| Название | MikroTik RouterOS 7 Memory Corruption |
|---|
| Описание | Critical buffer overflow vulnerability in libjson.so JSON parser affecting RouterOS devices. The vulnerability exists in the parse_json_element function at address 0xf7ef6992, specifically in Unicode escape sequence processing logic.
TECHNICAL DETAILS:
- Function: parse_json_element (0xf7ef657b - 0xf7ef6fbb)
- Root Cause: Insufficient length validation for \u Unicode escape sequences
- Trigger: Malformed JSON with incomplete Unicode sequences like "\u0\0\\"
- Impact: Infinite parsing loop leading to DoS/potential code execution
EXPLOITATION:
- Remote trigger via HTTP POST to /rest/ip/address/print endpoint
- Malicious payload: {"0":"\u0\0\\"0
- Can bypass basic authentication
- Immediate application crash, potential for code execution
AFFECTED BINARY:
- libjson.so (MD5: c6e0f91c84de5e261c7f2decbf51fad3)
- SHA256: b6c00cb53461ed70610e53d11bb2c8a36868accbd55142a2ac5992c97fbe4cf4
The vulnerability occurs when the parser encounters \u followed by insufficient hex digits, causing state corruption in the string parsing loop and resulting in infinite iteration until memory exhaustion. |
|---|
| Источник | ⚠️ https://github.com/a2ure123/libjson-unicode-buffer-overflow-poc |
|---|
| Пользователь | a2ure (UID 41072) |
|---|
| Представление | 11.09.2025 04:51 (9 месяцы назад) |
|---|
| Модерация | 25.09.2025 08:03 (14 days later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 325818 [MikroTik RouterOS 7 libjson.so /rest/ip/address/print parse_json_element повреждение памяти] |
|---|
| Баллы | 20 |
|---|