May 17, 2019

CVE-2018-14847 and Router Compromises

A recent Microtik router vulnerability can open up internal resources and lead to ransomware attacks or worse when coupled with recent Microsoft vulnerabilites.

On a recent external penetration test my Nessus scanner alerted to a  Microtik router which was vulnerable to CVE-2018-14847.  The CVE was rated 9.2 and the description reads as follows:

MikroTik RouterOS through 6.42 allows unauthenticated remote attackers to read arbitrary files and remote authenticated attackers to write arbitrary files due to a directory traversal vulnerability in the WinBox interface.

CVE background and exploit PoC

One thing immediately jumped out at me.  If an unauthenticated attacker can read any file, they might be able to read credentials and then quickly become an authenticated attacker that can write files...  Sure enough, this was the case as demonstrated by a PoC exploit developed by Tenable: https://github.com/tenable/routeros/tree/master/poc/bytheway

Oddly enough, Nessus only rated this as a high finding despite their own team making exploit code that chained an unauth session to full root compromise. Sure sounds like a crit to me.  Being a real world test I was not about to go YOLO sec and backdoor a public facing router.  Another member of my team found the following PoC code which just performed the first stage which was to utilize the unauthenticated directory traversal and file read vulnerability to extract the data file that contains user passwords.  https://github.com/BasuCert/WinboxPoC

The author of the PoC already wrote up the bug in Winbox that allowed for arbitrary unauthenticated file read: https://n0p.me/winbox-bug-dissection/

In short, the Winbox protocol uses an incremented value as a form of session management. However, you can get a session id with an initial connection packet, then increment the session ID and send a packet asking for a file read. Since the session ID is the only session management in the conversation it is essentially an authentication bypass vulnerability IMO.  The location of the user database which gets decoded to reveal the admin password can be found in the PoC code:

msg.add_string(1, "//./.././.././../flash/rw/store/user.dat");

Exploit implications

Using the exploit was simple... once I found out what port Winbox was listening on.  The ISP had chosen the security by obscurity modus of operandi and placed it on a non-standard port.  

Admin password extraction using Winbox exploit

Great success, the creds work.  I had no intentions on rooting or modifying this device since this was during a pentest and not a Red Team.  There were a variety of nasty things that you could do on the RouterOS, but most would quickly get you caught.  You could modify the DNS server settings that get passed down on DHCP leases, you could do web redirects, and even monitor traffic.

What would a real world attacker do?  The brand new crit CVE from Microsoft affecting RDP comes to mind.  

https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708

Sure Shodan will tell you that there a bazillion RDP services exposed on public IP addresses, but to be honest I have not come across a single public RDP instance in the last 2 years of doing non-stop pentests and Red Team engagements.  However, with the power of firewall rules on a compromised router, you could simply map high range ports on the routers public IP to port 3389 on internal IPs. The exploit code has already been sold and it is just a matter of weeks before a public PoC will get leaked. The same could be done for port 445 so you could attempt Eternal Blue.

Compromised MicroTik Router

Takeaway

Don't trust SOHO equipment or your ISP devices. Everyone has known for decades that they are full of bugs and never get patched.  If you have to use an ISP device, port scan it and make sure they are not unknowingly exposing management ports without ACL's in place.  And above all else, treat the ISP edge device as compromised and make sure you are using a Firewall between your company devices and the edge device.