Router vulnerability analysis, part 6: CVE-2018-7445 MikroTik RouterOS buffer overflow vulnerability

2018-04-24 00:00:00
kczwa1
www.myhack58.com

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.887 High

EPSS

Percentile

98.4%

I. Vulnerability overview
CVE-2018-7445 MikroTik RouterOS SMB buffer overflow
Reference: https://www.coresecurity.com/advisories/mikrotik-routeros-smb-buffer-overflow
Firmware version used for the analysis:
mikrotik-6.40.6.iso, x86 version
Download: https://mikrotik.com/download
MikroTik vulnerabilities first came to my attention earlier this year with the leak of the CIA's arsenal. According to Kaspersky, there is an APT group that makes heavy use of MikroTik vulnerabilities:
A few days ago, security experts at Kaspersky Lab announced that they had discovered a new, sophisticated APT group that has been active since at least 2012. Kaspersky tracked the group and determined that it uses a malware suite called Slingshot to compromise hundreds of thousands of victim systems in the Middle East and Africa.
The researchers found about 100 Slingshot victims, and the malware's modules, in Kenya, Yemen, Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia and Tanzania; Kenya and Yemen have the most infections so far. Most of the victims are individuals rather than organizations, and government organizations are few in number. The APT group exploits router zero-day vulnerabilities (CVE-2007-5633, CVE-2010-1592, CVE-2009-0824) in products from the Latvian network hardware vendor MikroTik to get its spyware onto victims' computers.
The attackers first compromise the router and then replace a DLL in its file system with malicious code; when the user runs Winbox Loader, MikroTik's router management software, that library is loaded into the target computer's memory.
The DLL runs on the victim's machine and connects to a remote server to download the final payload, the Slingshot malware that Kaspersky observed in these attacks. Whether the Slingshot group also used CVE-2018-7445 to compromise routers is unclear.
II. Vulnerability analysis
2.1 Building a RouterOS analysis environment
First install RouterOS: open the ISO file, remove the default hard disk and add an IDE hard drive.
![](/Article/UploadPic/2018-4/2018424183238258.png?www.myhack58.com)
Boot the VM.
![](/Article/UploadPic/2018-4/2018424183238296.png?www.myhack58.com)
Press a to select all packages, then i to install, and answer y to every prompt.
![](/Article/UploadPic/2018-4/2018424183238266.png?www.myhack58.com)
After the installation finishes, reboot, log in as admin with an empty password, and then use the setup command to set the IP address.
![](/Article/UploadPic/2018-4/2018424183238199.png?www.myhack58.com)
If all goes well you can now connect to RouterOS over SSH.
RouterOS lacks some basic Linux commands, so to make work easier we need to get busybox and gdbserver onto it.
Set the VM's CD drive to an Ubuntu image.
![](/Article/UploadPic/2018-4/2018424183238145.png?www.myhack58.com)
Choose to boot into the BIOS to set the boot options,
![](/Article/UploadPic/2018-4/2018424183238575.png?www.myhack58.com)
and select booting from CD first.
![](/Article/UploadPic/2018-4/2018424183239994.png?www.myhack58.com)
Then restart the virtual machine and select Try Ubuntu.
![](/Article/UploadPic/2018-4/2018424183239807.png?www.myhack58.com)
After entering the system, create a temporary folder and mount /dev/sda2 on it.
![](/Article/UploadPic/2018-4/2018424183239621.png?www.myhack58.com)
Copy busybox and gdbserver into the bin directory.
![](/Article/UploadPic/2018-4/2018424183239672.png?www.myhack58.com)
Then create a script at the following path; the router system runs this script automatically at startup.
![](/Article/UploadPic/2018-4/2018424183239985.png?www.myhack58.com)
PS: make these three files executable.
The contents of the script:
```bash
#!/bin/bash
# Install the busybox applets as symlinks into a RAM-disk directory and put it on PATH
mkdir /ram/mybin
/flash/bin/busybox-i686 --install -s /ram/mybin
export PATH=/ram/mybin:$PATH
# Expose a bash shell on TCP port 23000 for the analysis session
telnetd -p 23000 -l bash
```
Then restart the router and you can telnet into it:
```
telnet 192.168.174.160 23000
```
![](/Article/UploadPic/2018-4/2018424183239270.png?www.myhack58.com)
telnet succeeds.
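The staging steps above (mount the partition, copy busybox and gdbserver into bin, create the startup script, make all three executable) collected into one POSIX shell function, as an added example that is not part of the original article. It assumes the mounted partition is the one that appears as /flash on the running router, and because the article shows the startup-script path only in a screenshot, that path is passed in as a placeholder parameter.

```shell
#!/bin/sh
# Added example (not from the original article). Stages busybox-i686 and
# gdbserver into a mounted RouterOS partition and writes the startup script
# the article describes. Assumption: the partition mounted here (the article
# mounts /dev/sda2) is the one that appears as /flash on the running router,
# so <mnt>/bin becomes /flash/bin. The startup-script path is only shown in
# the article's screenshot, so it is passed in as a relative path (argument 3).
#   $1 = mount point of the RouterOS partition
#   $2 = directory holding the static x86 busybox-i686 and gdbserver binaries
#   $3 = startup-script path relative to the mount point (placeholder)
stage_routeros_tools() {
    mnt="$1"; tools="$2"; script_rel="$3"
    [ -d "$mnt" ] || { echo "mount point $mnt missing" >&2; return 1; }
    for f in busybox-i686 gdbserver; do
        [ -f "$tools/$f" ] || { echo "missing $tools/$f" >&2; return 1; }
    done

    mkdir -p "$mnt/bin"
    cp "$tools/busybox-i686" "$tools/gdbserver" "$mnt/bin/"
    # "PS: make these three files executable" - the two binaries and the script
    chmod 755 "$mnt/bin/busybox-i686" "$mnt/bin/gdbserver"

    script="$mnt/$script_rel"
    mkdir -p "$(dirname "$script")"
    # Same script as in the article: install the applets into the RAM disk,
    # put them on PATH and listen with a bash shell on TCP 23000.
    cat > "$script" <<'EOF'
#!/bin/bash
mkdir /ram/mybin
/flash/bin/busybox-i686 --install -s /ram/mybin
export PATH=/ram/mybin:$PATH
telnetd -p 23000 -l bash
EOF
    chmod 755 "$script"
    echo "$script"
}

# Offline check of the staging (run before rebooting the router): succeeds
# only if both binaries and the script are executable and the script still
# contains the telnetd line that the telnet test in the article relies on.
check_staging() {
    mnt="$1"; script_rel="$2"
    [ -x "$mnt/bin/busybox-i686" ] && [ -x "$mnt/bin/gdbserver" ] \
        && [ -x "$mnt/$script_rel" ] \
        && grep -q '^telnetd -p 23000 -l bash$' "$mnt/$script_rel"
}
```

Run it from the Ubuntu live session as `stage_routeros_tools /mnt/routeros /path/to/tools <script-path>` and then `check_staging /mnt/routeros <script-path>` before rebooting into RouterOS.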
An nmap sweep shows that port 139 is not open.
The SMB service has to be enabled with the following command:
```
/ip smb set enabled=yes
```
Then check the result with /ip smb print:
![](/Article/UploadPic/2018-4/2018424183239909.png?www.myhack58.com)
Check again with nmap.
![](/Article/UploadPic/2018-4/2018424183239564.png?www.myhack58.com)
