Finding and exploiting CVE-2018–7445 (unauthenticated RCE in MikroTik's RouterOS SMB)

Summary for the anxious reader

- CVE-2018–7445 is a stack buffer overflow in the SMB service binary present in all RouterOS versions and architectures prior to 6.41.3/6.42rc27.
- It was found using dumb-fuzzing assisted with the Mutiny Fuzzer tool from Cisco Talos and reported/fixed about a year ago.
- The vulnerable binary was not compiled with stack canaries.
- The exploit does ROP to mark the heap as executable and jumps to a fixed location in the heap.
- Dumb fuzzing still found bugs in interesting targets in 2018 (although I'm sure there must be none left for 2019!).
- The post describes the full process from target selection to identifying a vulnerability and then producing a working exploit.

The last few years have seen a surge in the number of public vulnerabilities found and reported in MikroTik RouterOS devices: from a remote buffer overflow affecting the built-in web server included in the CIA Vault 7 leak to a plethora of other vulnerabilities reported by Kirils Solovjovs from Possible Security and Jacob Baines from Tenable that result in full remote compromise. MikroTik was recently added to the list of eligible router brands in the exploit acquisition program maintained by Zerodium, including a one-month offer to buy pre-auth RCEs for $100,000. This might reflect an increasing interest in MikroTik products and their security posture.

This blog post is an attempt to make a small contribution to the ongoing MikroTik RouterOS vulnerability research. I will outline the steps we took with my colleague Juan (thanks Juan!) during our time together at Core Security to find and exploit CVE-2018–7445, a remote buffer overflow in MikroTik's RouterOS SMB service that could be triggered from the perspective of an unauthenticated attacker. The vulnerability is easy to find and exploitation is straightforward, so the idea is to provide a detailed walk-through that will (hopefully!) be useful for other beginners interested in memory corruption.
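Since the summary pins the fix to 6.41.3 on the stable channel and 6.42rc27 on the release-candidate channel, a defender's first job is to find which devices in an inventory still run an affected build. The following triage check is an added example (not code from the post or from MikroTik); the hostnames and version strings in the sample inventory are constructed, and the ordering of rc versus stable builds follows only the two fixed versions the summary names.

```python
import re
from typing import NamedTuple, Optional

# Fixed versions stated in the summary: 6.41.3 (stable) and 6.42rc27 (release candidate).
FIXED_STABLE = (6, 41, 3)
FIXED_RC = (6, 42, 27)

# Accepts '6.40.8', '6.41.3', '6.42rc27' and similar RouterOS version strings.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:rc(\d+))?$")


class RouterOSVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    rc: Optional[int]  # None for a stable release


def parse_version(text: str) -> RouterOSVersion:
    """Parse a RouterOS version string; raises ValueError on anything unrecognised."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised RouterOS version: {text!r}")
    major, minor, patch, rc = m.groups()
    return RouterOSVersion(int(major), int(minor), int(patch or 0), int(rc) if rc else None)


def is_affected(text: str) -> bool:
    """True if the version predates the fix on its channel (stable or rc)."""
    v = parse_version(text)
    if v.rc is None:
        return (v.major, v.minor, v.patch) < FIXED_STABLE
    # rc builds are ordered by (major, minor, rc number); anything before 6.42rc27 is vulnerable
    return (v.major, v.minor, v.rc) < FIXED_RC


def affected_hosts(inventory: dict) -> list:
    """Return the hostnames whose reported version is still vulnerable, sorted."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (hypothetical hostnames, not real devices).
SAMPLE_INVENTORY = {
    "edge-rtr-1": "6.40.8",   # stable, before 6.41.3 -> affected
    "edge-rtr-2": "6.41.3",   # first fixed stable build
    "lab-rtr-1": "6.42rc26",  # rc, before 6.42rc27 -> affected
    "lab-rtr-2": "6.42rc27",  # first fixed rc build
    "core-rtr": "6.43rc1",    # later rc channel build -> fixed
}
```

Hosts flagged by this check should have the SMB service disabled or filtered until they are upgraded, since the bug is reachable without authentication.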