Expert presented a new attack technique to compromise MikroTik Routers

Pierluigi Paganini October 08, 2018

Experts from Tenable Research have devised a new attack technique to fully compromise MikroTik Routers.

MikroTik routers continue to be under attack, and the situation is getting worse because of the availability of a new PoC code.

The new attack technique discovered by experts at Tenable Research could be exploited by remote attackers to execute arbitrary code on the vulnerable devices.

The experts at Tenable Research presented the technique on October 7 at DerbyCon 8.0 during the talk “Bug Hunting in RouterOS” at Derbycon, it leverages a known directory traversal flaw tracked as CVE-2018-14847.

Mikrotik routers vulnerable

The vulnerability was rated medium in severity was discovered in April, it affects the Winbox, that is a management console for MikroTik’s RouterOS software.

In the past months, MikroTik devices running RouterOS were targeted by malicious code that includes the exploit for the Chimay-Red vulnerability.

The Chimay Red hacking tool leverages 2 exploits, the Winbox Any Directory File Read (CVE-2018-14847) and Webfig Remote Code Execution Vulnerability.

Now Tenable Research devised a new attack technique that exploits the same CVE-2018-14847 issue to execute arbitrary code on the target device.

“The vulnerabilities include CVE-2018-1156 — an authenticated remote code execution (RCE) — as well as a file upload memory exhaustion (CVE-2018-1157), a www memory corruption (CVE-2018-1159) and a recursive parsing stack exhaustion (CVE-2018-1158). The most critical of these vulnerabilities is the authenticated RCE, which would allow attackers to potentially gain full system access. They were tested against RouterOS 6.42.3 (release date: 05-25-2018) using the x86 ISO.” reads a blog post published by Tenable Research.

“All of these vulnerabilities require authentication (essentially legitimate credentials). If the authenticated RCE vulnerability (CVE-2018-1156) is used against routers with default credentials, an attacker can potentially gain full system access, granting them the ability to divert and reroute traffic and gain access to any internal system that uses the router.”

Jacob Baines, the Tenable researcher who devised the attack technique, also made a proof of concept of the attack, he explained that it is possible to trigger  a stack buffer overflow in the sprintf function of the licupgr binary.

“The licupgr binary has an sprintf that an authenticated user can use to trigger a stack buffer overflow. The sprintf is used on the following string:

MikroTik routers poc

“Where the user has control of the username and password strings, an authenticated user can exploit this to gain root access to the underlying system,” explained the expert.

What’s expected now?

MikroTik released RouterOS versions 6.40.9, 6.42.7 and 6.43 in August to address the flaws, users have to upgrade their devices and change the default credentials.

Unfortunately, the experts revealed that only approximately 30 percent of vulnerable modems have been patched, this means that roughly 200,000 routers could be hacked.

The good news is that currently, experts are not aware of the technique being exploited in the wild.

“Based on Shodan analysis, there are hundreds of thousands of Mikrotik deployments worldwide, with strong concentrations in Brazil, Indonesia, China, the Russian Federation and India. As of October 3, 2018, approximately 35,000 – 40,000 devices display an updated, patched version.” concludes Tenable Research.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – MikroTik routers, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment