cbcvebase.
CVE-2018-7445
published 2018-03-19

Priority: P1 (96), critical, 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV, ITW, EXPLOIT, Initial access
CISA Known Exploited Vulnerability, due 2022-09-29
Exploited in the wild
EPSS: 61.02% (99.0th percentile)
A buffer overflow was found in the MikroTik RouterOS SMB service when processing NetBIOS session request messages. Remote attackers with access to the service can exploit this vulnerability and gain code execution on the system. The overflow occurs before authentication takes place, so it is possible for an unauthenticated remote attacker to exploit it. All architectures and all devices running RouterOS before versions 6.41.3/6.42rc27 are vulnerable.

Affected

13 ranges

Vendor   | Product  | Version range | Fixed in
mikrotik | routeros | < 6.41.3      | 6.41.3
mikrotik | routeros | (12 further ranges; version bounds not present in the extracted record)

Detection & IOCs (extracted from sources)

port: 139
command: NETBIOS_SESSION_REQUEST overflow payload: "\xff" * 83 + ebx + esi + edi + ebp + eip + rop
command: ROP chain mprotect syscall int 0x80 via vDSO gadget at 0xffffe42e
command: ROP chain jump to heap shellcode via gadget at 0x0804e153
bytes: NETBIOS_SESSION_MESSAGE + "\x00\xeb\x02" repeated 4000 times followed by "\x90" * 16 + shellcode
  • Detect CVE-2018-7445 exploitation by monitoring for large TCP streams to port 139 on MikroTik RouterOS devices containing repeated NETBIOS_SESSION_MESSAGE frames (pattern \x00\xeb\x02) sent thousands of times — this is the heap spray stage preceding the overflow.
  • Detect the buffer overflow trigger: a NetBIOS Session Request message to port 139 with a payload starting with 83 bytes of 0xFF followed by register values and a ROP chain.
  • The exploit requires two sequential TCP connections to port 139: the first stores shellcode on the heap, the second sends the overflow. Detect two rapid connections from the same source IP to port 139 on RouterOS.
  • The exploit is pre-authentication; any unauthenticated TCP connection to port 139 on RouterOS that sends oversized NetBIOS Session Request messages should be treated as suspicious.
  • The ROP chain uses a vDSO gadget (int 0x80) at a fixed address 0xffffe42e not affected by ASLR to invoke mprotect with PROT_READ|PROT_WRITE|PROT_EXEC on the heap before jumping to shellcode.
  • The exploit targets the SMB daemon (SMB service) on MikroTik RouterOS. All architectures are affected on versions before 6.41.3/6.42rc27; use version detection on port 139 banners to identify unpatched devices.
  • The vDSO gadget used in the ROP chain (int 0x80 at 0xffffe42e) is explicitly noted as not affected by ASLR on the targeted RouterOS builds, making the exploit reliable without an ASLR leak.
  • The exploit sprays shellcode via socket-based heap spray before triggering the overflow; the heap address used for the ROP chain jump (0x08075802) is described as '(always?) contain[ing] user controlled data', suggesting heap layout may vary slightly across devices.
  • The overflow offset to saved registers is fixed at 83 bytes, implying this PoC targets a specific SMB daemon build; different RouterOS versions or architectures may require adjusted offsets.

CVSS provenance

Source    | Version | Score | Severity | Vector
nvd       | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd       | v2.0    | 10.0  | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck |         | 9.8   | CRITICAL |
cisa      |         | 9.8   | CRITICAL |