
MikroTik RouterOS Memory Corruption / Reachable Assertion Failure

Posted Sep 11, 2020
Authored by Qian Chen

MikroTik RouterOS suffers from memory corruption and reachable assertion failure vulnerabilities.

tags | advisory, vulnerability
SHA-256 | 55015f99b97a602f7b921cc66a0bad419e61030ea1560cd3d297e3259fc64e59

Advisory: two vulnerabilities found in MikroTik's RouterOS


Details
=======

Product: MikroTik's RouterOS
Vendor URL: https://mikrotik.com/
Vendor Status: fixed version released
CVE: -
Credit: Qian Chen (@cq674350529) of Qihoo 360 Nirvan Team


Product Description
===================

RouterOS is the operating system used on MikroTik's devices, such as
switches, routers and access points.


Description of vulnerabilities
==============================

1. Memory corruption
The resolver process suffers from a memory corruption vulnerability. By
sending a crafted packet, an authenticated remote user can crash the
resolver process due to invalid memory access.

Against stable 6.46.5, the PoC resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.18-14:38:03.27@0:
2020.06.18-14:38:03.27@0:
2020.06.18-14:38:03.28@0: /nova/bin/resolver
2020.06.18-14:38:03.28@0: --- signal=11 --------------------------------------------
2020.06.18-14:38:03.28@0:
2020.06.18-14:38:03.28@0: eip=0x080508f6 eflags=0x00010206
2020.06.18-14:38:03.28@0: edi=0x08060620 esi=0x08062018 ebp=0x7fe5fd08 esp=0x7fe5fcc0
2020.06.18-14:38:03.28@0: eax=0x0000000c ebx=0x08061c98 ecx=0x77676f00 edx=0x00000005
2020.06.18-14:38:03.28@0:
2020.06.18-14:38:03.28@0: maps:
2020.06.18-14:38:03.28@0: 08048000-0805c000 r-xp 00000000 00:0c 995 /nova/bin/resolver
2020.06.18-14:38:03.28@0: 7763f000-77674000 r-xp 00000000 00:0c 964 /lib/libuClibc-0.9.33.2.so
2020.06.18-14:38:03.28@0: 77678000-77692000 r-xp 00000000 00:0c 960 /lib/libgcc_s.so.1
2020.06.18-14:38:03.28@0: 77693000-776a2000 r-xp 00000000 00:0c 944 /lib/libuc++.so
2020.06.18-14:38:03.28@0: 776a3000-776ab000 r-xp 00000000 00:0c 950 /lib/libubox.so
2020.06.18-14:38:03.28@0: 776ac000-776f8000 r-xp 00000000 00:0c 946 /lib/libumsg.so
2020.06.18-14:38:03.28@0: 776fe000-77705000 r-xp 00000000 00:0c 958 /lib/ld-uClibc-0.9.33.2.so
2020.06.18-14:38:03.28@0:
2020.06.18-14:38:03.28@0: stack: 0x7fe60000 - 0x7fe5fcc0
2020.06.18-14:38:03.28@0: 03 00 00 00 e4 8a 6f 77 38 fd e5 7f e4 fc e5 7f c0 dc 05 08 5c 03 e6 7f 08 fd e5 7f 1f e7 04 08
2020.06.18-14:38:03.28@0: 58 21 06 08 48 06 06 08 f8 1f 06 08 c0 0c 00 00 1c fd e5 7f 28 c7 05 08 02 fb 6f 77 98 1c 06 08
2020.06.18-14:38:03.28@0:
2020.06.18-14:38:03.28@0: code: 0x80508f6
2020.06.18-14:38:03.28@0: 88 10 8b 43 14 40 89 43 14 8b 55 dc 8d 72 04 8b

This vulnerability was initially found in long-term 6.44.6, and was fixed
in stable 6.47.

2. Reachable assertion failure
The user process contains a reachable assertion. By sending a crafted
packet, an authenticated remote user can trigger the assertion failure
and crash the user process.

Against stable 6.46.5, the PoC resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.04-17:56:52.31@0:
2020.06.04-17:56:52.31@0:
2020.06.04-17:56:52.31@0: /nova/bin/user
2020.06.04-17:56:52.31@0: --- signal=6 --------------------------------------------
2020.06.04-17:56:52.31@0:
2020.06.04-17:56:52.31@0: eip=0x7765a55b eflags=0x00000246
2020.06.04-17:56:52.31@0: edi=0x00fe0001 esi=0x77662200 ebp=0x7fee3790 esp=0x7fee3788
2020.06.04-17:56:52.31@0: eax=0x00000000 ebx=0x000000b4 ecx=0x000000b4 edx=0x00000006
2020.06.04-17:56:52.31@0:
2020.06.04-17:56:52.31@0: maps:
2020.06.04-17:56:52.31@0: 08048000-08059000 r-xp 00000000 00:0c 1002 /nova/bin/user
2020.06.04-17:56:52.31@0: 7762c000-77661000 r-xp 00000000 00:0c 964 /lib/libuClibc-0.9.33.2.so
2020.06.04-17:56:52.31@0: 77665000-7767f000 r-xp 00000000 00:0c 960 /lib/libgcc_s.so.1
2020.06.04-17:56:52.31@0: 77680000-7768f000 r-xp 00000000 00:0c 944 /lib/libuc++.so
2020.06.04-17:56:52.31@0: 77690000-776ad000 r-xp 00000000 00:0c 947 /lib/libucrypto.so
2020.06.04-17:56:52.31@0: 776ae000-776b4000 r-xp 00000000 00:0c 951 /lib/liburadius.so
2020.06.04-17:56:52.31@0: 776b5000-776bd000 r-xp 00000000 00:0c 950 /lib/libubox.so
2020.06.04-17:56:52.31@0: 776be000-776c1000 r-xp 00000000 00:0c 948 /lib/libuxml++.so
2020.06.04-17:56:52.31@0: 776c2000-7770e000 r-xp 00000000 00:0c 946 /lib/libumsg.so
2020.06.04-17:56:52.31@0: 77714000-7771b000 r-xp 00000000 00:0c 958 /lib/ld-uClibc-0.9.33.2.so
2020.06.04-17:56:52.31@0:
2020.06.04-17:56:52.31@0: stack: 0x7fee4000 - 0x7fee3788
2020.06.04-17:56:52.31@0: 00 20 66 77 00 20 66 77 c8 37 ee 7f 77 60 65 77 06 00 00 00 00 22 66 77 20 00 00 00 00 00 00 00
2020.06.04-17:56:52.31@0: 15 00 00 00 28 38 ee 7f c4 37 ee 7f e4 ea 70 77 01 00 00 00 e4 ea 70 77 15 00 00 00 01 00 fe 00
2020.06.04-17:56:52.31@0:
2020.06.04-17:56:52.31@0: code: 0x7765a55b
2020.06.04-17:56:52.31@0: 5b 3d 00 f0 ff ff 76 0e 8b 93 cc ff ff ff f7 d8

This vulnerability was initially found in long-term 6.44.6, and was fixed
in stable 6.47.
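
Added example (not part of the original advisory and not MikroTik code): a
Python triage helper for the backtrace.log format shown in the two dumps
above. It names the signal and resolves the faulting eip to the mapped module
and offset. The dump excerpts are taken from this page with wrapped lines
rejoined; the function name triage and its field names are assumptions.

```python
import re

# Excerpts of the two dumps above (wrapped lines rejoined, stack/code bytes omitted).
RESOLVER_DUMP = """\
2020.06.18-14:38:03.28@0: /nova/bin/resolver
2020.06.18-14:38:03.28@0: --- signal=11 --------------------------------------------
2020.06.18-14:38:03.28@0: eip=0x080508f6 eflags=0x00010206
2020.06.18-14:38:03.28@0: maps:
2020.06.18-14:38:03.28@0: 08048000-0805c000 r-xp 00000000 00:0c 995 /nova/bin/resolver
2020.06.18-14:38:03.28@0: 7763f000-77674000 r-xp 00000000 00:0c 964 /lib/libuClibc-0.9.33.2.so
"""
USER_DUMP = """\
2020.06.04-17:56:52.31@0: /nova/bin/user
2020.06.04-17:56:52.31@0: --- signal=6 --------------------------------------------
2020.06.04-17:56:52.31@0: eip=0x7765a55b eflags=0x00000246
2020.06.04-17:56:52.31@0: maps:
2020.06.04-17:56:52.31@0: 08048000-08059000 r-xp 00000000 00:0c 1002 /nova/bin/user
2020.06.04-17:56:52.31@0: 7762c000-77661000 r-xp 00000000 00:0c 964 /lib/libuClibc-0.9.33.2.so
"""

PREFIX = re.compile(r"^\d{4}\.\d\d\.\d\d-\d\d:\d\d:\d\d\.\d\d@\d+: ?")  # timestamp@n:
MAP = re.compile(r"^([0-9a-f]{8})-([0-9a-f]{8}) \S+ [0-9a-f]+ \S+ \d+\s+(\S+)$")
SIGNALS = {6: "SIGABRT", 11: "SIGSEGV"}  # Linux x86 signal numbers

def triage(dump):
    """Return process, signal name and the module+offset that contains eip."""
    out = {"process": None, "signal": None, "eip": None, "module": None, "offset": None}
    maps = []
    for raw in dump.splitlines():
        line = PREFIX.sub("", raw).strip()
        if line.startswith("/") and out["process"] is None:
            out["process"] = line  # first bare path is the crashed binary
        elif m := re.match(r"--- signal=(\d+)", line):
            n = int(m.group(1))
            out["signal"] = SIGNALS.get(n, f"signal {n}")
        elif m := re.search(r"\beip=0x([0-9a-f]+)", line):
            out["eip"] = int(m.group(1), 16)
        elif m := MAP.match(line):
            maps.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    for start, end, path in maps:
        if out["eip"] is not None and start <= out["eip"] < end:
            out["module"], out["offset"] = path, out["eip"] - start
    return out

if __name__ == "__main__":
    for d in (RESOLVER_DUMP, USER_DUMP):
        r = triage(d)
        print(f'{r["process"]}: {r["signal"]} at {r["module"]}+{r["offset"]:#x}')
```

For the resolver dump the faulting address lies inside /nova/bin/resolver
itself, while for the user dump it lies inside libuClibc with SIGABRT, which
is consistent with a failed assertion calling abort().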


Solution
========

Upgrade to the latest version in the corresponding RouterOS release tree.


References
==========

[1] https://mikrotik.com/download/changelogs/stable-release-tree

