
Thursday, March 15, 2018

[FD] [CORE-2018-0003] MikroTik RouterOS SMB Buffer Overflow

Core Security - Corelabs Advisory
http://ift.tt/140w507

MikroTik RouterOS SMB Buffer Overflow

1. **Advisory Information**

Title: MikroTik RouterOS SMB Buffer Overflow
Advisory ID: CORE-2018-0003
Advisory URL: http://ift.tt/2HCjrcq
Date published: 2018-03-15
Date of last update: 2018-03-01
Vendors contacted: MikroTik
Release mode: Coordinated release

2. **Vulnerability Information**

Class: Stack-based Buffer Overflow [CWE-121]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2018-7445

3. **Vulnerability Description**

MikroTik is a Latvian company which was founded in 1996 to develop routers and wireless ISP systems. MikroTik now provides hardware and software for Internet connectivity in most of the countries around the world. RouterOS is MikroTik's stand-alone operating system based on the Linux v3.3.5 kernel.

A buffer overflow was found in the MikroTik RouterOS SMB service when processing NetBIOS session request messages. Remote attackers with access to the service can exploit this vulnerability and gain code execution on the system. The overflow occurs before authentication takes place, so it is possible for an unauthenticated remote attacker to exploit it.

4. **Vulnerable Packages**

. All architectures and all devices running RouterOS before versions 6.41.3/6.42rc27

5. **Vendor Information, Solutions and Workarounds**

. MikroTik released version 6.41.3 of RouterOS [1] that fixes the reported issue.
. The workaround suggested by MikroTik, in case it is not possible to install an update, consists of disabling the SMB service.

6. **Credits**

This vulnerability was discovered and researched by Juan Caillava and Maximiliano Vidal from Core Security Consulting Services. The publication of this advisory was coordinated by Leandro Cuozzo from Core Advisories Team.

7. **Technical Description / Proof of Concept Code**

The overflow takes place in the function in charge of parsing NetBIOS names, which receives two stack-allocated buffers as parameters. As an example reference, this function is located at address 0x08054607 in the x86 SMB binary, version 6.40.5. The first byte of the source buffer is read and used as the size for the copy operation. The function then copies that number of bytes into the destination buffer. Once that is done, the next byte of the source buffer is read and used as the new size. This loop finishes when the size to copy is equal to zero. No validation is done to ensure that the data fits in the destination buffer, resulting in a stack overflow.

Simplified pseudo-code of the vulnerable function:
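The length-prefixed copy loop the advisory describes, written in C with the two bounds checks it says are missing, as an added example that is neither the advisory's elided pseudo-code nor MikroTik's code; the function name, status codes and sample input are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of the checked parse; per the advisory, the original had no checks. */
enum nb_parse_status {
    NB_OK = 0,
    NB_ERR_TRUNCATED,     /* a length byte points past the end of the source */
    NB_ERR_TOO_LONG,      /* the decoded name would not fit in the destination */
    NB_ERR_NO_TERMINATOR  /* the source ended before the zero length byte */
};

/* Decode a length-prefixed NetBIOS name (label, label, ..., 0) into dst as a
 * NUL-terminated string with '.' between labels. Same loop the advisory
 * describes (read a length byte, copy that many bytes, stop at zero). */
static enum nb_parse_status
nb_parse_name_checked(const uint8_t *src, size_t src_len,
                      char *dst, size_t dst_cap)
{
    size_t in = 0, out = 0;
    if (dst_cap == 0) return NB_ERR_TOO_LONG;   /* no room even for the NUL */
    for (;;) {
        if (in >= src_len) return NB_ERR_NO_TERMINATOR;
        size_t label_len = src[in++];
        if (label_len == 0) break;
        /* Check 1: the label must actually be present in the source. */
        if (label_len > src_len - in) return NB_ERR_TRUNCATED;
        /* Check 2: label, optional '.' and the final NUL must fit in dst. */
        size_t needed = label_len + (out ? 1 : 0) + 1;
        if (needed > dst_cap - out) return NB_ERR_TOO_LONG;
        if (out) dst[out++] = '.';
        memcpy(dst + out, src + in, label_len);
        out += label_len;
        in += label_len;
    }
    dst[out] = '\0';
    return NB_OK;
}

int main(void)
{
    /* Constructed sample: the label claims 255 bytes but only two follow. */
    static const uint8_t bad[] = { 0xFF, 'A', 'B' };
    char name[32];
    enum nb_parse_status st = nb_parse_name_checked(bad, sizeof bad, name, sizeof name);
    printf("status=%d (expect %d = truncated)\n", st, NB_ERR_TRUNCATED);
    return st == NB_ERR_TRUNCATED ? 0 : 1;
}
```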

