Backport Vulnerability in RouterOS Threatens Hundreds of Thousands of Devices


The ability to remotely downgrade devices running RouterOS (Mikrotik) endangers hundreds of thousands of network devices. The vulnerability stems from poisoning of the router's DNS cache via the Winbox protocol and allows an attacker to push outdated firmware (which resets the administrator password to its default) or modified firmware onto the device.


Vulnerability details

The RouterOS terminal supports the resolve command for DNS lookups.


This request is handled by a binary named resolver. Resolver is one of the many binaries that are connected to RouterOS's Winbox protocol. At a high level, "messages" sent to a Winbox port can be routed to various binaries in RouterOS based on an array-based numbering scheme.

The DNS server feature is disabled by default in RouterOS.


However, even with the server function disabled, the router maintains its own DNS cache.


When we make a request via winbox_dns_request for a name such as example.com, the router caches the result.


Since we can specify which DNS server the request should go through, it is trivial to have it return bogus addresses. For example, you can configure the DNS server implementation from Philip Claus to always reply with an A record containing the IP address 192.168.88.250.

from dnslib import DNSRecord, DNSHeader, RR, A

def dns_response(data):
    # Parse the incoming query and build a reply that echoes its ID and question.
    request = DNSRecord.parse(data)
    reply = DNSRecord(DNSHeader(
        id=request.header.id, qr=1, aa=1, ra=1), q=request.q)
    qname = request.q.qname
    qn = str(qname)
    # Answer whatever name was asked for with the same fixed address.
    reply.add_answer(RR(qn, ttl=30, rdata=A("192.168.88.250")))
    print("---- Reply:\n", reply)
    return reply.pack()

Now if you use Winbox to search for example.com, you can see that the DNS cache of the router is poisoned.


Of course, poisoning example.com isn't very useful, since the router won't actually use it. However, the router needs to access upgrade.mikrotik.com, cloud.mikrotik.com, cloud2.mikrotik.com and download.mikrotik.com. And thanks to another mistake, it is possible to poison them all at once.

from dnslib import DNSRecord, DNSHeader, RR, A

def dns_response(data):
    # Parse the incoming query and build a reply that echoes its ID and question.
    request = DNSRecord.parse(data)
    reply = DNSRecord(DNSHeader(
        id=request.header.id, qr=1, aa=1, ra=1), q=request.q)
    qname = request.q.qname
    qn = str(qname)
    reply.add_answer(RR(qn, ttl=30, rdata=A("192.168.88.250")))
    # Extra answers for names that were never asked about (one-week TTL).
    reply.add_answer(RR("upgrade.mikrotik.com", ttl=604800,
        rdata=A("192.168.88.250")))
    reply.add_answer(RR("cloud.mikrotik.com", ttl=604800,
        rdata=A("192.168.88.250")))
    reply.add_answer(RR("cloud2.mikrotik.com", ttl=604800,
        rdata=A("192.168.88.250")))
    reply.add_answer(RR("download.mikrotik.com", ttl=604800,
        rdata=A("192.168.88.250")))
    print("---- Reply:\n", reply)
    return reply.pack()

The router asks for one record, and we hand back five. The router incorrectly caches all of them.
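As an added illustration (this is not code from the original article or from the RouterOS project), the following stdlib-only Python snippet shows the check a resolver cache is expected to apply to a reply like the one above: only answer records whose owner name matches the question name are accepted, and unrelated records such as the extra mikrotik.com entries are discarded instead of cached. The sample reply is constructed inline by build_response.

```python
import struct

def _encode_name(name):
    # Wire-encode a dotted name as length-prefixed labels (no compression).
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def _decode_name(msg, off):
    # Decode a (possibly compressed) name; return (name, offset after it).
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (end if end is not None else off)

def build_response(qname, answers):
    # Constructed sample reply: one A question, one A record per (name, ip).
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8580, 1, len(answers), 0, 0)
    msg = hdr + _encode_name(qname) + struct.pack("!HH", 1, 1)
    for name, ip in answers:
        rdata = bytes(int(o) for o in ip.split("."))
        msg += _encode_name(name) + struct.pack("!HHIH", 1, 1, 604800, 4) + rdata
    return msg

def filter_answers(msg):
    # Parse a reply and keep only answers whose owner name equals the
    # question name; everything else is out of scope and must not be cached.
    _, _, _, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    qname, off = _decode_name(msg, 12)
    off += 4  # skip QTYPE/QCLASS
    kept, dropped = [], []
    for _ in range(an):
        name, off = _decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 else rdata.hex()
        (kept if name == qname else dropped).append((name, value, ttl))
    return kept, dropped
```

Running filter_answers over a reply built with the five names from the article keeps only the example.com record and reports the four mikrotik.com records as dropped.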


Naturally, this attack is also useful when the router acts as a DNS server, since the poisoned cache is then served to the router's clients.

This attack also enables a more serious one: downgrading, or "backporting", the RouterOS version. The attacker recreates the update server's logic, including the changelog, and makes RouterOS accept an outdated (vulnerable) version as the latest. The danger is that after this "upgrade" the administrator password is reset to its default value, so an attacker can log in with a blank password!

The attack works as described. The author also implements several further vectors, including embedding a backdoor in the firmware, but those go beyond what is needed here, and their use for illegitimate purposes is illegal.

DEF

Simply disabling Winbox protects against these attacks. Although Winbox is convenient for administration, it is better to use SSH.

Source: habr.com
