
Denial of SSH service (was "FullDisclosure post ...")

Posted: Mon Sep 02, 2013 6:19 pm
by semenko
Thought I'd open a thread on this recent post to Full Disclosure:

==================
Hello lists,

here you find the analysis of a vulnerability I recently discovered.

Mikrotik RouterOS 5.* and 6.* sshd remote preauth heap corruption

http://kingcope.wordpress.com/2013/09/0 ... orruption/

Additionally it includes a way to drop into a development shell for
recent Mikrotik RouterOS versions.

Cheers :>

Kingcope

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: FullDisclosure post / SSH remote crash / root?

Posted: Tue Sep 03, 2013 7:34 am
by risipetillo
Mikrotik ... I trust that you are working hard to patch this vulnerability ... :shock:

Re: FullDisclosure post / SSH remote crash / root?

Posted: Tue Sep 03, 2013 7:38 am
by jandafields
As not to scare anyone, this is not a security vulnerability! This requires a "special" installation onto the router, and at that point allows you to access the underlying Linux system.

This can NOT be done remotely! This is NOT a security issue at all! The ONLY way to use this vulnerability is IF you have the MikroTik in your possession.

Also, this is nothing new. This has been floating around since at least 4 years ago.
https://sites.google.com/a/osk-net.pl/a ... evel-login

Re: FullDisclosure post / SSH remote crash / root?

Posted: Tue Sep 03, 2013 1:03 pm
by evsnow
No, they used the 'special' build to debug what is going on.

They describe a way to crash the new ssh daemon ROSSSH. If you are able to exploit this crash you gain full access to the router.

Re: FullDisclosure post / SSH remote crash / root?

Posted: Tue Sep 03, 2013 1:18 pm
by normis
We have researched the exploitation claim in first post of the topic.

We can find no basis for this claim "Exploitation of this vulnerability will allow full access to the router device." Following these instructions will NOT allow access/control of the router and will NOT allow further efforts to enable access/control of the router.

By following the instructions for the first "sshd heap corruption", the sshd service of the router will exit and will not restart. This is a denial of service, as only a reboot of the router will make the ssh remote management service available again.

The second method that causes a crash of the sshd program also provides a denial of service as the sshd does not restart and the router requires a reboot to have sshd available. It does not allow or make it possible for further efforts to gain access/control of the router.

To protect yourself from the denial of sshd service (so that you can always use ssh):

1) For those users that do not wish to upgrade:
------------------------------------------------------
For home users that use the default firewall configuration (comes preset), there is no reason to upgrade as the default firewall does not allow access to management interfaces from the interface connected to the internet.

For network administrators that do allow ssh access to the router, it is advised to add firewall rules to restrict access to trusted ports or disable ssh management.

2) For users that would like to upgrade:
--------------------------------------------
RouterOS v6.3 and v5.26 have already fixed this issue.

As always, the security of RouterOS is our main concern, and we continue to research bug reports.
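The firewall-restriction advice in the post above, written out as RouterOS commands. This is an added example, not MikroTik's own configuration: the interface name, the trusted address ranges and the address-list name are assumptions chosen for illustration.

```routeros
# Added example (not from the original post). Restricts SSH management of the
# router itself (input chain) to a trusted address list and drops all other
# SSH traffic, so an untrusted host can never reach the sshd at all.
# Assumed values: trusted sources are 192.168.88.0/24 (LAN) and 203.0.113.10
# (a remote jump host); both are placeholders.

/ip firewall address-list
add list=mgmt-trusted address=192.168.88.0/24 comment="LAN administrators (example)"
add list=mgmt-trusted address=203.0.113.10 comment="remote jump host (example)"

# Rule order matters: these must sit above any broad "accept" in the input
# chain, otherwise use place-before=<index> when adding them.
/ip firewall filter
add chain=input protocol=tcp dst-port=22 src-address-list=mgmt-trusted \
    action=accept comment="SSH only from trusted sources"
add chain=input protocol=tcp dst-port=22 action=drop \
    comment="drop every other SSH attempt before it reaches sshd"

# Second layer: bind the SSH service itself to the same trusted ranges, so a
# firewall mistake alone does not re-expose it.
/ip service set ssh address=192.168.88.0/24,203.0.113.10

# Alternative for routers that are never managed over SSH: disable it outright
# (WinBox/console remain available). Uncomment if that applies.
# /ip service disable ssh
```

After applying, confirm from an untrusted address that a TCP connection to port 22 is dropped (no SSH banner), and from a trusted address that the login still works; the firewall counters on the two rules (`/ip firewall filter print stats`) show which path each attempt took.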

Re: Denial of SSH service (was "FullDisclosure post ...")

Posted: Wed Sep 04, 2013 4:21 am
by nz_monkey
Thanks for such a professional response Mikrotik.

Re: Denial of SSH service (was "FullDisclosure post ...")

Posted: Wed Sep 04, 2013 4:26 am
by w0lt
Thanks for such a professional response Mikrotik.
Ditto !!

Re: Denial of SSH service (was "FullDisclosure post ...")

Posted: Thu Sep 05, 2013 12:39 pm
by evsnow
The 5.26 has not yet been released. When can we expect it?

Re: FullDisclosure post / SSH remote crash / root?

Posted: Thu Sep 05, 2013 6:28 pm
by R1CH
> As not to scare anyone, this is not a security vulnerability! This requires a "special" installation onto the router, and at that point allows you to access the underlying Linux system.
>
> This can NOT be done remotely! This is NOT a security issue at all! The ONLY way to use this vulnerability is IF you have the MikroTik in your possession.
>
> Also, this is nothing new. This has been floating around since at least 4 years ago.
> https://sites.google.com/a/osk-net.pl/a ... evel-login
I wouldn't be so sure, heap corruption can very often result in arbitrary code execution. See http://en.wikipedia.org/wiki/Heap_overflow

Throwing random data at a vulnerable router will just crash the SSHD, but a targeted exploit could definitely compromise the router if SSH is available remotely.

Re: Denial of SSH service (was "FullDisclosure post ...")

Posted: Fri Sep 06, 2013 12:09 pm
by normis
> I wouldn't be so sure

We have researched this in detail, and no arbitrary code execution is possible in this particular situation.

> The 5.26 has not yet been released. When can we expect it?

v5.26 is on the webpage now.

Re: FullDisclosure post / SSH remote crash / root?

Posted: Fri Sep 06, 2013 7:10 pm
by polymathic
> I wouldn't be so sure, heap corruption can very often result in arbitrary code execution. See http://en.wikipedia.org/wiki/Heap_overflow
>
> Throwing random data at a vulnerable router will just crash the SSHD, but a targeted exploit could definitely compromise the router if SSH is available remotely.
My compliments to Mikrotik for responding to this with patches in a timely fashion. I haven't tested them yet, but I will.

R1CH is absolutely right. There is a long history of vendors claiming that a "crash is just a crash" but if you spend any time with exploit development it becomes clear that many overflows provide a mechanism for an experienced attacker to execute arbitrary code. It's not as difficult as you might think, especially if you have ever written code in environments where you had to really understand the nuances of things like page alignment and memory allocation.

I'm a user and fan of ROS, and recommend it to many people, but when it comes to security vulnerabilities, it is important to set aside personal feelings and take time to understand the implications.

Describing the implications of security vulnerabilities should never be construed as an "attack" on your favorite product. Remember that every iPhone jailbreak started with something crashing when it shouldn't.

Re: Denial of SSH service (was "FullDisclosure post ...")

Posted: Mon Sep 09, 2013 10:19 am
by normis
I agree, but in this case, we specifically researched this in detail, we do not take this kind of claim lightly, and we would not post a response like this, without being sure.