microtik xploit


Upload: antonio-otero

Post on 10-Mar-2016


DESCRIPTION

xploit microtik os

TRANSCRIPT

Page 1: Microtik xploit

 

During an audit, the Mikrotik RouterOS sshd (ROSSSH) was identified to have a remote pre-authentication heap corruption in its sshd component.

Exploitation of this vulnerability will allow full access to the router device.

This analysis describes the bug and includes a way to get developer access to recent versions of Mikrotik RouterOS using the /etc/devel-login file. This is done by forging a modified NPK file using a correct signature and logging into the device with username "devel" and the password of the administrator. This will drop into a busybox shell for further researching the sshd vulnerability using gdb and strace tools that have been compiled for the Mikrotik busybox platform.

Shodanhq.com shows >290.000 entries for the ROSSSH search term.

The 50 megs Mikrotik package, including all the research items, can be downloaded here:

http://www.farlight.org/mikropackage.zip

https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/28056.zip
