A security researcher has detailed the lengthy and ingenious route he took to fully compromise a MikroTik router, exploiting vulnerabilities that the manufacturer has recently patched.
Tenable researcher Jacob Baines points out in a detailed blog post that the vital hub that leads to the chain of compromise is simply allowing the router to run Winbox, which if disabled in favour of SSH would mitigate all of the attacks. "Unfortunately, last I looked, there are more than half a million Winbox instances facing the internet," noted Baines, indicating that the issue is still very much a live one.
This is far from the first time that Tenable has documented serious vulnerabilities in MikroTik routers. A slew of issues has been reported over the last few years, including the directory traversal bug CVE-2018-14847, reported back in late 2018. Tenable noted at the time that, based on Shodan analysis, there were hundreds of thousands of MikroTik deployments worldwide, with strong concentrations in Brazil, Indonesia, China, the Russian Federation and India.
Baines began this latest journey to root with the resolve command used for DNS lookups, which on MikroTik devices is hooked into RouterOS's Winbox protocol. The protocol "allows an unauthenticated remote user to make DNS requests through the router to a DNS server of their choice," states Baines, which he then used to poison the router's DNS records - specifically the manufacturer's update domains.
Next, Baines performed a downgrade attack, aided by the fact that the MikroTik update process is conducted over HTTP, exposing the operational details to an attacker. Although the packages themselves are signed, tricking the router into installing an older package as a new update is a matter of renaming an older version and duplicating the legitimate server routines exposed over HTTP.
The key element of the downgrade attack was the following note in the official changelog:
Due to removal of compatibility with old version passwords in this version, downgrading to any version prior to v6.43 (v6.42.12 and older) will clear all user passwords and allow password-less authentication.
This downgrade attack thus not only clears the admin password, but also re-introduces a host of previously-patched flaws that can be exploited. Finally, Baines details a method of creating a backdoor into the system without using a new exploit, due to "a bug in package installation that allowed an attacker to create arbitrary directories on the system."
"First, MikroTik fails to include the first 8 bytes of the file in the SHA-1. These bytes contain the file’s magic bytes (0xbad0f11e) and the total length of the file. Furthermore, RouterOS stops computing the package’s SHA-1 once it hits the signature section. Meaning, an attacker can append arbitrary data to an npk (software package used to deliver and install updates to MikroTik routers) and it won’t invalidate the signature verification scheme," claims Baines.
This allows an attacker to use an appended "part info" field to create a directory anywhere on disk, which in turn means that the backdoor enablement file for 6.41.4 - /pckg/option - can be created and accessed.
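As an added illustration of the check that the hashing gap described above calls for (this is not code from Baines' post or from MikroTik), the following Python script flags a package file that carries bytes beyond the length its header declares, and contrasts a digest that covers only the header-declared region with one over the whole file. It assumes a little-endian 4-byte magic followed by a 4-byte little-endian length counting the bytes after the 8-byte header; the real npk layout may differ, and the sample package is constructed inline.

```python
import hashlib
import struct

NPK_MAGIC = 0xBAD0F11E  # magic value named on the page; little-endian layout is an assumption
HEADER_LEN = 8          # magic (4 bytes) + total length (4 bytes), as described on the page


def build_sample_package(body: bytes) -> bytes:
    """Construct a minimal npk-like blob for the demonstration (not a real package)."""
    return struct.pack("<II", NPK_MAGIC, len(body)) + body


def parse_header(blob: bytes):
    """Return (magic, declared_length); raise if the header is short or the magic is wrong."""
    if len(blob) < HEADER_LEN:
        raise ValueError("blob shorter than the 8-byte header")
    magic, declared = struct.unpack("<II", blob[:HEADER_LEN])
    if magic != NPK_MAGIC:
        raise ValueError(f"unexpected magic 0x{magic:08x}")
    return magic, declared


def trailing_bytes(blob: bytes) -> int:
    """Bytes present after the region the header accounts for; anything > 0 is suspicious."""
    _, declared = parse_header(blob)
    return len(blob) - HEADER_LEN - declared


def covered_sha1(blob: bytes) -> str:
    """Simplified model of a verifier that skips the first 8 bytes and ignores appended data:
    the digest covers only the header-declared region, so trailing bytes never change it."""
    _, declared = parse_header(blob)
    return hashlib.sha1(blob[HEADER_LEN:HEADER_LEN + declared]).hexdigest()


def full_sha1(blob: bytes) -> str:
    """SHA-1 over every byte on disk: the value a defender's integrity check should record."""
    return hashlib.sha1(blob).hexdigest()


def audit(blob: bytes) -> dict:
    """Summarise whether a package file looks padded beyond its declared length."""
    extra = trailing_bytes(blob)
    return {"trailing_bytes": extra, "covered_sha1": covered_sha1(blob),
            "full_sha1": full_sha1(blob), "suspicious": extra > 0}


if __name__ == "__main__":
    clean = build_sample_package(b"constructed package body")       # constructed sample
    tampered = clean + b"bytes appended after the covered region"   # constructed sample
    for name, blob in (("clean", clean), ("tampered", tampered)):
        print(name, audit(blob))
```

Running it shows the covered digest is identical for both samples while the full-file digest differs and the trailing-byte count flags the tampered one.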
"While the focus is on getting root, the Cache poisoning attack is really powerful on its own," Baines told SC Media UK.
"When the router is used as a DNS server (which isn't uncommon), all of the router's internal hosts are affected, allowing an outside attacker to redirect internal hosts to malicious sites," he said, explaining the impact of the attack.
The researcher suggested that the best overall mitigation would be to disable Winbox entirely, but given the wide range of MikroTik implementations across the globe, this may prove problematic from a practical point of view.