dada
Member Candidate
Topic Author
Posts: 245
Joined: Tue Feb 21, 2006 1:44 pm

exploit-backup (ROS vulnerability)

Fri Jun 08, 2018 4:53 pm

Hi,

Google revealed for me this GitHub repo (5-month-old files):
https://github.com/0ki/mikrotik-tools/b ... it_full.sh


There are some scripts which show how to enable devel mode on several ROS versions by exploiting a backup file.
In short, the attacker must know the username/password to be able to log in to the box. Then it creates a backup file, uploads it to a server, modifies that file and uploads it back to the box. After restoring the backup the exploit is activated and devel mode is available (it means the attacker has Linux shell access and is able to install any binary it wants and is able to do any modifications too).

The visible sign is that there is a backup file named using this template:
jb_$$_$RANDOM.backup
where $$ is the PID of a process and $RANDOM is a random number. So if you see such a file in your 'files' you were probably exploited.

I tried to search this forum and the ROS changelog but I found no signs that the vulnerability has been discussed or solved. Sorry if I missed something...
The question is: is this vulnerability already solved? In which version?
Last edited by dada on Fri Jun 08, 2018 6:12 pm, edited 1 time in total.
 
ofer
Frequent Visitor
Posts: 59
Joined: Wed May 23, 2018 11:45 am

Re: exploit-backup (ROS vulnerability)

Fri Jun 08, 2018 5:21 pm

doesn't look like an exploit but rather the way MikroTik enables the devel login in the internal filesystem.
AFAIK this script only adds the following to the end of the backup file; I assume it'll create the directory
and that will enable devel login.
../../../nova/etc/devel-login/

Update: I've attempted the process and basically anything below 6.41 is exploitable and allows opening a shell prompt using the devel user.
Last edited by ofer on Sat Jun 09, 2018 1:46 am, edited 1 time in total.
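As an added defender-side example (not from the thread or from the linked repository), the two indicators the posts above give, the jb_$$_$RANDOM.backup file name and the injected ../../../nova/etc/devel-login/ path, can be checked by a small script run over names from /file print and over a copy of the backup blob. It assumes the backup is unencrypted, so path strings appear in the clear; the sample bytes are constructed, not a real backup.

```python
import re
from typing import Dict, List

# Name template reported in the thread: jb_$$_$RANDOM.backup
# ($$ is the shell PID and $RANDOM a bash random number, both decimal).
JB_NAME_RE = re.compile(r"^jb_\d+_\d+\.backup$")

# Directory the modified backup injects, per the thread. Any path that
# starts with ../ is suspicious in a backup, because the restore then
# writes outside the directory it was meant to populate.
DEVEL_LOGIN_DIR = "nova/etc/devel-login/"
TRAVERSAL_RE = re.compile(rb"(?:\.\./)+[\w./-]*")


def suspicious_name(filename: str) -> bool:
    """True if a name from /file print matches jb_<pid>_<random>.backup."""
    return bool(JB_NAME_RE.match(filename))


def find_traversal_entries(backup: bytes) -> List[str]:
    """Return every '../'-prefixed path string found in an unencrypted
    backup blob (assumption: no encryption, strings are in the clear)."""
    found = {m.group(0).decode("ascii", "replace") for m in TRAVERSAL_RE.finditer(backup)}
    return sorted(found)


def assess(filename: str, backup: bytes) -> Dict[str, object]:
    """Combine both indicators into one verdict for a single file."""
    entries = find_traversal_entries(backup)
    return {
        "name_matches_template": suspicious_name(filename),
        "traversal_entries": entries,
        "devel_login_injected": any(e.endswith(DEVEL_LOGIN_DIR) for e in entries),
    }


if __name__ == "__main__":
    # Constructed sample: filler bytes followed by the injected path.
    tampered = b"\x00\x01filler\x00" + b"../../../nova/etc/devel-login/" + b"\x00"
    clean = b"\x00\x01filler\x00"
    for name, blob in [("jb_12345_6789.backup", tampered), ("rb-2018-06-08.backup", clean)]:
        print(name, assess(name, blob))
```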
 
honzam
Forum Guru
Posts: 2395
Joined: Wed Feb 27, 2008 10:27 pm
Location: Czech Republic

Re: exploit-backup (ROS vulnerability)

Fri Jun 08, 2018 8:12 pm

doesn't look like an exploit but rather the way MikroTik enables the devel login in the internal filesystem

With devel login you have access to Linux --> install any binaries. Ideal to make an exploit.

Please answer from @Mikrotik team. Thanks
Last edited by honzam on Fri Jun 08, 2018 8:39 pm, edited 1 time in total.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: exploit-backup (ROS vulnerability)

Fri Jun 08, 2018 8:36 pm

It's not really anything new; the existence of devel login has been known for a long time. It's basically standard shell access. What's missing so far (AFAIK) is the official way MikroTik can enable devel login remotely (I'm under the impression that they can, if they know the admin password, but I may be wrong). And it's not exactly a vulnerability either; you need admin access to the device to enable devel login using this backup trick. IMHO it's nothing to worry about.
 
TomjNorthIdaho
Forum Guru
Posts: 1493
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: exploit-backup (ROS vulnerability)

Fri Jun 08, 2018 10:48 pm

Somewhat related to these posts …
In the VPNfilter official statement section of the MikroTik forums, while reading about what the vulnerability was doing/changing, I got the idea to mount a possibly infected ROS filesystem on an Ubuntu server. So with the ROS filesystem mounted on Ubuntu, I looked around at some user stuff in the ROS vmlinuz system and discovered what look like two additional accounts other than the normal admin login we all know about. I also see an "adminr" and an "adminb". I have no idea what they are or what they do, and I also have no idea if all ROS systems come from MikroTik with these users pre-configured into the system, or if somebody/something added them later.

If they are supposed to be there, then it raises some questions: if remote access can be gained using the adminb or adminr login information, who knows those passwords, and how come they do not show up in the MikroTik ROS user listings.

So like you, I'm trying to figure this stuff out and learn what does what and how to identify an already VPNfilter infected system.

North Idaho Tom Jones
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: exploit-backup (ROS vulnerability)

Sat Jun 09, 2018 1:55 am

If you can mount a possibly infected filesystem, you can also mount a clean one and compare.
 
TomjNorthIdaho
Forum Guru
Posts: 1493
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: exploit-backup (ROS vulnerability)

Sat Jun 09, 2018 2:07 am

If you can mount a possibly infected filesystem, you can also mount a clean one and compare.

I can do that - just a matter of having the free spare time here at work.
However, next week (time permitting) I will do so...
North Idaho Tom Jones
 
mistry7
Forum Guru
Posts: 1480
Joined: Tue Oct 13, 2009 11:57 am
Location: Germany

Re: exploit-backup (ROS vulnerability)

Sat Jun 09, 2018 3:27 am

@Tom

Downgrade ROS to an old version and use this to get the passwords....

https://github.com/BigNerd95/Chimay-Red ... /README.md
 
TomjNorthIdaho
Forum Guru
Posts: 1493
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: exploit-backup (ROS vulnerability)

Sat Jun 09, 2018 3:32 am

@Tom

Downgrade ROS to an old version and use this to get the passwords....

https://github.com/BigNerd95/Chimay-Red ... /README.md

WOW !!!
I am getting ready to head home from work - however, I will do this mid-next week

Thanks !!!
