Bug Hunting in RouterOS

RouterOS is the “operating system” that router manufacturer Mikrotik built on top of Linux for their embedded devices.Typically, when researchers think of embedded devices they think of simple interfaces and easy-to-find vulnerabilities. However, this isn’t the case with RouterOS. The OS is rich with features you’d expect to find in more expensive Cisco models and it’s been largely protected from bug hunters due to the proprietary protocols it uses with its web client (webfig) and its thick client (winbox). Some APT events like Slingshot and VPNFilter prove that RouterOS is a valuable target. By exploiting vulnerabilities in RouterOS, attackers gain a privileged position in the victim’s network. Yet, there is no public tooling to aid in finding vulnerabilities in RouterOS. In this presentation, I will breakdown Mikrotik’s proprietary protocols and show the audience how to find bugs deep within the system. In this talk, I'll show the audience how to negotiation communication with RouterOS's webfig and break down the proprietary protocol that routes packets through the system. I'll combine what we've learned by showing off an authenticated stack buffer overflow that Tenable found in RouterOS. Note to Review Board: I have a specific authenticated stack buffer overflow I plan to demonstrate. We have already disclosed the vulnerability to Mikrotik and it should be patched (or outside of Tenable’s 90-day disclosure policy) by the time DerbyCon rolls around.

Presented by