MikroTik-RouterOS 相關漏洞 CVE-2019-13954 分析

2021-02-20 信安之路

本文作者:cq674350529(信安之路 2019 年度優秀作者)

CVE-2019-13954是MikroTik RouterOS中存在的一個memory exhaustion漏洞。認證的用戶通過構造並發送一個特殊的POST請求,服務程序在處理POST請求時會陷入"死"循環,造成memory exhaustion,導致對應的服務程序崩潰或者系統重啟。

該漏洞與CVE-2018-1157類似,是由於對漏洞CVE-2018-1157的修復不完善造成。下面通過搭建MikroTik RouterOS仿真環境,結合漏洞CVE-2018-1157的PoC腳本及補丁,對漏洞CVE-2019-13954進行分析。

CVE-2018-1157漏洞分析

MikroTik RouterOS環境的搭建、root shell的獲取及相關資料可參考文章《CVE-2018-1158 MikroTik RouterOS 漏洞分析之發現 CVE-2019-13955 》:

https://cq674350529.github.io/2019/08/15/CVE-2018-1158-MikroTik-RouterOS%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B9%8B%E5%8F%91%E7%8E%B0CVE-2019-13955/

根據Tenable的漏洞公告:

https://www.tenable.com/security/research/tra-2018-21

漏洞CVE-2018-1157在6.40.9、6.42.7及6.43等版本中修復。為了便於對漏洞CVE-2018-1157進行分析,選取的相關鏡像版本如下。

6.40.5,x86架構,用於進行漏洞分析

6.42.11,x86架構,用於進行補丁分析

為了便於分析,臨時關閉了系統的ASLR機制。

與該漏洞相關的程序為www,在設備上利用gdbserver附加到該進程進行遠程調試,然後運行對應的PoC腳本,發現系統直接重啟,在本地gdb中捕獲不到任何異常信息。根據漏洞公告中提到的"/jsproxy/upload",在函數JSProxyServlet::doUpload()內設置斷點,進行單步跟蹤調試,發現會一直執行如下的代碼片段。

int __cdecl JSProxyServlet::doUpload(int a1, int a2, Headers *a3, Headers *a4){        while ( 1 )    {        sub_77464E9F(v27, (char *)s1);           if ( !LOBYTE(s1[0]) )            break;        string::string((string *)&v36, (const char *)s1);        v11 = Headers::parseHeaderLine((Headers *)&v37, (const string *)&v36);        string::freeptr((string *)&v36);        if ( !v11 )        {            string::string((string *)&v36, "");            Response::sendError(a4, 400, (const string *)&v36);            string::freeptr((string *)&v36);        LABEL_56:            tree_base::clear(v13, v12, &v37, map_node_destr<string,HeaderField>);            goto LABEL_57;        }    }    }
其中,函數sub_77464E9F()用於讀取POST請求數據並將其保存在s1指向的內存地址空間,其偽代碼如下。
char *__usercall sub_77464E9F@<eax>(istream *a1@<eax>, char *a2@<edx>){      v2 = a2;    istream::getline(a1, a2, 0x100u, 10);        result = 0;    v4 = strlen(v2) + 1;    if ( v4 != 1 )    {        result = &v2[v4 - 2];        if ( *result == 13 )            *result = 0;    }    return result;}
可以看到,當滿足以下任一條件時會跳出while循環。
查看對應的PoC腳本,其對應的部分 POST 請求數據為Content-Disposition: form-data; name="file"; filename="<filename>"\r\n。
std::string filename;for (int i = 0; i < 0x200; i++){    filename.push_back('A');}
if (jsSession.uploadFile(filename, "lol.")){    std::cout << "success!" << std::endl;}
當filename參數的值過長時,調用istream::getline()讀取的內容一直為Content-Disposition:form-data; name="file"; filename="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..."(長度超過0x100)。由於上面的2個條件都不滿足,造成while循環無法退出,一直執行最終導致"memory exhaustion"。
CVE-2018-1157補丁分析
版本6.42.11中對CVE-2018-1157進行了修復,根據前面的分析,定位到JSProxyServlet::doUpload()中對應的代碼片段,如下。可以看到,在補丁中增加了對讀取的 POST 請求數據長度的判斷:當長度超過0x100(包括最後的'\x00')時,會跳出 while 循環。
由於兩次jsproxy.p的加載基址不一樣,所以部分函數的名稱可能不一致。
int __cdecl JSProxyServlet::doUpload(int a1, int a2, Headers *a3, Headers *a4){        while ( 1 )    {        sub_774C31F7(v14, s1);            if ( !LOBYTE(s1[0]) )            break;        v15 = -1;        v16 = (char *)s1;        do        {            if ( !v15 )            break;            v17 = *v16++ == 0;            --v15;        }        while ( !v17 );            if ( v15 != 0xFFFFFEFF )         {            v37 = 0;            string::string((string *)&v46, (const char *)s1);            v18 = Headers::parseHeaderLine((Headers *)&v47, (const string *)&v46);            string::freeptr((string *)&v46);            if ( v18 )            continue;        }        string::string((string *)&v46, "");        Response::sendError(a4, 400, (const string *)&v46);        string::freeptr((string *)&v46);    LABEL_60:        tree_base::clear(v20, v19, &v47, map_node_destr<string,HeaderField>);        goto LABEL_61;    }    }
CVE-2019-13954發現
通過對漏洞CVE-2018-1157分析可知,調用istream::getline(a1, a2, 0x100u, '\n')讀取數據時,如果請求數據過長(在遇到分隔符'\n'前0x100個字符已被寫入a2中),那麼每次a2中的數據內容都是一樣的。而在對應的補丁中,增加了對讀取數據長度的判斷。
注意到,在調用istream::getline(a1, a2, 0x100u, '\n')讀取數據時,分隔符為'\n'。也就是說,即使filename參數的值中包含'\x00',讀取時也不會造成截斷,但是會影響後面的長度計算。因此,只需要在filename參數後面追加大量的'\x00',即可繞過補丁,再次觸發該漏洞。
在原有PoC的基礎上進行簡單修改,在版本為6.42.11的設備上進行驗證,發現系統直接重啟了。
std::string filename;for (int i = 0; i < 0x50; i++){filename.push_back('A');}
for (int i = 0; i < 0x100; i++)    {filename.push_back('\x00');}
if (jsSession.uploadFile(filename, "lol.")){std::cout << "success!" << std::endl;}
通過代碼靜態分析,該漏洞在"Long-term"版本6.43.16上仍然存在。
6.43.16為發現該問題時 "Long-term" 系列的最新版本。該漏洞(CVE-2019-13954)目前已被修復,建議及時升級到最新版本。
小結
由於對漏洞CVE-2018-1157的修復不完善,通過在filename參數後面追加大量的'\x00',可繞過對應的補丁,再次觸發該漏洞(CVE-2019-13954)。
相關連結
Mikrotik RouterOS Multiple Authenticated Vulnerabilities:
https://www.tenable.com/security/research/tra-2018-21
Two vulnerabilities found in MikroTik's RouterOS:
https://seclists.org/fulldisclosure/2019/Jul/20
Mikrotik RouterOS Changelogs:
https://mikrotik.com/download/changelogs/long-term-release-tree

相關焦點

  • CVE-2018-1158 MikroTik RouterOS漏洞分析之發現CVE-2019-13955
    該漏洞由Tenable的Jacob Baines發現,同時提供了對應的PoC腳本。另外,他的關於RouterOS漏洞挖掘的議題《Bug Hunting in RouterOS》非常不錯,對MikroTik路由器中使用的一些自定義消息格式進行了細緻介紹,同時還提供了很多工具來輔助分析。相關工具、議題以及PoC腳本可在git庫routeros獲取,強烈推薦給對MikroTik設備感興趣的人。
  • DEF CON 27上針對 MikroTik RouterOS 系統漏洞利用的研究
    我寫了一個PoC來說明CVE-2019–3943的用例。https://github.com/tenable/routeros/tree/master/poc/cve_2019_3943_snmp_lib本質上,經過身份驗證的攻擊者可以使用漏洞的目錄遍歷來創建/ pckg /目錄結構。
  • 基於CVE-2018-14847的Mikrotik RouterOS安全事件分析
    一、 背景    近段時間,我們從網際網路上相關數據獲知巴西境內大量Mikrotik路由器被感染挖礦,規模很大,且有全網蔓延趨勢,攻擊者利用了今年早些時候的一個比較嚴重的漏洞
  • MikroTik RouterOS未經認證可繞過防火牆訪問NAT內部網絡(CVE-2019-3924)
    在針對MikroTik進行漏洞研究時,我在RouterOS中發現了一個未公開的漏洞,該漏洞的編號為CVE-2019-3924。該漏洞允許遠程攻擊者在未經身份驗證的情況下通過路由器的Winbox埠代理特製的TCP和UDP請求。該代理請求甚至可以繞過路由器的防火牆,到達LAN主機。
  • CVE-2019-0708 漏洞分析及相關測試
    漏洞背景CVE-2019-0708 | 遠程桌面服務遠程執行代碼漏洞安全漏洞發布時間: 2019-05-14MITRE CVE-2019-0708當未經身份驗證的攻擊者使用 RDP 連接到目標系統並發送經特殊設計的請求時,遠程桌面服務(以前稱為「終端服務」)中存在遠程執行代碼漏洞。此漏洞是預身份驗證,無需用戶交互。
  • CVE-2018-14847:一個能修復自己的RouterOS漏洞
    本文將對CVE-2018-14847目錄穿越漏洞成因進行分析,同時闡述我們的一些發現,如何通過受此漏洞影響的Winbox指令進行任意文件上傳,從而實現一些更有趣的利用方式。我們能夠利用CVE-2018-14847在RouterOS 6.42中觸發後門shell,或在其他漏洞的配合下,通過在LD_LIBRARY_PATH中注入動態連結庫的方法,對存在漏洞的可執行文件進行熱補丁修復。
  • 深入分析MikroTik RouterOS CVE-2018-14847 & Get bash shell
    登錄、認證相關功能,相關的POST數據包都發送到RouterOS的jsproxy處理,這裡的jsproxy就相當於jsp中servlet一樣。漏洞分析3.1 初步利用分析理清楚整個通信過程以及json消息的含義之後,正式開始漏洞分析。
  • 漏洞分析|CVE-2019-0708遠程桌面高危漏洞分析
    微軟發布了最新的安全公告,修復了Windows遠程桌面服務的遠程代碼執行漏洞,該漏洞會影響大部分舊版本的windows系統,漏洞編號:CVE-2019-0708。-2019-0708/ 漏洞分析CVE-2019-0708遠程桌面執行漏洞存在於遠程桌面服務(RDP)
  • 從0到Reverseshell:Mikrotik SMB漏洞實戰(CVE-2018–7445)
    二、mikrotik環境搭建 磁碟文件:https://download2.mikrotik.com/routeros/6.40.5/chr-6.40.5.vmdk(VM安裝) died with signal 11 on Tue Apr 9 20:11:25 2019」需要下載smb用來分析: mikrotik中:cd /tmp&&wget http://192.168.37.132:88/busybox_HTTPD &&chmod 777 *&&
  • Windows本地提權漏洞分析(CVE-2019-1405及CVE-2019-1322)
    在本文中,我們將討論NCC Group在分析COM本地服務時找到的兩個漏洞。
  • 深入分析macOS CVE-2019-8507漏洞
    這兩個版本修復了大量的安全漏洞,其中包括QuartzCore(即CoreAnimation)中的CVE-2019-8507。關於蘋果更新的詳細信息,可以參考這篇【公告】(點擊底部閱讀原文查看)。在這篇文章中,我們將對macOS中的漏洞CVE-2019-8507進行詳細分析。
  • 漏洞分析 | CVE-2019-11043
    漏洞分析期間採用的請求包為:GET /index.php/PHP_VALUE%0Asession.auto_start=1;;;?QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
  • Exchange漏洞系列分析(一) 【CVE-2021-26855、CVE-2021-27065】
    ,微軟發布了一款工具,用於幫助用戶檢測Exchange是否被黑客利用相關漏洞入侵。cve-2021-26855、cve-2021-26857、cve-2021-27065、cve-2021-26858http-vuln-cve2021-26855.nsenmap掃描腳本,檢測指定URL是否存在CVE-2021-26855漏洞Test-ProxyLogon.ps1該腳本檢查CVE-2021-26855、26858、26857和
  • CVE-2019-5786 漏洞原理分析及利用
    作者:Kerne7@知道創宇404實驗室時間:2020年6月29日首先根據谷歌博客收集相關CVE-2019-5786漏洞的資料:High CVE-2019-5786: Use-after-free in FileReader[1],得知是FileReader上的UAF漏洞。
  • 漏洞預警|Jackson遠程代碼執行高危漏洞分析(CVE-2019-12384)
    監測到,國外安全研究員在分析一個使用Jackson庫對JSON進行反序列化的應用程式時,發現了一個反序列化漏洞,可以控制要反序列化的類。我們分析復現如何利用此反序列化漏洞來觸發伺服器端請求偽造(SSRF)漏洞和遠程代碼執行漏洞(RCE)。漏洞對應的編號為CVE-2019-12384,RedHat的多個分支受該漏洞影響,如下所示:
  • 不斷發酵的windows RDP遠程代碼執行漏洞CVE-2019-0708
    時間事件連結2019年5月14日微軟官方發布安全補丁https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/2019年5月15日
  • 【獨家】K8S漏洞報告|近期多個CVE漏洞解讀
    安全漏洞CVE-2019-11247/ CVE-2019-11248/ CVE-2019-11249分析Kubernetes v1.15+ Bug Fix數據分析安全漏洞CVE-2019-11247/ CVE-2019-11248/ CVE-2019-11249分析近期Kubernetes社區通過Google
  • RouterOS 重要漏洞【注意】
    一個工程師的 MikroTik 說昨天說:「該漏洞允許一個特殊的工具來連接8291管理埠,並得到系統的用戶資料庫文件。」MikroTik表示零日漏洞影響了自v6.29以來發布的所有RouterOS版本。該公司在今天早些時候發布的RouterOS v6.42.1和v6.43rc4上修補了零日。
  • 漏洞分析 | CVE-2021-40444
    >隨著cve-2021-40444的披露,隨機引爆了全球的網絡安全,雖然最近微軟發布了補丁,但是cve-2021-40444的利用卻越發猖狂,本人深入分析了這個漏洞。經過簡單的靜態分析與調試,基本上就是它會去請求伺服器獲取一個cab文件,並且會通過執行cpl文件去執行一個inf然後通過樣本庫獲取到這個cab,初步分析這個cab,發現了其解壓路徑是..
  • CVE-2019-20760 : Netgear認證前漏洞分析
    概述Netgear R9000設備2019年爆出認證繞過漏洞CVE-2019-20760,題目之所以說這個漏洞遠被低估,主要以下兩個原因:實際漏洞危害較大,公開信息僅顯示該漏洞為一個認證繞過漏洞,沒有具體漏洞信息或者POC,但是經過分析,發現該漏洞其實是一個認證前的注入漏洞,攻擊者只需要知道設備ip便可以獲取設備的