MikroTik RouterOS 7 Buffer Overflow Vulnerability in libjson.so JSON Parser

Vulnerability

A critical buffer overflow vulnerability has been identified in MikroTik RouterOS 7. This issue arises in the libjson.so component, specifically within the JSON parsing function 'parse_json_element'. The vulnerability is triggered by malformed JSON input that includes incomplete Unicode escape sequences, leading to memory corruption. This flaw can be exploited remotely via HTTP POST requests to the '/rest/ip/address/print' endpoint, bypassing basic authentication. The vulnerability causes an infinite parsing loop, resulting in a denial-of-service condition and potential application crash. Furthermore, depending on the memory layout, this vulnerability could be leveraged for code execution.

Impact

Exploitation of this vulnerability causes an immediate application crash due to an infinite loop and out-of-bounds memory access. Depending on the memory layout and the exploitation techniques used, the buffer overflow could potentially also be exploited for arbitrary code execution.

Reproduction

The vulnerability can be reproduced by sending an HTTP POST request to the '/rest/ip/address/print' endpoint. The request must include a JSON payload with an incomplete Unicode escape sequence, such as '\u0' (missing hex digits) followed by null bytes '\0' and an orphaned character. This malformed payload will cause the JSON parser to enter an infinite loop, searching for a closing quote that is never provided, ultimately leading to a crash.
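The input shape described above (an incomplete '\u' escape, embedded null bytes, no closing quote) is what a length-bounded string scanner should reject before any decoding happens. The C function below is an added example, not RouterOS or libjson.so code; its names are hypothetical and it assumes the caller passes the buffer with an explicit length.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
enum scan_status { SCAN_OK, SCAN_NOT_STRING, SCAN_UNTERMINATED,
                   SCAN_BAD_ESCAPE, SCAN_CONTROL_CHAR };

/* Hypothetical helper (added example). Scans one JSON string that starts at
 * buf[0] == '"'. Every read is checked against len, so a missing closing
 * quote ends in an error instead of a search past the buffer.
 * On SCAN_OK, *end is the index just after the closing quote. */
enum scan_status scan_json_string(const unsigned char *buf, size_t len, size_t *end)
{
    if (len == 0 || buf[0] != '"')
        return SCAN_NOT_STRING;
    size_t i = 1;
    while (i < len) {
        unsigned char c = buf[i];
        if (c == '"') { *end = i + 1; return SCAN_OK; }
        if (c < 0x20)                  /* raw control bytes, NUL included */
            return SCAN_CONTROL_CHAR;
        if (c != '\\') { i++; continue; }
        if (i + 1 >= len)              /* input ends right after the backslash */
            return SCAN_UNTERMINATED;
        switch (buf[i + 1]) {
        case 'u':
            if (len - (i + 2) < 4)     /* fewer than four bytes remain */
                return SCAN_BAD_ESCAPE;
            for (size_t k = 0; k < 4; k++)
                if (!isxdigit(buf[i + 2 + k]))
                    return SCAN_BAD_ESCAPE;
            i += 6;
            break;
        case '"': case '\\': case '/': case 'b':
        case 'f': case 'n': case 'r': case 't':
            i += 2;
            break;
        default:
            return SCAN_BAD_ESCAPE;
        }
    }
    return SCAN_UNTERMINATED;          /* no closing quote before end of input */
}
int main(void)
{
    /* Constructed sample: "\u0", two NUL bytes, one stray character. */
    static const unsigned char bad[] = { '"', '\\', 'u', '0', 0, 0, 'A' };
    size_t end = 0;
    printf("status=%d\n", scan_json_string(bad, sizeof bad, &end)); /* SCAN_BAD_ESCAPE */
    return 0;
}
```

Because the loop is bounded by `len` rather than by a terminator byte, both the truncated escape and the never-closed string terminate with an error code the caller can turn into an HTTP 400.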

Added: Sep 25, 2025, 2:26 PM
Updated: Sep 25, 2025, 3:36 PM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 2.5
exploitability: 9.1
remediation: 0.0
relevance: 0.6
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.