New Exploit for MikroTik Router WinBox Vulnerability Gives Full Root Access

A known vulnerability in MikroTik routers is potentially far more dangerous than previously thought.

A cybersecurity researcher from Tenable Research has released a new proof-of-concept (PoC) RCE attack for an old directory traversal vulnerability that was found and patched within a day of its discovery in April this year.

The vulnerability, identified as CVE-2018-14847, was initially rated as medium in severity but should now be rated critical because the new hacking technique used against vulnerable MikroTik routers allows attackers to remotely execute code on affected devices and gain a root shell.

The vulnerability impacts Winbox—a management component for administrators to set up their routers using a Web-based interface—and a Windows GUI application for the RouterOS software used by the MikroTik devices.

The vulnerability allows “remote attackers to bypass authentication and read arbitrary files by modifying a request to change one byte related to a Session ID.”

New Hack Turned ‘Medium’ MikroTik Vulnerability Into ‘Critical’

However, the new attack method found by Tenable Research exploits the same vulnerability and takes it to one step ahead.

A PoC exploit, called “By the Way,” released by Tenable Research Jacob Baines, first uses directory traversal vulnerability to steal administrator login credentials from user database file and the then writes another file on the system to gain root shell access remotely.

In other words, the new exploit could allow unauthorized attackers to hack MikroTik’s RouterOS system, deploy malware payloads or bypass router firewall protections.

The technique is yet another security blow against MikroTik routers, which was previously targeted by the VPNFilter malware and used in an extensive cryptojacking campaign uncovered a few months ago.

New MikroTik Router Vulnerabilities

Besides this, Tenable Research also disclosed additional MikroTik RouterOS vulnerabilities, including:

  • CVE-2018-1156—A stack buffer overflow flaw that could allow an authenticated remote code execution, allowing attackers to gain full system access and access to any internal system that uses the router.
  • CVE-2018-1157—A file upload memory exhaustion flaw that allows an authenticated remote attacker to crash the HTTP server.
  • CVE-2018-1159—A www memory corruption flaw that could crash the HTTP server by rapidly authenticating and disconnecting.
  • CVE-2018-1158—A recursive parsing stack exhaustion issue that could crash the HTTP server via recursive parsing of JSON.

The vulnerabilities impact Mikrotik RouterOS firmware versions before 6.42.7 and 6.40.9.

Tenable Research reported the issues to MikroTik in May, and the company addressed the vulnerabilities by releasing its RouterOS versions 6.40.9, 6.42.7 and 6.43 in August.

While all the vulnerabilities were patched over a month ago, a recent scan by Tenable Research revealed that 70 percent of routers (which equals to 200,000) are still vulnerable to attack.

The bottom line: If you own a MikroTik router and you have not updated its RouterOS, you should do it right now.

Also, if you are still using default credentials on your router, it is high time to change the default password and keep a unique, long and complex password.

Go to Source

APT Hackers Infect Routers to Covertly Implant Slingshot Spying Malware

Security researchers at Kaspersky have identified a sophisticated APT hacking group that has been operating since at least 2012 without being noticed due to their complex and clever hacking techniques.

The hacking group used a piece of advanced malware—dubbed Slingshot—to infect hundreds of thousands of victims in the Middle East and Africa by hacking into their routers.

According to a 25-page report published [PDF] by Kaspersky Labs, the group exploited unknown vulnerabilities in routers from a Latvian network hardware provider Mikrotik as its first-stage infection vector in order to covertly plant its spyware into victims’ computers.

Although it is unclear how the group managed to compromise the routers at the first place, Kaspersky pointed towards WikiLeaks Vault 7 CIA Leaks, which revealed the ChimayRed exploit, now available on GitHub, to compromise Mikrotik routers.

Once the router is compromised, the attackers replace one of its DDL (dynamic link libraries) file with a malicious one from the file-system, which loads directly into the victim’s computer memory when the user runs Winbox Loader software.


Winbox Loader is a legitimate management tool designed by Mikrotik for Windows users to easily configure their routers that downloads some DLL files from the router and execute them on a system.

This way the malicious DLL file runs on the targeted computer and connects to a remote server to download the final payload, i.e., Slingshot malware.

Slingshot malware includes two modules—Cahnadr (a kernel mode module) and GollumApp (a user mode module), designed for information gathering, persistence and data exfiltration.

Cahnadr module, aka NDriver, takes care of anti-debugging, rootkit and sniffing functionality, injecting other modules, network communications—basically all the capabilities required by user-mode modules.

“[Cahnadr is a] kernel-mode program is able to execute malicious code without crashing the whole file system or causing Blue Screen—a remarkable achievement,” Kaspersky says in its blog post published today.

“Written in pure C language, Canhadr/Ndriver provides full access to the hard drive and operating memory despite device security restrictions, and carries out integrity control of various system components to avoid debugging and security detection.”

Whereas GollumApp is the most sophisticated module which has a wide range of spying functionalities that allow attackers to capture screenshots, collect network-related information, passwords saved in web browsers, all pressed keys, and maintains communication with remote command-and-control servers.


Since GollumApp runs in kernel mode and can also run new processes with SYSTEM privileges, the malware gives attackers full control of the infected systems.

Although Kaspersky has not attributed this group to any country but based on clever techniques it used and limited targets, the security firm concluded that it is definitely a highly skilled and English-speaking state-sponsored hacking group.

“Slingshot is very complex, and the developers behind it have clearly spent a great deal of time and money on its creation. Its infection vector is remarkable—and, to the best of our knowledge, unique,” the researchers say.

The victims include most of the times individuals and some government organizations across various countries including Kenya, Yemen, Libya, Afghanistan, Iraq, Tanzania, Jordan, Mauritius, Somalia, the Democratic Republic of the Congo, Turkey, Sudan and the United Arab Emirates.

Go to Source