Community discussions

 
semenko
just joined
Topic Author
Posts: 14
Joined: Mon Feb 04, 2013 6:37 pm

Denial of SSH service (was "FullDisclosure post ...")

Mon Sep 02, 2013 6:19 pm

Thought I'd open a thread on this recent post to Full Disclosure:

==================
Hello lists,

here you find the analysis of a vulnerability I recently discovered.

Mikrotik RouterOS 5.* and 6.* sshd remote preauth heap corruption

http://kingcope.wordpress.com/2013/09/0 ... orruption/

Additionally it includes a way to drop into a development shell for
recent Mikrotik RouterOS versions.

Cheers :>

Kingcope

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
 
risipetillo
Frequent Visitor
Frequent Visitor
Posts: 63
Joined: Tue Feb 03, 2009 7:08 pm

Re: FullDisclosure post / SSH remote crash / root?

Tue Sep 03, 2013 7:34 am

Mikrotik ... I trust that you are working hard to patch this vulnerability ... :shock:
 
jandafields
Forum Guru
Forum Guru
Posts: 1514
Joined: Mon Sep 19, 2005 6:12 pm

Re: FullDisclosure post / SSH remote crash / root?

Tue Sep 03, 2013 7:38 am

As not to scare anyone, this is not a security vunerability! This requires a "special" installation onto the router, and at that point allows you to access the underlying linux system.

This can NOT be done remotely! This is NOT a security issue at all! The ONLY way to use this vunerability is IF you have the mikrotik in your possession.

Also, this is nothing new. This has been floating around since at least 4 years ago.
https://sites.google.com/a/osk-net.pl/a ... evel-login
 
evsnow
just joined
Posts: 2
Joined: Wed May 09, 2012 12:54 pm

Re: FullDisclosure post / SSH remote crash / root?

Tue Sep 03, 2013 1:03 pm

No, they used the 'special' build to debug what is going on.

They describe a way to crash the new ssh daemon ROSSSH. If you are able to exploit this crash you gain full access to the router.
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24186
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: FullDisclosure post / SSH remote crash / root?

Tue Sep 03, 2013 1:18 pm

We have researched the exploitation claim in first post of the topic.

We can find no basis for this claim "Exploitation of this vulnerability will allow full access to the router device." Following these instructions will NOT allow access/control of the router and will NOT allow further efforts to enable access/control of the router.

By following the instruction for the first "sshd heap corruption”, the sshd service of the router will exit and will not restart. This is a denial of service as only a reboot of the router will make the ssh remote management service available again.

The second method that causes a crash of the sshd program also provides a denial of service as the sshd does not restart and the router requires a reboot to have sshd available. It does not allow or make it possible for further efforts to gain access/control of the router.

To protect yourself from the denial of sshd service (so that you can always use ssh):

1) For those users that do not wish to upgrade:
------------------------------------------------------
For home users that use the default firewall configuration (comes preset), there is no reason to upgrade as the default firewall does not allow access to management interfaces from the interface connected to the internet.

For network administrators that do allow ssh access to the router, it is advised to add firewall rules to restrict access to trusted ports or disable ssh management.

2) For users that would like to upgrade:
--------------------------------------------
RouterOS v6.3 and v5.26 has already fixed this issue.

As always, the security of RouterOS is our main concern, and we continue to research bug reports.
No answer to your question? How to write posts
 
User avatar
nz_monkey
Forum Guru
Forum Guru
Posts: 1817
Joined: Mon Jan 14, 2008 1:53 pm
Location: Straya
Contact:

Re: Denial of SSH service (was "FullDisclosure post ...")

Wed Sep 04, 2013 4:21 am

Thanks for such a professional response Mikrotik.
http://thebrotherswisp.com/ | Mikrotik MTCNA, MTCRE, MTCINE | Fortinet FTCNA, FCNSP, FCT | Extreme Networks ENA
 
w0lt
Member
Member
Posts: 484
Joined: Wed Apr 02, 2008 2:12 pm
Location: Minnesota USA

Re: Denial of SSH service (was "FullDisclosure post ...")

Wed Sep 04, 2013 4:26 am

Thanks for such a professional response Mikrotik.
Ditto !!
MTCNA - 2011

" The Bitterness of Poor Quality Remains Long After the Sweetness of Low Price is Forgotten "

Image
 
evsnow
just joined
Posts: 2
Joined: Wed May 09, 2012 12:54 pm

Re: Denial of SSH service (was "FullDisclosure post ...")

Thu Sep 05, 2013 12:39 pm

The 5.26 has not yet been released. When can we expect it?
 
R1CH
Forum Veteran
Forum Veteran
Posts: 888
Joined: Sun Oct 01, 2006 11:44 pm

Re: FullDisclosure post / SSH remote crash / root?

Thu Sep 05, 2013 6:28 pm

As not to scare anyone, this is not a security vunerability! This requires a "special" installation onto the router, and at that point allows you to access the underlying linux system.

This can NOT be done remotely! This is NOT a security issue at all! The ONLY way to use this vunerability is IF you have the mikrotik in your possession.

Also, this is nothing new. This has been floating around since at least 4 years ago.
https://sites.google.com/a/osk-net.pl/a ... evel-login
I wouldn't be so sure, heap corruption can very often result in arbitrary code execution. See http://en.wikipedia.org/wiki/Heap_overflow

Throwing random data at a vulnerable router will just crash the SSHD, but a targeted exploit could definitely compromise the router if SSH is available remotely.
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24186
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Denial of SSH service (was "FullDisclosure post ...")

Fri Sep 06, 2013 12:09 pm

I woudn't be so sure
We have researched this in detail, and no arbitrary code execution is possible in this particular situation.
The 5.26 has not yet been released. When can we expect it?
v5.26 is on the webpage now.
No answer to your question? How to write posts
 
polymathic
just joined
Posts: 5
Joined: Wed Aug 29, 2012 4:16 am

Re: FullDisclosure post / SSH remote crash / root?

Fri Sep 06, 2013 7:10 pm

I wouldn't be so sure, heap corruption can very often result in arbitrary code execution. See http://en.wikipedia.org/wiki/Heap_overflow

Throwing random data at a vulnerable router will just crash the SSHD, but a targeted exploit could definitely compromise the router if SSH is available remotely.
My compliments to Mikrotik for responding to this with patches in a timely fashion. I haven't tested them yet, but I will.

R1CH is absolutely right. There is a long history of vendors claiming that a "crash is just a crash" but if you spend any time with exploit development it becomes clear that many overflows provide a mechanism for an experienced attacker to execute arbitrary code. It's not as difficult as you might think, especially if you have ever written code in environments where you had to really understand the nuances of things like page alignment and memory allocation.

I'm a user and fan of ROS, and recommend it to many people, but when it comes to security vulnerabilities, it is important to set aside personal feelings and take time to understand the implications.

Describing the implications of security vulnerabilities should never be construed as an "attack" on your favorite product. Remember that every iPhone jailbreak started with something crashing when it shouldn't.
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24186
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Denial of SSH service (was "FullDisclosure post ...")

Mon Sep 09, 2013 10:19 am

I agree, but in this case, we specifically researched this in detail, we do not take this kind of claim lightly, and we would not post a response like this, without being sure.
No answer to your question? How to write posts

Who is online

Users browsing this forum: MSN [Bot] and 82 guests