Mandatory disclaimer: I am no longer affiliated with Core Security, so the content of this post does not reflect its views or represent the company in any way.

The last few years have seen a surge in the number of public vulnerabilities found and reported in MikroTik RouterOS devices: from a remote buffer overflow affecting the built-in web server included in the CIA Vault 7 leak to a plethora of other vulnerabilities reported by Kirils Solovjovs from Possible Security and Jacob Baines from Tenable that result in full remote compromise. MikroTik was recently added to the list of eligible router brands in the exploit acquisition program maintained by Zerodium, including a one-month offer to buy pre-auth RCEs for $100,000. This might reflect an increasing interest in MikroTik products and their security posture.

This blog post is an attempt to make a small contribution to the ongoing MikroTik RouterOS vulnerability research. I will outline the steps we took with my colleague Juan (thanks Juan!) during our time together at Core Security to find and exploit CVE-2018-7445, a remote buffer overflow in MikroTik's RouterOS SMB service that can be triggered by an unauthenticated attacker. The vulnerability is easy to find and exploitation is straightforward, so the idea is to provide a detailed walk-through that will (hopefully!) be useful for other beginners interested in memory corruption. I will try to cover the full process from "hey! let's look at this MikroTik thing" to actually finding a vulnerability in a network service and writing an exploit for it.
Highlights:

- The post describes the full process from target selection to identifying a vulnerability and then producing a working exploit.
- Dumb fuzzing still found bugs in interesting targets in 2018 (although I'm sure there must be none left for 2019!).
- The exploit uses ROP to mark the heap as executable and then jumps to a fixed location in the heap.
- The vulnerable binary was not compiled with stack canaries.
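The highlights say the ROP chain's only job is to make the heap executable and then jump to a fixed heap address. The program below is an added illustration of that final stage, written for this page; it is not code from the post and has nothing to do with the actual RouterOS chain or its gadgets. It stages a constructed payload (a stub that just returns 42) in an ordinary heap page, shows that jumping there directly is stopped by NX (a forked child dies with SIGSEGV), then does what the ROP chain would do, `mprotect()` the page to RX, and calls into it. It assumes Linux on x86-64 or AArch64 with a non-executable heap; the page-aligned allocation and the payload bytes are my own setup.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Added illustration (not RouterOS code): the last stage of an exploit like
 * the one summarised above, after a ROP chain has called mprotect() on the
 * heap and jumps to a fixed heap address that holds shellcode.
 * The "shellcode" here is a constructed stub that only returns 42.
 */

typedef int (*payload_fn)(void);

#if defined(__x86_64__)
/* mov eax, 42 ; ret */
static const unsigned char k_payload[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };
#elif defined(__aarch64__)
/* mov w0, #42 ; ret  (little-endian bytes of 0x52800540 and 0xd65f03c0) */
static const unsigned char k_payload[] = { 0x40, 0x05, 0x80, 0x52, 0xc0, 0x03, 0x5f, 0xd6 };
#else
#error "payload bytes are provided for x86-64 and AArch64 only"
#endif

/* Data pointer -> function pointer without the object/function cast warning. */
static payload_fn as_function(void *p) {
    payload_fn f;
    memcpy(&f, &p, sizeof f);
    return f;
}

/* One page-aligned page from the ordinary (RW, non-executable) heap with the
 * payload copied in, standing in for what an overflow or earlier write left there. */
static void *stage_payload_on_heap(void) {
    long page = sysconf(_SC_PAGESIZE);
    void *p = NULL;
    if (page <= 0 || posix_memalign(&p, (size_t)page, (size_t)page) != 0) return NULL;
    memcpy(p, k_payload, sizeof k_payload);
    return p;
}

/* Execute the payload in a forked child so the parent survives a crash.
 * Returns 1 if the child was killed by SIGSEGV (NX stopped it), 0 if the payload
 * ran and returned 42, -1 on any other outcome. */
static int jump_in_child(void *p) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int r = as_function(p)();
        _exit(r == 42 ? 0 : 1);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSEGV) return 1;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0) return 0;
    return -1;
}

/* What the ROP chain achieves: flip the heap page to RX, then call into it.
 * Returns the payload's return value (42), or -1 if mprotect() refused. */
static int make_executable_and_jump(void *p) {
    long page = sysconf(_SC_PAGESIZE);
    if (mprotect(p, (size_t)page, PROT_READ | PROT_EXEC) != 0) return -1;
    /* Needed on AArch64 (separate I/D caches); harmless on x86-64. */
    __builtin___clear_cache((char *)p, (char *)p + page);
    return as_function(p)();
}

int main(void) {
    void *p = stage_payload_on_heap();
    if (!p) { perror("posix_memalign"); return 1; }
    printf("before mprotect: %s\n",
           jump_in_child(p) == 1 ? "child died with SIGSEGV (NX heap)" : "payload ran?!");
    printf("after mprotect:  payload returned %d\n", make_executable_and_jump(p));
    return 0;
}
```

Two things worth noting for the real case: in a live exploit the `mprotect()` arguments (page-aligned address, length, `PROT_READ|PROT_EXEC`) have to be loaded into registers by gadgets before the call, and the final jump needs a heap address that is the same on every run, which is exactly why "a fixed location in the heap" is the notable part of the highlight.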