Jump to content
H4CK

Mikrotik RouterOS内存损坏/空指针删除Vulnerness

Recommended Posts

Advisory: three vulnerabilities found in MikroTik's RouterOS
 
 
Details
=======
MikroTik RouterOS Memory Corruption / NULL Pointer Dereference Vulnerbilities
 
Product: MikroTik's RouterOS
Vendor URL: https://mikrotik.com/
Vendor Status: fixed version released
CVE: -
Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team
 
 
Product Description
==================
 
RouterOS is the operating system used on the MikroTik's devices, such as
switch, router and access point.
 
 
Description of vulnerabilities
==========================
 
1. NULL pointer dereference
The dot1x process suffers from a memory corruption vulnerability. By
sending a crafted packet, an authenticated remote user can crash the dot1x
process due to NULL pointer dereference.
 
Against stable 6.46.5, the poc resulted in the following crash dump.
 
    # cat /rw/logs/backtrace.log
    2020.06.04-14:51:[email protected]:
    2020.06.04-14:51:[email protected]:
    2020.06.04-14:51:[email protected]: /nova/bin/dot1x
    2020.06.04-14:51:[email protected]: --- signal=11
--------------------------------------------
    2020.06.04-14:51:[email protected]:
    2020.06.04-14:51:[email protected]: eip=0x776a51e5 eflags=0x00010202
    2020.06.04-14:51:[email protected]: edi=0x7fc51064 esi=0x08062ed0 ebp=0x7fc50f78
esp=0x7fc50f6c
    2020.06.04-14:51:[email protected]: eax=0x00000000 ebx=0x776ad4ec ecx=0x00000000
edx=0x08062e28
    2020.06.04-14:51:[email protected]:
    2020.06.04-14:51:[email protected]: maps:
    2020.06.04-14:51:[email protected]: 08048000-0805f000 r-xp 00000000 00:0c 1064
    /nova/bin/dot1x
    2020.06.04-14:51:[email protected]: 7764a000-7767f000 r-xp 00000000 00:0c 964
   /lib/libuClibc-0.9.33.2.so
    2020.06.04-14:51:[email protected]: 77683000-7769d000 r-xp 00000000 00:0c 960
   /lib/libgcc_s.so.1
    2020.06.04-14:51:[email protected]: 7769e000-776ad000 r-xp 00000000 00:0c 944
   /lib/libuc++.so
    2020.06.04-14:51:[email protected]: 776ae000-776b4000 r-xp 00000000 00:0c 951
   /lib/liburadius.so
    2020.06.04-14:51:[email protected]: 776b5000-776bd000 r-xp 00000000 00:0c 950
   /lib/libubox.so
    2020.06.04-14:51:[email protected]: 776be000-776db000 r-xp 00000000 00:0c 947
   /lib/libucrypto.so
    2020.06.04-14:51:[email protected]: 776dc000-77728000 r-xp 00000000 00:0c 946
   /lib/libumsg.so
    2020.06.04-14:51:[email protected]: 7772e000-77735000 r-xp 00000000 00:0c 958
   /lib/ld-uClibc-0.9.33.2.so
    2020.06.04-14:51:[email protected]:
    2020.06.04-14:51:[email protected]: stack: 0x7fc52000 - 0x7fc50f6c
    2020.06.04-14:51:[email protected]: 00 00 00 00 90 27 06 08 e4 8a 72 77 a8 0f c5
7f 2e be 6f 77 90 27 06 08 d0 2e 06 08 28 2e 06 08
    2020.06.04-14:51:[email protected]: 28 2e 06 08 a4 0f c5 7f f0 da 6b 77 05 00 00
00 f0 da 6b 77 e0 2d 06 08 64 10 c5 7f e8 0f c5 7f
    2020.06.04-14:51:[email protected]:
    2020.06.04-14:51:[email protected]: code: 0x776a51e5
    2020.06.04-14:51:[email protected]: 8b 10 01 c2 83 c2 04 52 83 c0 04 50 ff 75 08
e8
 
This vulnerability was initially found in stable 6.46.3, and was fixed in
stable 6.47.
 
2. division by zero
The netwatch process suffers from a division-by-zero vulnerability. By
sending a crafted packet, an authenticated remote user can crash the
netwatch process due to arithmetic exception.
 
Against stable 6.46.5, the poc resulted in the following crash dump.
 
    # cat /rw/logs/backtrace.log
    2020.06.04-16:25:[email protected]:
    2020.06.04-16:25:[email protected]:
    2020.06.04-16:25:[email protected]: /ram/pckg/advanced-tools/nova/bin/netwatch
    2020.06.04-16:25:[email protected]: --- signal=8
--------------------------------------------
    2020.06.04-16:25:[email protected]:
    2020.06.04-16:25:[email protected]: eip=0x0804c6d7 eflags=0x00010246
    2020.06.04-16:25:[email protected]: edi=0x5ed9208c esi=0x00000000 ebp=0x7ffff3f8
esp=0x7ffff3b0
    2020.06.04-16:25:[email protected]: eax=0x00000000 ebx=0x08051020 ecx=0x00000000
edx=0x00000000
    2020.06.04-16:25:[email protected]:
    2020.06.04-16:25:[email protected]: maps:
    2020.06.04-16:25:[email protected]: 08048000-0804d000 r-xp 00000000 00:1a 14
    /ram/pckg/advanced-tools/nova/bin/netwatch
    2020.06.04-16:25:[email protected]: 77f41000-77f76000 r-xp 00000000 00:0c 964
   /lib/libuClibc-0.9.33.2.so
    2020.06.04-16:25:[email protected]: 77f7a000-77f94000 r-xp 00000000 00:0c 960
   /lib/libgcc_s.so.1
    2020.06.04-16:25:[email protected]: 77f95000-77fa4000 r-xp 00000000 00:0c 944
   /lib/libuc++.so
    2020.06.04-16:25:[email protected]: 77fa5000-77ff1000 r-xp 00000000 00:0c 946
   /lib/libumsg.so
    2020.06.04-16:25:[email protected]: 77ff7000-77ffe000 r-xp 00000000 00:0c 958
   /lib/ld-uClibc-0.9.33.2.so
    2020.06.04-16:25:[email protected]:
    2020.06.04-16:25:[email protected]: stack: 0x80000000 - 0x7ffff3b0
    2020.06.04-16:25:[email protected]: d8 f4 ff 7f 80 f6 ff 7f 06 00 00 00 d0 f3 ff
7f 84 e5 04 08 0b 00 ff 08 e8 f3 ff 7f 06 00 00 00
    2020.06.04-16:25:[email protected]: 20 10 05 08 e4 1a ff 77 f8 f3 ff 7f 22 2c fc
77 d8 f4 ff 7f 0b 00 ff 08 08 f4 ff 7f e4 1a ff 77
    2020.06.04-16:25:[email protected]:
    2020.06.04-16:25:[email protected]: code: 0x804c6d7
    2020.06.04-16:25:[email protected]: f7 f6 8b 53 30 39 c2 73 6e 42 89 53 30 83 ec
0c
 
This vulnerability was initially found in stable 6.46.2, and was fixed in
stable 6.47.
 
3. memory corruption
The wireless process suffers from a memory corruption vulnerability. By
sending a crafted packet, an authenticated remote user can crash the
wireless process due to invalid memory access.
 
Against stable 6.46.5, the poc resulted in the following crash dump.
 
    # cat /rw/logs/backtrace.log
    2020.06.04-18:12:[email protected]:
    2020.06.04-18:12:[email protected]: /ram/pckg/wireless/nova/bin/wireless
    2020.06.04-18:12:[email protected]: --- signal=11
--------------------------------------------
    2020.06.04-18:12:[email protected]:
    2020.06.04-18:12:[email protected]: eip=0x08070dbe eflags=0x00010202
    2020.06.04-18:12:[email protected]: edi=0x7fc6e084 esi=0x08130a58 ebp=0x7fc6e008
esp=0x7fc6dfd0
    2020.06.04-18:12:[email protected]: eax=0x081164c4 ebx=0x776fcaf0 ecx=0x0811814c
edx=0x00000001
    2020.06.04-18:12:[email protected]:
    2020.06.04-18:12:[email protected]: maps:
    2020.06.04-18:12:[email protected]: 08048000-08115000 r-xp 00000000 00:19 99
    /ram/pckg/wireless/nova/bin/wireless
    2020.06.04-18:12:[email protected]: 7749f000-774a1000 r-xp 00000000 00:0c 959
   /lib/libdl-0.9.33.2.so
    2020.06.04-18:12:[email protected]: 774a3000-774d8000 r-xp 00000000 00:0c 964
   /lib/libuClibc-0.9.33.2.so
    2020.06.04-18:12:[email protected]: 774dc000-774f6000 r-xp 00000000 00:0c 960
   /lib/libgcc_s.so.1
    2020.06.04-18:12:[email protected]: 774f7000-77506000 r-xp 00000000 00:0c 944
   /lib/libuc++.so
    2020.06.04-18:12:[email protected]: 77507000-77664000 r-xp 00000000 00:0c 954
   /lib/libcrypto.so.1.0.0
    2020.06.04-18:12:[email protected]: 77674000-776bf000 r-xp 00000000 00:0c 956
   /lib/libssl.so.1.0.0
    2020.06.04-18:12:[email protected]: 776c3000-776cd000 r-xp 00000000 00:0c 961
   /lib/libm-0.9.33.2.so
    2020.06.04-18:12:[email protected]: 776cf000-776ec000 r-xp 00000000 00:0c 947
   /lib/libucrypto.so
    2020.06.04-18:12:[email protected]: 776ed000-776f3000 r-xp 00000000 00:0c 951
   /lib/liburadius.so
    2020.06.04-18:12:[email protected]: 776f4000-776fc000 r-xp 00000000 00:0c 950
   /lib/libubox.so
    2020.06.04-18:12:[email protected]: 776fd000-77749000 r-xp 00000000 00:0c 946
   /lib/libumsg.so
    2020.06.04-18:12:[email protected]: 7774f000-77756000 r-xp 00000000 00:0c 958
   /lib/ld-uClibc-0.9.33.2.so
    2020.06.04-18:12:[email protected]:
    2020.06.04-18:12:[email protected]: stack: 0x7fc6f000 - 0x7fc6dfd0
    2020.06.04-18:12:[email protected]: c4 64 11 08 07 c8 0f 08 f0 f0 10 08 f0 f0 10
08 28 fe 12 08 84 e0 c6 7f 08 e0 c6 7f 63 3d 06 08
    2020.06.04-18:12:[email protected]: 0c 00 00 00 00 00 00 00 18 e0 c6 7f f0 ca 6f
77 58 0a 13 08 84 e0 c6 7f 38 e0 c6 7f 7c 7a 6f 77
    2020.06.04-18:12:[email protected]:
    2020.06.04-18:12:[email protected]: code: 0x8070dbe
    2020.06.04-18:12:[email protected]: ff 05 00 00 00 00 83 c4 10 53 8b 46 08 0f b6
40
 
This vulnerability was initially found in stable 6.46.3, and was fixed in
stable 6.47.
 
 
Solution
========
 
Upgrade to the corresponding latest RouterOS tree version.
 
 
References
==========
 
[1] https://mikrotik.com/download/changelogs/stable-release-tree

 

Link to post
Share on other sites

Follow: 世界中文黑客论坛由CNHACKTEAM[CHT]创建,汇集国内外技术人员,这是一群研究网安黑客攻防技术领域的专家.

法务要求丨Legal丨закон丨القانون

请在学习期间遵守所在国家相关法律,否则后果自负!

Пожалуйста, соблюдайте законы страны, в которой вы находитесь, во время обучения, или будут последствия!

勉強期間中に該当する国の法律を守ってください。そうでなければ結果は自己責任です。

Please abide by the relevant laws of your country during your study, or you will be responsible for the consequences!

官方旗下项目丨About our project

声明:为净化国内外网络安全请勿发布违反国家国定的文章,团队不参与任何涉及黑色产业/攻击/渗透各国正规网站活动,只做网络安全研究,研究网络攻防技术。

世界中文黑客论坛由CNHACKTEAM(CHT)创建,汇集国内外技术人员,这是一群研究网络安全、黑客攻防技术领域的专家,你也可以加入我们!

黑客攻防  技术问答  0day  Hack News  CHT Team  使用指南  商城/Mall  商城订单查询  捐赠/donations  在线用户  X  联系邮箱email:[email protected]

友情链接丨Link丨Связь дружбы

CNHACKTEAM   CHT team official website     www.hac-ker.com     hacked.com.cn     www.77169.net     www.ddosi.com

申请或请未补上链接者联系我们的邮箱,谢谢!

×
×
  • Create New...

Important Information

Please use your computer to visit our website; Please agree to our website rules!Guidelines