosure >>> Web Archives & RSS: http://seclists.org/fulldisclosure/ >> >> >> >> -- >> Gynvael Coldwind >> > -- Gynvael Coldwind _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists