Mikrotik com
12/27/2022

A vulnerability exists in MikroTik's RouterOS in versions prior to the latest 6.41.3, released Monday, March 12, 2018. Details were discovered in February and disclosed by Core Security on Thursday.

MikroTik is a Latvian manufacturer that develops routers and software used throughout the world. RouterOS is its Linux-based operating system.

The vulnerability, a MikroTik RouterOS SMB buffer overflow flaw, allows a remote attacker with access to the service to gain code execution on the system. Since the overflow occurs before authentication, an unauthenticated remote attacker can exploit it. The vulnerability exists because the first byte of the source buffer is read and used as the size for the copy operation to the destination buffer - but ultimately, no validation is performed to ensure that the data fits into the destination buffer, potentially allowing a stack overflow.

Core's vulnerability advisory includes a proof of concept exploit against MikroTik's x86 Cloud Hosted Router. The function is reached by sending a NetBIOS session request message. Data execution prevention (DEP) is bypassed with a return-oriented programming (ROP) chain that calls 'mprotect' to mark a memory region as both writable and executable. Address space layout randomization (ASLR) can be neutralized because the base address of the heap is not randomized. This allows a payload on the heap to jump to a fixed location. "Our testing," says Core's advisory, "showed this approach to be extremely reliable." The reserved CVE number is CVE-2018-7445.

Core sent its initial vulnerability notice to MikroTik on February 19, 2018. On the same day, Core noticed the flaw was already scheduled for a fix by MikroTik in a new software release candidate. Core asked for a coordinated publication of the new version and its own advisory. It proposed March 1, 2018, which was confirmed by MikroTik. MikroTik then asked for an extension to Thursday, March 8, 2018, and then told Core it still wouldn't be ready. On Monday, March 12, 2018, it released the new version. It did not inform Core, and there is no apparent mention of the flaw or the fix in its new version announcement to customers - but it subsequently confirmed that the flaw has been fixed. MikroTik's advice for customers that cannot upgrade is that they should turn off SMB.

Last week, Kaspersky Lab released a report on a hacking group it calls Slingshot. The attackers gain access by first getting control of MikroTik routers, and using that position to download DLL files to the target computer via MikroTik's Winbox management tool. It is not clear at this point whether the Slingshot group gained access to the MikroTik routers using the CVE-2018-7445 vulnerability, but it is tempting to think so. Kaspersky Lab informed the company about its research prior to its own publication. While the router vulnerability would be the first stage of the attack, the second stage would be the use of Winbox to get the malicious downloads. MikroTik claims on its support forum that Winbox is secure. In a thread started by a customer disturbed at learning about Slingshot from reports in the media rather than from MikroTik, MikroTik responded, "There is NO insecure Winbox v3.
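The length-byte flaw described above, as an added example that is neither RouterOS code nor Core's proof of concept: a simplified model of the unchecked copy beside a hardened version that validates the declared length against both the bytes actually received and the destination size. DST_SIZE, the function names and the sample messages are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the flaw class described in the article, not
 * RouterOS code: the first byte of the received message is taken as the
 * length of the copy into a fixed-size destination. DST_SIZE and the
 * function names are assumptions made for this example. */
#define DST_SIZE 8

/* Vulnerable shape: the length byte is trusted and never compared with the
 * destination size. To keep this file well-defined it does not perform the
 * copy; it returns how many bytes would land past the end of a DST_SIZE-byte
 * destination (0 means the copy happens to fit). */
static size_t unchecked_overrun(const uint8_t *msg)
{
    size_t n = msg[0];                     /* length taken from the message */
    return n > DST_SIZE ? n - DST_SIZE : 0;
}

/* Hardened shape: validate the declared length against what was actually
 * received (no over-read) and against the destination (no overflow).
 * Returns the number of bytes copied, or -1 if the message is rejected. */
static int checked_copy(const uint8_t *msg, size_t msg_len,
                        uint8_t *dst, size_t dst_size)
{
    if (msg == NULL || dst == NULL || msg_len < 1)
        return -1;                         /* no length byte present */
    size_t n = msg[0];
    if (n > msg_len - 1)
        return -1;                         /* claims more bytes than received */
    if (n > dst_size)
        return -1;                         /* would overflow: reject, do not copy */
    memcpy(dst, msg + 1, n);
    return (int)n;
}

/* Constructed sample messages in the form [length byte][payload...]. */
static const uint8_t good_msg[]  = { 5, 'H', 'E', 'L', 'L', 'O' };
static const uint8_t short_msg[] = { 10, 'A', 'B', 'C' };          /* truncated */
static const uint8_t big_msg[]   = { 12, 'A', 'B', 'C', 'D', 'E', 'F',
                                     'G', 'H', 'I', 'J', 'K', 'L' }; /* oversized */

/* Runs the hardened parser over one sample and reports its verdict. */
static int parse_sample(const uint8_t *msg, size_t msg_len)
{
    uint8_t dst[DST_SIZE];
    return checked_copy(msg, msg_len, dst, sizeof dst);
}
```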