Security bug Report

Posted: Sat Feb 24, 2024 5:42 pm
by ahmedramze
Hello All.

Since MikroTik removed Winbox from the Dude packages and added the command to the Tools menu, the file is copied into the Dude folder. By mistake the Winbox.exe name was Winbox64.exe, and I found a big surprise.

YOU CAN SHOW ADMIN OR ANY USER PASSWORD STORED IN DUDE.

Just add any wrong command using Tools with IP + user + password:
111.exe [Device.FirstAddress] [Device.UserName] "[Device.Password]"

Then see the attached screenshot below.
[attachment: Screenshot 2024-02-24 at 18.33.32.png]

Please, MikroTik, there are some requests:
Use encryption for tools or any other password API request.
Add Winbox to the Dude setup folder and update it automatically from the host machine.
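The mechanism behind the post is template substitution: the Tools command line has [Device.FirstAddress], [Device.UserName] and [Device.Password] filled in from the stored device record, and when the command cannot be started the expanded line is shown to whoever ran it. As an added example (this is not The Dude's code; the placeholder syntax, field names, the 111.exe template and the device record are assumed from the post, and the password value is made up), here is a small Python model of a launcher that avoids that leak: the secret is substituted only into the argument vector handed to the process, while every string shown to the user or logged on failure comes from a redacted copy, and any secret a tool echoes back in its own output is masked as well.

```python
import re
import shlex
import subprocess
import sys

# Fields whose values must never appear in a displayed or logged command line.
# Hypothetical: The Dude's real field list and placeholder syntax are assumed from the post.
SECRET_FIELDS = {"Device.Password"}
PLACEHOLDER = re.compile(r"^\[([A-Za-z0-9_.]+)\]$")


def _substitute(token, fields, redact):
    """Replace a whole-token [Field.Name] placeholder; optionally mask secret fields."""
    m = PLACEHOLDER.match(token)
    if not m:
        return token
    name = m.group(1)
    if redact and name in SECRET_FIELDS:
        return "****"
    return str(fields.get(name, token))  # unknown field: leave the placeholder visible


def _scrub(text, fields):
    """Mask any secret value a tool echoed back in its own stdout/stderr."""
    for name in SECRET_FIELDS:
        value = str(fields.get(name, ""))
        if value:
            text = text.replace(value, "****")
    return text


def expand_argv(template, fields):
    """Split the template first, then fill placeholders per token (the real argv, never shown)."""
    return [_substitute(t, fields, redact=False) for t in shlex.split(template)]


def display_command(template, fields):
    """The only form of the command that may be shown to a user or written to a log."""
    return shlex.join([_substitute(t, fields, redact=True) for t in shlex.split(template)])


def run_tool(template, fields, timeout=30):
    """Run a tool; return (ok, text). `text` is built only from redacted/scrubbed material."""
    argv = expand_argv(template, fields)
    shown = display_command(template, fields)
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    except OSError as exc:
        # A mistyped tool name (the post's 111.exe case) lands here: report without the secret.
        return False, f"could not start {shown}: {exc.strerror}"
    except subprocess.TimeoutExpired:
        return False, f"{shown} timed out after {timeout}s"
    if proc.returncode != 0:
        return False, f"{shown} exited with {proc.returncode}: {_scrub(proc.stderr.strip(), fields)}"
    return True, _scrub(proc.stdout.strip(), fields)


# Constructed sample device record and the template from the post (password is made up).
DEVICE = {
    "Device.FirstAddress": "192.0.2.10",
    "Device.UserName": "dudeuser",
    "Device.Password": "example-not-a-real-secret",
}
BAD_TEMPLATE = '111.exe [Device.FirstAddress] [Device.UserName] "[Device.Password]"'
# Templates that do start: the running interpreter echoing its first argument.
ECHO_TEMPLATE = shlex.quote(sys.executable) + ' -c "import sys; print(sys.argv[1])" [Device.FirstAddress]'
LEAK_TEMPLATE = shlex.quote(sys.executable) + ' -c "import sys; print(sys.argv[1])" [Device.Password]'

if __name__ == "__main__":
    print("shown to user :", display_command(BAD_TEMPLATE, DEVICE))
    print("failure text  :", run_tool(BAD_TEMPLATE, DEVICE)[1])
    print("working tool  :", run_tool(ECHO_TEMPLATE, DEVICE))
    print("echoing tool  :", run_tool(LEAK_TEMPLATE, DEVICE))
```

Redacting the error text closes the leak the post shows, but note the limit of this approach: the password is still passed as a command-line argument, and arguments are readable by other local processes for as long as the tool runs. That is why restricting who can launch the tools host at all, as the reply below recommends, remains the primary control; redaction only stops the application from volunteering the secret on screen.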

Re: Security bug Report

Posted: Mon Feb 26, 2024 10:39 am
by normis
Were you under the impression that this is encrypted? Then how would it be magically decrypted? RouterOS has no "authentication by hash" features or API auth keys.
Of course it's the administrator's tool, so do not give access to this tool to anyone who is not an administrator. Windows has appropriate security features for that.

Re: Security bug Report

Posted: Mon Feb 26, 2024 2:38 pm
by ahmedramze
Were you under the impression that this is encrypted? Then how would it be magically decrypted? RouterOS has no "authentication by hash" features or API auth keys.
Of course it's the administrator's tool, so do not give access to this tool to anyone who is not an administrator. Windows has appropriate security features for that.
Hello Normis.
Thanks for the reply.

I have multiple admins, each with a different password but the same access level. This shows the password of the device in Dude, not the user's password.

For example, I use the dudeuser/XXXX password for all routers, and we enter it once when the device is added.
Other users (admins) are only for the Dude server, but they need access to tools like ping, Winbox, SSH, etc.

What I request to improve Dude:
1- Encrypt any stored password.
2- Make a user list (when we add a new device or use auto discovery) so a specific user, or one from the list, is used just for devices, like an SNMP profile.
3- Add Winbox to the Dude tools.

Thanks

Re: Security bug Report

Posted: Mon Feb 26, 2024 7:29 pm
by infabo
Were you under the impression that this is encrypted? Then how would it be magically decrypted? RouterOS has no "authentication by hash" features or API auth keys.
Of course it's the administrator's tool, so do not give access to this tool to anyone who is not an administrator. Windows has appropriate security features for that.
Famous last words.

Re: Security bug Report

Posted: Mon Feb 26, 2024 8:52 pm
by stmx38
Even if the password were encrypted, it looks like we may have an issue if one of the administrators who added one of the devices changes their password.

In that case, we may consider using a generic user for device credentials.

Re: Security bug Report

Posted: Tue Feb 27, 2024 8:38 am
by normis
If passwords were encrypted, you would still have to give all your admins the decryption password. For all devices.
So you should maybe use a password manager app with different access levels for different people.