Wednesday, May 12, 2021

MikroTik RouterOS Memory Corruption

advisory vulnerabilities vulnerability In: , , 
Advisory: four vulnerabilities found in MikroTik's RouterOS


Details
=======

Product: MikroTik's RouterOS
Vendor URL: https://mikrotik.com/
Vendor Status: only CVE-2020-20227 is fixed
CVE: CVE-2020-20220, CVE-2020-20227, CVE-2020-20245, CVE-2020-20246
Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team


Product Description
==================

RouterOS is the operating system used on the MikroTik's devices, such as
switch, router and access point.


Description of vulnerabilities
==========================
These vulnerabilities were reported to the vendor almost one year ago. And
the vendor confirmed these vulnerabilities.

1. CVE-2020-20220
The bfd process suffers from a memory corruption vulnerability. By sending
a crafted packet, an authenticated remote user can crash the bfd process
due to invalid memory access.

Against stable 6.46.5, the poc resulted in the following crash dump.

    # cat /rw/logs/backtrace.log
    2020.06.19-18:36:13.88@0:
    2020.06.19-18:36:13.88@0:
    2020.06.19-18:36:13.88@0: /ram/pckg/routing/nova/bin/bfd
    2020.06.19-18:36:13.88@0: --- signal=11
--------------------------------------------
    2020.06.19-18:36:13.88@0:
    2020.06.19-18:36:13.88@0: eip=0x0804b175 eflags=0x00010202
    2020.06.19-18:36:13.88@0: edi=0x08054a90 esi=0x08054298 ebp=0x7f9d3e88
esp=0x7f9d3e70
    2020.06.19-18:36:13.88@0: eax=0x08050634 ebx=0x77777af0 ecx=0x08051274
edx=0x00000001
    2020.06.19-18:36:13.88@0:
    2020.06.19-18:36:13.88@0: maps:
    2020.06.19-18:36:13.88@0: 08048000-08050000 r-xp 00000000 00:1b 16
    /ram/pckg/routing/nova/bin/bfd
    2020.06.19-18:36:13.88@0: 7759a000-7759c000 r-xp 00000000 00:0c 959
   /lib/libdl-0.9.33.2.so
    2020.06.19-18:36:13.88@0: 7759e000-775d3000 r-xp 00000000 00:0c 964
   /lib/libuClibc-0.9.33.2.so
    2020.06.19-18:36:13.88@0: 775d7000-775f1000 r-xp 00000000 00:0c 960
   /lib/libgcc_s.so.1
    2020.06.19-18:36:13.88@0: 775f2000-77601000 r-xp 00000000 00:0c 944
   /lib/libuc++.so
    2020.06.19-18:36:13.88@0: 77602000-7775f000 r-xp 00000000 00:0c 954
   /lib/libcrypto.so.1.0.0
    2020.06.19-18:36:13.88@0: 7776f000-77777000 r-xp 00000000 00:0c 950
   /lib/libubox.so
    2020.06.19-18:36:13.88@0: 77778000-777c4000 r-xp 00000000 00:0c 946
   /lib/libumsg.so
    2020.06.19-18:36:13.88@0: 777ca000-777d1000 r-xp 00000000 00:0c 958
   /lib/ld-uClibc-0.9.33.2.so
    2020.06.19-18:36:13.88@0:
    2020.06.19-18:36:13.88@0: stack: 0x7f9d4000 - 0x7f9d3e70
    2020.06.19-18:36:13.88@0: 34 06 05 08 d0 e6 04 08 d8 3e 9d 7f 90 4a 05
08 98 42 05 08 d8 3e 9d 7f f8 3e 9d 7f 6d 39 77 77
    2020.06.19-18:36:13.88@0: 90 4a 05 08 28 40 9d 7f 05 00 00 00 00 43 05
08 00 00 00 00 28 90 7c 77 01 00 00 00 0c 00 00 00
    2020.06.19-18:36:13.88@0:
    2020.06.19-18:36:13.88@0: code: 0x804b175
    2020.06.19-18:36:13.88@0: ff 05 00 00 00 00 83 c4 10 c9 c3 55 89 e5 53
83

This vulnerability was initially found in long-term 6.44.6, and it seems
that the latest stable version 6.48.2 still suffer from this vulnerability.

2. CVE-2020-20227
The diskd process suffers from a memory corruption vulnerability. By
sending a crafted packet, an authenticated remote user can crash the diskd
process due to invalid memory access.

Against stable 6.47, the poc resulted in the following crash dump.

    # cat /rw/logs/backtrace.log
    2020.06.05-15:00:38.33@0:
    2020.06.05-15:00:38.33@0:
    2020.06.05-15:00:38.33@0: /nova/bin/diskd
    2020.06.05-15:00:38.33@0: --- signal=11
--------------------------------------------
    2020.06.05-15:00:38.33@0:
    2020.06.05-15:00:38.33@0: eip=0x7775a1e3 eflags=0x00010202
    2020.06.05-15:00:38.33@0: edi=0x7f9dd024 esi=0x0000000a ebp=0x7f9dceb8
esp=0x7f9dceac
    2020.06.05-15:00:38.33@0: eax=0x0000000a ebx=0x777624ec ecx=0x08054600
edx=0x08056e18
    2020.06.05-15:00:38.33@0:
    2020.06.05-15:00:38.33@0: maps:
    2020.06.05-15:00:38.33@0: 08048000-08052000 r-xp 00000000 00:0c 1049
    /nova/bin/diskd
    2020.06.05-15:00:38.33@0: 776ff000-77734000 r-xp 00000000 00:0c 966
   /lib/libuClibc-0.9.33.2.so
    2020.06.05-15:00:38.33@0: 77738000-77752000 r-xp 00000000 00:0c 962
   /lib/libgcc_s.so.1
    2020.06.05-15:00:38.33@0: 77753000-77762000 r-xp 00000000 00:0c 945
   /lib/libuc++.so
    2020.06.05-15:00:38.33@0: 77763000-7776b000 r-xp 00000000 00:0c 951
   /lib/libubox.so
    2020.06.05-15:00:38.33@0: 7776c000-777b8000 r-xp 00000000 00:0c 947
   /lib/libumsg.so
    2020.06.05-15:00:38.33@0: 777be000-777c5000 r-xp 00000000 00:0c 960
   /lib/ld-uClibc-0.9.33.2.so
    2020.06.05-15:00:38.33@0:
    2020.06.05-15:00:38.33@0: stack: 0x7f9de000 - 0x7f9dceac
    2020.06.05-15:00:38.33@0: f4 8a 7b 77 0a 00 00 00 f4 8a 7b 77 e8 ce 9d
7f 92 be 78 77 f8 45 05 08 0a 00 00 00 18 6e 05 08
    2020.06.05-15:00:38.33@0: 18 6e 05 08 e4 ce 9d 7f 24 d0 9d 7f 7c 18 76
77 24 d0 9d 7f 18 69 05 08 40 cf 9d 7f a8 cf 9d 7f
    2020.06.05-15:00:38.34@0:
    2020.06.05-15:00:38.34@0: code: 0x7775a1e3
    2020.06.05-15:00:38.34@0: 8b 00 8b 10 01 c2 83 c2 04 52 83 c0 04 50 ff
75

This vulnerability was initially found in stable 6.47, and it was fixed at
least in stable 6.48.1.

3. CVE-2020-20245
The log process suffers from a memory corruption vulnerability. By sending
a crafted packet, an authenticated remote user can crash the log process
due to invalid memory access.

Against stable 6.47, the poc resulted in the following crash dump.

    # cat /rw/logs/backtrace.log
    2020.06.22-20:13:36.29@0:
    2020.06.22-20:13:36.29@0:
    2020.06.22-20:13:36.62@0: /nova/bin/log
    2020.06.22-20:13:36.62@0: --- signal=11
--------------------------------------------
    2020.06.22-20:13:36.62@0:
    2020.06.22-20:13:36.62@0: eip=0x77709d2e eflags=0x00010202
    2020.06.22-20:13:36.62@0: edi=0x0000004b esi=0x77718f00 ebp=0x7fec6858
esp=0x7fec6818
    2020.06.22-20:13:36.62@0: eax=0x00000031 ebx=0x77717000 ecx=0x777171e8
edx=0x00000006
    2020.06.22-20:13:36.62@0:
    2020.06.22-20:13:36.62@0: maps:
    2020.06.22-20:13:36.62@0: 08048000-08058000 r-xp 00000000 00:0c 1005
    /nova/bin/log
    2020.06.22-20:13:36.62@0: 776e1000-77716000 r-xp 00000000 00:0c 966
   /lib/libuClibc-0.9.33.2.so
    2020.06.22-20:13:36.62@0: 7771a000-77734000 r-xp 00000000 00:0c 962
   /lib/libgcc_s.so.1
    2020.06.22-20:13:36.62@0: 77735000-77744000 r-xp 00000000 00:0c 945
   /lib/libuc++.so
    2020.06.22-20:13:36.62@0: 77745000-77791000 r-xp 00000000 00:0c 947
   /lib/libumsg.so
    2020.06.22-20:13:36.62@0: 77797000-7779e000 r-xp 00000000 00:0c 960
   /lib/ld-uClibc-0.9.33.2.so
    2020.06.22-20:13:36.62@0:
    2020.06.22-20:13:36.62@0: stack: 0x7fec7000 - 0x7fec6818
    2020.06.22-20:13:36.62@0: 48 68 ec 7f 7b ce 73 77 00 00 00 00 10 00 00
00 00 00 00 00 00 00 00 00 68 68 ec 7f 21 ac 70 77
    2020.06.22-20:13:36.62@0: 40 00 00 00 1b fb 70 77 e8 71 71 77 c0 28 06
08 88 68 ec 7f ec 44 74 77 e4 29 06 08 40 69 ec 7f
    2020.06.22-20:13:36.62@0:
    2020.06.22-20:13:36.62@0: code: 0x77709d2e
    2020.06.22-20:13:36.62@0: 8b 48 08 89 4c 96 04 e9 93 05 00 00 81 7d e0
ff

This vulnerability was initially found in stable 6.46.3, and it seems that
the latest stable version 6.48.2 still suffers from this vulnerability.

4. CVE-2020-20246
The mactel process suffers from a memory corruption vulnerability. By
sending a crafted packet, an authenticated remote user can crash the mactel
process due to NULL pointer dereference.

Against stable 6.47, the poc resulted in the following crash dump.

    # cat /rw/logs/backtrace.log
    2020.06.22-20:25:36.17@0:
    2020.06.22-20:25:36.17@0:
    2020.06.22-20:25:36.17@0: /nova/bin/mactel
    2020.06.22-20:25:36.17@0: --- signal=11
--------------------------------------------
    2020.06.22-20:25:36.17@0:
    2020.06.22-20:25:36.17@0: eip=0x0804ddc7 eflags=0x00010202
    2020.06.22-20:25:36.17@0: edi=0x08055740 esi=0x7fe78144 ebp=0x7fe780c8
esp=0x7fe78090
    2020.06.22-20:25:36.17@0: eax=0x00000000 ebx=0x776b9b40 ecx=0x0000000b
edx=0xffffffff
    2020.06.22-20:25:36.17@0:
    2020.06.22-20:25:36.17@0: maps:
    2020.06.22-20:25:36.17@0: 08048000-08051000 r-xp 00000000 00:0c 1041
    /nova/bin/mactel
    2020.06.22-20:25:36.17@0: 7762c000-77661000 r-xp 00000000 00:0c 966
   /lib/libuClibc-0.9.33.2.so
    2020.06.22-20:25:36.17@0: 77665000-7767f000 r-xp 00000000 00:0c 962
   /lib/libgcc_s.so.1
    2020.06.22-20:25:36.17@0: 77680000-7768f000 r-xp 00000000 00:0c 945
   /lib/libuc++.so
    2020.06.22-20:25:36.17@0: 77690000-776ad000 r-xp 00000000 00:0c 948
   /lib/libucrypto.so
    2020.06.22-20:25:36.17@0: 776ae000-776af000 r-xp 00000000 00:0c 967
   /lib/libutil-0.9.33.2.so
    2020.06.22-20:25:36.17@0: 776b1000-776b9000 r-xp 00000000 00:0c 951
   /lib/libubox.so
    2020.06.22-20:25:36.17@0: 776ba000-77706000 r-xp 00000000 00:0c 947
   /lib/libumsg.so
    2020.06.22-20:25:36.17@0: 7770c000-77713000 r-xp 00000000 00:0c 960
   /lib/ld-uClibc-0.9.33.2.so
    2020.06.22-20:25:36.17@0:
    2020.06.22-20:25:36.17@0: stack: 0x7fe79000 - 0x7fe78090
    2020.06.22-20:25:36.17@0: 44 81 e7 7f 01 00 00 00 ff ff ff ff 1f d0 04
08 58 57 05 08 28 b0 70 77 01 00 00 00 00 00 00 00
    2020.06.22-20:25:36.17@0: 1c 85 e7 7f 04 1d 05 08 02 db 70 77 40 9b 6b
77 40 57 05 08 44 81 e7 7f f8 80 e7 7f 7c 4a 6b 77
    2020.06.22-20:25:36.17@0:
    2020.06.22-20:25:36.17@0: code: 0x804ddc7
    2020.06.22-20:25:36.17@0: 8b 50 2f 89 55 da 66 8b 40 33 66 89 45 de 83
c4

This vulnerability was initially found in stable 6.46.3, and it seems that
the latest stable version 6.48.2 still suffers from this vulnerability.


Solution
========

As to CVE-2020-20227, upgrade to the corresponding latest RouterOS tree
version. For others, no upgrade firmware available yet


References
==========

[1] https://mikrotik.com/download/changelogs/stable-release-tree


 

Copyright © 2021 Vulnerability Database | Cyber Details™

thank you Templateism for the design - You should have written the code a little more complicated - Nothing Encrypted anymore