A Comprehensive Review on the Less-Traveled Road: 9 Years of Overlooked MikroTik Pre-Auth RCE

Presented at DEF CON 31 (2023), Aug. 11, 2023, 3:30 p.m. (45 minutes)

MikroTik is a supplier of network infrastructure, and its products and RouterOS are widely adopted: at least 3 million devices are currently running RouterOS online. RouterOS has been actively targeted by attackers; the CIA exploits leaked in 2017 and the mass exploitation that followed in 2018 are examples of the havoc that can be caused when such devices are maliciously exploited. RouterOS has therefore also attracted many researchers hunting for bugs in it. However, few high-impact vulnerabilities have been reported over a long period. Did the OS become perfect overnight? Of course not; some details have been missed. Research on RouterOS has mainly focused on jailbreaking, Nova Message in IPC, and analysis of exploits in the wild. Research on Nova Message in particular has reported a large number of post-auth vulnerabilities. However, the architecture design and the lower-layer objects, which are closely tied to the functionality of the Nova binaries, were neglected because of their complexity, so some details were overlooked for a long time.

Starting with an introduction to the mechanisms of the socket callback and the remote object, we will disclose more about the overlooked attack surface and its implementation in RouterOS. We will then discuss how, at the end of these rarely visited trails, we found a pre-auth RCE that has existed for nine years and can be exploited on all active versions, as well as a race condition in the remote object. We will also share our methodology and the vulnerability patterns we identified. By delving into the design of RouterOS, attendees will gain a better understanding of the overlooked attack surface and its implementation and be able to review the system more reliably. Finally, we will share our open-source tools and methodology to help researchers study RouterOS and make it less obscure.

Presenters:

  • NiNi Chen - Security Researcher at DEVCORE
    Ting-Yu Chen, aka NiNi, is a security researcher at DEVCORE and a member of the Balsn CTF team. He won the title of the "Master of Pwn" at Pwn2Own Toronto 2022 with the DEVCORE team. NiNi has also made notable achievements in CTF competitions, including placing 2nd and 3rd in DEF CON CTF 27 and 28 as a member of HITCON⚔BFKinesiS and HITCON⚔Balsn teams, respectively. NiNi is currently immersed in vulnerability research and reverse engineering, continuing to hone his skills. You can keep up with his latest discoveries and musings on Twitter via his handle @terrynini38514 or blog at http://blog.terrynini.tw/.
