On April 23rd 2018, MikroTik fixed a vulnerability "that allowed gaining access to an unsecured router". Myself and of (part of IR CERT) reverse engineering lab tried to figure out what exactly got fixed, what the problem was in the first place and how severe its impact was.

UPDATE: full PoC is now available on Github.

UPDATE: CVE-2018-14847 has been assigned to this vulnerability and there should be a Metasploit module related to this bug soon.

# What is MikroTik

According to the official website, MikroTik is a Latvian company which was founded in 1996 to develop routers and wireless ISP systems. MikroTik now provides hardware and software for Internet connectivity in most of the countries around the world. RouterOS is the operating system of most MikroTik devices. The vulnerability affects all versions of RouterOS from 6.29 (release date: 5) to 6.42 (release date 0).

# The Diff

First things first, we had to see which binaries were changed before and after the patch. What we did was download the RouterOS 6.40.7 and 6.40.8 npk files and look through each file to find the differences. I just named them "after" and "before" on my laptop. RouterOS is written on top of the Linux kernel, so a lot of kernel modules will be different in each version. I hashed every file inside those packages to see the difference, and lo and behold, I found a few.

As you can see, the mproxy binary has changed. Which makes sense, because the mproxy binary handles all Winbox requests. Mproxy is a 63K binary with no security measures (except for a simple NX section), so this bug could have been anything memory related. We ran BinDiff on the files and found some differences between the two versions, but there was one simple "if" statement which was added to the file.

So, how can we confirm this? We don't have GDB and we don't have a shell (yet). After some digging around, we found an interesting project, "mikrotik-tools". It shows an easy way to get a bash shell inside RouterOS and copy additional binaries to its filesystem. So we added a new and big BusyBox in addition to a gdbserver to do the job for us. It was pretty easy on a VM, since all you need to do is mount the RouterOS vmdk somewhere and add the additional files. After that, RouterOS will boot and it'll log in with the "devel" account with the same password as your admin account. In that telnet session, there's no RouterOS shell; instead, it's bash! Easy :-)

Now let's get started on sending some packets across! First, we turn off secure communication between the Router and Winbox, just because we can! When looking at the packets, we'll see a tiny conversation between the Router and Winbox, and then we'll see the list file being sent to Winbox. This file includes all the necessary DLLs for Winbox to use in order to communicate with the Router. Interestingly, this approach has had more than a couple of security flaws.

After putting a breakpoint on the "list" string, we started digging around and finally got the string which bypasses the first condition without violating any rules. Since the code scans the strings 4 bytes at a time, we could place our dots between them so it couldn't be discovered by the code.
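The 4-byte scan described above is the root of the problem: a substring scan over fixed-width chunks is not a path containment check. The example below is added here and is not mproxy's code or the authors' PoC; the chunked filter is a reconstruction based only on the post's description (an assumption), the root directory and sample requests are constructed placeholders, and the hardened check shows what a path filter should do instead.

```python
import posixpath

CHUNK = 4  # width of the per-chunk scan described in the post (assumed)


def chunked_scan_flags(path: str) -> bool:
    """Reconstruction (an assumption, not mproxy's actual code) of the kind of
    check the post describes: the request path is looked at CHUNK bytes at a
    time and a chunk is flagged if it contains "..".  A ".." that straddles a
    chunk boundary is never seen, so this is not a containment check."""
    data = path.encode()
    return any(b".." in data[i:i + CHUNK] for i in range(0, len(data), CHUNK))


def resolve_under_root(root: str, requested: str):
    """Hardened check: normalise the requested path and prove that it stays
    below `root`.  Returns the absolute target path, or None if the request
    is absolute, carries a NUL byte, or escapes the root after normalisation."""
    if "\x00" in requested or requested.startswith("/"):
        return None
    root = posixpath.normpath(root)
    target = posixpath.normpath(posixpath.join(root, requested))
    # commonpath compares normalised components, so repeated slashes and
    # ".." components are resolved before the comparison is made.
    if posixpath.commonpath([root, target]) != root:
        return None
    return target


# Constructed test vectors (not taken from the post): a plain file request
# and a traversal whose ".." components fall across 4-byte chunk boundaries.
ROOT = "/srv/files"  # placeholder root, not a RouterOS path
SAMPLES = {
    "plain": "list",
    "straddling": "ab/..//../secret",
}


def evaluate(sample: str) -> dict:
    """Run both checks on one request and report what each one concludes."""
    return {
        "chunked_scan_flags": chunked_scan_flags(sample),
        "resolved": resolve_under_root(ROOT, sample),
    }


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, evaluate(sample))
```

Running it shows the chunked scan passing the straddling request while the normalising check rejects it, which is why the fix must be made on the resolved path rather than on raw bytes.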