Mikrotik RouterOS Resource / Stack Exhaustion

Mikrotik RouterOS versions prior to 6.44.5 and 6.45.1 suffer from stack and resource exhaustion vulnerabilities.

MD5 | eeba1d7bbe580c07aa40fc01480b5df5

Advisory: two vulnerabilities found in MikroTik's RouterOS


Product: MikroTik's RouterOS
Affected Versions: before 6.44.5 (Long-term release tree),
before 6.45.1 (Stable release tree)
Fixed Versions: 6.44.5 (Long-term release tree),
6.45.1 (Stable release tree)
Vendor URL: https://mikrotik.com/download/changelogs/long-term-release-tree
Vendor Status: fixed version released
CVE: CVE-2019-13954, CVE-2019-13955
Credit: Qian Chen(@cq674350529) of the Qihoo 360 Nirvan Team

Product Description

RouterOS is the operating system used on the MikroTik's devices, such as
switch, router and access point.

Details of vulnerabilities

These two vulnerabilities were tested only against the MikroTik RouterOS
6.42.11 and 6.43.16 (Long-term release tree) when found.

1. CVE-2019-13954: memory exhaustion via a crafted POST request
This vulnerability is similiar to the CVE-2018-1157. An authenticated user
can cause the www binary to consume all memory via a crafted POST request
to /jsproxy/upload. It's because of the incomplete fix for the

Based on the poc for cve_2018_1157 provided by the @Jacob Baines (really
appreciate!), crafting a filename ending with many '\x00' can bypass the
original fix to trigger the vulnerability.

2. CVE-2019-13955: stack exhaustion via recuring parsing of JSON
This vulnerability is similar to the CVE-2018-1158. An authenticated user
communicating with the www binary can trigger a stack exhaustion
vulnerability via recursive parsing of JSON containing message type M.

Based on the poc for cve_2018_1158 provided by the @Jacob Baines (really
appreciate!), crafting an JSON message with type M can trigger the
vulnerability. A simple python script to generate the crafted message is as

msg = "{M01:[M01:[]]}"
for _ in xrange(2000):
msg = msg.replace('[]', "[M01:[]]")


Upgrade to RouterOS versions 6.44.5 (Long-term release tree), 6.45.1
(Stable release tree).


[1] https://mikrotik.com/download/changelogs/long-term-release-tree
[2] https://github.com/tenable/routeros

Related Posts