vendor:
RouterOS
by:
Farlight
9,8
CVSS
HIGH
Heap Corruption
119
CWE
Product Name: RouterOS
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: Busybox
2020
Mikrotik RouterOS sshd (ROSSSH) Remote Pre-Authentication Heap Corruption
During an audit the Mikrotik RouterOS sshd (ROSSSH) has been identified to have a remote previous to authentication heap corruption in its sshd component. Exploitation of this vulnerability will allow full access to the router device. This analysis describes the bug and includes a way to get developer access to recent versions of Mikrotik RouterOS using the /etc/devel-login file. This is done by forging a modified NPK file using a correct signature and logging into the device with username ‘devel’ and the password of the administrator. This will drop into a busybox shell for further researching the sshd vulnerability using gdb and strace tools that have been compiled for the Mikrotik busybox platform.
Mitigation:
The user should update the Mikrotik RouterOS to the latest version and ensure that the /etc/devel-login file is not accessible to unauthorized users.
