[WISPA] Fwd: Mikrotik RouterOS 5.* and 6.* sshd remote preauth heap corruption
I haven't had a chance yet to verify whether this affects any of the RouterOS v5.25 boxes I've deployed, but forwarding along FYI ...

-- Forwarded message --
From: king cope <isowarez.isowarez.isowa...@googlemail.com>
Date: Mon, Sep 2, 2013 at 9:45 AM
Subject: [Full-disclosure] Mikrotik RouterOS 5.* and 6.* sshd remote preauth heap corruption
To: full-disclos...@lists.grok.org.uk, bugt...@securityfocus.com, submissi...@packetstormsecurity.com

Hello lists,

here you find the analysis of a vulnerability I recently discovered.

Mikrotik RouterOS 5.* and 6.* sshd remote preauth heap corruption
http://kingcope.wordpress.com/2013/09/02/mikrotik-routeros-5-and-6-sshd-remote-preauth-heap-corruption/

Additionally it includes a way to drop into a development shell for recent Mikrotik RouterOS versions.

Cheers,
Kingcope

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

-- 
Ben West
http://gowasabi.net
b...@gowasabi.net
314-246-9434

___
Wireless mailing list
Wireless@wispa.org
http://lists.wispa.org/mailman/listinfo/wireless
Re: [WISPA] Fwd: Mikrotik RouterOS 5.* and 6.* sshd remote preauth heap corruption
If I'm reading this correctly, an npk file is forged with the /etc/devel-login file, then the install iso is modified to include the forged npk. Is this correct? So you'd have to install this modified iso?

On Tue, Sep 3, 2013 at 10:38 AM, Ben West <b...@gowasabi.net> wrote:
> I haven't had a chance yet to verify whether this affects any of the RouterOS v5.25 boxes I've deployed, but forwarding along FYI ...
> [...]

-- 
Micah Miller
Network/Server Administrator
Network Business Systems, Inc.
Phone: 309-944-8823
Re: [WISPA] Fwd: Mikrotik RouterOS 5.* and 6.* sshd remote preauth heap corruption
Quoting Mikrotik's response (indicating it is more of a DOS risk than auth bypass):
http://forum.mikrotik.com/viewtopic.php?f=2&t=76310

> We have researched the exploitation claim in first post of the topic. We can find no basis for this claim: "Exploitation of this vulnerability will allow full access to the router device."
>
> Following these instructions will NOT allow access/control of the router and will NOT allow further efforts to enable access/control of the router. By following the instruction for the "first sshd heap corruption", the sshd service of the router will exit and will not restart. This is a denial of service as only a reboot of the router will make the ssh remote management service available again.
>
> The second method that causes a crash of the sshd program also provides a denial of service as the sshd does not restart and the router requires a reboot to have sshd available. It does not allow or make it possible for further efforts to gain access/control of the router.

On Tue, Sep 3, 2013 at 11:18 AM, Micah Miller <mi...@nbson.com> wrote:
> If I'm reading this correctly, an npk file is forged with the /etc/devel-login file, then the install iso is modified to include the forged npk. Is this correct? So you'd have to install this modified iso?
> [...]

-- 
Ben West
http://gowasabi.net
b...@gowasabi.net
314-246-9434
Re: [WISPA] Fwd: Mikrotik RouterOS 5.* and 6.* sshd remote preauth heap corruption
http://www.mikrotik.com/download/routeros-ALL-6.3.torrent

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St Suite 1337
Troy, OH 45373

On Tue, Sep 3, 2013 at 2:16 PM, Bryce Duchcherer <bduc...@netago.ca> wrote:
> I noticed today when I was upgrading one of my routers that 6.3 is now out, but haven't got the announcement from Mikrotik yet and it does not show up under the downloads on MikroTik's Website.
>
> I attached a screenshot of the changelog.
>
> From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On Behalf Of Ben West
> Sent: Tuesday, September 03, 2013 10:26 AM
> To: WISPA General List
> Subject: Re: [WISPA] Fwd: Mikrotik RouterOS 5.* and 6.* sshd remote preauth heap corruption
>
>> Quoting Mikrotik's response (indicating it is more of a DOS risk than auth bypass)
>> http://forum.mikrotik.com/viewtopic.php?f=2&t=76310
>> [...]
Re: [WISPA] Fwd: Mikrotik RouterOS 5.* and 6.* sshd remote preauth heap corruption
Upgraded my router at home right after I sent the last email, now I can't get back into it and it does not respond to pings very well. So maybe wasn't a good move lol. Will have a look when I get home and see what's going on with it.

From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On Behalf Of Josh Luthman
Sent: Tuesday, September 03, 2013 12:59 PM
To: WISPA General List
Subject: Re: [WISPA] Fwd: Mikrotik RouterOS 5.* and 6.* sshd remote preauth heap corruption

> http://www.mikrotik.com/download/routeros-ALL-6.3.torrent
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St Suite 1337
> Troy, OH 45373
>
> On Tue, Sep 3, 2013 at 2:16 PM, Bryce Duchcherer <bduc...@netago.ca> wrote:
>> I noticed today when I was upgrading one of my routers that 6.3 is now out, but haven't got the announcement from Mikrotik yet and it does not show up under the downloads on MikroTik's Website.
>> [...]