[lacnog] New Exploit for MikroTik Router WinBox Vulnerability Gives Full Root Access

Ivan Chapero info en ivanchapero.com.ar
Mar Oct 9 17:00:49 -03 2018

Prestar atención si saltan de una version previa a 6.41.x dado que hubo
cambios en el manejo de los port switch (master/slave-port).
Se aconseja verificar coherencia post-upgrade dado que ahora esto se maneja
en un bridge con HW-offload, desapareciendo la config master/slave-port de
las interfaces eth.


El mar., 9 oct. 2018 a las 16:10, Lucimara Desiderá (<lucimara en cert.br>)

> https://thehackernews.com/2018/10/router-hacking-exploit.html
> New Exploit for MikroTik Router WinBox Vulnerability Gives Full Root Access
> October 08, 2018Swati Khandelwal
> mikrotik router hacking exploit
> A known vulnerability in MikroTik routers is potentially far more
> dangerous than previously thought.
> A cybersecurity researcher from Tenable Research has released a new
> proof-of-concept (PoC) RCE attack for an old directory traversal
> vulnerability that was found and patched within a day of its discovery
> in April this year.
> The vulnerability, identified as CVE-2018-14847, was initially rated as
> medium in severity but should now be rated critical because the new
> hacking technique used against vulnerable MikroTik routers allows
> attackers to remotely execute code on affected devices and gain a root
> shell.
> The vulnerability impacts Winbox—a management component for
> administrators to set up their routers using a Web-based interface—and a
> Windows GUI application for the RouterOS software used by the MikroTik
> devices.
> The vulnerability allows "remote attackers to bypass authentication and
> read arbitrary files by modifying a request to change one byte related
> to a Session ID."
> New Hack Turned 'Medium' MikroTik Vulnerability Into 'Critical'
> However, the new attack method found by Tenable Research exploits the
> same vulnerability and takes it to one step ahead.
> A PoC exploit, called "By the Way," released by Tenable Research Jacob
> Baines, first uses directory traversal vulnerability to steal
> administrator login credentials from user database file and the then
> writes another file on the system to gain root shell access remotely.
> In other words, the new exploit could allow unauthorized attackers to
> hack MikroTik's RouterOS system, deploy malware payloads or bypass
> router firewall protections.
> The technique is yet another security blow against MikroTik routers,
> which was previously targeted by the VPNFilter malware and used in an
> extensive cryptojacking campaign uncovered a few months ago.
> New MikroTik Router Vulnerabilities
> Besides this, Tenable Research also disclosed additional MikroTik
> RouterOS vulnerabilities, including:
>     CVE-2018-1156—A stack buffer overflow flaw that could allow an
> authenticated remote code execution, allowing attackers to gain full
> system access and access to any internal system that uses the router.
>     CVE-2018-1157—A file upload memory exhaustion flaw that allows an
> authenticated remote attacker to crash the HTTP server.
>     CVE-2018-1159—A www memory corruption flaw that could crash the HTTP
> server by rapidly authenticating and disconnecting.
>     CVE-2018-1158—A recursive parsing stack exhaustion issue that could
> crash the HTTP server via recursive parsing of JSON.
> The vulnerabilities impact Mikrotik RouterOS firmware versions before
> 6.42.7 and 6.40.9.
> Tenable Research reported the issues to MikroTik in May, and the company
> addressed the vulnerabilities by releasing its RouterOS versions 6.40.9,
> 6.42.7 and 6.43 in August.
> While all the vulnerabilities were patched over a month ago, a recent
> scan by Tenable Research revealed that 70 percent of routers (which
> equals to 200,000) are still vulnerable to attack.
> The bottom line: If you own a MikroTik router and you have not updated
> its RouterOS, you should do it right now.
> Also, if you are still using default credentials on your router, it is
> high time to change the default password and keep a unique, long and
> complex password.
> _______________________________________________
> LACNOG mailing list
> LACNOG en lacnic.net
> https://mail.lacnic.net/mailman/listinfo/lacnog
> Cancelar suscripcion: https://mail.lacnic.net/mailman/options/lacnog


*Ivan ChaperoÁrea Técnica y Soporte*
Fijo: 03464-470280 (interno 535) | Móvil:  03464-155-20282  | Skype ID:
GoDATA Banda Ancha - CABLETEL S.A. | Av. 9 de Julio 1163 - 2183 - Arequito
- Santa Fe - Argentina
------------ próxima parte ------------
Se ha borrado un adjunto en formato HTML...
URL: <https://mail.lacnic.net/pipermail/lacnog/attachments/20181009/62026280/attachment.html>

Más información sobre la lista de distribución LACNOG