markrobo
just joined
Topic Author
Posts: 8
Joined: Tue Sep 26, 2017 10:29 am

MikroTik 6.41.4 - FTP daemon Denial of Service PoC

Mon Apr 16, 2018 1:29 pm

Hi!

Does anyone have some information about "MikroTik 6.41.4 - FTP daemon Denial of Service PoC" and CVE-2018-10070 vulnerability?
The PoC has appeared on this link: https://www.exploit-db.com/exploits/44450/.

Is it possible to have some security mailing list and dedicated "Security" subforum?
Security issues with MikroTik have emerged lately - it would be nice to improve at least awareness about these things.

Regards,
Robo
 
CZFan
Forum Guru
Posts: 1456
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg
Contact:

Re: MikroTik 6.41.4 - FTP daemon Denial of Service PoC

Mon Apr 16, 2018 2:20 pm

Not again! I just upgraded a couple of clients due to the previous security vulnerability and explained to my customers that it is for security reasons.

If I tell them the same thing again, they are going to lose faith in Mikrotik products.

Mikrotik Support, can we please get some confirmation / clarification on the above post?
MTCNA, MTCTCE, MTCRE & MTCINE
 
normis
MikroTik Support
Posts: 24317
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: MikroTik 6.41.4 - FTP daemon Denial of Service PoC

Mon Apr 16, 2018 2:25 pm

Guys. Any service can be overloaded when it is polled enough times. How is this a vulnerability? This is simple DoS. If you set a simple firewall rule to limit number of connections per IP, in your input chain, this will not work at all.

Why would anyone keep FTP open to the public, no firewall and no limitations set?
Possibly we need the rule to exist by default, that is another question.
No answer to your question? How to write posts
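The mitigation normis describes (a per-source-IP connection limit on the input chain, plus not exposing FTP publicly) expressed as RouterOS configuration. This is an added example, not configuration from the thread or from MikroTik; the interface list name "WAN", the address list "mgmt" and the 192.168.88.0/24 range are assumed placeholders.

```routeros
# Added example, not from the thread. Assumes an interface list "WAN" and a
# management address list "mgmt"; adjust both to the real network.

# Preferred: do not expose the FTP service at all. Bind it to the management
# network (constructed placeholder range) or disable it if it is not needed.
/ip service set ftp address=192.168.88.0/24
# /ip service set ftp disabled=yes

/ip firewall address-list
add list=mgmt address=192.168.88.0/24 comment="hosts allowed to use FTP"

/ip firewall filter
# Ongoing sessions first, so the limit rule only has to look at new ones.
add chain=input connection-state=established,related action=accept \
    comment="allow ongoing sessions"
# connection-limit=count,netmask: the rule matches once a single /32 source
# already holds 3 connections to port 21, so the 4th and later are dropped.
# log=yes makes every hit visible in /log for detection of a flood.
add chain=input protocol=tcp dst-port=21 in-interface-list=WAN \
    connection-limit=3,32 action=drop log=yes log-prefix="ftp-limit" \
    comment="drop sources that already hold 3 FTP connections"
# Only management hosts may open FTP at all; everything else from WAN is dropped.
add chain=input protocol=tcp dst-port=21 src-address-list=mgmt action=accept \
    comment="FTP only from management hosts"
add chain=input protocol=tcp dst-port=21 in-interface-list=WAN action=drop \
    comment="drop all other FTP from WAN"

# Checks: current FTP sessions per peer, and log lines from the limit rule.
/ip firewall connection print where protocol=tcp dst-address~":21\$"
/log print where message~"ftp-limit"
```

Rule order matters: the connection-limit drop must sit above the accept rule for new FTP connections, otherwise it never matches.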
 
CZFan
Forum Guru
Posts: 1456
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg
Contact:

Re: MikroTik 6.41.4 - FTP daemon Denial of Service PoC

Mon Apr 16, 2018 2:55 pm

Guys. Any service can be overloaded when it is polled enough times. How is this a vulnerability? This is simple DoS. If you set a simple firewall rule to limit number of connections per IP, in your input chain, this will not work at all.

Why would anyone keep FTP open to the public, no firewall and no limitations set?
Possibly we need the rule to exist by default, that is another question.
Thank you
MTCNA, MTCTCE, MTCRE & MTCINE
 
c0nstantine
just joined
Posts: 5
Joined: Thu Dec 14, 2017 5:54 am

Re: MikroTik 6.41.4 - FTP daemon Denial of Service PoC

Mon Apr 16, 2018 7:19 pm

Guys. Any service can be overloaded when it is polled enough times. How is this a vulnerability? This is simple DoS. If you set a simple firewall rule to limit number of connections per IP, in your input chain, this will not work at all.

Why would anyone keep FTP open to the public, no firewall and no limitations set?
Possibly we need the rule to exist by default, that is another question.
I sent the report to your company before I published the vulnerability and you didn't answer. I don't know how you commented here when you don't know how the exploit works, because I didn't publish how I made the crafted request and what it is :) The 6 connections and less than 80KB crafted requests are enough for exhausting all the cpu and ram for rebooting the router.
Limiting the connections is a workaround; you should fix the problem (such as other companies do). If you want, you can give me an IP address and I will show you how it works.
The PoC is clear:
https://vimeo.com/264461602
 
markrobo
just joined
Topic Author
Posts: 8
Joined: Tue Sep 26, 2017 10:29 am

Re: MikroTik 6.41.4 - FTP daemon Denial of Service PoC

Tue Apr 17, 2018 10:23 am

I still think that MikroTik should invest more effort regarding security.

My suggestions are:
  • Create separate mail address where security concerns and vulnerabilities will be reported and at least answer people who submit valid stuff.
  • Create some bug bounty program where experts will test your products for vulnerabilities and reward them for this.
  • Create separate subforum regarding security topics.
  • Create separate security mailing list where you will inform people about security issues.

Regards,
Robo
 
normis
MikroTik Support
Posts: 24317
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: MikroTik 6.41.4 - FTP daemon Denial of Service PoC

Tue Apr 17, 2018 10:29 am

I sent the report to your company before I published the vulnerability and you didn't answer.
We answer all emails. Make sure you are not filtering ours, or post the ticket number, so I can check what was answered.
No answer to your question? How to write posts
 
pe1chl
Forum Guru
Posts: 5974
Joined: Mon Jun 08, 2015 12:09 pm

Re: MikroTik 6.41.4 - FTP daemon Denial of Service PoC

Tue Apr 17, 2018 10:49 am

I sent the report to your company before I published the vulnerability and you didn't answer. I don't know how you commented here when you don't know how the exploit works, because I didn't publish how I made the crafted request and what it is :) The 6 connections and less than 80KB crafted requests are enough for exhausting all the cpu and ram for rebooting the router.
Don't you have better things to do with your life? Spending all that time to find out how you can destroy other people's property?
Maybe you can file a vulnerability report of bus shelters and claim that their windows cannot withstand the throwing of stones by local youth?
 
normis
MikroTik Support
Posts: 24317
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: MikroTik 6.41.4 - FTP daemon Denial of Service PoC

Tue Apr 17, 2018 10:55 am

Nice example, pe1chl,

Nevertheless, we will fix it.
No answer to your question? How to write posts
 
pe1chl
Forum Guru
Posts: 5974
Joined: Mon Jun 08, 2015 12:09 pm

Re: MikroTik 6.41.4 - FTP daemon Denial of Service PoC

Tue Apr 17, 2018 12:08 pm

Good! But the point that those sore losers that claim to be "whitehat hackers" don't seem to understand is that everything in society is
built up to some reasonable standard of quality and security, as a trade-off between effort/cost and result.
Of course the bus shelter could be built with steel plate or bulletproof glass, but its appearance would not be so good or it would cost too much.
Normal people just use it as a shelter, only the mentally derailed people destroy it "because it can be destroyed".

In internet security it is the same, but there the derailed people not only destroy other people's property, they also blackmail the
producers with threats to publish details "if it is not fixed according to their set rules". It is like the guys that ask you to pay protection
money to prevent your property from being damaged.

It is not as much that those guys should be tracked down and locked up (which would be good), but even more they need to be
taught normal forms of behaviour in a society. That includes not touching without permission what does not belong to you, and
not engaging in interactions as shown above. ("we told you about it and you did not react to our standards so now...")
 
c0nstantine
just joined
Posts: 5
Joined: Thu Dec 14, 2017 5:54 am

Re: MikroTik 6.41.4 - FTP daemon Denial of Service PoC

Tue Apr 17, 2018 12:21 pm

I sent the report to your company before I published the vulnerability and you didn't answer.
We answer all emails. Make sure you are not filtering ours, or post the ticket number, so I can check what was answered.
The email was sent on Fri, Apr 13, 2018 to support@mikrotik.com
Unfortunately I think security is not important for your company.
Hardening the kernel's parameters and changing them according to your product's resources before introducing them to the markets should be a priority for you. People are using your products without the simple default security.
The vulnerability is in the parsing function and it was patched 5 years ago in the linux kernels. Just one packet can exhaust all available cpu for more than 20 minutes.
I didn't publish anywhere how I made the crafted request because more than 590000 mikrotik devices are vulnerable (you can check this out on shodan), please fix the vulnerability and pay attention to the security.
Best Regards
 
pe1chl
Forum Guru
Posts: 5974
Joined: Mon Jun 08, 2015 12:09 pm

Re: MikroTik 6.41.4 - FTP daemon Denial of Service PoC

Tue Apr 17, 2018 12:30 pm

The email was sent on Fri, Apr 13, 2018 to support@mikrotik.com
Unfortunately I think security is not important for your company.
That is only 1.5 working days ago!
In a company, such mails need to be categorized, the issue investigated, and a reply made and verified.
You cannot expect that to happen within 1.5 working days.
Hardening the kernel's parameters and changing them according to your product's resources before introducing them to the markets should be a priority for you.
Priority for you should be to seek psychological help!
I don't know how readily available it is in your country, but maybe there is some other way for you to overcome the problems of your disorder.
 
markrobo
just joined
Topic Author
Posts: 8
Joined: Tue Sep 26, 2017 10:29 am

Re: MikroTik 6.41.4 - FTP daemon Denial of Service PoC

Tue Apr 17, 2018 12:34 pm

Good! But the point that those sore losers that claim to be "whitehat hackers" don't seem to understand is that everything in society is
built up to some reasonable standard of quality and security, as a trade-off between effort/cost and result.
Of course the bus shelter could be built with steel plate or bulletproof glass, but its appearance would not be so good or it would cost too much.
Normal people just use it as a shelter, only the mentally derailed people destroy it "because it can be destroyed".

In internet security it is the same, but there the derailed people not only destroy other people's property, they also blackmail the
producers with threats to publish details "if it is not fixed according to their set rules". It is like the guys that ask you to pay protection
money to prevent your property from being damaged.

It is not as much that those guys should be tracked down and locked up (which would be good), but even more they need to be
taught normal forms of behaviour in a society. That includes not touching without permission what does not belong to you, and
not engaging in interactions as shown above. ("we told you about it and you did not react to our standards so now...")

I would not agree with you.
These people are called Security Researchers and they should be rewarded for their effort.
This is how security works these days, with various nation-state hackers, governments and black hats struggling to find “zero days” and vulnerabilities to exploit.

Why do you think some great companies organise Bug Bounties and Pwn2Own and similar contests?
People have different skill sets and mistakes happen in various places during development and manufacture process before the product is finished.
Do you really trust all of the manufacturers and vendors that their products are fully secure and that they don’t have any flaws?

Who do you think is better placed to find a vulnerability in a product - some nation-state hackers, government agencies, black hats or security researchers?
Security researchers are the only ones who will report these issues to the manufacturer; the others will keep them for themselves and use them against people and networks.
I would only agree with the fact that there are some criminals among white hats and security researchers, but this is not the majority.

Vendors should definitely reward security researchers' effort and thank them. Among them there are many young and bright minds which will be more motivated to do the right thing after they get at least a “thank you” from the manufacturer or vendor.

Regards,
Robo
 
pe1chl
Forum Guru
Posts: 5974
Joined: Mon Jun 08, 2015 12:09 pm

Re: MikroTik 6.41.4 - FTP daemon Denial of Service PoC

Tue Apr 17, 2018 12:42 pm

The problem is not real researchers who find a problem on the device they personally own, then report it in private
to the manufacturer, and know that not all problems they report will be solved in the manner they prefer.

The problem is the people like c0nstantine and many others, who set their own rules, send a mail on Friday and
start whining the next Tuesday about "still not resolved" (with the actual time available for processing maybe being
even less due to timezone difference), and go on with publishing details and other threatening.

This is not related to improving security, this is just boosting of own ego, and finding something to do in the
lack of any employer wanting them to work there. Some people call them "bright minds" but in reality they are
just socially inept.
 
normis
MikroTik Support
Posts: 24317
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: MikroTik 6.41.4 - FTP daemon Denial of Service PoC

Tue Apr 17, 2018 12:49 pm

The email was sent on Fri, Apr 13, 2018 to support@mikrotik.com
Unfortunately I think security is not important for your company.
That is only 1.5 working days ago!
In a company, such mails need to be categorized, the issue investigated, and a reply made and verified.
You cannot expect that to happen within 1.5 working days.
Hardening the kernel's parameters and changing them according to your product's resources before introducing them to the markets should be a priority for you.
Priority for you should be to seek psychological help!
I don't know how readily available it is in your country, but maybe there is some other way for you to overcome the problems of your disorder.
Even worse, it is not true. Mailserver logs and even junk filters show no email of this kind. This is really unprofessional and irresponsible.
No answer to your question? How to write posts
 
c0nstantine
just joined
Posts: 5
Joined: Thu Dec 14, 2017 5:54 am

Re: MikroTik 6.41.4 - FTP daemon Denial of Service PoC

Tue Apr 17, 2018 1:04 pm

The email was sent on Fri, Apr 13, 2018 to support@mikrotik.com
Unfortunately I think security is not important for your company.
That is only 1.5 working days ago!
In a company, such mails need to be categorized, the issue investigated, and a reply made and verified.
You cannot expect that to happen within 1.5 working days.
Hardening the kernel's parameters and changing them according to your product's resources before introducing them to the markets should be a priority for you.
Priority for you should be to seek psychological help!
I don't know how readily available it is in your country, but maybe there is some other way for you to overcome the problems of your disorder.
Even worse, it is not true. Mailserver logs and even junk filters show no email of this kind. This is really unprofessional and irresponsible.
You can check this out:
https://ibb.co/bHcd47
Good luck
 
normis
MikroTik Support
Posts: 24317
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: MikroTik 6.41.4 - FTP daemon Denial of Service PoC

Tue Apr 17, 2018 1:30 pm

Thanks for the image. Zero emails in last 5 months.
No answer to your question? How to write posts
 
markrobo
just joined
Topic Author
Posts: 8
Joined: Tue Sep 26, 2017 10:29 am

Re: MikroTik 6.41.4 - FTP daemon Denial of Service PoC

Tue Apr 17, 2018 1:51 pm

...
The problem is the people like c0nstantine and many others, who set their own rules, send a mail on Friday and
start whining the next Tuesday about "still not resolved" (with the actual time available for processing maybe being
even less due to timezone difference), and go on with publishing details and other threatening.

This is not related to improving security, this is just boosting of own ego, and finding something to do in the
lack of any employer wanting them to work there. Some people call them "bright minds" but in reality they are
just socially inept.

Unfortunately, there are still no general rules about reporting vulnerabilities - some people were mad about the way the Israeli firm “CTS Labs” reported vulnerabilities to AMD, but they didn’t say: “OK, you have not reported the vulnerability correctly - we don’t consider this a vulnerability, nor will we fix it until you do so”.
That’s why some serious vendors create Bug Bounties and regulate reporting of vulnerabilities.

Guys. Any service can be overloaded when it is polled enough times. How is this a vulnerability? This is simple DoS. If you set a simple firewall rule to limit number of connections per IP, in your input chain, this will not work at all.

This was also unprofessional - you could at least have said “We will check this out”.

MikroTik, you have the keys to people's homes and companies - security must be your first priority.


Regards,
Robo
 
normis
MikroTik Support
Posts: 24317
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: MikroTik 6.41.4 - FTP daemon Denial of Service PoC

Tue Apr 17, 2018 1:55 pm

We did check it. Firewall stops it, like it was written above.
No answer to your question? How to write posts
 
c0nstantine
just joined
Posts: 5
Joined: Thu Dec 14, 2017 5:54 am

Re: MikroTik 6.41.4 - FTP daemon Denial of Service PoC

Tue Apr 17, 2018 2:24 pm

We did check it. Firewall stops it, like it was written above.
I didn't talk about the firewall. It's about the FTP service, and it's clear that firewalls can block any connection; as you know, this service has a vulnerability in the parsing function, and you can fix that easily.
I will not continue this conversation. I reported the vulnerability to you and if you want, please let me know so I can send the structure of the crafted request to you.
Best regards
 
BartoszP
Forum Guru
Posts: 1720
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: MikroTik 6.41.4 - FTP daemon Denial of Service PoC

Tue Apr 17, 2018 2:37 pm

People are using your products without the simple default security.
Could you elaborate more on this? What do you mean "without the simple security"?
Real admins use real keyboards.
 
normis
MikroTik Support
Posts: 24317
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: MikroTik 6.41.4 - FTP daemon Denial of Service PoC

Tue Apr 17, 2018 2:40 pm

We did check it. Firewall stops it, like it was written above.
I didn't talk about the firewall. It's about the FTP service, and it's clear that firewalls can block any connection; as you know, this service has a vulnerability in the parsing function, and you can fix that easily.
I will not continue this conversation. I reported the vulnerability to you and if you want, please let me know so I can send the structure of the crafted request to you.
Best regards
Your email never reached our mailservers. Sad you chose to publish it, without any confirmation that MikroTik received it.
No answer to your question? How to write posts
 
R1CH
Forum Veteran
Posts: 907
Joined: Sun Oct 01, 2006 11:44 pm

Re: MikroTik 6.41.4 - FTP daemon Denial of Service PoC

Tue Apr 17, 2018 4:18 pm

Another home grown Mikrotik daemon with vulnerabilities... :roll: . Any normal Linux ftp daemon will not be vulnerable to such a simple DoS attack.

Trying to claim this is a normal DoS attack that would work against any service is wrong, see "6 connections and less than 80KB crafted requests are enough for exhausting all the cpu and ram" - no other FTP server in the world would fall over and take the OS with it at these rates. This is almost certainly a bug in the Mikrotik FTP daemon that allows such requests to balloon out of control and consume excessive resources. Firewalling the FTP server will only be hiding the real problem.

There should really be resource limits in place for services like httpd, ftpd, winboxd, smbd, etc., so that excessive CPU and RAM usage cannot kill the whole router!
 
BartoszP
Forum Guru
Posts: 1720
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: MikroTik 6.41.4 - FTP daemon Denial of Service PoC

Tue Apr 17, 2018 4:29 pm

Not only Mikrotik has problems ... some homegrown FTP daemons could allow an unauthenticated, remote attacker to log in to the FTP server of the device without a valid password. https://tinyurl.com/y926t3br :) You should cross your fingers and look for a valid maintenance contract to resolve the problem.
Real admins use real keyboards.
 
tippenring
Member Candidate
Posts: 179
Joined: Thu Oct 02, 2014 8:54 pm
Location: St Louis MO
Contact:

Re: MikroTik 6.41.4 - FTP daemon Denial of Service PoC

Tue Apr 17, 2018 6:32 pm

I wish I had time to write a longer reply, but no one would read it anyway.

Just like the world population, there is no black and white when it comes to vuln discovery and reporting. Each of us has our personal opinions on the matter, and they won't agree with others.

Industry has generally come up with a sort-of semi-agreed upon 90 day notification prior to publication (I think), but there's no hard and fast rules.

IMHO, it was very irresponsible of Constantine to wait only 1.5 days before publication--assuming he/she really sent the email at all. It isn't difficult to spoof a screenshot after all.

In any case, for many of us on the forum, I don't anticipate issues because we wouldn't expose routers' services to the wide open internet without access control anyway. Obviously not everyone that installs routers knows or cares that they should be concerned. Shodan shows >590,000 devices that appear to be publishing Mikrotik FTP servers (https://www.shodan.io/search?query=mikrotik+ftp).

Mikrotik should have a security notice listserv which we could subscribe to. Forums are not particularly good for that kind of notification.
 
Sob
Forum Guru
Posts: 4876
Joined: Mon Apr 20, 2009 9:11 pm

Re: MikroTik 6.41.4 - FTP daemon Denial of Service PoC

Tue Apr 17, 2018 10:34 pm

Don't you have better things to do with your life? Spending all that time to find out how you can destroy other people's property?
Maybe you can file a vulnerability report of bus shelters and claim that their windows cannot withstand the throwing of stones by local youth?
That's not it. It's obvious that a big enough stone will break the glass. But if the glass can also be broken by just a light touch of one finger, if you know the right place, then it's a problem that must be fixed. It's not reasonable to expect that nobody will ever touch the glass like that; someone will find out about it eventually. And I'm glad when it's someone who will tell the manufacturer. We surely don't want anything again like that long-lived CIA exploit, do we?

And "but nobody would leave that part exposed" is just an excuse, btw. :)

Announcing it to the world, before making sure that MikroTik got the message, that's another story, it's true that it could have been handled better.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.