Vulnerabilities in MikroTik RouterOS

Recently I discovered two vulnerabilities in MikroTik RouterOS. One of them, CVE-2019-15055, requires authentication: as described in my first report to MikroTik, this path traversal vulnerability allows an authenticated user to write or delete arbitrary writable files on the system, which could lead to privilege escalation. Both vulnerabilities have been fixed in the latest testing and stable versions.

CVE-2019-15055

This vulnerability can only be exploited if a secondary disk is available; disks are listed under System → Disks:

Figure 1: Available secondary disk

We have a secondary disk named disk1. Whenever a disk is mounted, RouterOS creates a symlink for the disk in /rw/disk:

Figure 2: A symlink is created when a disk is mounted

The vulnerability exists in the diskd binary, inside the function that handles the disk name.

Figure 3: Vulnerable code in diskd

When a disk is renamed, the old symlink is deleted and a new symlink for the new name is created. Because the name is not sanitized, “.” and “/” in it allow traversing out of /rw/disk, so an attacker can delete any writable file or create a symlink at an arbitrary location that points to a disk they control.

RouterOS stores credentials in /flash/rw/store/user.dat. Exploiting the vulnerability to delete this file resets the admin account to a blank password.
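To show what the missing sanitization in the rename handler should have looked like, here is an added Python example (not MikroTik's code; diskd is a native binary whose internals are not shown on this page) that validates a disk name and proves the resulting symlink path stays under an assumed /rw/disk root before touching the filesystem.

```python
import os
import tempfile

# Assumed from the write-up: RouterOS keeps one symlink per mounted disk
# under /rw/disk. The root is a parameter so the demo can run in a temp dir.
DISK_ROOT = "/rw/disk"


def validate_disk_name(name: str) -> str:
    """Accept only a single plain path component (what diskd failed to enforce)."""
    if not name or name in (".", ".."):
        raise ValueError("disk name must not be empty, '.' or '..'")
    if any(ch in name for ch in ("/", "\\", "\x00")):
        raise ValueError("disk name must not contain path separators or NUL")
    return name


def symlink_path_for(name: str, root: str = DISK_ROOT) -> str:
    """Return root/name after proving the normalized path stays under root."""
    validate_disk_name(name)
    root_norm = os.path.normpath(root)
    candidate = os.path.normpath(os.path.join(root_norm, name))
    # Independent containment check: defense in depth if validation is bypassed.
    if os.path.commonpath([root_norm, candidate]) != root_norm:
        raise ValueError(f"{name!r} escapes {root}")
    return candidate


def rename_disk_symlink(old: str, new: str, target: str, root: str = DISK_ROOT) -> str:
    """Hardened rename step: validate both names, then unlink old and link new."""
    old_path = symlink_path_for(old, root)   # both checks run before any change,
    new_path = symlink_path_for(new, root)   # so a bad name leaves nothing half-done
    if os.path.lexists(old_path):
        os.unlink(old_path)
    os.symlink(target, new_path)
    return new_path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "disk")
        os.mkdir(root)
        os.symlink("/dev/sda1", os.path.join(root, "disk1"))  # constructed sample
        print("renamed to", rename_disk_symlink("disk1", "usb1", "/dev/sda1", root))
        for bad in ("../../flash/rw/store/user.dat", "..", "a/b", ""):
            try:
                rename_disk_symlink("usb1", bad, "/dev/sda1", root)
            except ValueError as exc:
                print("rejected:", exc)
```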

Update 06 Sept: Jacob then leveraged this vulnerability to get root access on the device.

FG-VD-19-110

Besides auditing RouterOS's own code, I also pay attention to the third-party libraries it uses. RouterOS before 6.46 uses an old libexpat to parse UPnP XML payloads.

Figure 4: UPnP XML parsing

With a little effort, I was able to reproduce CVE-2018-20843, which makes the XML parser consume large amounts of RAM and CPU, causing the router to restart and resulting in a denial of service.

MikroTik confirmed the vulnerability and stated that RouterOS after 6.46 will not be vulnerable, as it will use a different parser.
