Advisory: two vulnerabilities found in MikroTik's RouterOS

Details
=======

Product: MikroTik RouterOS
Affected Versions: before 6.44.5 (Long-term release tree), before 6.45.1 (Stable release tree)
Fixed Versions: 6.44.5 (Long-term release tree), 6.45.1 (Stable release tree)
Vendor URL: https://mikrotik.com/download/changelogs/long-term-release-tree
Vendor Status: fixed version released
CVE: CVE-2019-13954, CVE-2019-13955
Credit: Qian Chen (@cq674350529) of the Qihoo 360 Nirvan Team

Product Description
===================

RouterOS is the operating system used on MikroTik devices such as switches, routers and access points.

Details of vulnerabilities
==========================

Both vulnerabilities were tested only against MikroTik RouterOS 6.42.11 and 6.43.16 (Long-term release tree) at the time they were found.

1. CVE-2019-13954: memory exhaustion via a crafted POST request

This vulnerability is similar to CVE-2018-1157. An authenticated user can cause the www binary to consume all available memory via a crafted POST request to /jsproxy/upload. The cause is an incomplete fix for CVE-2018-1157. Based on the PoC for CVE-2018-1157 provided by @Jacob Baines (really appreciated!), crafting a filename ending with many '\x00' bytes bypasses the original fix and triggers the vulnerability.

2. CVE-2019-13955: stack exhaustion via recursive parsing of JSON

This vulnerability is similar to CVE-2018-1158. An authenticated user communicating with the www binary can trigger stack exhaustion via recursive parsing of JSON containing message type M. Based on the PoC for CVE-2018-1158 provided by @Jacob Baines (really appreciated!), crafting a JSON message with type M triggers the vulnerability. A simple Python script to generate the crafted message is as follows:

    # Build a deeply nested type-M message; every iteration adds one more level of nesting
    msg = "{M01:[M01:[]]}"
    for _ in range(2000):  # range() keeps the script runnable on Python 3 (the original used xrange)
        msg = msg.replace('[]', "[M01:[]]")

Solution
========

Upgrade to RouterOS version 6.44.5 (Long-term release tree) or 6.45.1 (Stable release tree).
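As an added illustration of the mitigation for CVE-2019-13955 (example code, not from the advisory or from MikroTik), the following Python parser handles the simplified {M01:[...]} shape shown above with an explicit nesting limit, so the 2000-level message the script generates is rejected with an error instead of recursing until the stack is exhausted. The grammar, MAX_DEPTH and the function names are assumptions made for this example.

```python
import re

MAX_DEPTH = 32  # assumed limit for this example; tune to the deployment

def build_nested_message(levels):
    """Rebuild the nested M01 message the advisory's script produces (constructed test input)."""
    msg = "{M01:[M01:[]]}"
    for _ in range(levels):
        msg = msg.replace("[]", "[M01:[]]")
    return msg

_TYPE = re.compile(r"[A-Za-z]\d\d")  # message type token such as M01 (assumed shape)

def parse_message(text, max_depth=MAX_DEPTH):
    """Parse the simplified {TYPE:[TYPE:[...]]} shape into nested (type, children) tuples.
    The recursion carries an explicit depth counter, so an over-nested message
    raises ValueError instead of exhausting the interpreter's stack."""
    def parse_entry(pos, depth):
        if depth > max_depth:
            raise ValueError(f"nesting depth exceeds {max_depth}")
        m = _TYPE.match(text, pos)
        if m is None or text[m.end():m.end() + 2] != ":[":
            raise ValueError(f"expected TYPE:[ at offset {pos}")
        pos = m.end() + 2
        children = []
        while text[pos] != "]":  # IndexError on truncated input, mapped to ValueError below
            child, pos = parse_entry(pos, depth + 1)
            children.append(child)
        return (m.group(0), children), pos + 1

    if not (text.startswith("{") and text.endswith("}")):
        raise ValueError("message must be wrapped in { }")
    try:
        root, end = parse_entry(1, 1)
    except IndexError:
        raise ValueError("truncated message") from None
    if end != len(text) - 1:
        raise ValueError(f"trailing data at offset {end}")
    return root

def is_acceptable(text, max_depth=MAX_DEPTH):
    """True if the message parses within the nesting limit, False otherwise."""
    try:
        parse_message(text, max_depth)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    print(parse_message("{M01:[M01:[]]}"))           # ('M01', [('M01', [])])
    print(is_acceptable(build_nested_message(2000)))  # False: rejected at depth 33
```

The cap must stay well below the interpreter's own recursion limit, since the parser is still recursive; an iterative bracket-depth pre-check before parsing is a cheap additional guard.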
References
==========

[1] https://mikrotik.com/download/changelogs/long-term-release-tree
[2] https://github.com/tenable/routeros