Quoting Mikrotik's response (indicating it is more of a DOS risk than auth
bypass):

http://forum.mikrotik.com/viewtopic.php?f=2&t=76310

"We have researched the exploitation claim in first post of the topic.

We can find no basis for this claim "Exploitation of this vulnerability
will allow full access to the router device." Following these instructions
will NOT allow access/control of the router and will NOT allow further
efforts to enable access/control of the router.

By following the instruction for the first "sshd heap corruption", the sshd
service of the router will exit and will not restart. This is a denial of
service as only a reboot of the router will make the ssh remote management
service available again.

The second method that causes a crash of the sshd program also provides a
denial of service as the sshd does not restart and the router requires a
reboot to have sshd available. It does not allow or make it possible for
further efforts to gain access/control of the router."



On Tue, Sep 3, 2013 at 11:18 AM, Micah Miller <mi...@nbson.com> wrote:

> If I'm reading this correctly, an npk file is forged with the
> /etc/devel-login file, then the install iso is modified to include the
> forged npk.
>
> Is this correct?
>
> So you'd have to install this modified iso?
>
>
> On Tue, Sep 3, 2013 at 10:38 AM, Ben West <b...@gowasabi.net> wrote:
>
>> I haven't had a chance yet to verify whether this affects any of the
>> RouterOS v5.25 boxes I've deployed, but forwarding along FYI ...
>>
>> ---------- Forwarded message ----------
>> From: king cope <isowarez.isowarez.isowa...@googlemail.com>
>> Date: Mon, Sep 2, 2013 at 9:45 AM
>> Subject: [Full-disclosure] Mikrotik RouterOS 5.* and 6.* sshd remote
>> preauth heap corruption
>> To: full-disclos...@lists.grok.org.uk, bugt...@securityfocus.com,
>> submissi...@packetstormsecurity.com
>>
>>
>> Hello lists,
>>
>> here you find the analysis of a vulnerability I recently discovered.
>>
>> Mikrotik RouterOS 5.* and 6.* sshd remote preauth heap corruption
>>
>>
>> http://kingcope.wordpress.com/2013/09/02/mikrotik-routeros-5-and-6-sshd-remote-preauth-heap-corruption/
>>
>> Additionally it includes a way to drop into a development shell for
>> recent Mikrotik RouterOS versions.
>>
>> Cheers :>
>>
>> Kingcope
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>>
>>
>>
>> --
>> Ben West
>> http://gowasabi.net
>> b...@gowasabi.net
>> 314-246-9434
>>
>> _______________________________________________
>> Wireless mailing list
>> Wireless@wispa.org
>> http://lists.wispa.org/mailman/listinfo/wireless
>>
>>
>
>
> --
> Micah Miller
> Network/Server Administrator
> Network Business Systems, Inc.
> Phone: 309-944-8823
>
>
>


-- 
Ben West
http://gowasabi.net
b...@gowasabi.net
314-246-9434