[lacnog] New Exploit for MikroTik Router WinBox Vulnerability Gives Full Root Access

Lucimara Desiderá lucimara en cert.br
Tue Oct 9 16:09:42 -03 2018


New Exploit for MikroTik Router WinBox Vulnerability Gives Full Root Access
October 08, 2018, by Swati Khandelwal
A known vulnerability in MikroTik routers is potentially far more
dangerous than previously thought.

A cybersecurity researcher from Tenable Research has released a new
proof-of-concept (PoC) RCE attack for an old directory traversal
vulnerability that was found and patched within a day of its discovery
in April this year.

The vulnerability, identified as CVE-2018-14847, was initially rated as
medium in severity but should now be rated critical because the new
hacking technique used against vulnerable MikroTik routers allows
attackers to remotely execute code on affected devices and gain a root

The vulnerability impacts Winbox—a management component for
administrators to set up their routers using a Web-based interface—and a
Windows GUI application for the RouterOS software used by the MikroTik

The vulnerability allows "remote attackers to bypass authentication and
read arbitrary files by modifying a request to change one byte related
to a Session ID."

New Hack Turned 'Medium' MikroTik Vulnerability Into 'Critical'

However, the new attack method found by Tenable Research exploits the
same vulnerability and takes it one step further.

A PoC exploit, called "By the Way," released by Tenable Research's Jacob
Baines, first uses the directory traversal vulnerability to steal
administrator login credentials from the user database file and then
writes another file on the system to gain root shell access remotely.

In other words, the new exploit could allow unauthorized attackers to
hack MikroTik's RouterOS system, deploy malware payloads or bypass
router firewall protections.

The technique is yet another security blow against MikroTik routers,
which were previously targeted by the VPNFilter malware and used in an
extensive cryptojacking campaign uncovered a few months ago.

New MikroTik Router Vulnerabilities
Besides this, Tenable Research also disclosed additional MikroTik
RouterOS vulnerabilities, including:

    CVE-2018-1156—A stack buffer overflow flaw that could allow an
authenticated remote code execution, allowing attackers to gain full
system access and access to any internal system that uses the router.
    CVE-2018-1157—A file upload memory exhaustion flaw that allows an
authenticated remote attacker to crash the HTTP server.
    CVE-2018-1159—A www memory corruption flaw that could crash the HTTP
server by rapidly authenticating and disconnecting.
    CVE-2018-1158—A recursive parsing stack exhaustion issue that could
crash the HTTP server via recursive parsing of JSON.

The vulnerabilities impact Mikrotik RouterOS firmware versions before
6.42.7 and 6.40.9.

Tenable Research reported the issues to MikroTik in May, and the company
addressed the vulnerabilities by releasing its RouterOS versions 6.40.9,
6.42.7 and 6.43 in August.
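An added example, not code from the article, from Tenable or from MikroTik: a Python triage helper that applies the fixed releases named above (6.40.9, 6.42.7 and 6.43) to an inventory of RouterOS version strings so an operator can see which devices still need the update. The inventory is constructed, and treating 6.41.x builds as unfixed is an assumption, since the article names no fix on that branch.

```python
import re
from typing import Dict, List, Tuple

# Fixed releases named in the article: 6.40.9 (long-term branch), 6.42.7 and 6.43.
# Assumption (not stated on the page): 6.41.x builds have no fix of their own and
# count as vulnerable, since the only fixes named are 6.40.9, 6.42.7 and 6.43.
FIXED_LONG_TERM = (6, 40, 9)
FIXED_STABLE = (6, 42, 7)

# Accepts "6.42.6", "6.43" and "6.43 (stable)"; a missing patch number means .0
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:\s*\(.*\))?$")


def parse_routeros_version(text: str) -> Tuple[int, int, int]:
    """Turn a RouterOS version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised RouterOS version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version_text: str) -> bool:
    """True when the version predates every fixed release the article names."""
    v = parse_routeros_version(version_text)
    if v >= FIXED_STABLE:                       # 6.42.7, 6.43 and later are fixed
        return False
    if v[:2] == FIXED_LONG_TERM[:2] and v >= FIXED_LONG_TERM:
        return False                            # 6.40.9+ on the long-term branch
    return True                                 # everything else, incl. 6.41.x


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames whose RouterOS is still affected, sorted for reporting."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (hostnames and versions invented for the example).
SAMPLE_INVENTORY = {
    "edge-rtr-1": "6.42.6",
    "edge-rtr-2": "6.43 (stable)",
    "branch-rtr-1": "6.40.9",
    "branch-rtr-2": "6.40.8",
    "lab-rtr-1": "6.41.4",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: RouterOS {SAMPLE_INVENTORY[host]} is still affected, update now")
```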

While all the vulnerabilities were patched over a month ago, a recent
scan by Tenable Research revealed that 70 percent of routers (which
equals 200,000) are still vulnerable to attack.

The bottom line: If you own a MikroTik router and you have not updated
its RouterOS, you should do it right now.

Also, if you are still using default credentials on your router, it is
high time to change the default password and keep a unique, long and
complex password.

More information about the LACNOG mailing list