what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

MikroTik RouterOS Memory Corruption

MikroTik RouterOS Memory Corruption
Posted May 11, 2021
Authored by Qian Chen

MikroTik's RouterOS suffers from multiple memory corruption vulnerabilities. Various versions are affected.

tags | advisory, vulnerability
advisories | CVE-2020-20220, CVE-2020-20227, CVE-2020-20245, CVE-2020-20246
SHA-256 | db5d7fa65930b9710b80f0c424d888eade1e18945b75c10be7be6d7c0cc4bcf5

MikroTik RouterOS Memory Corruption

Change Mirror Download
Advisory: four vulnerabilities found in MikroTik's RouterOS


Details
=======

Product: MikroTik's RouterOS
Vendor URL: https://mikrotik.com/
Vendor Status: only CVE-2020-20227 is fixed
CVE: CVE-2020-20220, CVE-2020-20227, CVE-2020-20245, CVE-2020-20246
Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team


Product Description
==================

RouterOS is the operating system used on the MikroTik's devices, such as
switch, router and access point.


Description of vulnerabilities
==========================
These vulnerabilities were reported to the vendor almost one year ago. And
the vendor confirmed these vulnerabilities.

1. CVE-2020-20220
The bfd process suffers from a memory corruption vulnerability. By sending
a crafted packet, an authenticated remote user can crash the bfd process
due to invalid memory access.

Against stable 6.46.5, the poc resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.19-18:36:13.88@0:
2020.06.19-18:36:13.88@0:
2020.06.19-18:36:13.88@0: /ram/pckg/routing/nova/bin/bfd
2020.06.19-18:36:13.88@0: --- signal=11
--------------------------------------------
2020.06.19-18:36:13.88@0:
2020.06.19-18:36:13.88@0: eip=0x0804b175 eflags=0x00010202
2020.06.19-18:36:13.88@0: edi=0x08054a90 esi=0x08054298 ebp=0x7f9d3e88
esp=0x7f9d3e70
2020.06.19-18:36:13.88@0: eax=0x08050634 ebx=0x77777af0 ecx=0x08051274
edx=0x00000001
2020.06.19-18:36:13.88@0:
2020.06.19-18:36:13.88@0: maps:
2020.06.19-18:36:13.88@0: 08048000-08050000 r-xp 00000000 00:1b 16
/ram/pckg/routing/nova/bin/bfd
2020.06.19-18:36:13.88@0: 7759a000-7759c000 r-xp 00000000 00:0c 959
/lib/libdl-0.9.33.2.so
2020.06.19-18:36:13.88@0: 7759e000-775d3000 r-xp 00000000 00:0c 964
/lib/libuClibc-0.9.33.2.so
2020.06.19-18:36:13.88@0: 775d7000-775f1000 r-xp 00000000 00:0c 960
/lib/libgcc_s.so.1
2020.06.19-18:36:13.88@0: 775f2000-77601000 r-xp 00000000 00:0c 944
/lib/libuc++.so
2020.06.19-18:36:13.88@0: 77602000-7775f000 r-xp 00000000 00:0c 954
/lib/libcrypto.so.1.0.0
2020.06.19-18:36:13.88@0: 7776f000-77777000 r-xp 00000000 00:0c 950
/lib/libubox.so
2020.06.19-18:36:13.88@0: 77778000-777c4000 r-xp 00000000 00:0c 946
/lib/libumsg.so
2020.06.19-18:36:13.88@0: 777ca000-777d1000 r-xp 00000000 00:0c 958
/lib/ld-uClibc-0.9.33.2.so
2020.06.19-18:36:13.88@0:
2020.06.19-18:36:13.88@0: stack: 0x7f9d4000 - 0x7f9d3e70
2020.06.19-18:36:13.88@0: 34 06 05 08 d0 e6 04 08 d8 3e 9d 7f 90 4a 05
08 98 42 05 08 d8 3e 9d 7f f8 3e 9d 7f 6d 39 77 77
2020.06.19-18:36:13.88@0: 90 4a 05 08 28 40 9d 7f 05 00 00 00 00 43 05
08 00 00 00 00 28 90 7c 77 01 00 00 00 0c 00 00 00
2020.06.19-18:36:13.88@0:
2020.06.19-18:36:13.88@0: code: 0x804b175
2020.06.19-18:36:13.88@0: ff 05 00 00 00 00 83 c4 10 c9 c3 55 89 e5 53
83

This vulnerability was initially found in long-term 6.44.6, and it seems
that the latest stable version 6.48.2 still suffer from this vulnerability.

2. CVE-2020-20227
The diskd process suffers from a memory corruption vulnerability. By
sending a crafted packet, an authenticated remote user can crash the diskd
process due to invalid memory access.

Against stable 6.47, the poc resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.05-15:00:38.33@0:
2020.06.05-15:00:38.33@0:
2020.06.05-15:00:38.33@0: /nova/bin/diskd
2020.06.05-15:00:38.33@0: --- signal=11
--------------------------------------------
2020.06.05-15:00:38.33@0:
2020.06.05-15:00:38.33@0: eip=0x7775a1e3 eflags=0x00010202
2020.06.05-15:00:38.33@0: edi=0x7f9dd024 esi=0x0000000a ebp=0x7f9dceb8
esp=0x7f9dceac
2020.06.05-15:00:38.33@0: eax=0x0000000a ebx=0x777624ec ecx=0x08054600
edx=0x08056e18
2020.06.05-15:00:38.33@0:
2020.06.05-15:00:38.33@0: maps:
2020.06.05-15:00:38.33@0: 08048000-08052000 r-xp 00000000 00:0c 1049
/nova/bin/diskd
2020.06.05-15:00:38.33@0: 776ff000-77734000 r-xp 00000000 00:0c 966
/lib/libuClibc-0.9.33.2.so
2020.06.05-15:00:38.33@0: 77738000-77752000 r-xp 00000000 00:0c 962
/lib/libgcc_s.so.1
2020.06.05-15:00:38.33@0: 77753000-77762000 r-xp 00000000 00:0c 945
/lib/libuc++.so
2020.06.05-15:00:38.33@0: 77763000-7776b000 r-xp 00000000 00:0c 951
/lib/libubox.so
2020.06.05-15:00:38.33@0: 7776c000-777b8000 r-xp 00000000 00:0c 947
/lib/libumsg.so
2020.06.05-15:00:38.33@0: 777be000-777c5000 r-xp 00000000 00:0c 960
/lib/ld-uClibc-0.9.33.2.so
2020.06.05-15:00:38.33@0:
2020.06.05-15:00:38.33@0: stack: 0x7f9de000 - 0x7f9dceac
2020.06.05-15:00:38.33@0: f4 8a 7b 77 0a 00 00 00 f4 8a 7b 77 e8 ce 9d
7f 92 be 78 77 f8 45 05 08 0a 00 00 00 18 6e 05 08
2020.06.05-15:00:38.33@0: 18 6e 05 08 e4 ce 9d 7f 24 d0 9d 7f 7c 18 76
77 24 d0 9d 7f 18 69 05 08 40 cf 9d 7f a8 cf 9d 7f
2020.06.05-15:00:38.34@0:
2020.06.05-15:00:38.34@0: code: 0x7775a1e3
2020.06.05-15:00:38.34@0: 8b 00 8b 10 01 c2 83 c2 04 52 83 c0 04 50 ff
75

This vulnerability was initially found in stable 6.47, and it was fixed at
least in stable 6.48.1.

3. CVE-2020-20245
The log process suffers from a memory corruption vulnerability. By sending
a crafted packet, an authenticated remote user can crash the log process
due to invalid memory access.

Against stable 6.47, the poc resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.22-20:13:36.29@0:
2020.06.22-20:13:36.29@0:
2020.06.22-20:13:36.62@0: /nova/bin/log
2020.06.22-20:13:36.62@0: --- signal=11
--------------------------------------------
2020.06.22-20:13:36.62@0:
2020.06.22-20:13:36.62@0: eip=0x77709d2e eflags=0x00010202
2020.06.22-20:13:36.62@0: edi=0x0000004b esi=0x77718f00 ebp=0x7fec6858
esp=0x7fec6818
2020.06.22-20:13:36.62@0: eax=0x00000031 ebx=0x77717000 ecx=0x777171e8
edx=0x00000006
2020.06.22-20:13:36.62@0:
2020.06.22-20:13:36.62@0: maps:
2020.06.22-20:13:36.62@0: 08048000-08058000 r-xp 00000000 00:0c 1005
/nova/bin/log
2020.06.22-20:13:36.62@0: 776e1000-77716000 r-xp 00000000 00:0c 966
/lib/libuClibc-0.9.33.2.so
2020.06.22-20:13:36.62@0: 7771a000-77734000 r-xp 00000000 00:0c 962
/lib/libgcc_s.so.1
2020.06.22-20:13:36.62@0: 77735000-77744000 r-xp 00000000 00:0c 945
/lib/libuc++.so
2020.06.22-20:13:36.62@0: 77745000-77791000 r-xp 00000000 00:0c 947
/lib/libumsg.so
2020.06.22-20:13:36.62@0: 77797000-7779e000 r-xp 00000000 00:0c 960
/lib/ld-uClibc-0.9.33.2.so
2020.06.22-20:13:36.62@0:
2020.06.22-20:13:36.62@0: stack: 0x7fec7000 - 0x7fec6818
2020.06.22-20:13:36.62@0: 48 68 ec 7f 7b ce 73 77 00 00 00 00 10 00 00
00 00 00 00 00 00 00 00 00 68 68 ec 7f 21 ac 70 77
2020.06.22-20:13:36.62@0: 40 00 00 00 1b fb 70 77 e8 71 71 77 c0 28 06
08 88 68 ec 7f ec 44 74 77 e4 29 06 08 40 69 ec 7f
2020.06.22-20:13:36.62@0:
2020.06.22-20:13:36.62@0: code: 0x77709d2e
2020.06.22-20:13:36.62@0: 8b 48 08 89 4c 96 04 e9 93 05 00 00 81 7d e0
ff

This vulnerability was initially found in stable 6.46.3, and it seems that
the latest stable version 6.48.2 still suffers from this vulnerability.

4. CVE-2020-20246
The mactel process suffers from a memory corruption vulnerability. By
sending a crafted packet, an authenticated remote user can crash the mactel
process due to NULL pointer dereference.

Against stable 6.47, the poc resulted in the following crash dump.

# cat /rw/logs/backtrace.log
2020.06.22-20:25:36.17@0:
2020.06.22-20:25:36.17@0:
2020.06.22-20:25:36.17@0: /nova/bin/mactel
2020.06.22-20:25:36.17@0: --- signal=11
--------------------------------------------
2020.06.22-20:25:36.17@0:
2020.06.22-20:25:36.17@0: eip=0x0804ddc7 eflags=0x00010202
2020.06.22-20:25:36.17@0: edi=0x08055740 esi=0x7fe78144 ebp=0x7fe780c8
esp=0x7fe78090
2020.06.22-20:25:36.17@0: eax=0x00000000 ebx=0x776b9b40 ecx=0x0000000b
edx=0xffffffff
2020.06.22-20:25:36.17@0:
2020.06.22-20:25:36.17@0: maps:
2020.06.22-20:25:36.17@0: 08048000-08051000 r-xp 00000000 00:0c 1041
/nova/bin/mactel
2020.06.22-20:25:36.17@0: 7762c000-77661000 r-xp 00000000 00:0c 966
/lib/libuClibc-0.9.33.2.so
2020.06.22-20:25:36.17@0: 77665000-7767f000 r-xp 00000000 00:0c 962
/lib/libgcc_s.so.1
2020.06.22-20:25:36.17@0: 77680000-7768f000 r-xp 00000000 00:0c 945
/lib/libuc++.so
2020.06.22-20:25:36.17@0: 77690000-776ad000 r-xp 00000000 00:0c 948
/lib/libucrypto.so
2020.06.22-20:25:36.17@0: 776ae000-776af000 r-xp 00000000 00:0c 967
/lib/libutil-0.9.33.2.so
2020.06.22-20:25:36.17@0: 776b1000-776b9000 r-xp 00000000 00:0c 951
/lib/libubox.so
2020.06.22-20:25:36.17@0: 776ba000-77706000 r-xp 00000000 00:0c 947
/lib/libumsg.so
2020.06.22-20:25:36.17@0: 7770c000-77713000 r-xp 00000000 00:0c 960
/lib/ld-uClibc-0.9.33.2.so
2020.06.22-20:25:36.17@0:
2020.06.22-20:25:36.17@0: stack: 0x7fe79000 - 0x7fe78090
2020.06.22-20:25:36.17@0: 44 81 e7 7f 01 00 00 00 ff ff ff ff 1f d0 04
08 58 57 05 08 28 b0 70 77 01 00 00 00 00 00 00 00
2020.06.22-20:25:36.17@0: 1c 85 e7 7f 04 1d 05 08 02 db 70 77 40 9b 6b
77 40 57 05 08 44 81 e7 7f f8 80 e7 7f 7c 4a 6b 77
2020.06.22-20:25:36.17@0:
2020.06.22-20:25:36.17@0: code: 0x804ddc7
2020.06.22-20:25:36.17@0: 8b 50 2f 89 55 da 66 8b 40 33 66 89 45 de 83
c4

This vulnerability was initially found in stable 6.46.3, and it seems that
the latest stable version 6.48.2 still suffers from this vulnerability.


Solution
========

As to CVE-2020-20227, upgrade to the corresponding latest RouterOS tree
version. For others, no upgrade firmware available yet


References
==========

[1] https://mikrotik.com/download/changelogs/stable-release-tree


Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close