### Vulnerability Overview

**Title:** MikroTik RouterOS 6.49.8 Out-of-Bounds Read (nova/lib/www/scep.p) #4

**Type:** Out-of-Bounds Read (CWE-125), Improper Handling of Length Parameter Inconsistencies (CWE-130)

**Description:** An out-of-bounds read vulnerability exists in the `nova/lib/www/scep.p` component of the MikroTik RouterOS firmware. When parsing attacker-controlled PKCS#7 signed attributes (such as `transactionID` and `messageType`), the SCEP server takes the raw `ASN1_STRING_data` pointer and subsequently consumes these values using NUL-terminated C string semantics, ignoring the explicit ASN.1 length. A PKIOperation request containing a non-NUL-terminated ASN.1 PrintableString therefore makes the parser read beyond the boundary of the original ASN.1 attribute, resulting in pre-authentication information leakage in the `certRep` response.

### Affected Scope

* **Vendor:** MikroTik
* **Product:** MikroTik RouterOS Firmware
* **Affected Version:** 6.49.8 (ARM)
* **Affected Component:** `nova/lib/www/scep.p`
* **Attack Surface:** `/scep/operation=PKIOperation`

### Remediation

* Preserve explicit ASN.1 lengths for all signed attribute consumers in `scep.p`.
* Replace `atoi()` with length-aware parsing using `asn1()` and raw string `::assign(char *)` style handling.
* Pass explicit trusted lengths to `ASN1_STRING_set` instead of relying on `-1` / `strlen`.
* Reject malformed or non-compliant PrintableString values before constructing the reply.
* If possible, delay the consumption of security-sensitive signed attributes until after signature verification.
* Audit sibling SCEP parsing paths for similar length confusion patterns.
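To make the length-confusion pattern behind this finding and its remediation concrete, the C block below is an added illustration, not code from MikroTik, from `scep.p`, or from this advisory. It models an ASN.1 attribute as an explicit `(data, length)` pair (a stand-in for OpenSSL's `ASN1_STRING`, so the example builds without OpenSSL; that struct and the sample bytes are constructed assumptions) and contrasts the `strlen()`-style consumption that runs past the attribute with a PrintableString check, a bounded replacement for `atoi()`, and a reply builder that hands an explicit length to the caller instead of `-1`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the (data, length) pair an ASN.1 string carries.
 * With OpenSSL this would come from ASN1_STRING_get0_data() and
 * ASN1_STRING_length(); it is modelled here so the example is self-contained. */
typedef struct {
    const unsigned char *data;
    size_t length;              /* explicit DER length; data is NOT NUL-terminated */
} asn1_str_t;

/* Constructed message bytes: a 4-byte PrintableString attribute value ("1234")
 * immediately followed by bytes that belong to a different field. As in real
 * DER, nothing is NUL-terminated; the '\0' at the end is just where a C-string
 * walk would finally stop. */
static const unsigned char sample_msg[] = {
    '1', '2', '3', '4',                     /* the signed attribute value */
    'S', 'E', 'C', 'R', 'E', 'T', '\0'      /* adjacent data, not part of the attribute */
};
static const asn1_str_t sample_attr     = { sample_msg, 4 };
static const unsigned char bad_bytes[]  = { '1', '2', 0x01 };   /* control byte: not PrintableString */
static const asn1_str_t sample_bad_attr = { bad_bytes, 3 };

/* Vulnerable pattern: treating the raw pointer as a C string. strlen() keeps
 * reading past the 4-byte attribute until some later byte happens to be NUL. */
size_t naive_consumed_length(const asn1_str_t *s) {
    return strlen((const char *)s->data);
}

/* Hardened: validate the X.680 PrintableString alphabet over the explicit
 * length. Empty values, embedded NULs and any other byte are rejected before
 * the value is used anywhere. */
bool is_printable_string(const asn1_str_t *s) {
    static const char allowed[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?";
    if (s->length == 0) return false;
    for (size_t i = 0; i < s->length; i++) {
        unsigned char c = s->data[i];
        if (c == '\0' || memchr(allowed, c, sizeof(allowed) - 1) == NULL) return false;
    }
    return true;
}

/* Length-aware replacement for atoi(): decimal digits only, bounded by the
 * DER length, capped at 18 digits so the value cannot overflow a long long. */
bool parse_bounded_decimal(const asn1_str_t *s, long long *out) {
    if (!is_printable_string(s) || s->length > 18) return false;
    long long v = 0;
    for (size_t i = 0; i < s->length; i++) {
        unsigned char c = s->data[i];
        if (c < '0' || c > '9') return false;
        v = v * 10 + (c - '0');
    }
    *out = v;
    return true;
}

/* Convenience wrapper: parsed value, or -1 when the attribute is rejected. */
long long parse_or_minus_one(const asn1_str_t *s) {
    long long v;
    return parse_bounded_decimal(s, &v) ? v : -1;
}

/* Build the reply attribute with an explicit, trusted length. The returned
 * length is what would be passed to ASN1_STRING_set(x, data, len); passing -1
 * instead would make the library fall back to strlen() on data. */
size_t build_reply_value(const asn1_str_t *in, unsigned char *dst, size_t dst_cap) {
    if (!is_printable_string(in) || in->length > dst_cap) return 0;
    memcpy(dst, in->data, in->length);
    return in->length;
}

size_t reply_len_for(const asn1_str_t *in) {
    static unsigned char buf[64];
    return build_reply_value(in, buf, sizeof buf);
}

int main(void) {
    printf("strlen-style consumption reads %zu bytes for a %zu-byte attribute\n",
           naive_consumed_length(&sample_attr), sample_attr.length);
    printf("bounded parse of attribute: %lld\n", parse_or_minus_one(&sample_attr));
    printf("bounded parse of malformed attribute: %lld\n", parse_or_minus_one(&sample_bad_attr));
    printf("reply value length carried forward: %zu\n", reply_len_for(&sample_attr));
    return 0;
}
```

Run as-is, the block reports that the `strlen()` walk consumes 10 bytes for a 4-byte attribute (the over-read the advisory describes, contained here inside one constructed array), while the bounded functions stop at the DER length, reject the value with a control byte, and hand a length of 4 to whoever builds the `certRep`.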
### POC Code or Exploit Code

**Step 1: Generate a valid baseline SCEP request**

```bash
/certificate add-scep-template=scep-clean-1 scep-url=http://127.0.0.1/scep/
```

**Step 3: Replay the request**

```bash
curl -sS -X POST "http://127.0.0.1/scep/operation=PKIOperation" \
  -H "Content-Type: application/x-pki-message" \
  --data-binary @mutated-request.der
```