Looks like ChimayRed is described here: https://wikileaks.org/ciav7p1/cms/page_16385037.html

Fascinating. Would love to know the details of what the exploit is. Sounds like a vulnerability in the ROS web server.

-- Nathan

________________________________________
From: [email protected] <[email protected]> on behalf of Nathan Anderson <[email protected]>
Sent: Tuesday, March 7, 2017 1:06 PM
To: [email protected]
Subject: Re: [Mikrotik] Quick side question...

Based on my use of 'devel', tool/profile probably would not show.

This is an interesting page, but it leaves some questions unanswered and also doesn't make sense 100%.

"should be hardware-agnostic" -- don't see how; you have to build a separate busybox binary for each arch. As MT comes out with RBs based on new CPU archs, you gotta keep up. Also, I don't see how "implant" can be hardware-agnostic unless it's just a shell script that relies on busybox?

You clearly have to already know the admin credentials for this to work, just like you would with 'devel'.

Not sure what "ChimayRed" is. Presumably a tool developed internally.

'devel' has not been patched/"closed". It is still an integral part of ROS and is presumably used by MT developers to this day and kept around for that purpose (development and testing, hence the name). It has also never been enabled by default and you have to go to some lengths to enable it. (There were some security bugs that allowed you to create the devel-login file from a ROS CLI and no other tools required waaaaay in the past...like, the 3.x past. THOSE have been LONG closed, yeah. But 'devel' is absolutely still a thing. I have enabled it on many an x86, MIPS, and PPC RouterOS box running latest 6.x code.)

I am also not aware of any way to enable 'devel' without either already knowing the admin login (with the old 3.x holes) or having physical access to the router (current methods). So I'm not sure how this method is better.

I have not been able to get devel access on RB3011 (ARM) or CCR (Tile) yet, just because I don't have kernels yet that I can netboot and that have all of the proper hardware support (most important: either console access, USB port access, or single ethernet port, plus drivers for the NAND or SPI). I also don't have a Tile cross-compile environment set up yet either. So this is mildly interesting from that perspective.

-- Nathan

________________________________________
From: [email protected] <[email protected]> on behalf of Eric Tykwinski <[email protected]>
Sent: Tuesday, March 7, 2017 12:46 PM
To: [email protected]
Subject: [Mikrotik] Quick side question...

Don't know if anyone caught the wikileaks release, but there's some Mikrotik stuff in there. https://wikileaks.org/ciav7p1/cms/page_44957707.html

Looks like it's your basic busybox shell and a backdoor on the routers, including CCRs. Just wondering if you think tool/profiles would show the process running?

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

_______________________________________________
Mikrotik mailing list
[email protected]
http://mail.butchevans.com/mailman/listinfo/mikrotik
Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS

