Vulners
Lucene search
MikroTik RouterOS 6.x Reachable Assertion Failure / Null Pointer Dereference Vulnerabilities
MikroTik RouterOS 6.x Reachable Assertion Failure / Null Pointer Dereference
Details
=======
Product: MikroTik's RouterOS
Vendor URL: https://mikrotik.com/
Vendor Status: fixed version released
CVE: -
Credit: Qian Chen(@cq674350529) from Codesafe Team of Legendsec at Qi'anxin
Group
Product Description
==================
RouterOS is the operating system used on MikroTik's devices, such as
switch, router and access point.
Description of vulnerabilities
==========================
1. reachable assertion failure
The netwatch process suffers from an assertion failure vulnerability. There
is a reachable assertion in the netwatch process. By sending a crafted
packet, an authenticated remote user can crash the netwatch process due to
assertion failure.
Against stable 6.47, the poc resulted in the following crash dump.
# cat /rw/logs/backtrace.log
2020.06.29-14:27:25.52@0:
2020.06.29-14:27:25.52@0:
2020.06.29-14:27:25.52@0: /ram/pckg/advanced-tools/nova/bin/netwatch
2020.06.29-14:27:25.52@0: --- signal=6
--------------------------------------------
2020.06.29-14:27:25.52@0:
2020.06.29-14:27:25.52@0: eip=0x776b855b eflags=0x00000246
2020.06.29-14:27:25.52@0: edi=0xffffffff esi=0x776c0200 ebp=0x7feea6a0
esp=0x7feea698
2020.06.29-14:27:25.52@0: eax=0x00000000 ebx=0x000000b8 ecx=0x000000b8
edx=0x00000006
2020.06.29-14:27:25.52@0:
2020.06.29-14:27:25.52@0: maps:
2020.06.29-14:27:25.52@0: 08048000-0804d000 r-xp 00000000 00:10 14
/ram/pckg/advanced-tools/nova/bin/netwatch
2020.06.29-14:27:25.52@0: 7768a000-776bf000 r-xp 00000000 00:0c 966
/lib/libuClibc-0.9.33.2.so
2020.06.29-14:27:25.52@0: 776c3000-776dd000 r-xp 00000000 00:0c 962
/lib/libgcc_s.so.1
2020.06.29-14:27:25.52@0: 776de000-776ed000 r-xp 00000000 00:0c 945
/lib/libuc++.so
2020.06.29-14:27:25.52@0: 776ee000-7773a000 r-xp 00000000 00:0c 947
/lib/libumsg.so
2020.06.29-14:27:25.52@0: 77740000-77747000 r-xp 00000000 00:0c 960
/lib/ld-uClibc-0.9.33.2.so
2020.06.29-14:27:25.52@0:
2020.06.29-14:27:25.52@0: stack: 0x7feeb000 - 0x7feea698
2020.06.29-14:27:25.52@0: 00 00 6c 77 00 00 6c 77 d8 a6 ee 7f 77 40 6b
77 06 00 00 00 00 02 6c 77 20 00 00 00 00 00 00 00
2020.06.29-14:27:25.52@0: bc b0 ee 7f 38 a7 ee 7f d4 a6 ee 7f f4 aa 73
77 b8 a6 ee 7f f4 aa 73 77 bc b0 ee 7f ff ff ff ff
2020.06.29-14:27:25.52@0:
2020.06.29-14:27:25.52@0: code: 0x776b855b
2020.06.29-14:27:25.52@0: 5b 3d 00 f0 ff ff 76 0e 8b 93 cc ff ff ff f7
d8
This vulnerability was initially found in stable 6.46.2, and it seems that
the latest stable version 6.48.3 still suffers from this vulnerability.
2. NULL pointer dereference
The tr069-client process suffers from a memory corruption vulnerability. By
sending a crafted packet, an authenticated remote user can crash the
tr069-client process due to NULL pointer dereference.
Against stable 6.47, the poc resulted in the following crash dump.
# cat /rw/logs/backtrace.log
2020.06.10-17:04:17.63@0:
2020.06.10-17:04:17.63@0:
2020.06.10-17:04:17.63@0: /ram/pckg/tr069-client/nova/bin/tr069-client
2020.06.10-17:04:17.63@0: --- signal=11
--------------------------------------------
2020.06.10-17:04:17.63@0:
2020.06.10-17:04:17.63@0: eip=0x0805a185 eflags=0x00010206
2020.06.10-17:04:17.63@0: edi=0x7ff74a04 esi=0x7ff74a04 ebp=0x7ff74988
esp=0x7ff7497c
2020.06.10-17:04:17.63@0: eax=0x00000000 ebx=0x080a9290 ecx=0x776924ec
edx=0x7769187c
2020.06.10-17:04:17.63@0:
2020.06.10-17:04:17.63@0: maps:
2020.06.10-17:04:17.63@0: 08048000-08096000 r-xp 00000000 00:10 13
/ram/pckg/tr069-client/nova/bin/tr069-client
2020.06.10-17:04:17.63@0: 7762f000-77664000 r-xp 00000000 00:0c 966
/lib/libuClibc-0.9.33.2.so
2020.06.10-17:04:17.63@0: 77668000-77682000 r-xp 00000000 00:0c 962
/lib/libgcc_s.so.1
2020.06.10-17:04:17.63@0: 77683000-77692000 r-xp 00000000 00:0c 945
/lib/libuc++.so
2020.06.10-17:04:17.63@0: 77693000-7769d000 r-xp 00000000 00:0c 963
/lib/libm-0.9.33.2.so
2020.06.10-17:04:17.63@0: 7769f000-776bc000 r-xp 00000000 00:0c 948
/lib/libucrypto.so
2020.06.10-17:04:17.63@0: 776bd000-776c0000 r-xp 00000000 00:0c 954
/lib/libxml.so
2020.06.10-17:04:17.63@0: 776c1000-7770d000 r-xp 00000000 00:0c 947
/lib/libumsg.so
2020.06.10-17:04:17.63@0: 77710000-7771b000 r-xp 00000000 00:0c 955
/lib/libuhttp.so
2020.06.10-17:04:17.63@0: 7771c000-77724000 r-xp 00000000 00:0c 951
/lib/libubox.so
2020.06.10-17:04:17.63@0: 77728000-7772f000 r-xp 00000000 00:0c 960
/lib/ld-uClibc-0.9.33.2.so
2020.06.10-17:04:17.63@0:
2020.06.10-17:04:17.63@0: stack: 0x7ff75000 - 0x7ff7497c
2020.06.10-17:04:17.63@0: 10 a0 08 08 40 4b 72 77 90 92 0a 08 b8 49 f7
7f 7c fa 71 77 90 92 0a 08 04 4a f7 7f 05 00 00 00
2020.06.10-17:04:17.63@0: 28 4a f7 7f b4 49 f7 7f 40 4b 72 77 88 5b 09
08 40 4b 72 77 80 4d f7 7f 04 4a f7 7f 28 4a f7 7f
2020.06.10-17:04:17.63@0:
2020.06.10-17:04:17.63@0: code: 0x805a185
2020.06.10-17:04:17.63@0: ff 30 6a 01 56 e8 81 49 ff ff 83 c4 0c ff 73
24
This vulnerability was initially found in stable 6.47, and was fixed in
stable 6.48.2.
3. NULL pointer dereference
The ptp process suffers from a memory corruption vulnerability. By sending
a crafted packet, an authenticated remote user can crash the ptp process
due to NULL pointer dereference.
Against stable 6.48.1, the poc resulted in the following crash dump.
# cat /rw/logs/backtrace.log
2021.02.08-12:13:09.33@0:
2021.02.08-12:13:09.33@0: /nova/bin/ptp
2021.02.08-12:13:09.33@0: --- signal=11
--------------------------------------------
2021.02.08-12:13:09.33@0:
2021.02.08-12:13:09.33@0: eip=0x08050abb eflags=0x00010202
2021.02.08-12:13:09.33@0: edi=0x7fd5ee94 esi=0x0805be48 ebp=0x7fd5ee18
esp=0x7fd5ee18
2021.02.08-12:13:09.33@0: eax=0x00000000 ebx=0x776f5b40 ecx=0x0805c6a8
edx=0x00000001
2021.02.08-12:13:09.33@0:
2021.02.08-12:13:09.33@0: maps:
2021.02.08-12:13:09.33@0: 08048000-08058000 r-xp 00000000 00:0c 1067
/nova/bin/ptp
2021.02.08-12:13:09.33@0: 7767d000-776b2000 r-xp 00000000 00:0c 966
/lib/libuClibc-0.9.33.2.so
2021.02.08-12:13:09.33@0: 776b6000-776d0000 r-xp 00000000 00:0c 962
/lib/libgcc_s.so.1
2021.02.08-12:13:09.33@0: 776d1000-776e0000 r-xp 00000000 00:0c 945
/lib/libuc++.so
2021.02.08-12:13:09.33@0: 776e1000-776eb000 r-xp 00000000 00:0c 963
/lib/libm-0.9.33.2.so
2021.02.08-12:13:09.33@0: 776ed000-776f5000 r-xp 00000000 00:0c 951
/lib/libubox.so
2021.02.08-12:13:09.33@0: 776f6000-77742000 r-xp 00000000 00:0c 947
/lib/libumsg.so
2021.02.08-12:13:09.33@0: 77748000-7774f000 r-xp 00000000 00:0c 960
/lib/ld-uClibc-0.9.33.2.so
2021.02.08-12:13:09.33@0:
2021.02.08-12:13:09.33@0: stack: 0x7fd5f000 - 0x7fd5ee18
2021.02.08-12:13:09.33@0: 48 ee d5 7f 7c 0a 6f 77 48 be 05 08 94 ee d5
7f 05 00 00 00 86 3c 71 77 f8 ef d5 7f 0c 00 fe 08
2021.02.08-12:13:09.33@0: 58 ee d5 7f 40 5b 6f 77 a0 f1 d5 7f 94 ee d5
7f b8 ee d5 7f 16 41 6f 77 94 ee d5 7f a0 f1 d5 7f
2021.02.08-12:13:09.33@0:
2021.02.08-12:13:09.33@0: code: 0x8050abb
2021.02.08-12:13:09.33@0: 8b 10 89 45 08 8b 42 18 5d ff e0 55 89 e5 31
c0
This vulnerability was initially found in stable 6.48.1, and was fixed in
stable 6.48.2.
Solution
========
Upgrade to the corresponding latest RouterOS tree version.
References
==========
[1] https://mikrotik.com/download/changelogs/stable-release-tree
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
07 Jul 2021 00:00Current
7.2High risk
Vulners AI Score7.2