Help Me Vulnerabilities You're My Only Hope
Formal Metadata
Title: Help Me Vulnerabilities You're My Only Hope
Author: Jacob Baines
Number of Parts: 335
License: CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers: 10.5446/48380 (DOI)
Language: English
Series: DEF CON 27 (part 79 / 335)
Transcript: English (auto-generated)
00:00
We're going to talk about routers that are pretty horribly broken, and then you can't fix them apparently, but you are going to break them to fix them if they are broken. Good? Ah, sure. I'm a lawyer, I do what I can. Let's give our next speaker a big round of applause. Alright, thank you everybody, and welcome. So this is Help Me
00:26
Vulnerabilities, You're My Only Hope, and this talk is about using vulnerabilities to determine if your MikroTik router has been exploited. I actually talk a lot about code that I wrote and data I collected, and I actually just pushed this
00:42
all to GitHub this morning. Slides are up there too, so check that out when you have a chance. And here's just the talk's agenda. I'll start with some background on MikroTik and why their routers are interesting. In the middle I'll present the problem MikroTik administrators are facing, and then I'll present a solution to that
01:01
problem. Finally, after we get root, I'm going to get to a brain dump of all the fun places attackers can hide in RouterOS that I know about. But I'm going to start with a very brief introduction of myself and some work I've done. My name is Jacob Baines and I use the handle vinyl lobster. I work at Tenable as a
01:27
member of the zero day research team. On the research side I really like working on MikroTik routers. The system design is fairly interesting and it uses a custom protocol that is fun to interact with. And I've written about the routers a few
01:43
times, as you can see, and that's my bald head up there at DerbyCon last year talking about the custom protocol. I've also found a few vulnerabilities in the system, a couple of which will be featured in this talk. But not everyone is familiar with MikroTik, so I want to introduce the victim. MikroTik is a Latvian
02:06
company, and they produce networking devices and associated software. The products they sell are deployed around the world, and for a few reasons they have a very enthusiastic user base. Not just on their MikroTik forums and on places
02:23
like Reddit, but also they hold MikroTik user meetings across the globe, which can yield some pretty interesting results, and I'll speak about that in a little bit. But like I was saying, MikroTik makes routers, and since I work on these routers a fair amount
02:41
I inevitably try to talk to my coworkers about these. Unfortunately I believe this is what comes to mind when I'm talking to them, just this little SOHO router. Which inevitably yields this expression, because who really wants to listen to some guy talk about a SOHO router for months on end. But when I think about MikroTik, this is
03:05
what I'm thinking about. This is a Cloud Core Router. It has 36 cores and advertises 28 gigabit per second throughput. And what's really interesting is that little SOHO router and this big router actually share the same operating system, called Router
03:22
OS. Now this router is good enough for a large enterprise or an ISP. In fact I know it's used by ISPs, because they like to show up to these MikroTik user meetings and give presentations on their ISP deployments featuring these MikroTik routers. You don't have to take my word for it, I linked a bunch in here, and I actually
03:45
stole this screenshot from a small ISP in the Philippines. You can see it's just a handful of core routers in a rack. And of course you can actually find quite a few MikroTik routers on Shodan. The router does have a bunch of management
04:04
interfaces, so it's kind of hard to get an exact number of how many are internet facing, but you can see the web interface right there is about 600,000. But one interface you won't find on Shodan is for this guy, and this is the screenshot of
04:22
their management client called Winbox. It uses a custom protocol over 8291 in order to communicate with the router, and as far as I know none of the internet scanning search engines actually index this. Which is really unfortunate, because most of the recent vulnerabilities for MikroTik use port 8291 as the attack vector.
04:47
However, back in March, before they got crubbed, PacketTel did an internet-wide scan of TCP port 8291 and they actually tossed the results up on their website. The website's now kind of down, or at least last I checked it was. But you can grab the results off
05:04
the Wayback Machine, and what you find in that data set is 3.6 million IP addresses that respond to that TCP scan. That's a pretty useful data point, I think, but it doesn't say exactly how many are really MikroTik routers. And since last
05:27
year I'd actually released a library that can talk this MikroTik protocol, I figured, well, why don't I scan these 3.6 million addresses and determine which ones are MikroTik. And so that is what I did. I wrote the scanner and it ran in late
05:46
June into July of this year. And mind you, the PacketTel data was from March, so it was getting a little stale, but I was able to identify half a million MikroTik routers with their Winbox exposed to the internet. Which according to MikroTik itself is a
06:02
pretty big no-no. Also interestingly, at least 40% of the scanned routers were vulnerable to a firewall bypass that I'd published in February. So that's just our first indication of the poor patching practices. So this pie chart itself is not
06:25
super interesting, but I have a specific point I want to make here. You can see that 60% of the devices I scanned had been patched in the last year. That's the rather large chunk that says newer than 6.43rc4. But everything else is more than a year behind
06:43
in patching. Most notable is the older than 6.28 chunk, and RouterOS 6.28 is more than 4 years old now. All I'm really trying to say here is MikroTik administrators are not well known for their good patching practices.
07:06
So that leads very nicely into this section. MikroTik routers have seen a number of exploitation campaigns over the last few years, so I want to discuss some of those.
07:20
So we can start in 2017, when WikiLeaks released Vault 7. Vault 7 contained this zero day exploit that was called Chimay Red. Now Vault 7 didn't actually contain the exploit code or an explanation of how it works, but MikroTik did issue a
07:40
patch. As far as I know, BigNerd95 here was the first to reverse it and figure out how it worked. It's an unauthenticated stack clash in the web server. And as we've seen, there are about 600,000 web servers currently available. About a year later, in February 2018, Kaspersky published their
08:06
research on the Slingshot APT. Now Kaspersky noted that Slingshot had exploited MikroTik routers with an unknown vulnerability in order to replace some DLLs on the router. And the DLLs actually get downloaded by the Winbox client. So not only did
08:22
Slingshot exploit these routers, but they were able to exploit the downstream admins as well. And not long after that, in May 2018, Talos released their first iteration of their VPNFilter work, and MikroTik routers were also caught up in that. Again, no specific vulnerability mentioned, but MikroTik's official
08:45
statement implied that the exploit was Chimay Red, although I personally take that with a grain of salt. Either way, I want to point out this FBI notice that simply states for everyone to reboot their routers, and we will see later that that is not
09:03
going to remove malware from a MikroTik router. So this is more of an ongoing thing to my understanding. This is a picture from a very nice analysis done by Trend Micro on TrickBot from March 2019, and you can see the threat actor was actually using
09:24
exploited MikroTik routers to run command and control for their installed TrickBots. It's a great way to stay hidden, but really not great for the router owners. So this post actually appears on the MikroTik forums on April 20th 2018, and it
09:43
basically says someone has logged into my router and now I have a couple of weird bash scripts in my user directory. And a couple of posts after that a guy running a wireless ISP comes on and says, yeah, we're seeing the same thing. And so this turns out to have been a zero day being used in the wild. And 3 days
10:06
later MikroTik actually issued a patch for this, which is a pretty good turnaround in my opinion. Their statement basically says, you know, someone with a custom tool can connect to the Winbox port without authentication, download the user database and
10:23
recover user names and passwords. But that's it for details. There was no PoC, there's no CVE. But a month later a couple of researchers posted this analysis of the vulnerability, and shortly after that they published a working PoC, and then after that
10:43
finally CVE-2018-14847 was assigned. And the PoC they wrote actually gives the attackers the credentials they need to log into the router and start messing with the configuration. And, you know, as we've seen, MikroTik routers don't get patched very
11:04
quickly, so people kind of ran with this. One of the things they did was inject Coinhive JavaScript into the custom 404 page that the router can serve up. This is a tweet from Bad Packets Report, and it was around the peak of this Coinhive madness in
11:20
October 2018, where you can see a quarter of a million affected routers. But other attackers had other ideas. One of the good features of MikroTik routers is that they support packet capture and forwarding. So according to Netlab 360, about 7,500 routers have their packets forwarding to a third party. And another
11:46
attack mentioned by Netlab had nearly a quarter of a million routers with their SOCKS4 proxy enabled just for this one specific net block, which I thought was both weird and fascinating. And I've skipped over other threats like Kaimi Blue, but I
12:04
think you guys kind of get the idea at this point. And the reality is none of this stuff is really going away. So this is a tweet from just last month from GreyNoise, and if you're not familiar with GreyNoise, they have honeypots all over the place. And you can
12:21
see here they noticed a very large increase in scans for CVE-2018-14847 just last month. And I had actually written and deployed my own Winbox honeypot around that same time period. And while the numbers weren't crazy, almost every connection to the
12:42
honeypot was an exploitation attempt. It only took about an hour and a half of the honeypot being online before the first exploitation attempt rolled in. And again, like everything in this talk, both the code and results are up on GitHub. And
13:04
of course this is a sort of different kind of threat. Zerodium tweeted this earlier this year, and this offer is still on their website last I checked. And while this isn't Apple zero day money, it certainly isn't nothing either. So presumably Zerodium has someone they want to sell this to. So why did we talk about all that? Well,
13:27
hopefully I convinced you that these routers, you know, they're not just little home routers, but they're also big beefy enterprise ISP routers. And, you know, they've been exploited quite a bit. But what is the problem I'm here to talk about? So this is the
13:45
problem. From left to right, you're looking at Winbox, WebFig, and the MikroTik terminal. And this is more or less what the administrator has to interact with the device. What you won't find is a real shell, any way to access the
14:04
underlying file system. The administrator really runs in a jail, and they just don't have any way to know if they've been exploited. And I'm not the only one to notice this. This is just a small sample of people on the MikroTik forums
14:24
wanting to know how they can tell if they've been exploited. And this is actually MikroTik's official statement in response to CVE-2018-14847. I highlighted the good part. You can see it says there's no way to know if you were affected. And the security
14:48
community isn't much better, because what do we do? We write nice blogs, I'm certainly guilty of that, and we publish file hashes. But a MikroTik administrator can't actually access the file system, so the file hashes aren't
15:03
incredibly useful to them. So that's kind of where the MikroTik community is: blindly hoping they weren't exploited, or, if they've upgraded, that the actor has been pushed out. But to my thinking that isn't very acceptable, because there are
15:22
serious implications for any person or organization with a compromised router. You really do need to know if you're affected or not. But without any type of official solution, and really no other alternative, we turn to our only hope, and that's the vulnerabilities themselves. So perhaps we can jailbreak these routers and get some
15:43
answers. But there is one immediate problem with my plan, and that's the number of architectures that RouterOS actually supports. I think MikroTik has a goal to collect all the architectures. But writing and maintaining stable shellcode for all these
16:02
architectures would surely be an obnoxious task that I certainly was not willing to undertake. The other problem is MikroTik releases so many versions of RouterOS; they have even released a version since I gave these slides to DEF CON. And you can see since 2013 they've released about 2 official versions per month. That's ignoring all the
16:24
release candidates. And that's just a lot of versions we need exploits for, and it'd be tough to test stable exploits across all those versions. So that's kind of 2 strikes against my vulnerability-saving-the-day plan. But this is our saving grace:
16:44
RouterOS has a backdoor in it. It's there on purpose. If a special file exists in a specific location, you can log in as the devel user and get a root BusyBox shell. And I cannot emphasize enough, users cannot, they should not, and
17:05
they were never intended to be able to make this file and get this root shell. But I think with some help from our vulnerability friends we might be able to get root and answer some questions. So here's the first vulnerability. This was actually found by
17:25
HackerFantastic, and it was dropped as a 0-day on December 11th 2018, and MikroTik shortly followed up with some patches. This vulnerability has no CVE and it's just a simple arbitrary file creation bug. You literally just tell the telnet client to
17:44
create a file. Pictured here you can see that I tell the telnet client to set the trace file to /ram/pckg/option, and that just happens to be the backdoor file. I then log in as devel and get a BusyBox root shell. And just a quick
18:06
note about vulnerabilities requiring authentication on RouterOS. The system ships with a default admin user with no password. And neither the login for the web interface nor the Winbox interface has any sort of brute force protection. So I've
18:22
written a couple of PoCs to prove that out. So while HackerFantastic's bug does require authentication, it's still quite serious. But back to the bug itself. When HackerFantastic dropped this vulnerability it was just a basic breakdown of how you would manually type in the attack. Writing a full PoC requires the author to know how the
18:45
Winbox protocol works, and since I'm one of the 3 or 4 idiots that publicly understands that, I went ahead and wrote these PoCs that automate HackerFantastic's exploit. These will create the backdoor file so you can log in as root. So this
19:04
next vulnerability is one that I found, and it was patched twice. Once in March of this year in the stable branch of RouterOS, and then again in May in the long-term version of RouterOS. Interestingly, MikroTik doesn't actually flag this patch we see here
19:23
as a vulnerability. They simply call it improved file handling. And they don't even mention the CVE I assigned. But either way, this is a good example of a vulnerability. This bug is a file traversal bug, and it gives you the ability to both create directories and read or write files. So it's very powerful, but does
19:46
require authentication. So I have a couple of PoCs for this; again it just creates the backdoor, and again it works all the way up through May of this year. Finally, the
20:04
last vulnerability that we'll be using is CVE-2018-14847. This is the vulnerability that actually started out on the MikroTik forums. It also turns out that this is a directory traversal bug, and it can also be used to read or write files anywhere on the
20:24
box. Since I already released an exploit for this back for DerbyCon, there's nothing new to release today. But basically the summary of the situation is we have these 3 great file creation vulnerabilities, and they work over a variety of
20:41
interfaces, and all of them can create the backdoor file to enable the root shell. You know, and also the MikroTik community has this general problem that they can't determine if they've been owned or not. So I'd like to introduce you to a little tool I wrote. It's called Cleaner Wrasse, and Cleaner Wrasse aims to be a very simple
21:04
tool. The user simply provides the IP of the router, a username and a password, and Cleaner Wrasse will do the rest. It'll either try exploiting the Winbox interface or the WebFig interface; it automatically figures out the
21:22
router's version and then creates the backdoor file however or wherever that version dictates. Cleaner Wrasse gets root on versions of RouterOS from 2011 all the way through May of this year by using the 3 vulnerabilities we talked about. RouterOS versions 3 through 6 are all supported, and all architectures are
21:45
supported, because again none of these vulnerabilities actually require any type of shellcode. Another thing that actually comes with Cleaner Wrasse is a little script called wrasse.sh. All you do is you upload that to your router, and with
22:02
your brand new root shell you run it, and it will look for all sorts of bad stuff in the router and let you know what is there. So it's really cool that we got root and that there's this little script to find all the bad stuff in the router, but this is DEF CON and we want to know about all that bad stuff, so let's go exploring post
22:24
exploitation. Uh and first of all a small disclaimer uh this this discussion is really gonna focus on router OS 6.0 and above uh because before 6.0 as you can see the entire file system was read write. Um so you didn't need any special tricks to hide in the
22:45
system. But modern router OS is quite different uh it's full of tempfs and read only file systems uh so surviving a reboot is not necessarily a given. Um luckily uh since the last release of router OS 5 um was 4 years ago uh there's probably no more 5, 4 or
23:06
version 3's out in the wild. Uh there are. Uh and just one more final point before uh we start talking about the interesting stuff. Uh if you go home and you decide to root a
23:24
router OS VM or a router you have uh do yourself a favor and up upload your own busy box. Uh the built in busy box is extremely limited. It doesn't even have LS uh so it can be quite obnoxious to use. So let's start with something simple. Uh almost everything
23:45
should be let me expand this. Almost everything on the system should be executing out of slash bin slash s bin or slash nova slash bin. Uh and these are actually read only directories that come from digitally signed package that in theory uh should be totally
24:05
trustworthy. Oop shouldn't be messing with stuff. Uh if you see anything executing out of slash read write or uh slash flash uh then you have almost certainly been owned. Uh so because that's persistent file save uh persistent file space that router OS does not
24:25
normally use for execution. Uh finally um you should be looking at these slash package items. You can see them in the PS output. Uh they need to be analyzed a little closer. But before we look at these slash package items um you need to understand that everything uh
24:44
in router OS is a package. Uh for example the files in etsy and the and the binaries in bin are part of the sys are part of the system package. You can see at the bottom of the screen. Um at boot time a squash FS file system is extracted from these
25:00
packages uh and mounted as read only in the package directory. And um you know I kind of apologize for this Charlie Daya slide uh but this is all I'm trying to say here. Uh all the packages get mounted in slash package which it's itself is a read write
25:22
directory within a temp file system. Uh and because the package directory is read write anyone could add their own files there and execute them. Uh in fact picture to the left is a very suspicious looking uh slash pack uh package slash lol directory. Um and uh
25:41
it has a very scary looking RC script. Uh so what is the take away from this slide is basically uh everything in slash package should either be uh a mounted uh read only squash FS file system uh or a s a valid symlink into bundle. Anything else is malicious. So you
26:01
can see the lol directory and the option directory do not belong. So while it's true that package is a place that router OS executes from you do want to be careful and make sure nothing new has been introduced. Uh because if you're just looking at the PS output you'll get something like this. I'm executing busy box uh it blends right in it
26:24
doesn't belong. Since we were messing around in the package directory, I personally found this to be a little interesting. There's this Check Installation button in the packages UI, and there's not a lot of documentation for it. There's no
26:43
documentation that I could find. But also pictured here is a forum post of some guy that left his router open to the internet just to see what would happen. He asked a good question: how do I know if it's been owned? Will Check Installation be useful? So I ran Check Installation with BusyBox running like it was in the previous
27:05
slide, and you can see that RouterOS said that's just fine. A different thing you want to look at is the /proc maps for
27:21
the SNMP, WWW and profiler binaries. Here's a screenshot of SNMP's /proc maps. SNMP itself lives in a read-only directory called /nova/bin, but you can see that I've gotten it to load a shared object called lol.so. That's
27:41
basically because the SNMP library will loop over all the package directories, and if it finds an snmp subdirectory it will load any .so that it finds. This is just part of that SNMP logic; as you can see, it does compare the end of the string against .so,
28:04
and if it matches then it will just dlopen whatever. And of course hiding execution in a shared library is pretty neat, so I wrote a POC that uses CVE-2019-3943 to write
28:20
this to disk. The POC will then stop the SNMP process and restart it, and that way the shared object gets picked up by SNMP, and then you can see this constructor gets executed. The constructor actually deletes itself and creates the back
28:40
door file so we can log in. I would again like to take a moment to be very petty and say that MikroTik did not put out any notification to their customers about this CVE. In fact, you're going to want to check the /proc maps for all the binaries, because the first entry in the library load path is a directory
29:04
called /rw/lib. You might recall I said earlier that RouterOS doesn't execute out of /rw, and that is normally true. In fact this directory doesn't even exist; when you exploit the router you're going to have to create the lib directory yourself. But what's really great about /rw/lib
29:25
is that it lives in persistent file space, so anything we add there will survive reboots. So here we are looking at the /proc maps of /nova/bin/fileman, and
29:41
all of the libraries that this binary actually wants to load should be in the read-only directory /lib. But you can see here, highlighted in red, that I was able to load libz.so out of /rw/lib. And of course I have a proof of concept for
30:04
this one as well, but this time the proof of concept is MIPS big-endian. The way this basically worked is I downloaded the real libz, added this silly constructor, cross-compiled the library, and then used CVE-2019-3943 yet again
30:23
to create the lib directory and write the shared object. Eventually fileman will just restart and pick this up, so this will create the backdoor without rebooting. Speaking of rebooting the system, let's talk about persistence a little bit.
30:46
One of the challenges with the backdoor file is that in newer versions it actually got moved into tmpfs package space. What that means is when you reboot the router the developer backdoor disappears on versions 6.41 and above, which is nearly
31:03
every release since December 2017. Also, the behavior of upgrades is still sort of a black box: lots of files are overwritten, some are deleted. But back to /rw/lib: like I said, it survives reboots like a champ. libz in particular gets loaded
31:26
somewhere very early in the boot process, so the creation of the backdoor is seamless, and it even works in the most recent release, which was July 19th, 6.45.2, which is actually pictured here. So I actually had very high hopes that I could use
31:42
this mechanism to persist across upgrades. Unfortunately, or fortunately depending on your view, the upgrade process deletes the entire /rw/lib directory, so it's still very good for persisting across reboots but very terrible for surviving upgrades. So,
32:05
switching gears yet again, remember that everything on the system is a package, and the packages use the NPK file format. Part of that format is what appears to be some sort of digital signature. Before these packages get installed the signatures
32:21
are verified, and then they're stored in the directory /var/pdb. As I've mentioned before, when the system boots it unpackages these NPKs and mounts the SquashFS file system that's stored within. One weird
32:42
thing about /var/pdb is that it's entirely read-write, so as root we can modify these NPK files. When I figured this out I was just wondering what would happen if I overwrote one of these files. So I had a silly
33:03
experiment where I just echoed "lol" over the system package, and the system package again is the one that contains all the basic Linux stuff like /bin, /lib, /etc. So I overwrote it and rebooted, and I was met with this error
33:21
message. You can see it says no system package found, and then it went into an infinite reboot. So I wondered, if I can overwrite a package, maybe I can introduce my own. So I wrote this tool called modify NPK, and it takes in a valid
33:42
MikroTik NPK and a user-created SquashFS file system, and it replaces the valid SquashFS with the user SquashFS. Now obviously, since we've modified the NPK, the signature is totally invalid. But if you take the output from modify NPK and you
34:06
create your own package in /var/pdb and reboot the system, what's going to happen? Well, here you can see that I've created a package called ras, moved it into /var/pdb and rebooted. And there you can see that my package actually
34:25
successfully installed despite having an invalid signature. Of course each package has its SquashFS file system mounted read-only, so what did I put in my SquashFS file system? An RC script that basically just creates the backdoor at boot time.
34:46
And of course, since this package was successfully installed, it will survive a reboot without any type of issue. But we do finally learn what Check Installation does: it appears to validate the NPK files in /var/pdb. You can see that if a user runs
35:04
Check Installation when my package is installed, then it gets flagged as a bad image. Now MikroTik did eventually patch this in 6.42.1, but it's unclear to me if they knew they fixed this or it just happened to get
35:25
accidentally fixed. At the bottom, this is the only release note that I think could maybe sort of be related. But still, given the number of pre-6.42 installs that still exist, to me this is a pretty interesting persistence technique
35:42
and sort of an even more interesting developer mistake. So let's talk about RC scripts a little bit. I first saw this in the comment I read repository, so I can't really take any credit for it. But in RouterOS up to 6.40.9
36:02
you just make an RC directory structure off of /flash/etc, and that will be treated like any normal RC scripts. So if you drop something like S18lol, it will be executed next boot. And again, since this is in /flash, it's entirely
36:24
persistent across reboots. Super simple, dead-easy persistence method; fortunately, this was fixed. And of course the system has its own RC scripts off of the /etc directory, and there are two that I want to talk about. You can see first the
36:43
S08config script. You can see it's very simple: if /rw/RESET exists, then it just gets executed. Yet again, another dead-easy persistence mechanism, but this was fixed after 6.40.5. But in 6.40.1 the script
37:05
S12defconf was actually changed so that the contents of /rw/DEFCONF were executed by an eval statement. And this is still the case; pictured here is 6.45.2, which like I said was just released in July. This is actually the
37:23
persistence mechanism that Cleaner Wrasse uses for these newer versions. But /rw/DEFCONF isn't perfect; it has a couple of issues. The first is that if /rw/DEFCONF exists on the system and no one has yet logged in, then it
37:43
disables login for everyone, including the backdoor, so basically it shuts down the device. The second thing is that if /rw/DEFCONF exists, then upgrades silently fail. The upgrade looks like it was successful, but it will be the exact same
38:01
version number; no error logs, no nothing. So Cleaner Wrasse gets around this login issue by using an RC script off of /package that simply moves a staged file to /rw/DEFCONF at shutdown. That seems complicated enough to me that I decided to
38:24
make a standalone POC that people can check out if they're interested. Basically the POC uses CVE-2019-3943 yet again to create a DEFCONF file, and once the system is rebooted the DEFCONF file will get executed and will put that persistence
38:43
mechanism into place. I never found any type of solution for fixing the disabled upgrade, so I'm just going to call that a feature. In fact, I never found any way to maintain execution through an upgrade, although I'm sure it exists. But if
39:08
you can't maintain execution, what can you do? My solution was just to drop a hidden symlink in the user directory that the MikroTik user can actually access. You can see here I've actually FTP'd into the router and I found the symlink
39:25
.survival, and it's a symlink to root. It's worth noting that if you're using either Winbox or the web client, neither of them show hidden files, so they can't see the symlink. So this is just an example of me regaining execution using the
39:49
symlink. You see I have this DEFCONF file; I FTP in, traverse the symlink, move to the /rw directory and put DEFCONF. And after a reboot I log right in as
40:04
a devel user and I have a full shell. Once again this is 6.45.2, just released in July. And just to prove that the reboot persistence still works, I rebooted the system, I'm logging in
40:22
again and I still have my shell. So that's mostly what I have for you today, and that's actually a fair amount of material, so I wanted to just provide a quick summary slide. I will not sit here and read this to you; this is more for review.
40:40
Like I said, everything is on GitHub, so you can check out the summary if you want. But I think it's fair to say that I identified a problem with MikroTik routers, offered a solution and shared various ways I believe attackers could abuse the system. One of the best parts of any talk, in my opinion, is to get new ideas for your
41:03
own research, so here are just a few things I know that could be tackled. Recently both the Winbox and JSProxy login algorithms changed; no one has published anything about those, and that would be pretty useful. I
41:22
have never looked at the NPK loader system. Obviously we see that it has had issues in the past; that would probably be fun to dive into. There are actually a lot of kernel modules MikroTik has written for the system; I have not peeked at any of those. And I did look briefly at package signing and verification and it looked messed up, but I'm not a
41:43
crypto guy, so it could just be that I didn't understand it, so someone would probably do well to look at that. And of course we always need more jailbreaks to expand Cleaner Wrasse. That is all I have for you today. Appreciate everyone coming. Thank you to the goons, and I can take any questions with what time we have
42:04
left.