vendor: RouterOS
by: Jacob Baines
CVSS: 9.1 CRITICAL
Path Traversal
CWE: 22
Product Name: RouterOS
Affected Version From: 6.30.1
Affected Version To: 6.43rc3
Patch Exists: YES
Related CWE: CVE-2018-14847
CPE: o:mikrotik:routeros
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Various
2018
RouterOS Remote Rooting
By the Way is an exploit coded in C++ that enables a root shell on MikroTik devices running the following RouterOS versions: Longterm 6.30.1 - 6.40.7; Stable 6.29 - 6.42; Beta 6.29rc1 - 6.43rc3. The exploit leverages the path traversal vulnerability CVE-2018-14847 to extract the admin password and create an 'option' package to enable the developer backdoor. Post-exploitation, the attacker can connect to Telnet or SSH using the root user 'devel' with the admin's password.
Mitigation:
MikroTik patched CVE-2018-14847 back in April. However, until this PoC was written, I don't believe it's been publicly disclosed that the attack can be leveraged to write files.