rextended
Forum Guru
Topic Author
Posts: 12534
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

💀⚠️CRITICAL: Never trust who provides scripts containing "/import" from "/tool fetch" from external sources.

Wed Jan 24, 2024 3:06 pm

💀⚠️CRITICAL: Never trust who provides scripts containing "/import" from "/tool fetch" from external sources.

NEVER TRUST, there is no guarantee that the remote site will not be modified on purpose to execute arbitrary commands on your router.

It's one thing to download and import a list of addresses via script,
it's another to download a list of commands to apply blindly, without any limits or controls, in the router.

In general, never trust files provided by external sources.
 
optio
Forum Veteran
Posts: 915
Joined: Mon Dec 26, 2022 2:57 pm

Wed Jan 24, 2024 8:07 pm

Agree, example https://blocklister.gefoo.org/
Especially HTTP fetch can be problematic where attacker can perform MITM attack and modify response even if site is providing non malicious response.
 
rextended
Forum Guru
Topic Author
Posts: 12534
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Wed Jan 24, 2024 10:52 pm

> attacker can perform MITM attack
also, right!
 
iwikus
newbie
Posts: 35
Joined: Sat Jun 16, 2007 9:55 am


Thu Sep 12, 2024 4:41 pm

We just need mikrotik to implement firewall list load feature, since now there is no easy and simple way...
 
dang21000
Frequent Visitor
Posts: 54
Joined: Sat Feb 25, 2023 2:30 pm
Location: France

Thu Sep 12, 2024 8:48 pm

Never trust, yes!
like ip dns adlist

You should mirror check every time
 
iwikus
newbie
Posts: 35
Joined: Sat Jun 16, 2007 9:55 am


Fri Sep 13, 2024 10:28 am

Do you know what is sad? Docker images work exactly this way....you download something and run it. Also Go programs use this, including sources directly from the internet.
 
optio
Forum Veteran
Posts: 915
Joined: Mon Dec 26, 2022 2:57 pm

Fri Sep 13, 2024 6:10 pm

That's why Docker images need to be downloaded from trusted repositories, and even then it's good to treat them as an insecure network client by restricting connections to/from them to only the service provided by the container.
For downloaded application software at least you can use some antivirus/anti malware solution but also it is sane to know what you are installing and from which source.
 
 
LAYERWEB
just joined
Posts: 10
Joined: Thu Nov 14, 2024 1:40 am

Thu Nov 14, 2024 6:13 pm

> Agree, example https://blocklister.gefoo.org/
> Especially HTTP fetch can be problematic where attacker can perform MITM attack and modify response even if site is providing non malicious response.
If HTTPS/SSL is available, you don't have to be afraid of the man attack in the middle.
 
LAYERWEB
just joined
Posts: 10
Joined: Thu Nov 14, 2024 1:40 am

Thu Nov 14, 2024 6:15 pm

Do not make unnecessary comments. Unfortunately, people like you have time to discuss empty things that are really problematic because of the pushes like you.
Look: viewtopic.php?p=1109299#p1109299
 
optio
Forum Veteran
Posts: 915
Joined: Mon Dec 26, 2022 2:57 pm

Thu Nov 14, 2024 7:05 pm

> > Agree, example https://blocklister.gefoo.org/
> > Especially HTTP fetch can be problematic where attacker can perform MITM attack and modify response even if site is providing non malicious response.
> If HTTPS/SSL is available, you don't have to be afraid of the man attack in the middle.
HTTP != HTTPS - That's why I mentioned especially HTTP, if someone using http (unencrypted) protocol in fetch.

Regarding MITM attack on HTTPS, there are ways to also perform it, but it requires manual intervention from user to install CA certificate which MITM response uses to sign own certificate. User can be tricked by some social engineering technique like phishing, less chance than HTTP but possible.
Still, even if MITM is not performed concern is in aspect how much you trust the public source, if is for eg. Github source, repository owner account can be compromised and repo then can be updated with malicious script, if is some other site then you are not certain how well is protected, etc... I always follow the rule - better safe than sorry
Last edited by optio on Thu Nov 14, 2024 7:19 pm, edited 2 times in total.
 
Larsa
Forum Guru
Posts: 1611
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Thu Nov 14, 2024 7:10 pm

@LAYERWEB - What rextended is suggesting is that you should avoid trusting or automatically downloading third-party ROS scripts. An untrusted source could include elements that compromise your router’s security. If you want to work with scripts, download only raw data and write your own script directly on your router or on a separate server. The use of HTTPS/SSL for the actual transfer does not change this risk.
 
LAYERWEB
just joined
Posts: 10
Joined: Thu Nov 14, 2024 1:40 am

Thu Nov 14, 2024 7:14 pm

> @LAYERWEB - What rextended is suggesting is that you should avoid trusting or automatically downloading third-party ROS scripts. An untrusted source could include elements that compromise your router’s security. If you want to work with scripts, download only raw data and write your own script directly on your router or on a separate server. The use of HTTPS/SSL for the actual transfer does not change this risk.
Unless it's a reliable source, yes, you're right. It doesn't make sense to use it. Here it depends on how much you trust the source. In addition, instead of automation, it can be achieved manually by allocating labor, as you said. Not every convenience is always completely safe.
 
Amm0
Forum Guru
Posts: 4280
Joined: Sun May 01, 2016 7:12 pm
Location: California

Thu Nov 14, 2024 7:36 pm

I'm not sure the "💀⚠️CRITICAL" is necessary. Everything here can be relegated to security "best practices". And applies equally to "cut-and-paste" scripts and containers. Or even the dude, which downloads the matching version. And winbox4's new "Update Winbox" risks MITM attacks, if one adopts the posture suggested here.

There is nothing magical about RouterOS scripting in this regard compared to any other OS. Some mainstream software uses "curl ... | sh" - whether that's "safe" depends on the environment it's used and threat profile.
Last edited by Amm0 on Thu Nov 14, 2024 7:39 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 21823
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Thu Nov 14, 2024 7:39 pm

+1 for the emojis ;-P
 
rextended
Forum Guru
Topic Author
Posts: 12534
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Thu Nov 14, 2024 7:44 pm

> If HTTPS/SSL is available, you don't have to be afraid of the man attack in the middle.

As I wrote in the other post:
Obviously, it is obvious that you do not know how to distinguish a list of IPs from a list of commands, there is little to add.

Who guarantees that yourself on the github do not insert commands that create users and open backdoors in the router?
"Your" link does not just refer to a ready-made list of IPs, but creates an "import" where you can safely put any command you want to execute in the router, maybe it's a way to make money by selling machines on the darkweb.

If people "can check" it does not mean that they do not go and check when for others it is already too late.

If you can't see the security problem, it is certainly not my fault.


And let me be clear, I never talked about HTTP or HTTPS issues, it's the content that's the problem, not the means of transport.
However the suggested script does NOT install the proper SSL certificate and does NOT check HTTPS, so no matter what happens a MITM attack is still possible...
Last edited by rextended on Thu Nov 14, 2024 7:53 pm, edited 3 times in total.
 
optio
Forum Veteran
Posts: 915
Joined: Mon Dec 26, 2022 2:57 pm

Thu Nov 14, 2024 7:45 pm

> depends on the environment it's used and threat profile.
Key word "environment", which makes company environments much more sensitive than home users environment. If somehow I find out that my ISP is using such way to update their router, from public source script without proper automated source checks / sanitization, I will be concerned and probably switch to another ISP, just saying, maybe it's just me...
 
rextended
Forum Guru
Topic Author
Posts: 12534
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Thu Nov 14, 2024 7:55 pm

> I'm not sure the "💀⚠️CRITICAL" is necessary.
Yes, because most users can only copy & paste without knowing what they are doing, without distinguishing a list of commands from a list of IPs...
 
rextended
Forum Guru
Topic Author
Posts: 12534
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Thu Nov 14, 2024 7:56 pm

> If somehow I find out that my ISP is using such way to update their router, from public source script without proper automated source checks / sanitization, I will be concerned and probably switch to another ISP, just saying, maybe it's just me...
I see you get the point...
 
jaclaz
Forum Guru
Posts: 1919
Joined: Tue Oct 03, 2023 4:21 pm

Thu Nov 14, 2024 8:01 pm

> Key word "environment", which makes company environments much more sensitive than home users environment. If somehow I find out that my ISP is using such way to update their router, from public source script without proper automated source checks / sanitization, I will be concerned and probably switch to another ISP, just saying, maybe it's just me...
Well, this is pure fantasy, but if I *somehow* manage to find out what my ISP does (no matter what is actually done) it means that their security (be it the technical or "human" one) is a nice colander.
 
LAYERWEB
just joined
Posts: 10
Joined: Thu Nov 14, 2024 1:40 am

Thu Nov 14, 2024 8:04 pm

> > If HTTPS/SSL is available, you don't have to be afraid of the man attack in the middle.
>
> As I wrote in the other post:
> Obviously, it is obvious that you do not know how to distinguish a list of IPs from a list of commands, there is little to add.
>
> Who guarantees that yourself on the github do not insert commands that create users and open backdoors in the router?
> "Your" link does not just refer to a ready-made list of IPs, but creates an "import" where you can safely put any command you want to execute in the router, maybe it's a way to make money by selling machines on the darkweb.
>
> If people "can check" it does not mean that they do not go and check when for others it is already too late.
>
> If you can't see the security problem, it is certainly not my fault.
>
> And let me be clear, I never talked about HTTP or HTTPS issues, it's the content that's the problem, not the means of transport.
> However the suggested script does NOT install the proper SSL certificate and does NOT check HTTPS, so no matter what happens a MITM attack is still possible...
I really won't argue with you :D. Good luck to you in life. (I hope you will improve your incomplete knowledge in practice.)
my answer:
viewtopic.php?t=152632&start=300#p1109312 & viewtopic.php?t=152632&start=300#p1109322
 
optio
Forum Veteran
Posts: 915
Joined: Mon Dec 26, 2022 2:57 pm

Thu Nov 14, 2024 8:10 pm

> Well, this is pure fantasy, but if I *somehow* manage to find out what my ISP does (no matter what is actually done) it means that their security (be it the technical or "human" one) is a nice colander.
Depends where you live, in small communities, people with similar interest/occupation gathers and talk, you never know what you can find out...
 
jaclaz
Forum Guru
Posts: 1919
Joined: Tue Oct 03, 2023 4:21 pm

Thu Nov 14, 2024 8:17 pm

> Depends where you live, in small communities, people with same interest/occupation gathers and talk, you never know what you can find out...
Well, in small communities you don't even need to share interests or occupation, if the boyfriend of the cousin of the friend of your brother-in-law likes a few pints of beer or some wine ...
 
optio
Forum Veteran
Posts: 915
Joined: Mon Dec 26, 2022 2:57 pm

Thu Nov 14, 2024 8:20 pm

Yes, but the point is, It's not always a fantasy to find out some insider information :)
 
Amm0
Forum Guru
Posts: 4280
Joined: Sun May 01, 2016 7:12 pm
Location: California

Thu Nov 14, 2024 8:25 pm

> Who guarantees that yourself on the github do not insert commands that create users and open backdoors in the router?
The issue is you suggest that anyone who builds an open source script/framework and publishes them transparently on GitHub is a "💀⚠️CRITICAL" ... "security issue".

So you devalue the work that me, @eworm, @merlinthemagic, and MANY others do to publish their work on GitHub, and make it easier for people who are not coders to use well-designed scripts to mask the complexity of RouterOS. The basic idea of OSS is that transparency is the security - while not everyone is an expert in scripting, enough are. And folks like @eworm even follow best practices like using HTTPS and certificate verification, which mitigates some of the risks here.

Billions of people use code downloaded they do not understand and/or cannot even access to audit, like RouterOS itself.
 
Larsa
Forum Guru
Posts: 1611
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Thu Nov 14, 2024 8:37 pm

Probably true, but there’s always a chance of hidden backdoors, like the "XZ backdoor". With popular solutions, it’s easier to spot and handle malicious hacks and put in countermeasures because of the sheer number of people involved. But if you’re using less reliable sources, the risk goes up, and making those kinds of judgments takes a lot of experience and not everyone has that.

EDIT:
Using smart pattern-matching tools like machine learning and LLMs to check source code for malicious hacks will probably become pretty common in the future. I heard that the Linux Foundation is working on security improvements using these kinds of tools. This was mentioned on a podcast on Spotify a few months ago (can’t remember his name tho but it might have been 'XZ Backdoor: A FOSS Danger Story')
 
anav
Forum Guru
Posts: 21823
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Thu Nov 14, 2024 9:43 pm

Just asking cause I am ignorant of such things but GitHub is a repository. Who is responsible or what kind of vetting process is there to ensure no hacks or quacks in the stuff that is put there.
If you're saying it's completely reliant upon users checking each other, that is not security, until ENOUGH actual qualified people have actually dissected the contents to the degree required ( repeatable and all edge cases explored ) and have reported back on their findings.....
Compare to Apple, for example, where there is what seems to be a strict vetting process, ( sure a. to ensure revenue but I imagine b. to check security ).

When I see AMMO as an author, I run to the hills ;-P
 
Larsa
Forum Guru
Posts: 1611
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Thu Nov 14, 2024 10:56 pm

You’re spot on, it’s exactly the vetting process that’s the weak link!

There are plenty of technical tools to lock down a GitHub repo, but it’s up to the owners/admins to decide how to use them. In the case of the XZ backdoor, the attacker got in using social engineering which let the villains access the xz-utils repository on GitHub (which BTW is shut down now).

Ps..
Run to the hills? Nah, when I see Amm0, I grab my notebook - always something new to learn! 😄
 
rextended
Forum Guru
Topic Author
Posts: 12534
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Fri Nov 15, 2024 1:32 am

> (I hope you will improve your incomplete knowledge in practice.)
Nobody knows everything, but staying within the RouterOS scripts, at most I'll teach you.

Telling me about incomplete knowledge of RouterOS scripting, or arguing about https (which you don't verify) says much more than many words.
Not to you, of course, but to others it does.
Last edited by rextended on Fri Nov 15, 2024 1:40 am, edited 1 time in total.
 
rextended
Forum Guru
Topic Author
Posts: 12534
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Fri Nov 15, 2024 1:37 am

> So you devalue the work that me, @eworm, @merlinthemagic, and MANY others to do publish their work on GitHub, […]
No, for two reasons, and also for others not listed,

the first is that the warning is to avoid doing the "/import" automatically from who knows what sources,
without doing any verification of the script before import (like checking whether anything other than "add addres..." is present), and without checking certificates.

and the second, "the user who posts once and goes away" is certainly less reliable than someone who is always present on the forum...
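
Added example (not part of any post in this thread, and not code from any forum member): one way to act on the advice earlier in the thread to download only raw data and write your own script on a separate server, and on the point just above about checking a script for anything other than address-list adds before import. It is Python meant for that separate server; the function names, the list name "blocklist" and the sample inputs are assumptions constructed for illustration, and the audit is deliberately stricter than RouterOS (IPv4 address or CIDR only).

```python
import ipaddress
import re

_V4 = re.compile(r"[0-9]{1,3}(?:\.[0-9]{1,3}){3}(?:/[0-9]{1,2})?")
_LIST_NAME = re.compile(r"[A-Za-z0-9_-]+")
# Permitted line: "add" plus list=/address=/timeout= only; no ; [ ] $ " or \ can match.
_ADD = re.compile(r"(?:/ip firewall address-list )?add"
                  r"((?: (?:list|address|timeout)=[0-9A-Za-z_.:/-]+)+)")

def _parse_v4(value):
    """Return an IPv4Network for a plain address or CIDR, else None."""
    if not _V4.fullmatch(value):
        return None
    try:
        return ipaddress.IPv4Network(value, strict=False)
    except ValueError:
        return None

def parse_raw_list(text):
    """Split a raw feed into (sorted unique networks, rejected lines)."""
    good, bad = set(), []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        net = _parse_v4(line)
        if net is None:
            bad.append((no, raw.strip()))
        else:
            good.add(net)
    return sorted(good), bad

def build_rsc(networks, list_name):
    """Write the import file ourselves; nothing from the feed is copied as text."""
    if not _LIST_NAME.fullmatch(list_name):
        raise ValueError("unsafe list name: %r" % list_name)
    lines = ["/ip firewall address-list"]
    for n in networks:
        addr = n.network_address if n.prefixlen == 32 else n
        lines.append(f"add list={list_name} address={addr}")
    return "\n".join(lines) + "\n"

def audit_rsc(text):
    """Return (line_no, line) for each line that is not a bare address-list add."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line == "/ip firewall address-list":
            continue
        m = _ADD.fullmatch(line)
        tokens = m.group(1).split() if m else []
        params = dict(t.split("=", 1) for t in tokens)
        ok = (m is not None and len(params) == len(tokens)
              and _LIST_NAME.fullmatch(params.get("list", "")) is not None
              and _parse_v4(params.get("address", "")) is not None)
        if not ok:
            findings.append((no, line))
    return findings

# Constructed sample inputs (not taken from any real feed or script).
RAW_FEED = """# constructed sample feed
198.51.100.7
203.0.113.0/24
/user add name=constructed group=full
"""
THIRD_PARTY_RSC = """/ip firewall address-list
add list=blocklist address=198.51.100.7
add address=203.0.113.0/24 list=blocklist timeout=1d
add list=blocklist address=192.0.2.1 ; /system reboot
/user add name=constructed group=full
"""
if __name__ == "__main__":
    print(build_rsc(parse_raw_list(RAW_FEED)[0], "blocklist"), end="")
    print("flagged script lines:", audit_rsc(THIRD_PARTY_RSC))
```

Only the output of build_rsc is meant to reach the router; a non-empty result from audit_rsc means a third-party file is not a plain address list.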
 
LAYERWEB
just joined
Posts: 10
Joined: Thu Nov 14, 2024 1:40 am

Fri Nov 15, 2024 2:15 am

> Nobody knows everything, but staying within the RouterOS scripts, at most I'll teach you.
I am always open to new information, but due to your initial approach, I am closed to any information from you.
> and the second, "the user who posts once and goes away" is certainly less reliable than someone who is always present on the forum...
The world is not just this forum and I am newly registered in the forum, yes, but I do not have an anonymous account. To be long-term, you have to start somewhere.

you are really funny. Your aim is obvious when I examine her profile a little.
 
rextended
Forum Guru
Topic Author
Posts: 12534
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Fri Nov 15, 2024 2:18 am

Good thing, at least you get a laugh.
 
5009Owner
newbie
Posts: 45
Joined: Sun Jan 09, 2022 9:09 am


Sat Nov 16, 2024 1:40 pm

Some general observations.
Every now and then someone is asking here in the forum "what to do, I forgot my password, can't get in to my router!". Well, hopefully no one is giving them advice on how to do it. Even if there was a way to do it without resetting your router.
This one was quite obvious, but what if an evil hacker is asking and getting information bit by bit how to make evil things in our routers? "How to make this and how to make that?". There are experts in this forum who can give brilliant assistance, you just have to ask. In the end of the day hackers might have useful info how to get things going as they like. Does anyone see there might be a problem? I'm not saying that you should not help users to get their routers working, but do you recognise weird inquiries? At least, if someone finds a bug that compromises router security, please don't bring it here to the forum, but inform Mikrotik asap.
 
rextended
Forum Guru
Topic Author
Posts: 12534
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Sat Nov 16, 2024 2:14 pm

It's not a security bug.

It is normal for the knife to be sharp, that is its purpose.
I'm just telling you not to rub the blade on your skin... because you read somewhere on the internet that it keeps mosquitoes away...
 
anav
Forum Guru
Posts: 21823
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Sat Nov 16, 2024 3:15 pm

> I am always open to new information, but due to your initial approach, I am closed to any information from you.
Your loss and I guess some folks can't handle the truth. I find honest no BS answers refreshing and they are irrefutable when backed up by technical acumen.
 
msatter
Forum Guru
Posts: 2940
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Sun Nov 17, 2024 12:04 am

Never ever run scripts unvetted, from any place.

There are scripts that are used to import lists, and those scripts you should vet and then use over and over. If a new version is published then you start again with vetting it before using it.

Git's are nice, but code from this forum is seen by members that can see if something is not right. And as it is with updates, be a bit patient so you are not the first one catching a bug.
