
SoylentNews is people

posted by chromas on Friday October 12 2018, @12:32AM
from the route-666 dept.

Arthur T Knackerbracket has found the following story:

Researchers say a medium severity bug should now be rated critical because of a new hack technique that allows for remote code execution on MikroTik edge and consumer routers.

A new hacking technique used against vulnerable MikroTik routers gives attackers the ability to execute remote code on affected devices. The technique is yet another security blow against the MikroTik router family. Previous hacks have left the routers open to device failures, cryptojacking and network eavesdropping.

The hacking technique, found by Tenable Research and outlined on Sunday at DerbyCon 8.0 in Louisville, Kentucky, is tied to the existing directory traversal bug (CVE-2018-14847) found and patched in April. That vulnerability was rated medium in severity and impacted Winbox, which is a management component and a Windows GUI application for MikroTik's RouterOS software.

Tenable Research says it has found a new attack technique that exploits the same bug (CVE-2018-14847) that allows for unauthenticated remote code execution. "By exploiting the flaw, the remote attacker can get a root shell on the device as well as bypass the router's firewall, gain access to the internal network, and even load malware onto victims' systems undetected," Tenable Research said in a blog post accompanying the presentation.

The underlying flaw is tied to a Winbox Any Directory File that allows threat actors to read files that flow through the router without authentication. The new technique, found by Jacob Baines, researcher at Tenable Research, goes one step further allowing an adversary to write files to the router. Baines also created a proof of concept of the attack outlined Sunday.

"The licupgr binary has an sprintf that an authenticated user can use to trigger a stack buffer overflow. The sprintf is used on the following string:

GET /ssl_conn.php?usrname=%s&passwd=%s&softid=%s&level=%d&pay_type=%d&board=%d HTTP/1.0

"Where the user has control of the username and password strings, an authenticated user can exploit this to gain root access to the underlying system," he wrote.

This is as bad as it gets, Baines told Threatpost. "This bug was reported in April, but we are now able to show how an attacker can use it to get root shell on a system. It uses CVE-2018-14847 to leak the admin credentials first and then an authenticated code path gives us a back door."

Also at The Register:

Tenable's blog post noted that: "As of October 3, 2018, approximately 35,000 – 40,000 devices display an updated, patched version," discovered through a Shodan.io search. Baines' presentation estimated that 67.8 per cent of MikroTik routers currently remain unpatched.

MikroTik patched the security cockups in Router OS versions 6.42.7, 6.40.9, and 6.43 in late August. So, if you haven't already done so, grab and install those as soon as you can – before your router becomes someone else's router.

-- submitted from IRC
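
The unbounded `sprintf` pattern described in the quoted advisory text, next to a bounded alternative, as an added example that is not MikroTik's or Tenable's code. The function name `build_request`, the 256-byte buffer size and the sample values are assumptions; the page does not give the real buffer size.

```c
#include <stdio.h>
#include <string.h>

/* Format string quoted in the advisory text above. */
#define REQ_FMT "GET /ssl_conn.php?usrname=%s&passwd=%s&softid=%s" \
                "&level=%d&pay_type=%d&board=%d HTTP/1.0"

#define REQ_BUF_SIZE 256 /* assumed size, not taken from the page */

/* Unsafe pattern (the class of bug described): sprintf writes as many bytes
 * as the arguments need, regardless of how large the destination is.
 *     char req[REQ_BUF_SIZE];
 *     sprintf(req, REQ_FMT, user, pass, softid, level, pay_type, board);
 */

/* Bounded form (hypothetical helper): returns the request length on success,
 * or -1 if the formatted request would not fit. On failure the output is
 * emptied so a truncated request is never sent. */
int build_request(char *out, size_t out_size, const char *user,
                  const char *pass, const char *softid,
                  int level, int pay_type, int board)
{
    if (out == NULL || out_size == 0 || !user || !pass || !softid)
        return -1;
    int n = snprintf(out, out_size, REQ_FMT,
                     user, pass, softid, level, pay_type, board);
    if (n < 0 || (size_t)n >= out_size) { /* encoding error or truncation */
        out[0] = '\0';
        return -1;
    }
    return n;
}

int main(void)
{
    char req[REQ_BUF_SIZE];
    char long_user[1024]; /* constructed oversized input */
    memset(long_user, 'A', sizeof long_user - 1);
    long_user[sizeof long_user - 1] = '\0';

    int ok = build_request(req, sizeof req, "admin", "secret", "ABCD-1234", 1, 0, 0);
    printf("normal input: %d bytes\n", ok);
    int bad = build_request(req, sizeof req, long_user, "secret", "ABCD-1234", 1, 0, 0);
    printf("oversized username rejected: %d\n", bad);
    return 0;
}
```
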


  • (Score: 3, Funny) by Gaaark (41) on Friday October 12 2018, @02:15AM (#747755)

    So does Microsoft security.

    --
    --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---