
CVE-2022-45313 (Mikrotik RouterOS before stable v7.5 was discovered to contain an OOB R/ in the hotspot process)

The hotspot process suffers from an OOB R/ vulnerability. Due to lack of proper validation, by sending a crafted nova message with a specific u32_id key with a negative value, it’s possible to cause an OOB R/, which may further affect the function pointer of an indirect call. It’s possible for an authenticated user to achieve code execution.

The vulnerability was initially found in long-term 6.44.6 and was fixed in stable 7.5.

CVE-2022-45315 (Mikrotik RouterOS before stable v7.6 was discovered to contain an OOB R/ in the snmp process) + PoC

The snmp process suffers from an OOB R/ vulnerability. Due to lack of proper validation on the value of a specific u32_id key, by sending a crafted packet, it’s possible to cause an OOB R/, which may further affect the function pointer of an indirect call. It’s possible for an authenticated user to achieve code execution.


CVE-2022-45313

Description

The hotspot process suffers from an out-of-bounds read vulnerability. Due to lack of proper validation, by sending a crafted nova message with a specific u32_id key with a negative value, it’s possible to cause an out-of-bounds read, which may further affect the function pointer of an indirect call. It’s possible for an authenticated user to achieve code execution.

The authentication here means that the user should be authenticated to the device itself (e.g. web, winbox).
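Both advisories above describe the same defect class: a key that should be an unsigned index is validated only against an upper bound, so a negative value slips past the check and indexes outside a table that holds function pointers. The following is an added illustration of that bug class and the corresponding fix, written for this page; it is not MikroTik code and does not model the nova message or SNMP packet format. The handler table, the `flawed_check_accepts` and `lookup_handler` functions, and the `u32_id`-style signed key are all hypothetical. The flawed check only reports whether it would accept a key; it never performs the out-of-bounds access.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical dispatch table of handlers, indexed by a key taken
   from an untrusted message. Constructed for this example. */
typedef int (*handler_fn)(void);

static int handler_a(void) { return 1; }
static int handler_b(void) { return 2; }

static handler_fn handlers[] = { handler_a, handler_b };
#define HANDLER_COUNT (sizeof(handlers) / sizeof(handlers[0]))

/* Flawed validation: the key is compared as a signed value against
   the upper bound only. A negative key passes the check and, if used
   as an index, would read a function pointer from before the table.
   Returns 1 if the check would accept the key; no memory is touched. */
int flawed_check_accepts(int32_t key) {
    return key < (int32_t)HANDLER_COUNT;
}

/* Hardened lookup: reinterpret the key as unsigned so any negative
   value becomes a very large index and fails the single bound check.
   Returns NULL for any key outside the table. */
handler_fn lookup_handler(int32_t key) {
    uint32_t idx = (uint32_t)key;
    if (idx >= HANDLER_COUNT) {
        return NULL;
    }
    return handlers[idx];
}

/* Dispatch through the hardened lookup; -1 signals a rejected key. */
int dispatch(int32_t key) {
    handler_fn h = lookup_handler(key);
    if (h == NULL) {
        return -1;
    }
    return h();
}

int main(void) {
    int32_t samples[] = { 0, 1, 2, -1 };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        printf("key %d: flawed check accepts=%d, hardened dispatch=%d\n",
               samples[i], flawed_check_accepts(samples[i]), dispatch(samples[i]));
    }
    return 0;
}
```

The point for a reviewer is the type of the comparison: validating a signed key with `key < COUNT` alone admits every negative value, whereas converting to an unsigned index first turns the two-sided range check into one comparison that rejects them. The same reasoning applies whether the table holds function pointers, as the advisories describe, or plain data.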

Against stable 6.46.5, the PoC resulted in the following crash captured by gdb.

About Post Author

Treadstone 71

@Treadstone71LLC Cyber intelligence, counterintelligence, Influence Operations, Cyber Operations, OSINT, Clandestine Cyber HUMINT, cyber intel and OSINT training and analysis, cyber psyops, strategic intelligence, Open-Source Intelligence collection, analytic writing, structured analytic techniques, Target Adversary Research, cyber counterintelligence, strategic intelligence analysis, estimative intelligence, forecasting intelligence, warning intelligence, threat intelligence
