Advisory: three vulnerabilities found in MikroTik's RouterOS Details ======= Product: MikroTik's RouterOS Vendor URL: https://mikrotik.com/ Vendor Status: fixed version released CVE: - Credit: Qian Chen(@cq674350529) from Codesafe Team of Legendsec at Qi'anxin Group Product Description ================== RouterOS is the operating system used on MikroTik's devices, such as switch, router and access point. Description of vulnerabilities ========================== 1. reachable assertion failure The netwatch process suffers from an assertion failure vulnerability. There is a reachable assertion in the netwatch process. By sending a crafted packet, an authenticated remote user can crash the netwatch process due to assertion failure. Against stable 6.47, the poc resulted in the following crash dump. # cat /rw/logs/backtrace.log 2020.06.29-14:27:25.52@0: 2020.06.29-14:27:25.52@0: 2020.06.29-14:27:25.52@0: /ram/pckg/advanced-tools/nova/bin/netwatch 2020.06.29-14:27:25.52@0: --- signal=6 -------------------------------------------- 2020.06.29-14:27:25.52@0: 2020.06.29-14:27:25.52@0: eip=0x776b855b eflags=0x00000246 2020.06.29-14:27:25.52@0: edi=0xffffffff esi=0x776c0200 ebp=0x7feea6a0 esp=0x7feea698 2020.06.29-14:27:25.52@0: eax=0x00000000 ebx=0x000000b8 ecx=0x000000b8 edx=0x00000006 2020.06.29-14:27:25.52@0: 2020.06.29-14:27:25.52@0: maps: 2020.06.29-14:27:25.52@0: 08048000-0804d000 r-xp 00000000 00:10 14 /ram/pckg/advanced-tools/nova/bin/netwatch 2020.06.29-14:27:25.52@0: 7768a000-776bf000 r-xp 00000000 00:0c 966 /lib/libuClibc-0.9.33.2.so 2020.06.29-14:27:25.52@0: 776c3000-776dd000 r-xp 00000000 00:0c 962 /lib/libgcc_s.so.1 2020.06.29-14:27:25.52@0: 776de000-776ed000 r-xp 00000000 00:0c 945 /lib/libuc++.so 2020.06.29-14:27:25.52@0: 776ee000-7773a000 r-xp 00000000 00:0c 947 /lib/libumsg.so 2020.06.29-14:27:25.52@0: 77740000-77747000 r-xp 00000000 00:0c 960 /lib/ld-uClibc-0.9.33.2.so 2020.06.29-14:27:25.52@0: 2020.06.29-14:27:25.52@0: stack: 0x7feeb000 - 0x7feea698 2020.06.29-14:27:25.52@0: 00 00 6c 77 00 00 6c 77 d8 a6 ee 7f 77 40 6b 77 06 00 00 00 00 02 6c 77 20 00 00 00 00 00 00 00 2020.06.29-14:27:25.52@0: bc b0 ee 7f 38 a7 ee 7f d4 a6 ee 7f f4 aa 73 77 b8 a6 ee 7f f4 aa 73 77 bc b0 ee 7f ff ff ff ff 2020.06.29-14:27:25.52@0: 2020.06.29-14:27:25.52@0: code: 0x776b855b 2020.06.29-14:27:25.52@0: 5b 3d 00 f0 ff ff 76 0e 8b 93 cc ff ff ff f7 d8 This vulnerability was initially found in stable 6.46.2, and it seems that the latest stable version 6.48.3 still suffers from this vulnerability. 2. NULL pointer dereference The tr069-client process suffers from a memory corruption vulnerability. By sending a crafted packet, an authenticated remote user can crash the tr069-client process due to NULL pointer dereference. Against stable 6.47, the poc resulted in the following crash dump. # cat /rw/logs/backtrace.log 2020.06.10-17:04:17.63@0: 2020.06.10-17:04:17.63@0: 2020.06.10-17:04:17.63@0: /ram/pckg/tr069-client/nova/bin/tr069-client 2020.06.10-17:04:17.63@0: --- signal=11 -------------------------------------------- 2020.06.10-17:04:17.63@0: 2020.06.10-17:04:17.63@0: eip=0x0805a185 eflags=0x00010206 2020.06.10-17:04:17.63@0: edi=0x7ff74a04 esi=0x7ff74a04 ebp=0x7ff74988 esp=0x7ff7497c 2020.06.10-17:04:17.63@0: eax=0x00000000 ebx=0x080a9290 ecx=0x776924ec edx=0x7769187c 2020.06.10-17:04:17.63@0: 2020.06.10-17:04:17.63@0: maps: 2020.06.10-17:04:17.63@0: 08048000-08096000 r-xp 00000000 00:10 13 /ram/pckg/tr069-client/nova/bin/tr069-client 2020.06.10-17:04:17.63@0: 7762f000-77664000 r-xp 00000000 00:0c 966 /lib/libuClibc-0.9.33.2.so 2020.06.10-17:04:17.63@0: 77668000-77682000 r-xp 00000000 00:0c 962 /lib/libgcc_s.so.1 2020.06.10-17:04:17.63@0: 77683000-77692000 r-xp 00000000 00:0c 945 /lib/libuc++.so 2020.06.10-17:04:17.63@0: 77693000-7769d000 r-xp 00000000 00:0c 963 /lib/libm-0.9.33.2.so 2020.06.10-17:04:17.63@0: 7769f000-776bc000 r-xp 00000000 00:0c 948 /lib/libucrypto.so 2020.06.10-17:04:17.63@0: 776bd000-776c0000 r-xp 00000000 00:0c 954 /lib/libxml.so 2020.06.10-17:04:17.63@0: 776c1000-7770d000 r-xp 00000000 00:0c 947 /lib/libumsg.so 2020.06.10-17:04:17.63@0: 77710000-7771b000 r-xp 00000000 00:0c 955 /lib/libuhttp.so 2020.06.10-17:04:17.63@0: 7771c000-77724000 r-xp 00000000 00:0c 951 /lib/libubox.so 2020.06.10-17:04:17.63@0: 77728000-7772f000 r-xp 00000000 00:0c 960 /lib/ld-uClibc-0.9.33.2.so 2020.06.10-17:04:17.63@0: 2020.06.10-17:04:17.63@0: stack: 0x7ff75000 - 0x7ff7497c 2020.06.10-17:04:17.63@0: 10 a0 08 08 40 4b 72 77 90 92 0a 08 b8 49 f7 7f 7c fa 71 77 90 92 0a 08 04 4a f7 7f 05 00 00 00 2020.06.10-17:04:17.63@0: 28 4a f7 7f b4 49 f7 7f 40 4b 72 77 88 5b 09 08 40 4b 72 77 80 4d f7 7f 04 4a f7 7f 28 4a f7 7f 2020.06.10-17:04:17.63@0: 2020.06.10-17:04:17.63@0: code: 0x805a185 2020.06.10-17:04:17.63@0: ff 30 6a 01 56 e8 81 49 ff ff 83 c4 0c ff 73 24 This vulnerability was initially found in stable 6.47, and was fixed in stable 6.48.2. 3. NULL pointer dereference The ptp process suffers from a memory corruption vulnerability. By sending a crafted packet, an authenticated remote user can crash the ptp process due to NULL pointer dereference. Against stable 6.48.1, the poc resulted in the following crash dump. # cat /rw/logs/backtrace.log 2021.02.08-12:13:09.33@0: 2021.02.08-12:13:09.33@0: /nova/bin/ptp 2021.02.08-12:13:09.33@0: --- signal=11 -------------------------------------------- 2021.02.08-12:13:09.33@0: 2021.02.08-12:13:09.33@0: eip=0x08050abb eflags=0x00010202 2021.02.08-12:13:09.33@0: edi=0x7fd5ee94 esi=0x0805be48 ebp=0x7fd5ee18 esp=0x7fd5ee18 2021.02.08-12:13:09.33@0: eax=0x00000000 ebx=0x776f5b40 ecx=0x0805c6a8 edx=0x00000001 2021.02.08-12:13:09.33@0: 2021.02.08-12:13:09.33@0: maps: 2021.02.08-12:13:09.33@0: 08048000-08058000 r-xp 00000000 00:0c 1067 /nova/bin/ptp 2021.02.08-12:13:09.33@0: 7767d000-776b2000 r-xp 00000000 00:0c 966 /lib/libuClibc-0.9.33.2.so 2021.02.08-12:13:09.33@0: 776b6000-776d0000 r-xp 00000000 00:0c 962 /lib/libgcc_s.so.1 2021.02.08-12:13:09.33@0: 776d1000-776e0000 r-xp 00000000 00:0c 945 /lib/libuc++.so 2021.02.08-12:13:09.33@0: 776e1000-776eb000 r-xp 00000000 00:0c 963 /lib/libm-0.9.33.2.so 2021.02.08-12:13:09.33@0: 776ed000-776f5000 r-xp 00000000 00:0c 951 /lib/libubox.so 2021.02.08-12:13:09.33@0: 776f6000-77742000 r-xp 00000000 00:0c 947 /lib/libumsg.so 2021.02.08-12:13:09.33@0: 77748000-7774f000 r-xp 00000000 00:0c 960 /lib/ld-uClibc-0.9.33.2.so 2021.02.08-12:13:09.33@0: 2021.02.08-12:13:09.33@0: stack: 0x7fd5f000 - 0x7fd5ee18 2021.02.08-12:13:09.33@0: 48 ee d5 7f 7c 0a 6f 77 48 be 05 08 94 ee d5 7f 05 00 00 00 86 3c 71 77 f8 ef d5 7f 0c 00 fe 08 2021.02.08-12:13:09.33@0: 58 ee d5 7f 40 5b 6f 77 a0 f1 d5 7f 94 ee d5 7f b8 ee d5 7f 16 41 6f 77 94 ee d5 7f a0 f1 d5 7f 2021.02.08-12:13:09.33@0: 2021.02.08-12:13:09.33@0: code: 0x8050abb 2021.02.08-12:13:09.33@0: 8b 10 89 45 08 8b 42 18 5d ff e0 55 89 e5 31 c0 This vulnerability was initially found in stable 6.48.1, and was fixed in stable 6.48.2. Solution ======== Upgrade to the corresponding latest RouterOS tree version. References ========== [1] https://mikrotik.com/download/changelogs/stable-release-tree