what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

MikroTik RouterOS Memory Corruption / NULL Pointer Dereference / Division By Zero

MikroTik RouterOS Memory Corruption / NULL Pointer Dereference / Division By Zero
Posted Aug 30, 2020
Authored by Qian Chen

MikroTik RouterOS suffers from NULL pointer dereference, memory corruption and division by zero vulnerabilities.

tags | advisory, vulnerability
SHA-256 | 093cf827a466522125a9a60ebaa8035bdab73e9adbf53421b45d078526ed91b9

MikroTik RouterOS Memory Corruption / NULL Pointer Dereference / Division By Zero

Change Mirror Download
Advisory: three vulnerabilities found in MikroTik's RouterOS


Details
=======

Product: MikroTik's RouterOS
Vendor URL: https://mikrotik.com/
Vendor Status: fixed version released
CVE: -
Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team


Product Description
==================

RouterOS is the operating system used on the MikroTik's devices, such as
switch, router and access point.


Description of vulnerabilities
==========================

1. NULL pointer dereference
The dot1x process suffers from a memory corruption vulnerability. By
sending a crafted packet, an authenticated remote user can crash the dot1x
process due to NULL pointer dereference.

Against stable 6.46.5, the poc resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.04-14:51:29.47@0:
2020.06.04-14:51:29.47@0:
2020.06.04-14:51:29.81@0: /nova/bin/dot1x
2020.06.04-14:51:29.81@0: --- signal=11
--------------------------------------------
2020.06.04-14:51:29.81@0:
2020.06.04-14:51:29.81@0: eip=0x776a51e5 eflags=0x00010202
2020.06.04-14:51:29.81@0: edi=0x7fc51064 esi=0x08062ed0 ebp=0x7fc50f78
esp=0x7fc50f6c
2020.06.04-14:51:29.81@0: eax=0x00000000 ebx=0x776ad4ec ecx=0x00000000
edx=0x08062e28
2020.06.04-14:51:29.81@0:
2020.06.04-14:51:29.81@0: maps:
2020.06.04-14:51:29.81@0: 08048000-0805f000 r-xp 00000000 00:0c 1064
/nova/bin/dot1x
2020.06.04-14:51:29.81@0: 7764a000-7767f000 r-xp 00000000 00:0c 964
/lib/libuClibc-0.9.33.2.so
2020.06.04-14:51:29.81@0: 77683000-7769d000 r-xp 00000000 00:0c 960
/lib/libgcc_s.so.1
2020.06.04-14:51:29.81@0: 7769e000-776ad000 r-xp 00000000 00:0c 944
/lib/libuc++.so
2020.06.04-14:51:29.81@0: 776ae000-776b4000 r-xp 00000000 00:0c 951
/lib/liburadius.so
2020.06.04-14:51:29.81@0: 776b5000-776bd000 r-xp 00000000 00:0c 950
/lib/libubox.so
2020.06.04-14:51:29.81@0: 776be000-776db000 r-xp 00000000 00:0c 947
/lib/libucrypto.so
2020.06.04-14:51:29.81@0: 776dc000-77728000 r-xp 00000000 00:0c 946
/lib/libumsg.so
2020.06.04-14:51:29.81@0: 7772e000-77735000 r-xp 00000000 00:0c 958
/lib/ld-uClibc-0.9.33.2.so
2020.06.04-14:51:29.81@0:
2020.06.04-14:51:29.81@0: stack: 0x7fc52000 - 0x7fc50f6c
2020.06.04-14:51:29.81@0: 00 00 00 00 90 27 06 08 e4 8a 72 77 a8 0f c5
7f 2e be 6f 77 90 27 06 08 d0 2e 06 08 28 2e 06 08
2020.06.04-14:51:29.81@0: 28 2e 06 08 a4 0f c5 7f f0 da 6b 77 05 00 00
00 f0 da 6b 77 e0 2d 06 08 64 10 c5 7f e8 0f c5 7f
2020.06.04-14:51:29.81@0:
2020.06.04-14:51:29.81@0: code: 0x776a51e5
2020.06.04-14:51:29.81@0: 8b 10 01 c2 83 c2 04 52 83 c0 04 50 ff 75 08
e8

This vulnerability was initially found in stable 6.46.3, and was fixed in
stable 6.47.

2. division by zero
The netwatch process suffers from a division-by-zero vulnerability. By
sending a crafted packet, an authenticated remote user can crash the
netwatch process due to arithmetic exception.

Against stable 6.46.5, the poc resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.04-16:25:57.65@0:
2020.06.04-16:25:57.65@0:
2020.06.04-16:25:57.65@0: /ram/pckg/advanced-tools/nova/bin/netwatch
2020.06.04-16:25:57.65@0: --- signal=8
--------------------------------------------
2020.06.04-16:25:57.65@0:
2020.06.04-16:25:57.65@0: eip=0x0804c6d7 eflags=0x00010246
2020.06.04-16:25:57.65@0: edi=0x5ed9208c esi=0x00000000 ebp=0x7ffff3f8
esp=0x7ffff3b0
2020.06.04-16:25:57.65@0: eax=0x00000000 ebx=0x08051020 ecx=0x00000000
edx=0x00000000
2020.06.04-16:25:57.65@0:
2020.06.04-16:25:57.65@0: maps:
2020.06.04-16:25:57.65@0: 08048000-0804d000 r-xp 00000000 00:1a 14
/ram/pckg/advanced-tools/nova/bin/netwatch
2020.06.04-16:25:57.65@0: 77f41000-77f76000 r-xp 00000000 00:0c 964
/lib/libuClibc-0.9.33.2.so
2020.06.04-16:25:57.65@0: 77f7a000-77f94000 r-xp 00000000 00:0c 960
/lib/libgcc_s.so.1
2020.06.04-16:25:57.65@0: 77f95000-77fa4000 r-xp 00000000 00:0c 944
/lib/libuc++.so
2020.06.04-16:25:57.65@0: 77fa5000-77ff1000 r-xp 00000000 00:0c 946
/lib/libumsg.so
2020.06.04-16:25:57.65@0: 77ff7000-77ffe000 r-xp 00000000 00:0c 958
/lib/ld-uClibc-0.9.33.2.so
2020.06.04-16:25:57.65@0:
2020.06.04-16:25:57.65@0: stack: 0x80000000 - 0x7ffff3b0
2020.06.04-16:25:57.65@0: d8 f4 ff 7f 80 f6 ff 7f 06 00 00 00 d0 f3 ff
7f 84 e5 04 08 0b 00 ff 08 e8 f3 ff 7f 06 00 00 00
2020.06.04-16:25:57.65@0: 20 10 05 08 e4 1a ff 77 f8 f3 ff 7f 22 2c fc
77 d8 f4 ff 7f 0b 00 ff 08 08 f4 ff 7f e4 1a ff 77
2020.06.04-16:25:57.65@0:
2020.06.04-16:25:57.65@0: code: 0x804c6d7
2020.06.04-16:25:57.65@0: f7 f6 8b 53 30 39 c2 73 6e 42 89 53 30 83 ec
0c

This vulnerability was initially found in stable 6.46.2, and was fixed in
stable 6.47.

3. memory corruption
The wireless process suffers from a memory corruption vulnerability. By
sending a crafted packet, an authenticated remote user can crash the
wireless process due to invalid memory access.

Against stable 6.46.5, the poc resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.04-18:12:52.69@0:
2020.06.04-18:12:52.69@0: /ram/pckg/wireless/nova/bin/wireless
2020.06.04-18:12:52.69@0: --- signal=11
--------------------------------------------
2020.06.04-18:12:52.69@0:
2020.06.04-18:12:52.69@0: eip=0x08070dbe eflags=0x00010202
2020.06.04-18:12:52.69@0: edi=0x7fc6e084 esi=0x08130a58 ebp=0x7fc6e008
esp=0x7fc6dfd0
2020.06.04-18:12:52.69@0: eax=0x081164c4 ebx=0x776fcaf0 ecx=0x0811814c
edx=0x00000001
2020.06.04-18:12:52.69@0:
2020.06.04-18:12:52.69@0: maps:
2020.06.04-18:12:52.69@0: 08048000-08115000 r-xp 00000000 00:19 99
/ram/pckg/wireless/nova/bin/wireless
2020.06.04-18:12:52.69@0: 7749f000-774a1000 r-xp 00000000 00:0c 959
/lib/libdl-0.9.33.2.so
2020.06.04-18:12:52.69@0: 774a3000-774d8000 r-xp 00000000 00:0c 964
/lib/libuClibc-0.9.33.2.so
2020.06.04-18:12:52.69@0: 774dc000-774f6000 r-xp 00000000 00:0c 960
/lib/libgcc_s.so.1
2020.06.04-18:12:52.69@0: 774f7000-77506000 r-xp 00000000 00:0c 944
/lib/libuc++.so
2020.06.04-18:12:52.69@0: 77507000-77664000 r-xp 00000000 00:0c 954
/lib/libcrypto.so.1.0.0
2020.06.04-18:12:52.69@0: 77674000-776bf000 r-xp 00000000 00:0c 956
/lib/libssl.so.1.0.0
2020.06.04-18:12:52.69@0: 776c3000-776cd000 r-xp 00000000 00:0c 961
/lib/libm-0.9.33.2.so
2020.06.04-18:12:52.69@0: 776cf000-776ec000 r-xp 00000000 00:0c 947
/lib/libucrypto.so
2020.06.04-18:12:52.69@0: 776ed000-776f3000 r-xp 00000000 00:0c 951
/lib/liburadius.so
2020.06.04-18:12:52.69@0: 776f4000-776fc000 r-xp 00000000 00:0c 950
/lib/libubox.so
2020.06.04-18:12:52.69@0: 776fd000-77749000 r-xp 00000000 00:0c 946
/lib/libumsg.so
2020.06.04-18:12:52.69@0: 7774f000-77756000 r-xp 00000000 00:0c 958
/lib/ld-uClibc-0.9.33.2.so
2020.06.04-18:12:52.69@0:
2020.06.04-18:12:52.69@0: stack: 0x7fc6f000 - 0x7fc6dfd0
2020.06.04-18:12:52.69@0: c4 64 11 08 07 c8 0f 08 f0 f0 10 08 f0 f0 10
08 28 fe 12 08 84 e0 c6 7f 08 e0 c6 7f 63 3d 06 08
2020.06.04-18:12:52.69@0: 0c 00 00 00 00 00 00 00 18 e0 c6 7f f0 ca 6f
77 58 0a 13 08 84 e0 c6 7f 38 e0 c6 7f 7c 7a 6f 77
2020.06.04-18:12:52.69@0:
2020.06.04-18:12:52.69@0: code: 0x8070dbe
2020.06.04-18:12:52.69@0: ff 05 00 00 00 00 83 c4 10 53 8b 46 08 0f b6
40

This vulnerability was initially found in stable 6.46.3, and was fixed in
stable 6.47.


Solution
========

Upgrade to the corresponding latest RouterOS tree version.


References
==========

[1] https://mikrotik.com/download/changelogs/stable-release-tree


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close