| Título | MikroTik RouterOS 7 Memory Corruption |
|---|
| Descrição | Critical buffer overflow vulnerability in libjson.so JSON parser affecting RouterOS devices. The vulnerability exists in the parse_json_element function at address 0xf7ef6992, specifically in Unicode escape sequence processing logic.
TECHNICAL DETAILS:
- Function: parse_json_element (0xf7ef657b - 0xf7ef6fbb)
- Root Cause: Insufficient length validation for \u Unicode escape sequences
- Trigger: Malformed JSON with incomplete Unicode sequences like "\u0\0\\"
- Impact: Infinite parsing loop leading to DoS/potential code execution
EXPLOITATION:
- Remote trigger via HTTP POST to /rest/ip/address/print endpoint
- Malicious payload: {"0":"\u0\0\\"0
- Can bypass basic authentication
- Immediate application crash, potential for code execution
AFFECTED BINARY:
- libjson.so (MD5: c6e0f91c84de5e261c7f2decbf51fad3)
- SHA256: b6c00cb53461ed70610e53d11bb2c8a36868accbd55142a2ac5992c97fbe4cf4
The vulnerability occurs when the parser encounters \u followed by insufficient hex digits, causing state corruption in the string parsing loop and resulting in infinite iteration until memory exhaustion. |
|---|
| Fonte | ⚠️ https://github.com/a2ure123/libjson-unicode-buffer-overflow-poc |
|---|
| Utilizador | a2ure (UID 41072) |
|---|
| Submissão | 11/09/2025 04h51 (há 7 meses) |
|---|
| Moderação | 25/09/2025 08h03 (14 days later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 325818 [MikroTik RouterOS 7 libjson.so /rest/ip/address/print parse_json_element Excesso de tampão] |
|---|
| Pontos | 20 |
|---|