While all of the system's executables appear to reside within read-only space, there does appear to be some read-write space, both tmpfs and persistent, that an attacker can manipulate.

The storage the user has access to as seen from a root shell and Webfig

The trick is figuring out how to use that space to achieve and maintain execution.

The other thing that's important to know is that users don't actually have access to a real shell on RouterOS. Above, I've included a screenshot where I appear to have a root shell. However, that's only because I've exploited the router and enabled the developer backdoor. This shouldn't actually be possible, but thanks to the magic of vulnerabilities it is.

If you aren't familiar with the developer backdoor in RouterOS, here is a very quick rundown: since RouterOS 3.x the system was designed to give you a root busybox shell over telnet or ssh if a special file exists in a specific location on the system (that location has changed over the years). Assuming the special file exists, you access the busybox shell by logging in as the devel user with the admin user's password. In the following video you can see me use HackerFantastic's set tracefile vulnerability to create the special file /pckg/option on RouterOS 6.41.4. The existence of that file enables the backdoor. After I log in as devel, delete the file, and log out, I can no longer access the root shell.

Somehow this forum user obtained MikroTik's debug package and was able to examine some files post exploitation. Here we can see the attacker using /rw/RESET to execute their /rw/info binary. Perhaps seeing this used in the wild is why MikroTik altered S08config's behavior. Similar to /rw/RESET, the contents of /rw/DEFCONF can be executed thanks to an eval statement in S12defconf.
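As an added example (not code from the post or from MikroTik), here is a small POSIX shell audit a defender could run over an offline copy of a router's filesystem to look for the indicators just described: the backdoor trigger file and executable content dropped into /rw/RESET or /rw/DEFCONF. It assumes the copy mirrors the device's / layout and uses only the paths named above; the sample tree it builds is constructed.

```shell
#!/bin/sh
# Offline audit of a RouterOS filesystem copy for the persistence indicators
# discussed above. Assumption: ROOT is a directory that mirrors the device's /
# layout (an extracted image or a mounted backup), not the live router.

# Location of the backdoor trigger observed on 6.41.x; it has moved between
# versions, so older or newer trees may keep it elsewhere.
BACKDOOR_TRIGGERS="pckg/option"
# Files in persistent read-write space whose contents init scripts execute
# (the post ties RESET to S08config and DEFCONF to an eval in S12defconf).
RW_EXEC_FILES="rw/RESET rw/DEFCONF"

# Print one finding per line; a clean tree produces no output.
audit_routeros_tree() {
    root="${1%/}"
    for f in $BACKDOOR_TRIGGERS; do
        if [ -e "$root/$f" ]; then
            echo "BACKDOOR-TRIGGER $f (devel login would give a root shell)"
        fi
    done
    for f in $RW_EXEC_FILES; do
        p="$root/$f"
        [ -e "$p" ] || continue
        # First 120 bytes flattened to one line so the reviewer sees what init would run.
        preview=$(head -c 120 "$p" | tr '\n' ' ' | sed 's/[[:space:]]*$//')
        echo "RW-EXEC $f preview='$preview'"
        # Anything the script points at inside writable space is attacker-supplied.
        for ref in $(grep -o '/rw/[^[:space:]]*' "$p" | sort -u); do
            echo "RW-EXEC $f references writable path $ref"
        done
    done
    return 0
}

# Constructed sample tree shaped like the compromise described in the post:
# trigger file present and RESET pointing at a dropped /rw/info binary.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/pckg" "$d/rw"
    : > "$d/pckg/option"
    printf '/rw/info\n' > "$d/rw/RESET"
    echo "$d"
}

sample=$(make_sample_tree)
audit_routeros_tree "$sample"
rm -rf "$sample"
```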