The document describes a remote heap corruption vulnerability in the sshd component of Mikrotik RouterOS that allows full access to the router device. It provides instructions for obtaining developer access to Mikrotik RouterOS using a modified NPK file to log in as the "devel" user and drop to a busybox shell. This allows further research on the sshd vulnerability using debugging tools. It notes over 290,000 Mikrotik routers exposed on Shodan and provides download links for a package with research materials.
During an audit, the Mikrotik RouterOS sshd (ROSSSH) was identified as having a remote, pre-authentication heap corruption in its sshd component.
Exploitation of this vulnerability will allow full access to the router device. This analysis describes the bug and includes a way to get developer access to recent versions of Mikrotik RouterOS using the /etc/devel-login file. This is done by forging a modified NPK file using a correct signature and logging into the device with the username devel and the password of the administrator. This drops into a busybox shell for further research on the sshd vulnerability using the gdb and strace tools that have been compiled for the Mikrotik busybox platform. Shodanhq.com shows >290,000 entries for the ROSSSH search term. The 50 MB Mikrotik package including all the research items can be downloaded here: http://www.farlight.org/mikropackage.zip https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/28056.zip