0day DoS: Mikrotik Server side DoS attack


After exploring the winbox clientserver protocol, i wanted to find some ways to get rid of winbox service and winbox client…
This finding, has to do only with the mikrotik router, who has winbox service running (on port 8291 or in any other port)
On my try to make a test on the server, in order to cause a lot of traffic, i saw the service being unstable, causing various probs to whole router. The minimum prob was the 100% cpu load, but there are various probs depending on hardware and routeros version. The exploit’s logic is very simple, and the winbox protocol analysis is simple too.So it made me identify that vulnerability very easy. The vulnerability found while trying to download a DLL/plugin file from mikrotik router (just like winbox client does) and choose a big file, and request the 1st part of it many times.. That is what causes the DoS. The only file needed here is the .py script, and it is tested on python 2.4 and 2.7 versions.

More details, download and usage, are below.. :

Continue reading

0day: Mikrotik’s Winbox Client Side attack. A remote code execution exploit

Hello ppl,
In this post I wanna present you a vulnerability I found and exploited, concerning Winbox. Winbox is the client that controls mikrotik routers.. It is a popular router OS. For more info www.mikrotik.com 🙂
Winbox has a custom protocol communicating with the mikrotik routers and you can select between secure/unsecure communication. Winbox uses a tcp port 8291 by default. Old routers had that port hardcoded, newer ones have the ability to change port. At the bottom of the post, you’ll find a link to download the script and the files needed. You’ll find info how/why in script comments or here…

About the exploit
The exploit you will see in this post, is a mikrotik winbox service emulator. It is a listener, that waits for a winbox client/victim to connect, sends him a malicious dll/plugin and winbox executes it. Using this feature (that we can inject dlls in winbox) we exploit also the fact that a secure connection can be decided by server-side.. So no matter what client has selected, we can sent unencrypted data in his winbox. So attacker have to social his victim or via a MiTM can gain a shell.

Download the exploit code: mtikInject
* Updated on 30/4/2012 Lines 99 & 148 as said in Post’s comments *


 Vulnerability Description
When you connect to mikrotik router using winbox, it is asking for an index with plugins (DLLs) their size, version and CRCs. If something new is found, or if that client haven’t connected to that mikrotik version yet, winbox requests the new plugin(s) (.dll file(s)) from mikrotik router. When winbox downloads all the DLLs required in order to load the controlling interface of the mikrotik router, loads those DLLs (executes the DllMain() of each one) and then tries to make an authentication to the remote mikrotik router. The vulnerability exploits that winbox is loading the remote dlls before authentication and without any further confirmation of plugins originality.

Continue reading