SoylentNews is people

posted by chromas on Friday October 12 2018, @12:32AM
from the route-666 dept.

Arthur T Knackerbracket has found the following story:

Researchers say a medium severity bug should now be rated critical because of a new hack technique that allows for remote code execution on MikroTik edge and consumer routers.

A new hacking technique used against vulnerable MikroTik routers gives attackers the ability to execute remote code on affected devices. The technique is yet another security blow against the MikroTik router family. Previous hacks have left the routers open to device failures, cryptojacking and network eavesdropping.

The hacking technique, found by Tenable Research and outlined on Sunday at DerbyCon 8.0 in Louisville, Kentucky, is tied to the existing directory traversal bug (CVE-2018-14847) found and patched in April. That vulnerability was rated medium in severity and impacted Winbox, which is a management component and a Windows GUI application for MikroTik's RouterOS software.

Tenable Research says it has found a new attack technique that exploits the same bug (CVE-2018-14847) and allows for unauthenticated remote code execution. "By exploiting the flaw, the remote attacker can get a root shell on the device as well as bypass the router's firewall, gain access to the internal network, and even load malware onto victims' systems undetected," Tenable Research said in a blog post accompanying the presentation.

The underlying flaw is a Winbox "any directory file" issue that allows threat actors to read files that flow through the router without authentication. The new technique, found by Jacob Baines, a researcher at Tenable Research, goes one step further by allowing an adversary to write files to the router. Baines also created a proof of concept of the attack outlined Sunday.

"The licupgr binary has an sprintf that an authenticated user can use to trigger a stack buffer overflow. The sprintf is used on the following string:

GET /ssl_conn.php?usrname=%s&passwd=%s&softid=%s&level=%d&pay_type=%d&board=%d HTTP/1.0

"Where the user has control of the username and password strings, an authenticated user can exploit this to gain root access to the underlying system," he wrote.

This is as bad as it gets, Baines told Threatpost. "This bug was reported in April, but we are now able to show how an attacker can use it to get root shell on a system. It uses CVE-2018-14847 to leak the admin credentials first and then an authenticated code path gives us a back door."
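The bug pattern Baines describes, an unbounded sprintf of attacker-controlled username and password strings into a fixed-size stack buffer, is the textbook cause of this class of overflow. The C below is an added illustration, not code from Tenable or MikroTik: it shows the hardened counterpart, building the same format string with snprintf and refusing the request when it would not fit rather than writing past the buffer. The buffer size, the function names and the sample inputs are assumptions for the demonstration; the real licupgr buffer size is not stated on the page.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for the demonstration (the real one is not on the page). */
#define REQ_BUF_SIZE 256

/*
 * Pattern described on the page, shown only as a comment:
 *
 *     char req[REQ_BUF_SIZE];
 *     sprintf(req, "GET /ssl_conn.php?usrname=%s&passwd=%s...", user, pass, ...);
 *
 * sprintf never looks at the size of req, so a username or password longer
 * than the remaining space runs past the end of the stack buffer.
 */

/* Hardened form: snprintf is bounded by out_size and returns the length the
 * full string would have needed. A result >= out_size means it did not fit;
 * the buffer is cleared and failure reported instead of silently truncating.
 * Returns the request length on success, -1 on overflow or encoding error. */
int build_license_request(char *out, size_t out_size,
                          const char *user, const char *pass, const char *softid,
                          int level, int pay_type, int board)
{
    int n = snprintf(out, out_size,
                     "GET /ssl_conn.php?usrname=%s&passwd=%s&softid=%s"
                     "&level=%d&pay_type=%d&board=%d HTTP/1.0",
                     user, pass, softid, level, pay_type, board);
    if (n < 0 || (size_t)n >= out_size) {
        if (out_size > 0)
            out[0] = '\0';
        return -1;
    }
    return n;
}

/* Constructed, well-formed inputs: returns the length of the built request. */
int demo_normal_request(void)
{
    char req[REQ_BUF_SIZE];
    return build_license_request(req, sizeof req, "admin", "pw", "1234", 1, 2, 3);
}

/* Constructed oversized username (far longer than the buffer): the bounded
 * builder rejects it with -1 where sprintf would have overflowed the stack. */
int demo_oversized_request(void)
{
    char req[REQ_BUF_SIZE];
    char long_user[600];
    memset(long_user, 'A', sizeof long_user - 1);
    long_user[sizeof long_user - 1] = '\0';
    return build_license_request(req, sizeof req, long_user, "pw", "1234", 1, 2, 3);
}

int main(void)
{
    printf("normal request length: %d\n", demo_normal_request());
    printf("oversized request result: %d\n", demo_oversized_request());
    return 0;
}
```

The design point is that snprintf alone is not the fix: its return value has to be checked, because a silently truncated request can itself cause downstream parsing surprises. Rejecting over-long input outright is the conservative choice for a management interface.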

Also at The Register:

Tenable's blog post noted that: "As of October 3, 2018, approximately 35,000 – 40,000 devices display an updated, patched version," discovered through a Shodan.io search. Baines' presentation estimated that 67.8 per cent of MikroTik routers currently remain unpatched.

MikroTik patched the security cockups in Router OS versions 6.42.7, 6.40.9, and 6.43 in late August. So, if you haven't already done so, grab and install those as soon as you can – before your router becomes someone else's router.
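To turn that patch advice into a check a defender can run over a device inventory, the C below (added here, not MikroTik's or the article's code) classifies a RouterOS version string against the fixed releases the story names: 6.40.9, 6.42.7 and 6.43. Branches for which the story names no fixed release, such as 6.41.x, are reported as needing attention rather than assumed safe. The device names and version strings are constructed examples and the function names are assumptions.

```c
#include <stdio.h>

/* Parse a RouterOS version string such as "6.42.7" or "6.43" into numeric
 * parts. The patch number is optional (6.43 has none). Returns 1 on success,
 * 0 if the string does not start with "major.minor". */
int parse_routeros_version(const char *s, int *major, int *minor, int *patch)
{
    *major = *minor = *patch = 0;
    int fields = sscanf(s, "%d.%d.%d", major, minor, patch);
    return fields >= 2;
}

/* Classify against the fixed releases named in the story: 6.40.9 (long-term
 * branch), 6.42.7 (stable branch) and 6.43. Returns 1 when the version is at
 * or above the fix for its branch, 0 when it is below it, unparseable, or on
 * a branch for which no fixed release is named (e.g. 6.41.x); a defender
 * should treat that last case as needing an upgrade, not as safe. */
int routeros_version_is_patched(const char *version)
{
    int major, minor, patch;
    if (!parse_routeros_version(version, &major, &minor, &patch))
        return 0;
    if (major != 6)
        return major > 6;     /* assumption: a later major line is newer than the fixes, an earlier one is older */
    if (minor >= 43)
        return 1;             /* 6.43 and later */
    if (minor == 42)
        return patch >= 7;    /* stable branch: fixed in 6.42.7 */
    if (minor == 40)
        return patch >= 9;    /* long-term branch: fixed in 6.40.9 */
    return 0;                 /* 6.41 and older branches: no fix named, upgrade */
}

struct device { const char *name; const char *version; };

/* Walk an inventory and count devices still needing attention; with verbose
 * set, print one line per device. */
int count_unpatched(const struct device *devs, int n, int verbose)
{
    int unpatched = 0;
    for (int i = 0; i < n; i++) {
        int ok = routeros_version_is_patched(devs[i].version);
        if (!ok)
            unpatched++;
        if (verbose)
            printf("%-10s %-8s %s\n", devs[i].name, devs[i].version,
                   ok ? "patched" : "UPGRADE");
    }
    return unpatched;
}

/* Constructed sample inventory, not real devices. Returns the unpatched count. */
int demo_inventory(int verbose)
{
    static const struct device inventory[] = {
        { "edge-1",   "6.42.6" }, { "edge-2",   "6.42.7" }, { "branch-1", "6.40.9" },
        { "branch-2", "6.40.3" }, { "lab-1",    "6.43"   }, { "lab-2",    "6.41.4" },
    };
    return count_unpatched(inventory, 6, verbose);
}

int main(void)
{
    int n = demo_inventory(1);
    printf("%d device(s) need an upgrade\n", n);
    return 0;
}
```

The version string itself is what the router reports, so a check like this is only as honest as the inventory feeding it; it is a triage aid for deciding which devices to upgrade first, not proof that a device is unexposed.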

-- submitted from IRC

  • (Score: 2) by zocalo (302) on Friday October 12 2018, @02:16PM (#747898) (2 children)
    True, but according to Shodan there are approx 200k users who are *not* in their right mind. Or (more likely in most cases, I suspect) are completely unaware that the clueless fscks at their ISP supplied them with a router with the admin port enabled to make it easier for the ISP - and anyone else - to gain access to the router.
    --
    UNIX? They're not even circumcised! Savages!
  • (Score: 1) by Chromium_One (4574) on Friday October 12 2018, @04:04PM (#747950) (1 child)

    It's always worse than you'd think. Would be interested in a follow-up on the Internet Census of 2012, and willing to bet there's been little improvement in general practices.

    --
    When you live in a sick society, everything you do is wrong.
    • (Score: 3, Interesting) by zocalo (302) on Friday October 12 2018, @08:12PM (#748019)
      By users/admins? I think it's highly unlikely there will have been any improvement; in fact, judging by all the coverage in the media over just how much garbage there is under the IoT banner in the wake of botnets like Mirai, Satori, et al. and the number of people/organizations that got burnt by WannaCry, I suspect the general level of cluelessness is a lot lower in 2018 than it was in 2012 - something my firewall logs certainly seem to confirm, as the volume of portscanning is definitely much higher. Some of that is going to be attributable to higher bandwidths enabling each scanner to check a much greater number of potential victims, of course.

      However, since 2012 it does seem like there are more people willing to don a grey hat and step up to the plate where it's possible to do something about it. Mirai and its ilk had The Janit0r and "BrickerBot" [bleepingcomputer.com], and it appears that Mikrotik now has someone called Alexey [zdnet.com] trying to clean up the mess, so there's that at least.
      --
      UNIX? They're not even circumcised! Savages!