Recently I discovered two vulnerabilities in MikroTik RouterOS. One of them, CVE-2019-15055, requires authentication. As described in my first report to MikroTik, this path traversal vulnerability allows an authenticated user to write/delete arbitrary writable files on the system, which could lead to privilege escalation. Both vulnerabilities have been fixed in the latest testing and stable versions.
This vulnerability can only be exploited if a secondary disk is available; disks are managed via System → Disks.
We have a secondary disk named disk1. Whenever a disk is mounted, RouterOS creates a symlink for the disk in /rw/disk.
The vulnerability exists in the diskd binary, inside the function that handles the name of the disk.
When a disk is renamed, the old symlink is deleted and a new symlink for the new disk name is created. Because the name is not sanitized at all, we can use "." and "/" to traverse out of /rw/disk: the old name controls what gets deleted, so we can delete any writable file, and the new name controls where the symlink is created, so we can plant a symlink that points at our controllable disk anywhere the file system allows.
RouterOS stores credentials in /flash/rw/store/user.dat. We can exploit the vulnerability to delete this file, which resets the admin account to a blank password.
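To make the rename logic concrete, here is an added example (my own model, not MikroTik's diskd code) that reproduces the two-step delete described above in a throwaway directory tree, with the unsanitized handler beside a hardened one. The directory layout (`rw/disk`, `flash/rw/store/user.dat`, `mnt`), the traversal depth, and the `disk_name_is_safe` rule are assumptions for this model and do not claim to match the real RouterOS layout or the vendor's fix.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Model of the rename logic described in the post, NOT MikroTik's diskd code:
 * the disk name is spliced straight into "<root>/rw/disk/<name>". */
static int link_path(char *out, size_t outlen, const char *root, const char *name) {
    int n = snprintf(out, outlen, "%s/rw/disk/%s", root, name);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Vulnerable handler: old and new names are trusted as-is. */
int rename_disk_vulnerable(const char *root, const char *mountpoint,
                           const char *old_name, const char *new_name) {
    char oldp[PATH_MAX], newp[PATH_MAX];
    if (link_path(oldp, sizeof oldp, root, old_name) ||
        link_path(newp, sizeof newp, root, new_name))
        return -1;
    unlink(oldp);                      /* removes whatever old_name resolves to */
    return symlink(mountpoint, newp);  /* plants a link wherever new_name resolves to */
}

/* Assumed rule: a disk name is exactly one path component, printable ASCII,
 * bounded length, never "." or "..". */
int disk_name_is_safe(const char *name) {
    if (name == NULL || *name == '\0' || strlen(name) > 64) return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    for (const char *p = name; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (c == '/' || c == '\\' || c < 0x20 || c > 0x7e) return 0;
    }
    return 1;
}

/* Hardened handler: reject before touching the file system. */
int rename_disk_hardened(const char *root, const char *mountpoint,
                         const char *old_name, const char *new_name) {
    if (!disk_name_is_safe(old_name) || !disk_name_is_safe(new_name)) {
        errno = EINVAL;
        return -1;
    }
    return rename_disk_vulnerable(root, mountpoint, old_name, new_name);
}

/* Build a temporary tree (rw/disk for symlinks, flash/rw/store/user.dat as the
 * target), run the two-step rename through the chosen handler and report whether
 * user.dat was deleted: 1 = deleted, 0 = survived, -1 = setup failure. */
int simulate_rename_attack(int hardened) {
    char root[] = "/tmp/diskd-model-XXXXXX";
    const char *dirs[] = {"rw", "rw/disk", "flash", "flash/rw", "flash/rw/store", "mnt"};
    size_t ndirs = sizeof dirs / sizeof dirs[0];
    char path[PATH_MAX], userdat[PATH_MAX], mnt[PATH_MAX], link[PATH_MAX];
    if (mkdtemp(root) == NULL) return -1;
    for (size_t i = 0; i < ndirs; i++) {
        snprintf(path, sizeof path, "%s/%s", root, dirs[i]);
        if (mkdir(path, 0700) != 0) return -1;
    }
    snprintf(userdat, sizeof userdat, "%s/flash/rw/store/user.dat", root);
    FILE *f = fopen(userdat, "w");
    if (f == NULL) return -1;
    fputs("admin:<hash>\n", f);        /* constructed stand-in for the credential store */
    fclose(f);
    snprintf(mnt, sizeof mnt, "%s/mnt", root);
    snprintf(link, sizeof link, "%s/rw/disk/disk1", root);
    if (symlink(mnt, link) != 0) return -1;

    /* Traversal from rw/disk up to the tree root, then down to user.dat. */
    const char *evil = "../../flash/rw/store/user.dat";
    int (*rename_fn)(const char *, const char *, const char *, const char *) =
        hardened ? rename_disk_hardened : rename_disk_vulnerable;
    rename_fn(root, mnt, "disk1", evil);  /* step 1: symlink() at user.dat fails (EEXIST) */
    rename_fn(root, mnt, evil, "disk1");  /* step 2: unlink() of the "old" name hits user.dat */

    struct stat st;
    int deleted = (stat(userdat, &st) != 0 && errno == ENOENT);

    unlink(userdat);
    unlink(link);
    for (size_t i = ndirs; i > 0; i--) {
        snprintf(path, sizeof path, "%s/%s", root, dirs[i - 1]);
        rmdir(path);
    }
    rmdir(root);
    return deleted;
}

int main(void) {
    printf("vulnerable handler: user.dat deleted = %d\n", simulate_rename_attack(0));
    printf("hardened handler:   user.dat deleted = %d\n", simulate_rename_attack(1));
    return 0;
}
```

The deletion happens on the second rename: the first rename leaves the traversal string registered as the "current" disk name, and renaming away from it makes the handler unlink that path. The hardened version never reaches the file system for either call, which is the property to test for rather than relying on `symlink()` failing with EEXIST.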
Update 06 Sept: Jacob then leveraged this vulnerability to get root access on the device.
Besides auditing the RouterOS main code, I also pay attention to the third-party libraries used by RouterOS. RouterOS before 6.46 uses an old libexpat to parse UPnP XML payloads.
With a little bit of effort, I was able to reproduce CVE-2018-20843 (XML names containing a large number of colons), which makes the XML parser consume a high amount of RAM and CPU, causing the router to restart and leading to a DoS.
MikroTik then confirmed the vulnerability and stated that RouterOS from 6.46 onward will not be vulnerable because it will use a different parser.
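As an added example illustrating the CVE-2018-20843 input class mentioned above (my own code, not MikroTik's and not part of libexpat), the following builds the kind of payload that triggers it, an element name carrying thousands of colons, and shows a linear-time pre-parse guard that a UPnP endpoint could apply when the underlying libexpat cannot be upgraded. The SOAP sample, the size cap, and the colon threshold are constructed assumptions; the guard is deliberately crude (it stops comments and declarations at the first `>`) and is a defense-in-depth check, not a replacement for a patched parser.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Walk raw XML and return the largest number of ':' seen in any single element
 * or attribute name. Quoted attribute values are skipped, so xmlns URNs such as
 * urn:schemas-upnp-org:service:WANIPConnection:1 do not count. Comments,
 * declarations and processing instructions (<! and <?) are skipped to the next '>'. */
int xml_max_colons_in_name(const char *xml, size_t len) {
    int max = 0;
    size_t i = 0;
    while (i < len) {
        if (xml[i] != '<') { i++; continue; }
        i++;
        if (i < len && (xml[i] == '!' || xml[i] == '?')) {
            while (i < len && xml[i] != '>') i++;
            continue;
        }
        if (i < len && xml[i] == '/') i++;          /* closing tag */
        while (i < len && xml[i] != '>') {
            char c = xml[i];
            if (c == '"' || c == '\'') {            /* attribute value: skip verbatim */
                i++;
                while (i < len && xml[i] != c) i++;
                if (i < len) i++;
                continue;
            }
            if (isspace((unsigned char)c) || c == '=' || c == '/') { i++; continue; }
            int colons = 0;                         /* a name token */
            while (i < len && !isspace((unsigned char)xml[i]) &&
                   xml[i] != '=' && xml[i] != '>' && xml[i] != '/') {
                if (xml[i] == ':') colons++;
                i++;
            }
            if (colons > max) max = colons;
        }
        if (i < len) i++;                           /* consume '>' */
    }
    return max;
}

/* Assumed policy: cap the payload size and the colons per name before the
 * bytes ever reach libexpat. Returns 1 to accept, 0 to reject. */
int upnp_payload_acceptable(const char *xml, size_t len, size_t max_len, int max_colons) {
    if (len > max_len) return 0;
    return xml_max_colons_in_name(xml, len) <= max_colons;
}

/* Constructed input of the CVE-2018-20843 class: one element name with n colons.
 * Caller frees the result. */
char *build_colon_heavy_name(int n) {
    char *s = malloc((size_t)n + 5);
    if (s == NULL) return NULL;
    s[0] = '<'; s[1] = 'a';
    memset(s + 2, ':', (size_t)n);
    s[n + 2] = '/'; s[n + 3] = '>'; s[n + 4] = '\0';
    return s;
}

/* Build the pathological input, run the guard, free it. 1 = rejected, 0 = accepted. */
int guard_rejects_colon_heavy_name(int n, int max_colons) {
    char *s = build_colon_heavy_name(n);
    if (s == NULL) return -1;
    int rejected = !upnp_payload_acceptable(s, strlen(s), (size_t)n + 64, max_colons);
    free(s);
    return rejected;
}

/* Constructed, benign UPnP AddPortMapping request: names carry at most one colon. */
const char SAMPLE_SOAP[] =
    "<?xml version=\"1.0\"?>\n"
    "<s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\"\n"
    "            s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">\n"
    " <s:Body>\n"
    "  <u:AddPortMapping xmlns:u=\"urn:schemas-upnp-org:service:WANIPConnection:1\">\n"
    "   <NewExternalPort>8080</NewExternalPort>\n"
    "   <NewProtocol>TCP</NewProtocol>\n"
    "  </u:AddPortMapping>\n"
    " </s:Body>\n"
    "</s:Envelope>\n";
```

A threshold of a handful of colons is generous for real UPnP traffic, where prefixed names such as `s:Envelope` or `u:AddPortMapping` carry exactly one; the guard is linear in the input, so it cannot itself be turned into the amplification it is meant to block. The definitive fix remains libexpat 2.2.7 or later, or, as the vendor stated, a different parser.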